{
  "Event": {
    "analysis": "1",
    "date": "2026-04-29",
    "extends_uuid": "",
    "info": "[Threat Intel] User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command",
    "protected": false,
    "publish_timestamp": "1779545727",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545726",
    "uuid": "af9cf7cb-d1d3-4dba-a1fd-06b94ee6de3f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": false,
        "type": "text",
        "uuid": "9d119cab-0b72-4293-8851-4ad774c14a7d",
        "value": "A ClickFix-style phishing campaign leveraged social engineering to trick users into running obfuscated PowerShell commands, which downloaded a malicious MSI payload over plain HTTP from a remote server on a non-standard port and installed it via msiexec (T1218.007). The attack employed a multi-stage infection chain that used DLL sideloading with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration over the C2 channel. The campaign used multiple command-and-control domains and infrastructure hosted on specific IP addresses; the domain, IP address, and URLs captured in this event are recorded as Network activity attributes, and the file hashes as Payload delivery attributes. Mitigation measures include blocking the identified artifacts, raising user awareness of ClickFix social engineering (web pages that instruct the visitor to copy and run a command), deploying endpoint detection for suspicious PowerShell activity (obfuscated or encoded command lines launched from a user session, msiexec fetching a remote URL) and for unsigned DLLs loaded by renamed or relocated signed binaries, isolating compromised systems for remediation, and resetting any credentials held in password stores on affected hosts, since the stealer targets them (T1555)."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": false,
        "type": "text",
        "uuid": "8fbddfd8-bdef-4c2b-92db-b0bf1c69bdec",
        "value": "Name: User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command\nAuthor: AlienVault\nAdversary: \nTags: [\"phishing\", \"lumma stealer\", \"powershell\", \"information stealer\", \"credential theft\", \"hijackloader\", \"dll sideloading\", \"lummastealer\", \"clickfix\"]\nTgtd countries: []\nMlwr families: [\"HijackLoader\", \"Lumma Stealer - S1213\", \"LummaStealer\"]\nAttack_ids: [\"T1218.007\", \"T1005\", \"T1555\", \"T1036\", \"T1055\", \"T1059\", \"T1204\", \"T1041\", \"T1059.001\", \"T1566\", \"T1027\", \"T1573\", \"T1071.001\", \"T1574.002\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777679536",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "be8ae80f-6e21-4bd2-b8d8-d95d49bc4545",
        "value": "85.11.161.198",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha256",
        "uuid": "46b145d4-410d-4b29-acae-0c81a10a0ad0",
        "value": "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8fdaa039-2238-48af-bea0-86639084e60b",
        "value": "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777679558",
        "to_ids": true,
        "type": "url",
        "uuid": "0a2fca2b-37c4-407a-983c-1f75cb68308c",
        "value": "http://robinhuds.com:9658/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777679579",
        "to_ids": true,
        "type": "url",
        "uuid": "ad21efd4-7d33-4f62-8ed6-388e91ff325d",
        "value": "http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9d88ee81-31f2-49b8-8c22-5b44506ce453",
        "value": "818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "md5",
        "uuid": "e1e6bcb3-2e1a-4b87-91bd-d7ed92cc3bff",
        "value": "b07a03883675654088a2b56a80933ca8"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "md5",
        "uuid": "c53a6f9a-7dbb-490c-a3cf-8a52f607b9c8",
        "value": "b6a201726b44106a7dbe93a480b38420"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "md5",
        "uuid": "ba360ca0-0806-4f9c-8122-f61ee35fbecb",
        "value": "fa1f2ac9172702ad10c24f0a637c26cd"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha1",
        "uuid": "f95720b5-343d-4870-a2e8-9b6154089a1d",
        "value": "10dfd71cf61ea3c1621a5b0c08c3b034773fb84b"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ad28fcd8-322a-4f3f-b488-360e4a500d12",
        "value": "7450731c0baf5befb79966a6be7873a5b1a62a7a"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460409",
        "to_ids": true,
        "type": "sha1",
        "uuid": "0d0cd129-16a2-470f-b990-1847641115d1",
        "value": "b374d1715148bc80394b844d9f008adfa5585d65"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777679600",
        "to_ids": true,
        "type": "domain",
        "uuid": "cfdf1f81-2182-4b46-8aaa-fcb5496c5f62",
        "value": "robinhuds.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777675337",
        "to_ids": false,
        "type": "link",
        "uuid": "9ac33922-545c-4f77-8791-d0d30e217321",
        "value": "https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}