ClickFix in action: how fake captcha can encrypt an entire company

Published 19/02/2026 15:26 · Modified 19/02/2026 18:13

Essential information

Published
19/02/2026 15:26
Modified
19/02/2026 18:13
Tags
2026-02-19 c2 communication clickfix fake captcha latrodectus malware analysis persistence ransomware side-loading supper
Related entities
17 observables, 2 techniques (mitre), 2 malware, 5 others

Description

The report details a malware attack on a large Polish organization involving techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: (version 2.3) and . The report provides technical details on the malware's functionality, communication protocols, and mechanisms. It also includes indicators of compromise, such as C2 server IP addresses and file hashes. The authors emphasize the importance of employee education and monitoring for unusual events to mitigate such threats.

External references