{
  "name": "Meet IClickFix: a widespread framework using the ClickFix tactic",
  "slug": "meet-iclickfix-a-widespread-framework-using-the-clickfix-tactic",
  "description": "IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading visitors through a fake CAPTCHA challenge that tricks them into executing malicious code on their own machines. Running that code ultimately installs NetSupport RAT, granting attackers full control of the infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. It initially distributed Emmenhtal Loader and XFiles Stealer but now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.",
  "published": "2026-01-30T07:20:09+00:00",
  "created_at": "2026-01-30T07:20:09+00:00",
  "modified_at": "2026-01-30T07:51:46+00:00",
  "created_at_opencti": "2026-01-30T07:20:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-30",
    "captcha",
    "clickfix",
    "emmenhtal loader",
    "javascript",
    "netsupport rat",
    "social engineering",
    "watering hole",
    "wordpress",
    "xfiles stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "141.98.11.175"
      },
      {
        "id": "",
        "name": "83.222.190.174"
      },
      {
        "id": "",
        "name": "85.208.84.35"
      },
      {
        "id": "",
        "name": "https://ototaikfffkf.com/fffa.js"
      },
      {
        "id": "",
        "name": "www.alwanqa.com"
      },
      {
        "id": "",
        "name": "https://ksfldfklskdmbxcvb.com/gigi?ts=1765169670"
      },
      {
        "id": "",
        "name": "http://pusykakimao.com:443"
      },
      {
        "id": "",
        "name": "https://bestieslos.com/over.js"
      },
      {
        "id": "",
        "name": "www.raftingsella.com"
      },
      {
        "id": "",
        "name": "https://booksbypatriciaschultz.com/liner.php"
      },
      {
        "id": "",
        "name": "http://85.208.84.35:443/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://scottvmorton.com/tytuy.json'"
      },
      {
        "id": "",
        "name": "http://141.98.11.175/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://fnotusykakimao.com:443"
      },
      {
        "id": "",
        "name": "www.webentangled.com"
      },
      {
        "id": "",
        "name": "https://ksfldfklskdmbxcvb.com/-"
      },
      {
        "id": "",
        "name": "http://83.222.190.174:443/fakeurl.html"
      },
      {
        "id": "",
        "name": "https://ksfldfklskdmbxcvb.com/admin/"
      },
      {
        "id": "",
        "name": "https://ksdkgsdkgkgmgm.pro/ofofo.js"
      },
      {
        "id": "",
        "name": "www.mitaxi.net"
      },
      {
        "id": "",
        "name": "2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689"
      },
      {
        "id": "",
        "name": "2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5"
      },
      {
        "id": "",
        "name": "83a6feb6304effcd258129e5d46f484e4c34c1cce1ea0c32a94a89283ccd24f9"
      },
      {
        "id": "",
        "name": "6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269"
      },
      {
        "id": "",
        "name": "6846bc236bd2095fbf93f8b31dd4ca0798614fcab20fbd2ecac6cc7f431c6dec"
      },
      {
        "id": "",
        "name": "b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80"
      },
      {
        "id": "",
        "name": "62f7a444ab0c645f20c7dc6340c3eaaad7ef033b2188c3e5123406762990c517"
      },
      {
        "id": "",
        "name": "d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368"
      },
      {
        "id": "",
        "name": "06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268"
      },
      {
        "id": "",
        "name": "e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d"
      },
      {
        "id": "",
        "name": "b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2"
      },
      {
        "id": "",
        "name": "4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b"
      },
      {
        "id": "",
        "name": "0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f"
      },
      {
        "id": "",
        "name": "05b03a25e10535c5c8e2327ee800ff5894f5dbfaf72e3fdcd9901def6f072c6d"
      }
    ],
    "malware": [
      {
        "id": "f761326f-e850-43f9-ae0c-bca0aa8ff4c8",
        "name": "XFiles Stealer",
        "slug": "xfiles-stealer"
      },
      {
        "id": "legacy:malware:b54c1e74358cc3f6",
        "name": "Emmenhtal Loader",
        "slug": "emmenhtal-loader"
      },
      {
        "id": "legacy:malware:72c31ed0db92bc73",
        "name": "NetSupport RAT",
        "slug": "netsupport-rat"
      }
    ],
    "attack_patterns": [
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ghana"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "generationkasdm.com"
      },
      {
        "id": "",
        "name": "makimakiokina.com"
      },
      {
        "id": "",
        "name": "abogados-gs.com"
      },
      {
        "id": "",
        "name": "erisaactuarialservices.com"
      },
      {
        "id": "",
        "name": "fsdtiototoitweot.com"
      },
      {
        "id": "",
        "name": "scottvmorton.com"
      },
      {
        "id": "",
        "name": "1teamintl.com"
      },
      {
        "id": "",
        "name": "bestieslos.com"
      },
      {
        "id": "",
        "name": "ksfldfklskdmbxcvb.com"
      },
      {
        "id": "",
        "name": "pptpooalfkakktl.com"
      },
      {
        "id": "",
        "name": "stangherlini.com.br"
      },
      {
        "id": "",
        "name": "pusykakimao.com"
      },
      {
        "id": "",
        "name": "alsokdalsdkals.com"
      },
      {
        "id": "",
        "name": "xxclglglglklgkxlc.com"
      },
      {
        "id": "",
        "name": "foflfalflafl.com"
      },
      {
        "id": "",
        "name": "sdfikguoriqoir.cloud"
      },
      {
        "id": "",
        "name": "ldasldalsd.com"
      },
      {
        "id": "",
        "name": "universitynsd.com"
      },
      {
        "id": "",
        "name": "ksdkgsdkgkgmgm.pro"
      },
      {
        "id": "",
        "name": "jdaklsjdklajsldkjd.com"
      },
      {
        "id": "",
        "name": "wintars.com"
      },
      {
        "id": "",
        "name": "solpower.com.my"
      },
      {
        "id": "",
        "name": "dreamdraftingsydney.com.au"
      },
      {
        "id": "",
        "name": "mexicaletta.com.br"
      },
      {
        "id": "",
        "name": "talentforth.org"
      },
      {
        "id": "",
        "name": "serviceverifcaptcho.com"
      },
      {
        "id": "",
        "name": "fnotusykakimao.com"
      },
      {
        "id": "",
        "name": "undermymindops.com"
      },
      {
        "id": "",
        "name": "soinpharmaceuticals.com"
      },
      {
        "id": "",
        "name": "caprofklfkzttripwith.com"
      },
      {
        "id": "",
        "name": "dasopdoaodoaoaoao.com"
      },
      {
        "id": "",
        "name": "understandott.com"
      },
      {
        "id": "",
        "name": "aasdtvcvchcvhhhhh.com"
      },
      {
        "id": "",
        "name": "kdkdaosdkalkdkdakd.com"
      },
      {
        "id": "",
        "name": "skldfjgsldkmfgsdfg.com"
      },
      {
        "id": "",
        "name": "ecoawnings.com.au"
      },
      {
        "id": "",
        "name": "foundationasdasd.com"
      },
      {
        "id": "",
        "name": "losiposithankyou.com"
      },
      {
        "id": "",
        "name": "notmauserfizko.com"
      },
      {
        "id": "",
        "name": "almhdnursing.qa"
      },
      {
        "id": "",
        "name": "ksaitkktkatfl.com"
      },
      {
        "id": "",
        "name": "remarkableaskf.com"
      },
      {
        "id": "",
        "name": "dhdjisksnsbhssu.com"
      },
      {
        "id": "",
        "name": "nightlomsknies.com"
      },
      {
        "id": "",
        "name": "ototaikfffkf.com"
      },
      {
        "id": "",
        "name": "ititoiaitoaitoiakkaka.com"
      },
      {
        "id": "",
        "name": "pisikakimmmad.com"
      },
      {
        "id": "",
        "name": "atmospheredast.com"
      },
      {
        "id": "",
        "name": "fsdotiototakkaakkal.com"
      },
      {
        "id": "",
        "name": "appasdmdamsdmasd.com"
      },
      {
        "id": "",
        "name": "tripallmaljok.com"
      },
      {
        "id": "",
        "name": "ikfsdfksldkflsktoq.com"
      },
      {
        "id": "",
        "name": "notlimbobimboa.com"
      },
      {
        "id": "",
        "name": "kalkgmbzfghq.com"
      },
      {
        "id": "",
        "name": "sfc-oman.com"
      },
      {
        "id": "",
        "name": "kdfmmikfkafjikmfikfjhm.com"
      },
      {
        "id": "",
        "name": "otpnemoyjfh.com"
      },
      {
        "id": "",
        "name": "dasktiitititit.com"
      },
      {
        "id": "",
        "name": "asdaotasktjastmnt.com"
      },
      {
        "id": "",
        "name": "gerab.bt"
      },
      {
        "id": "",
        "name": "pqoqllalll.com"
      },
      {
        "id": "",
        "name": "bestiamos.com"
      },
      {
        "id": "",
        "name": "jairecanoas.com"
      },
      {
        "id": "",
        "name": "forfsakencoilddxga.com"
      },
      {
        "id": "",
        "name": "aksdaitkatktk.com"
      },
      {
        "id": "",
        "name": "dasdalksdkmasdas.com"
      },
      {
        "id": "",
        "name": "basketballast.com"
      },
      {
        "id": "",
        "name": "medi-care.gr"
      },
      {
        "id": "",
        "name": "smallfootmyfor.com"
      },
      {
        "id": "",
        "name": "ototoqtklktzlk.com"
      },
      {
        "id": "",
        "name": "overtimeforus.com"
      },
      {
        "id": "",
        "name": "zmzkdodudhdbdu.com"
      },
      {
        "id": "",
        "name": "newgenlosehops.com"
      },
      {
        "id": "",
        "name": "booksbypatriciaschultz.com"
      }
    ]
  },
  "external_refs": [
    "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/",
    "https://otx.alienvault.com/pulse/697c69b9af67a1f288275176"
  ]
}