{
  "name": "The Evolution of ClickFix: From Cleartext to Server Side Polymorphism",
  "slug": "the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism",
  "description": "The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.",
  "published": "2026-05-20T09:12:22+00:00",
  "created_at": "2026-05-20T09:12:22+00:00",
  "modified_at": "2026-05-21T14:46:37+00:00",
  "created_at_opencti": "2026-05-20T09:12:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-20",
    "base64 obfuscation",
    "clickfix",
    "deerstealer",
    "fake captcha",
    "fileless execution",
    "infostealer",
    "powershell",
    "server-side polymorphism",
    "vidar",
    "xor encryption"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "158.94.210.248"
      },
      {
        "id": "",
        "name": "108.233.207.35"
      },
      {
        "id": "",
        "name": "208.109.20.46"
      },
      {
        "id": "",
        "name": "www.kwispelcollege.nl"
      },
      {
        "id": "",
        "name": "www.ancorama.it"
      },
      {
        "id": "",
        "name": "www.thestandardequine.com"
      },
      {
        "id": "",
        "name": "www.voguebeautybar.com"
      },
      {
        "id": "",
        "name": "www.chadeverettharris.com"
      },
      {
        "id": "",
        "name": "www.sixthdimensionlearning.com"
      },
      {
        "id": "",
        "name": "www.shivshankarexp.com"
      },
      {
        "id": "",
        "name": "www.kundcoffee.com"
      },
      {
        "id": "",
        "name": "www.fggcumuahia.sch.ng"
      },
      {
        "id": "",
        "name": "www.omnicoresolutions.net"
      },
      {
        "id": "",
        "name": "www.kompleksikulla.com"
      },
      {
        "id": "",
        "name": "www.ajitexport.com"
      },
      {
        "id": "",
        "name": "www.sbobet.net.cm"
      },
      {
        "id": "",
        "name": "www.ahgsecurity.services"
      },
      {
        "id": "",
        "name": "www.franzfoto.com"
      },
      {
        "id": "",
        "name": "www.pricianastore.com"
      },
      {
        "id": "",
        "name": "www.urbangardenworkshop.com"
      },
      {
        "id": "",
        "name": "www.oulpansheli.org"
      },
      {
        "id": "",
        "name": "www.spurmart.de"
      },
      {
        "id": "",
        "name": "www.rymediatalks.com"
      },
      {
        "id": "",
        "name": "www.qarnifoods.com"
      },
      {
        "id": "",
        "name": "www.sahabatkarir.com"
      },
      {
        "id": "",
        "name": "www.njfamilyphotography.com"
      },
      {
        "id": "",
        "name": "www.sparkedgecap.com"
      },
      {
        "id": "",
        "name": "www.jkbuildersg.com"
      },
      {
        "id": "",
        "name": "www.geely-tunisie.com"
      },
      {
        "id": "",
        "name": "www.terramarketgroup.com"
      },
      {
        "id": "",
        "name": "www.instalacionescobos.com"
      },
      {
        "id": "",
        "name": "www.coinnewsdaily.com"
      },
      {
        "id": "",
        "name": "www.nefis.be"
      },
      {
        "id": "",
        "name": "www.befrankphotos.com"
      },
      {
        "id": "",
        "name": "www.internationallegalcouncil.com"
      },
      {
        "id": "",
        "name": "www.dynamicvision.nl"
      },
      {
        "id": "",
        "name": "www.auraaesthetics.in"
      },
      {
        "id": "",
        "name": "www.dtale.co"
      },
      {
        "id": "",
        "name": "www.samriddhabeachresort.com"
      },
      {
        "id": "",
        "name": "www.boisegaragedoorsrepair.com"
      },
      {
        "id": "",
        "name": "www.mealsonthebus.net"
      },
      {
        "id": "",
        "name": "www.sharonmkelly.com"
      },
      {
        "id": "",
        "name": "www.jenniferjohnsonstudio.com"
      },
      {
        "id": "",
        "name": "www.zeitdanach.ch"
      },
      {
        "id": "",
        "name": "www.dubaihairdoctor.com"
      },
      {
        "id": "",
        "name": "www.weddingcarsshrewsbury.co.uk"
      },
      {
        "id": "",
        "name": "www.toyeencresttech.com.ng"
      },
      {
        "id": "",
        "name": "www.veluwheels.com"
      },
      {
        "id": "",
        "name": "www.colosseumclub.it"
      },
      {
        "id": "",
        "name": "www.holtoncars.co.uk"
      },
      {
        "id": "",
        "name": "www.dailynewsicon.com"
      },
      {
        "id": "",
        "name": "www.colorsofcapital.com"
      },
      {
        "id": "",
        "name": "www.cdacapitalbogota.com"
      },
      {
        "id": "",
        "name": "www.patchworkdigital.co.uk"
      },
      {
        "id": "",
        "name": "www.sunclickusa.com"
      },
      {
        "id": "",
        "name": "www.clayci.com"
      },
      {
        "id": "",
        "name": "www.cakerecipehome.com"
      },
      {
        "id": "",
        "name": "www.diamondledmedia.com"
      },
      {
        "id": "",
        "name": "www.records.world"
      },
      {
        "id": "",
        "name": "www.firenzealluvione.it"
      },
      {
        "id": "",
        "name": "www.collectivefab.agency"
      },
      {
        "id": "",
        "name": "www.threepublic.com"
      },
      {
        "id": "",
        "name": "www.donmontero.pl"
      },
      {
        "id": "",
        "name": "www.danteti.co"
      },
      {
        "id": "",
        "name": "www.myhealthcarebilling.com"
      },
      {
        "id": "",
        "name": "www.crossfitbondi.com.au"
      },
      {
        "id": "",
        "name": "www.legacypool.us"
      },
      {
        "id": "",
        "name": "www.lionsbreathwellness.com.au"
      },
      {
        "id": "",
        "name": "www.greenlineconversations.com"
      },
      {
        "id": "",
        "name": "www.julnohub.com.ng"
      },
      {
        "id": "",
        "name": "www.adotapets.com.br"
      },
      {
        "id": "",
        "name": "www.bespaargoed.nl"
      },
      {
        "id": "",
        "name": "www.getprojecttopics.com"
      },
      {
        "id": "",
        "name": "www.mehryanatravel.net"
      },
      {
        "id": "",
        "name": "www.freemel2.it"
      },
      {
        "id": "",
        "name": "www.maison-terrier.fr"
      },
      {
        "id": "",
        "name": "www.carletmovilidad.com"
      },
      {
        "id": "",
        "name": "www.7medindia.com"
      },
      {
        "id": "",
        "name": "www.sdalazer.com"
      },
      {
        "id": "",
        "name": "www.corticaltms.com.au"
      },
      {
        "id": "",
        "name": "www.playflowdogtraining.it"
      },
      {
        "id": "",
        "name": "www.smtmachines.com.br"
      },
      {
        "id": "",
        "name": "www.groundedflooring.com.au"
      },
      {
        "id": "",
        "name": "www.firstclasskitchens.ca"
      },
      {
        "id": "",
        "name": "www.gustavogorriaran.com.uy"
      },
      {
        "id": "",
        "name": "www.einvoicesolutions.com"
      },
      {
        "id": "",
        "name": "www.av-subthai.me"
      },
      {
        "id": "",
        "name": "www.gullivergaragedoors.com"
      },
      {
        "id": "",
        "name": "www.coastalcreationsct.com"
      },
      {
        "id": "",
        "name": "www.singaporeguides.ru"
      },
      {
        "id": "",
        "name": "www.cubefire.co.uk"
      },
      {
        "id": "",
        "name": "www.powerauto.ch"
      },
      {
        "id": "",
        "name": "www.bevolve.co.za"
      },
      {
        "id": "",
        "name": "www.bengalspeech.com"
      },
      {
        "id": "",
        "name": "www.modelodecking.com.au"
      },
      {
        "id": "",
        "name": "www.corporaterescue.com"
      },
      {
        "id": "",
        "name": "www.forcevision.hu"
      },
      {
        "id": "",
        "name": "www.proplayuk.com"
      },
      {
        "id": "",
        "name": "www.polkadotdp.com"
      },
      {
        "id": "",
        "name": "www.theuddhavelite.com"
      },
      {
        "id": "",
        "name": "www.call-united.com"
      },
      {
        "id": "",
        "name": "www.etablissementbientraitant.fr"
      },
      {
        "id": "",
        "name": "www.aprendatorah.com.br"
      },
      {
        "id": "",
        "name": "www.africaneconomicglobalconvergence.org"
      },
      {
        "id": "",
        "name": "www.francotaboada.com"
      },
      {
        "id": "",
        "name": "www.fieratartufidabruzzo.it"
      },
      {
        "id": "",
        "name": "www.federicodelmonaco.it"
      },
      {
        "id": "",
        "name": "www.eduagentclub.com"
      },
      {
        "id": "",
        "name": "www.reksawijaya.co.id"
      },
      {
        "id": "",
        "name": "www.affix.it"
      },
      {
        "id": "",
        "name": "www.reports.socheers.net"
      },
      {
        "id": "",
        "name": "www.kidzacademyllc.org"
      },
      {
        "id": "",
        "name": "www.fsejobs.co.uk"
      },
      {
        "id": "",
        "name": "www.johncohencoaching.com"
      },
      {
        "id": "",
        "name": "www.skanbo.se"
      },
      {
        "id": "",
        "name": "www.tuoperito.com"
      },
      {
        "id": "",
        "name": "www.dunebuggydubai.ae"
      },
      {
        "id": "",
        "name": "www.papurn.com"
      },
      {
        "id": "",
        "name": "www.executiveplus.co.uk"
      },
      {
        "id": "",
        "name": "www.tamava.org"
      },
      {
        "id": "",
        "name": "www.uniqueprime.com.br"
      },
      {
        "id": "",
        "name": "www.johnsminibushire.co.uk"
      },
      {
        "id": "",
        "name": "www.sardegnaecology.it"
      },
      {
        "id": "",
        "name": "www.migen.ph"
      },
      {
        "id": "",
        "name": "www.iconlng.com"
      },
      {
        "id": "",
        "name": "www.tvandfilmlaw.com"
      },
      {
        "id": "",
        "name": "www.egithvandinther.com"
      },
      {
        "id": "",
        "name": "www.luco.com.uy"
      },
      {
        "id": "",
        "name": "www.semakankerjaya.com"
      },
      {
        "id": "",
        "name": "www.pompiliomartinez.edu.co"
      },
      {
        "id": "",
        "name": "www.pariya.com.au"
      },
      {
        "id": "",
        "name": "www.theazuretech.com"
      },
      {
        "id": "",
        "name": "www.gikseo.com"
      },
      {
        "id": "",
        "name": "www.warbirdmarineholdings.com"
      },
      {
        "id": "",
        "name": "www.philcomp.ph"
      },
      {
        "id": "",
        "name": "www.dz-travels.com"
      },
      {
        "id": "",
        "name": "www.mydriverbs.com"
      },
      {
        "id": "",
        "name": "www.kerenor.care"
      },
      {
        "id": "",
        "name": "www.divulgaabc.com"
      },
      {
        "id": "",
        "name": "www.argirisangelopoulos.gr"
      },
      {
        "id": "",
        "name": "www.montanaranchrental.com"
      },
      {
        "id": "",
        "name": "www.bizpost.ie"
      },
      {
        "id": "",
        "name": "www.promorent.it"
      },
      {
        "id": "",
        "name": "www.lachen-lebenslust.de"
      },
      {
        "id": "",
        "name": "www.house-innergy.com"
      },
      {
        "id": "",
        "name": "www.precision-surgical.com"
      },
      {
        "id": "",
        "name": "www.skogslogistikab.se"
      },
      {
        "id": "",
        "name": "www.visionplasticsusa.com"
      },
      {
        "id": "",
        "name": "www.omindianfood.com.indiantableny.com"
      },
      {
        "id": "",
        "name": "www.vpujes.edu.in"
      },
      {
        "id": "",
        "name": "www.acnet.org.au"
      },
      {
        "id": "",
        "name": "www.thefuturelist.com"
      },
      {
        "id": "",
        "name": "www.squivle.com"
      },
      {
        "id": "",
        "name": "www.become-remarkable.com"
      },
      {
        "id": "",
        "name": "www.habitatinteriors.in"
      },
      {
        "id": "",
        "name": "www.freejunkcarhauling.com"
      },
      {
        "id": "",
        "name": "www.roofrepairspecialist.com"
      },
      {
        "id": "",
        "name": "www.broarmand.org.ph"
      },
      {
        "id": "",
        "name": "www.nataliegonchar.com"
      },
      {
        "id": "",
        "name": "www.resiliencebehavioralhealthcenters.com"
      },
      {
        "id": "",
        "name": "www.livecup.se"
      },
      {
        "id": "",
        "name": "www.androidevi.com"
      },
      {
        "id": "",
        "name": "www.breastdoctorpune.com"
      },
      {
        "id": "",
        "name": "www.diversidadesexual.com.br"
      },
      {
        "id": "",
        "name": "www.delaneyfeatherston.com.au"
      },
      {
        "id": "",
        "name": "www.elisorlawllp.com"
      },
      {
        "id": "",
        "name": "www.equinoxfinance.com.au"
      },
      {
        "id": "",
        "name": "www.attorneys.mk"
      },
      {
        "id": "",
        "name": "www.grupoespacios.net"
      },
      {
        "id": "",
        "name": "www.wholefoodplantbasedrd.com"
      },
      {
        "id": "",
        "name": "www.redapplecoaching.ca"
      },
      {
        "id": "",
        "name": "www.cheaphardware.co.uk"
      },
      {
        "id": "",
        "name": "www.hotelthamlahaveli.com"
      },
      {
        "id": "",
        "name": "www.safespacesouthwest.com"
      },
      {
        "id": "",
        "name": "www.residence-schmitt.com"
      },
      {
        "id": "",
        "name": "www.kreativ-konditorin.de"
      },
      {
        "id": "",
        "name": "www.inviziblemantattooremoval.com"
      },
      {
        "id": "",
        "name": "www.holystica.org"
      },
      {
        "id": "",
        "name": "www.inspiredself.co"
      },
      {
        "id": "",
        "name": "www.futbol.co"
      },
      {
        "id": "",
        "name": "www.tuslacteos.com"
      },
      {
        "id": "",
        "name": "www.mspsdaycare.com"
      },
      {
        "id": "",
        "name": "www.hotelplayadeaguilar.com"
      },
      {
        "id": "",
        "name": "www.visualimpressao.com.br"
      },
      {
        "id": "",
        "name": "www.studiocima.org"
      },
      {
        "id": "",
        "name": "www.nonprofit.oldrosetheater.com"
      },
      {
        "id": "",
        "name": "www.sexysclub.com"
      },
      {
        "id": "",
        "name": "www.nimbussystems.co.in"
      },
      {
        "id": "",
        "name": "www.luminary-group.com.au"
      },
      {
        "id": "",
        "name": "www.equityunion.com"
      },
      {
        "id": "",
        "name": "www.ambavgarhpalace.com"
      },
      {
        "id": "",
        "name": "www.happyvalleydayfacility.com"
      },
      {
        "id": "",
        "name": "www.hazaracarremoval.com.au"
      },
      {
        "id": "",
        "name": "www.brownseacordoba.com"
      },
      {
        "id": "",
        "name": "www.yroenergy.com"
      },
      {
        "id": "",
        "name": "www.drpcapital.com"
      },
      {
        "id": "",
        "name": "www.depilalaser.it"
      },
      {
        "id": "",
        "name": "www.agabuilders.co.uk"
      },
      {
        "id": "",
        "name": "www.holisticayurveda.ca"
      },
      {
        "id": "",
        "name": "www.acmatic.in"
      }
    ],
    "malware": [
      {
        "id": "2c582ed8-35df-4ef9-917d-994e214aa5f9",
        "name": "Vidar",
        "slug": "vidar"
      },
      {
        "id": "legacy:malware:2e1a7a078f215d19",
        "name": "DeerStealer",
        "slug": "deerstealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "voshodrobotics.com"
      },
      {
        "id": "",
        "name": "ahpropiscines.com"
      },
      {
        "id": "",
        "name": "dealsdepot.xyz"
      },
      {
        "id": "",
        "name": "devdoesmortgages.com"
      },
      {
        "id": "",
        "name": "liftwar.carshineonline.com"
      },
      {
        "id": "",
        "name": "emecsport.com"
      },
      {
        "id": "",
        "name": "sam-n.com"
      },
      {
        "id": "",
        "name": "truegentsbarbers.com"
      },
      {
        "id": "",
        "name": "compraway.com"
      },
      {
        "id": "",
        "name": "lots24.de"
      },
      {
        "id": "",
        "name": "turbolifemag.com"
      },
      {
        "id": "",
        "name": "auggieeats.com"
      },
      {
        "id": "",
        "name": "studio.mascaf-production.infobymika.fr"
      },
      {
        "id": "",
        "name": "nickvanhoegen.de"
      },
      {
        "id": "",
        "name": "corporatestrategyforinnovation.com"
      },
      {
        "id": "",
        "name": "aa-solutions.de"
      },
      {
        "id": "",
        "name": "jurisimmoaveyron.fr"
      },
      {
        "id": "",
        "name": "itmyworld.com"
      },
      {
        "id": "",
        "name": "rasketehnikamuuk.ee"
      },
      {
        "id": "",
        "name": "ethekeconnect.com"
      },
      {
        "id": "",
        "name": "hosts-to-nicaragua.com"
      },
      {
        "id": "",
        "name": "secureattached.com"
      },
      {
        "id": "",
        "name": "josdream.com"
      },
      {
        "id": "",
        "name": "hesweindia.com"
      },
      {
        "id": "",
        "name": "doublebubbleslot.net"
      },
      {
        "id": "",
        "name": "syrcamp.wizardswp.com"
      },
      {
        "id": "",
        "name": "ovissweets.ovisshop.com"
      },
      {
        "id": "",
        "name": "gbfurniture.net"
      },
      {
        "id": "",
        "name": "downholeinjection.com"
      },
      {
        "id": "",
        "name": "globalrvsales.com.au"
      },
      {
        "id": "",
        "name": "imagesuitepr.com"
      },
      {
        "id": "",
        "name": "dev.kiddiekollege.ca"
      },
      {
        "id": "",
        "name": "sentrex.bluehat.hosting"
      },
      {
        "id": "",
        "name": "peprah-gyamfi.com"
      },
      {
        "id": "",
        "name": "angrybees.eu"
      },
      {
        "id": "",
        "name": "lifestylehubz.com"
      },
      {
        "id": "",
        "name": "kartacpa.co.il"
      },
      {
        "id": "",
        "name": "twenty-pho-hour.com"
      },
      {
        "id": "",
        "name": "baking-tales.com"
      },
      {
        "id": "",
        "name": "christianereichwein.com"
      },
      {
        "id": "",
        "name": "freetoolz.online"
      },
      {
        "id": "",
        "name": "abnerdantas.com"
      },
      {
        "id": "",
        "name": "citytrav.com"
      },
      {
        "id": "",
        "name": "homeinvestorhandbookoforganization.com"
      },
      {
        "id": "",
        "name": "shoppingnetworks.org"
      },
      {
        "id": "",
        "name": "lunellimalhasetecidos.com.br"
      },
      {
        "id": "",
        "name": "cdn.alfayha.ae"
      },
      {
        "id": "",
        "name": "technolawgi.com"
      },
      {
        "id": "",
        "name": "jeepbastard.com"
      },
      {
        "id": "",
        "name": "oakandcedarus.com"
      },
      {
        "id": "",
        "name": "bellalucaconsulting.com"
      },
      {
        "id": "",
        "name": "sageequities.net"
      },
      {
        "id": "",
        "name": "admissions2026.com"
      },
      {
        "id": "",
        "name": "aficomtech.com"
      },
      {
        "id": "",
        "name": "hanzelova.gunslingers.sk"
      },
      {
        "id": "",
        "name": "kustantiblogs.web.id"
      },
      {
        "id": "",
        "name": "laglorianails.com"
      },
      {
        "id": "",
        "name": "generalaccessoriesinc.com"
      },
      {
        "id": "",
        "name": "sycamorerunpuppies.com"
      },
      {
        "id": "",
        "name": "dkroofingandbuildingltd.co.uk"
      },
      {
        "id": "",
        "name": "djlandscapingltd.co.uk"
      },
      {
        "id": "",
        "name": "urinyoglobal.com"
      },
      {
        "id": "",
        "name": "aachenhc.com"
      },
      {
        "id": "",
        "name": "silvertechconsulting.pk"
      },
      {
        "id": "",
        "name": "barkandplaypr.com"
      },
      {
        "id": "",
        "name": "montrealguideservice.com"
      },
      {
        "id": "",
        "name": "jablaservice.com"
      },
      {
        "id": "",
        "name": "deeringindustries.com"
      },
      {
        "id": "",
        "name": "scalewithzephyr.com"
      },
      {
        "id": "",
        "name": "chewy.pk"
      },
      {
        "id": "",
        "name": "ohiovalleyprep.com"
      },
      {
        "id": "",
        "name": "camaintenance.co.za"
      },
      {
        "id": "",
        "name": "stampstory.in"
      },
      {
        "id": "",
        "name": "my.cofeusa.com"
      },
      {
        "id": "",
        "name": "kyveincare.com"
      },
      {
        "id": "",
        "name": "cbcloja.org.mk"
      },
      {
        "id": "",
        "name": "aloeveraleaf.com"
      },
      {
        "id": "",
        "name": "cualixrealestate.com"
      },
      {
        "id": "",
        "name": "justmoluxuryhampers.com"
      },
      {
        "id": "",
        "name": "allplanetssame.cfd"
      },
      {
        "id": "",
        "name": "gplpropertyservices.com"
      },
      {
        "id": "",
        "name": "atlbasements.com"
      },
      {
        "id": "",
        "name": "helloremovals.co.uk"
      },
      {
        "id": "",
        "name": "mail.shimantohukushi.ac.jp"
      },
      {
        "id": "",
        "name": "planet-q.com"
      },
      {
        "id": "",
        "name": "jenniferstarns.com"
      },
      {
        "id": "",
        "name": "boyntonbeachflmovers.com"
      },
      {
        "id": "",
        "name": "planbcreative.org"
      },
      {
        "id": "",
        "name": "eliezerstaycation.com"
      },
      {
        "id": "",
        "name": "fairplayloginapp.com"
      },
      {
        "id": "",
        "name": "northamericanmastiff.ca"
      },
      {
        "id": "",
        "name": "redcross.org.pg"
      },
      {
        "id": "",
        "name": "ivitaminclinic.co.uk"
      },
      {
        "id": "",
        "name": "cleanpoweraustralia.com.au"
      },
      {
        "id": "",
        "name": "artemcollection.obatone.com"
      },
      {
        "id": "",
        "name": "lacaverneguitare.titanswp.com"
      },
      {
        "id": "",
        "name": "martin0815.de"
      },
      {
        "id": "",
        "name": "breakaway-tackle.co.uk"
      },
      {
        "id": "",
        "name": "aginginplacellc.com"
      },
      {
        "id": "",
        "name": "bespokeforyou.de"
      },
      {
        "id": "",
        "name": "vedabelgium.com"
      },
      {
        "id": "",
        "name": "infinittapinturas.com.br"
      },
      {
        "id": "",
        "name": "oceanicblueempire.com"
      },
      {
        "id": "",
        "name": "sokokeconservatory.com"
      },
      {
        "id": "",
        "name": "thedirtdoctors.com"
      },
      {
        "id": "",
        "name": "ekramit.net"
      },
      {
        "id": "",
        "name": "medicalandhealtharticlesforagingparents.com"
      },
      {
        "id": "",
        "name": "reardanathletics.com"
      },
      {
        "id": "",
        "name": "telefoonboekbedrijven.be"
      },
      {
        "id": "",
        "name": "feelbrightlight.com"
      },
      {
        "id": "",
        "name": "bradisongroup.com"
      },
      {
        "id": "",
        "name": "ffduopartners.com"
      },
      {
        "id": "",
        "name": "ladylakemovers.com"
      },
      {
        "id": "",
        "name": "anamariaromanow.com"
      },
      {
        "id": "",
        "name": "linkinsightnews.com"
      },
      {
        "id": "",
        "name": "lifemagazine.nl"
      },
      {
        "id": "",
        "name": "tbuildnsw.com.au"
      },
      {
        "id": "",
        "name": "signsexpress.silvertechconsultants.com"
      },
      {
        "id": "",
        "name": "ebikevtt.ca"
      },
      {
        "id": "",
        "name": "theeconomiccloset.com"
      },
      {
        "id": "",
        "name": "singhaar.com.pk"
      },
      {
        "id": "",
        "name": "deliciasdovaledocafe.com.br"
      },
      {
        "id": "",
        "name": "jarotmw.id"
      },
      {
        "id": "",
        "name": "a-mimarte.com"
      },
      {
        "id": "",
        "name": "tsysf.org"
      },
      {
        "id": "",
        "name": "americanprogaragedoorllc.com"
      },
      {
        "id": "",
        "name": "hghomeremodelingcorp.com"
      },
      {
        "id": "",
        "name": "hamicalifornia.org"
      },
      {
        "id": "",
        "name": "anima.kraken-design.eu"
      },
      {
        "id": "",
        "name": "lowongankerjabaru.web.id"
      },
      {
        "id": "",
        "name": "loveworldvirtualchurch.org.uk"
      },
      {
        "id": "",
        "name": "estacao36.com.br"
      },
      {
        "id": "",
        "name": "insideafricans.com"
      },
      {
        "id": "",
        "name": "kantoorrecensie.nl"
      },
      {
        "id": "",
        "name": "agencenathtech.com"
      },
      {
        "id": "",
        "name": "stuartrealty.ca"
      },
      {
        "id": "",
        "name": "nycr-dev.gc2.cdn4.net"
      },
      {
        "id": "",
        "name": "firstgaragedoor.net"
      },
      {
        "id": "",
        "name": "careers.socheers.net"
      },
      {
        "id": "",
        "name": "globetracklogistics.com.au"
      },
      {
        "id": "",
        "name": "antiquekreations.com"
      },
      {
        "id": "",
        "name": "technologypundits.com"
      },
      {
        "id": "",
        "name": "art4peaceawards.org"
      },
      {
        "id": "",
        "name": "business-standard.com.au"
      },
      {
        "id": "",
        "name": "notarytogo.com"
      },
      {
        "id": "",
        "name": "2ppinmobiliaria.online"
      },
      {
        "id": "",
        "name": "vonericroofing.com"
      },
      {
        "id": "",
        "name": "saisio.fr"
      },
      {
        "id": "",
        "name": "brandalcapital.com"
      },
      {
        "id": "",
        "name": "rjglamesfamilyfoundation.org"
      },
      {
        "id": "",
        "name": "alquiler.teksoluz.com"
      },
      {
        "id": "",
        "name": "asphalttechpro.com"
      },
      {
        "id": "",
        "name": "trustcitytownship.com"
      },
      {
        "id": "",
        "name": "blackbookinvestments.co.uk"
      },
      {
        "id": "",
        "name": "thedogcentral.com"
      },
      {
        "id": "",
        "name": "nexttwavepr.com"
      },
      {
        "id": "",
        "name": "statsguru.in"
      },
      {
        "id": "",
        "name": "iasohealth.com.au"
      },
      {
        "id": "",
        "name": "townsendpharmacy.com"
      },
      {
        "id": "",
        "name": "hiebspressurewashing.com"
      },
      {
        "id": "",
        "name": "demythbio.com"
      },
      {
        "id": "",
        "name": "fsyyouth.com"
      },
      {
        "id": "",
        "name": "effectiveguidesforsuccess.com"
      },
      {
        "id": "",
        "name": "semotalk.com"
      },
      {
        "id": "",
        "name": "momentumphysio.co.il"
      },
      {
        "id": "",
        "name": "hmgprojects.com.au"
      },
      {
        "id": "",
        "name": "piratesammason.com"
      },
      {
        "id": "",
        "name": "qblicense.com"
      },
      {
        "id": "",
        "name": "helpwin.com.br"
      },
      {
        "id": "",
        "name": "mail.precosdemotos.com.br"
      },
      {
        "id": "",
        "name": "odettelafrance.net"
      },
      {
        "id": "",
        "name": "innvantage.skstechsolution.us"
      },
      {
        "id": "",
        "name": "my-art.biz"
      },
      {
        "id": "",
        "name": "taxgod.in"
      },
      {
        "id": "",
        "name": "hijamawala.co.uk"
      },
      {
        "id": "",
        "name": "contabilimperial.com.br"
      },
      {
        "id": "",
        "name": "vendmama.com"
      },
      {
        "id": "",
        "name": "g3-bizltd.com"
      },
      {
        "id": "",
        "name": "eij-management.com"
      },
      {
        "id": "",
        "name": "tgsconstruccion.cl"
      },
      {
        "id": "",
        "name": "store.ecorybd.com"
      },
      {
        "id": "",
        "name": "fb68.homes"
      },
      {
        "id": "",
        "name": "qnayds.in"
      },
      {
        "id": "",
        "name": "bcgausa.org"
      },
      {
        "id": "",
        "name": "gscprotool.com"
      },
      {
        "id": "",
        "name": "monetsmeals.wpvence.com"
      },
      {
        "id": "",
        "name": "dublinhomecarellc.com"
      },
      {
        "id": "",
        "name": "graphidash.com"
      },
      {
        "id": "",
        "name": "gaudiyamission.org"
      },
      {
        "id": "",
        "name": "ajmery.pk"
      },
      {
        "id": "",
        "name": "gosunnysidesolar.com"
      },
      {
        "id": "",
        "name": "explore.preservemyjoints.com"
      },
      {
        "id": "",
        "name": "teknobodega.mx"
      },
      {
        "id": "",
        "name": "an-instrumente.de"
      },
      {
        "id": "",
        "name": "blog.israkey.com"
      },
      {
        "id": "",
        "name": "localmates.demo-techcilo.com"
      },
      {
        "id": "",
        "name": "bellacasashade.com"
      },
      {
        "id": "",
        "name": "bluebar.com.au"
      },
      {
        "id": "",
        "name": "autodrivetrafikkskole.no"
      },
      {
        "id": "",
        "name": "ruouchat.vn"
      }
    ]
  },
  "external_refs": [
    "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism",
    "https://otx.alienvault.com/pulse/6a0d971608b49dfc89267777"
  ]
}