A Technique-Based Approach to Hunting Web-Delivered Malware
This report details a technique-based method for hunting web-delivered malware by analyzing HTTP bodies using Censys. It demonstrates the approach through a live discovery of a ClickFix campaign that delivers XWorm V5.6 malware via a five-stage attack chain. The report includes indicators such as hashes, URLs, and domains associated with the campaign. There is no known exploit in the wild beyond this discovery, and no affected software versions or patches are specified. The threat is assessed as medium severity based on the campaign's complexity and delivery method.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The threat involves a ClickFix malware campaign delivering XWorm V5.6 through a multi-stage attack chain observed via HTTP body hunting techniques using Censys. The approach focuses on identifying web-delivered malware by analyzing HTTP traffic content rather than relying solely on traditional indicators. The campaign's indicators include multiple file hashes, URLs, and domains linked to the malware distribution. No specific vulnerable software versions or CVEs are associated with this threat, and no vendor patches or fixes are indicated.
Potential Impact
The impact involves potential infection by XWorm V5.6 malware through web-delivered payloads in a multi-stage attack. The malware could compromise affected systems if the attack chain is successful. However, there is no evidence of widespread exploitation or known active threats beyond the documented campaign. The medium severity reflects the potential risk of infection but limited current exploitation.
Mitigation Recommendations
No official patches or vendor advisories are available for this threat. Mitigation should focus on detecting and blocking the identified indicators of compromise such as the listed hashes, URLs, and domains. Network and endpoint defenses can be tuned to monitor HTTP traffic for suspicious payloads consistent with the described attack chain. Since this is a detection and hunting technique report, applying threat intelligence feeds containing these indicators is recommended. Patch status is not yet confirmed — check vendor advisories for any updates.
Indicators of Compromise
- hash: 46912c7ccc19ec28668f1e2771c37eed
- hash: 6c36798e0205584677dabd2579954130d8f87774
- hash: 020668f00325631bec2b9c6dd8596d7744e118f68424fdbb28eb2a318f3a7adf
- hash: 656991f4dabe0e5d989be730dac86a2cf294b6b538b08d7db7a0a72f0c6c484b
- hash: 7e13561d794f7065e9cb3afc319acc7ac9861b4cf653082c1a11d5cc25a5d1f1
- hash: adc2f550e7ff2b707a070ffaa50fc367af6a01c037f1f5b347c444cca3c9a650
- hash: b67d8db2f53547b4a5b070b736cd93cbdf3ece21109972d54f193e8ede0b584b
- hash: c52314cea0d81acd337cec2f968e55d20c52aca4504d7c452842cd1dcfb9fdf1
- url: https://4a-m.al/ConvertedFile.txt
- url: https://orcanmedikal.com.tr/tool.hta
- domain: 4a-m.al
- domain: orcanmedikal.com.tr
Technical Details
- Author: AlienVault
- TLP: white
- References: https://censys.com/blog/technique-based-approach-hunting-web-delivered-malware/
- Adversary: null
- Pulse Id: 69cf8d0d1edba26a610bb8bd
- Threat Score: null
Threat ID: 69cff22d0a160ebd924486f1
Added to database: 4/3/2026, 5:00:29 PM
Last enriched: 4/3/2026, 5:15:50 PM
Last updated: 4/4/2026, 5:19:56 AM