Analyzing a Full ClickFix Attack Chain - Part 1
A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit.
AI Analysis
Technical Summary
This threat involves a multi-stage phishing attack chain that starts with a malicious webpage mimicking Booking.com's interface and presenting a fake CAPTCHA. Victims are socially engineered into executing a PowerShell command that runs a script directly in memory, so the script itself is never written to disk. The script performs system fingerprinting, downloads a ZIP payload from a remote server, and deploys it into user directories. Persistence is achieved through registry modifications and scheduled tasks. The attack code includes fallback mechanisms and sends telemetry data via Telegram, suggesting use of a pre-built attack kit. Indicators include the domains and URLs hosting the payload. There is no CVE or vendor patch information available.
Potential Impact
The attack can lead to unauthorized code execution on victim systems, persistence that survives reboots, and execution of further payloads. The use of fileless techniques and social engineering increases the difficulty of detection and mitigation. However, no known exploits in the wild or specific threat-actor attribution has been reported. The impact is rated medium severity given the attack's complexity and persistence, but there is no evidence of widespread exploitation or critical system compromise.
Mitigation Recommendations
No official patch or vendor advisory is currently available for this threat. Organizations should educate users to recognize phishing attempts, especially fake CAPTCHAs and unsolicited instructions to run PowerShell commands. Blocking the known malicious domains and URLs associated with this campaign (e.g., hailmeinc.com, accountpulsecentre.help, wiosyrondaty.com) at network perimeter controls can reduce exposure. Monitoring for unusual PowerShell activity, new Run-key registry entries, and scheduled task creation may help detect infection attempts. Patch status is not yet confirmed; check vendor advisories for updates.
Indicators of Compromise
- domain: hailmeinc.com
- url: https://hailmeinc.com/bkmsiqop.zip
- domain: accountpulsecentre.help
- url: https://hailmeinc.com/bkmsiqop.zip' (same URL as above with a stray trailing quote carried over from the source pulse)
- url: https://wiosyrondaty.com
- domain: textarea.select (not a real domain: this is the JavaScript method name `textarea.select()` used by the clipboard-hijacking script, mis-extracted as an indicator)
- domain: wiosyrondaty.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.stormshield.com/news/analyzing-full-clickfix-attack-chain-part1/
- Adversary: null
- Pulse Id: 69ea2d5cd8732f2d8910fceb
- Threat Score: null
Threat ID: 69ea31d787115cfb68230e01
Added to database: 4/23/2026, 2:51:03 PM
Last enriched: 4/23/2026, 3:06:03 PM
Last updated: 4/24/2026, 5:42:45 AM