ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery
A multi-stage phishing campaign impersonates job platforms LinkedIn and Indeed using typosquatted domains and fake CAPTCHA pages distributed via Google Ads. The attack chain leverages legacy protocols and native Windows utilities to trick victims into executing commands that deploy portable Python runtimes, which then run in-memory shellcode. This delivers CastleLoader malware, a Malware-as-a-Service framework with encrypted command and control communications, followed by a Python-based remote access trojan (RAT) that provides interactive shell control and persistence. The campaign uses living-off-the-land binaries and fileless execution techniques to evade detection.
AI Analysis
Technical Summary
This is a phishing campaign that uses typosquatted domains mimicking LinkedIn and Indeed to lure victims to fake CAPTCHA pages. The attackers abuse the legacy Finger protocol and native Windows utilities to execute commands that deploy portable Python runtimes (CPython or IronPython). These runtimes execute shellcode in memory, delivering CastleLoader malware, which uses ChaCha20 and RC4 encryption for its command and control communications. A Python-based RAT is then deployed, offering interactive shell access, in-memory payload execution, and persistence mechanisms. The campaign relies on living-off-the-land binaries and fileless techniques to keep its detection footprint low.
Potential Impact
The campaign enables attackers to gain remote access and control over compromised systems through a Python-based RAT, facilitating in-memory payload execution and persistence. The use of encrypted communications and fileless techniques complicates detection and mitigation efforts. This can lead to unauthorized system control, data theft, or further malicious activities on affected machines.
Mitigation Recommendations
No official patch or vendor advisory is available for this campaign. Mitigation should focus on user awareness to recognize phishing attempts, especially those involving typosquatted domains and fake CAPTCHA pages. Blocking known malicious domains and monitoring for unusual use of legacy protocols such as Finger, of living-off-the-land binaries, and of portable Python runtimes appearing on endpoints may help reduce risk. Since this is a social engineering and malware delivery campaign, endpoint detection solutions that can identify anomalous in-memory execution and RAT behaviors are recommended.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/clickfix-is-now-hiring-from-job-platform-impersonation-to-python-based-rat-delivery
- Adversary: null
- Pulse Id: 6a2201a331661aba15d362d1
- Threat Score: null
Threat ID: 6a226a3de29bf47b5039b601
Added to database: 6/5/2026, 6:18:37 AM
Last enriched: 6/5/2026, 6:33:28 AM
Last updated: 6/5/2026, 1:40:48 PM