
Meet IClickFix: a widespread framework using the ClickFix tactic

Severity: Medium
Published: Fri Jan 30 2026 (01/30/2026, 08:20:09 UTC)
Source: AlienVault OTX General

Description

IClickFix is a malicious framework targeting WordPress sites globally by injecting malicious JavaScript that uses a fake CAPTCHA challenge to trick users into executing code that installs NetSupport RAT, granting attackers full control. Active since December 2024, it has infected over 3,800 sites and evolved from distributing Emmenhtal Loader and XFiles Stealer to primarily delivering NetSupport RAT. The attack leverages social engineering (ClickFix tactic) and watering hole techniques to compromise users without requiring authentication. The campaign is opportunistic and widespread rather than targeted, posing a medium severity threat due to its impact on confidentiality and integrity, ease of exploitation via compromised websites, and broad scope. European organizations with WordPress-based web presences are at risk, especially in countries with high WordPress adoption and significant online services. Mitigation requires proactive website security hardening, monitoring for injected scripts, user education on CAPTCHA anomalies, and network detection of RAT communications.

AI-Powered Analysis

Last updated: 01/30/2026, 08:57:21 UTC

Technical Analysis

IClickFix is a malicious framework that compromises WordPress websites by injecting malicious JavaScript code which presents visitors with a fake CAPTCHA challenge. This social engineering tactic, known as ClickFix, deceives users into executing malicious code that ultimately installs the NetSupport Remote Access Trojan (RAT) on their systems. The RAT provides attackers with full remote control, enabling data theft, system manipulation, and persistence. Initially, the framework distributed other malware such as Emmenhtal Loader and XFiles Stealer, but it has since evolved to focus on NetSupport RAT. The campaign has been active since December 2024 and has infected over 3,800 WordPress sites worldwide. The infection chain involves watering hole attacks where legitimate websites are compromised to target visitors, leveraging JavaScript injection and social engineering to bypass traditional defenses. The framework also employs traffic distribution systems to refine its lures and maximize infection rates. Exploitation does not require user authentication but depends on user interaction with the fake CAPTCHA prompt. The campaign appears opportunistic, targeting any vulnerable WordPress site rather than specific high-value targets. The lack of known exploits in the wild suggests infections occur through compromised sites rather than direct exploitation of WordPress vulnerabilities. The threat leverages multiple MITRE ATT&CK techniques including initial access via watering hole (T1189), user execution (T1204.002), persistence (T1547.001), and command and control (T1071.001).

Potential Impact

For European organizations, the IClickFix framework poses a significant risk to the confidentiality and integrity of systems and data. Compromised WordPress sites can serve as infection vectors to internal users and customers, potentially leading to widespread NetSupport RAT infections. This can result in unauthorized access, data exfiltration, disruption of services, and long-term persistence within networks. Organizations relying heavily on WordPress for public-facing websites, e-commerce, or customer portals are particularly vulnerable. The social engineering aspect increases the likelihood of successful infections, as users may be deceived by the fake CAPTCHA challenge. Additionally, infected websites can damage organizational reputation and lead to regulatory compliance issues under GDPR if personal data is compromised. The opportunistic nature means any organization with insufficiently secured WordPress sites is at risk, making widespread impact possible across multiple sectors including government, finance, healthcare, and education in Europe.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to this threat. First, conduct thorough security audits of all WordPress sites to detect and remove injected malicious JavaScript, using automated scanning tools specialized in identifying unauthorized script injections. Harden WordPress installations by applying the latest security patches, disabling unnecessary plugins and themes, and enforcing strict access controls. Employ Web Application Firewalls (WAFs) configured to detect and block suspicious JavaScript behavior and known attack patterns related to CAPTCHA spoofing. Educate users and administrators to recognize fake CAPTCHA challenges and avoid interacting with suspicious prompts. Monitor network traffic for unusual outbound connections indicative of NetSupport RAT command and control activity, and employ endpoint detection and response (EDR) solutions to identify RAT behaviors. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on websites. Regularly back up website data and maintain incident response plans to quickly remediate infections. Finally, collaborate with hosting providers and security communities to share threat intelligence and coordinate takedown of compromised sites.
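A minimal check for the "monitoring for injected scripts" step above, as an added example (not code from the page, from AlienVault or from the Sekoia report): it parses a page's HTML, flags external script sources whose host is outside a per-site allowlist, and flags inline-script or visible text that reads like a fake human-verification prompt. The allowlist, lure phrases and sample HTML are constructed for the illustration.

```python
# Added example (not from the page or the Sekoia report): flag injected external
# scripts and fake-CAPTCHA lure text in a page's HTML. Allowlist, lure phrases and
# SAMPLE_HTML are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example-site.test", "cdnjs.cloudflare.com"}  # constructed
LURE_PATTERNS = re.compile(r"verify (?:that )?you are human|i(?:'m| am) not a robot", re.I)

class ScriptCollector(HTMLParser):
    """Collect external <script src> values, inline script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self.text = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.inline if self._in_script else self.text).append(data)

def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings; relative script paths count as the site's own."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("unexpected_script_host", src))
    for chunk in parser.inline + parser.text:
        if LURE_PATTERNS.search(chunk):
            findings.append(("captcha_lure_text", " ".join(chunk.split())[:80]))
    return findings

# Constructed sample: a CDN script, a local script, one injected script, one overlay.
SAMPLE_HTML = """<html><body>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script src="https://injected-host.invalid/loader.js"></script>
<div id="overlay">Verify you are human to continue</div>
</body></html>"""
```

Run `scan_html` over the fetched HTML of each site page (or over theme and plugin files that emit script tags) and review any `unexpected_script_host` finding against the site's known dependencies.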


Technical Details

Author: AlienVault
TLP: white
References: https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/
Adversary: none listed
Pulse Id: 697c69b9af67a1f288275176
Threat Score: none listed

Indicators of Compromise

IP

85.208.84.35
141.98.11.175
83.222.190.174

Domain


Hash


Url


Threat ID: 697c6f1cac063202223d4635

Added to database: 1/30/2026, 8:43:08 AM

Last enriched: 1/30/2026, 8:57:21 AM

Last updated: 1/31/2026, 6:02:48 AM