Anatomy of the 'Fake CAPTCHA → ClickFix' Lure
A 90-second walkthrough of one of the most effective social-engineering chains of the year, with the full MITM transcript from a live detection.
ClickFix is a technique in which a fake CAPTCHA page tricks the user into pasting a command the page has placed on the clipboard into the Windows 'Run' dialog. That clipboard command is typically a PowerShell one-liner that downloads a second-stage loader.
The infrastructure impresses with its simplicity: a compromised WordPress plugin injects a single conditional script that replaces the page with the lure whenever the visitor matches the target profile (Windows + non-corporate IP + first visit).
Our pipeline catches this at the redirect-chain stage. The injected JS makes a same-origin fetch to /wp-content/plugins/<name>/api.php, which returns the lure HTML. Because the fetch only happens when the conditional script actually executes, it is invisible to passive scanners, but it is undeniable when the page is replayed in a real browser.
The good news: every confirmed detection over the past quarter shared the same three-character header in the api.php response. We now flag that header at the network level for early warning.
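As an added illustration of the redirect-chain check above (example code, not the pipeline's own): a small Python scanner over constructed proxy log lines that flags a same-origin fetch to a plugin api.php endpoint answered with an HTML body rather than the JSON such an endpoint would normally return. The log format, hostnames and plugin directory name are assumptions; the three-character header is not known from the page, so it is not encoded here.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed log format (an assumption, not the pipeline's real format):
# "<client_ip> <method> <url> <referer|-> <status> <content_type>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# Path shape from the article; the plugin name is unknown, so any one segment matches.
API_PATH_RE = re.compile(r"^/wp-content/plugins/[^/]+/api\.php$")

@dataclass
class Hit:
    client_ip: str
    url: str
    reason: str

def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, url, referer, status, ctype = m.groups()
    # Drop parameters such as ";charset=utf-8" before comparing the media type.
    return {"ip": ip, "method": method, "url": url, "referer": referer,
            "status": int(status), "ctype": ctype.split(";")[0].lower()}

def classify(entry: dict) -> Optional[Hit]:
    """Flag a same-origin fetch of a plugin api.php that answers with HTML."""
    u = urlparse(entry["url"])
    if not API_PATH_RE.match(u.path) or entry["referer"] == "-":
        return None  # wrong path, or no referer to establish same-origin
    ref = urlparse(entry["referer"])
    same_origin = (ref.scheme, ref.netloc) == (u.scheme, u.netloc)
    if same_origin and entry["status"] == 200 and entry["ctype"] == "text/html":
        return Hit(entry["ip"], entry["url"], "same-origin plugin api.php returned HTML")
    return None

def scan(lines) -> list:
    entries = (parse_line(l) for l in lines)
    return [h for h in (classify(e) for e in entries if e) if h]

SAMPLE_LOG = [  # constructed sample traffic; only the first line should be flagged
    "198.51.100.7 GET https://blog.example.com/wp-content/plugins/acme-gallery/api.php https://blog.example.com/2024/post 200 text/html;charset=utf-8",
    "198.51.100.7 GET https://blog.example.com/wp-content/plugins/acme-gallery/api.php https://blog.example.com/2024/post 200 application/json",
    "203.0.113.9 GET https://blog.example.com/wp-content/plugins/acme-gallery/api.php https://other.example.org/ 200 text/html",
    "203.0.113.9 GET https://blog.example.com/wp-content/plugins/acme-gallery/js/app.js https://blog.example.com/ 200 application/javascript",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client_ip} {hit.url} -> {hit.reason}")
```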