Date: 06/18/2026
Severity: High
Summary
In March 2026, ThreatLabz detected multiple malicious typosquatting domains built using AI website generators. Cybercriminals are using these tools to rapidly scale convincing lures, ranging from simple credential harvesting to ClickFix campaigns delivering Remote Access Trojans (RATs). This post analyzes a specific ClickFix campaign that mimics a Brazilian bank to deploy a newly discovered, PowerShell-based malware dubbed SmartRAT. This threat features encrypted C2 communications, remote system control, credential theft via keylogging and banking overlays, and persistence through Windows services and scheduled tasks.
Indicators of Compromise (IOC) List
Domains/URLs:
crefisa.online
vfsgloball.net
cartaobb.com
windowsupdate-cdn.com
IP Addresses:
64.95.13.238
162.141.111.227
MD5 Hashes:
297eb45f028d44d750297d2f932b9c91
6bf4d4c62b5138ace281ce3d08297787
3c72e1f37f115b00c3ad6ed31bacfe8a
b17ccdb5531555e43f082d6e77c07227
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL IOCs):
domainname like "windowsupdate-cdn.com" or url like "windowsupdate-cdn.com" or siteurl like "windowsupdate-cdn.com" or domainname like "crefisa.online" or url like "crefisa.online" or siteurl like "crefisa.online" or domainname like "vfsgloball.net" or url like "vfsgloball.net" or siteurl like "vfsgloball.net" or domainname like "cartaobb.com" or url like "cartaobb.com" or siteurl like "cartaobb.com"
Detection Query 2 (IP IOCs, as source or destination):
dstipaddress IN ("162.141.111.227","64.95.13.238") or srcipaddress IN ("162.141.111.227","64.95.13.238")
Detection Query 3 (file hash IOCs):
md5hash IN ("3c72e1f37f115b00c3ad6ed31bacfe8a","297eb45f028d44d750297d2f932b9c91","6bf4d4c62b5138ace281ce3d08297787","b17ccdb5531555e43f082d6e77c07227")
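The three queries above are Gurucul TDIR syntax. For teams without that platform, or who want to test the IOC logic against exported logs before loading it, the following Python script is an added example (not part of the advisory and not Gurucul or Zscaler code) that applies the same IOC set to a list of event records. It assumes a simple dict-per-event layout with the same field names the queries use (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash); the sample events at the bottom are constructed for illustration. It goes slightly beyond the queries in one respect: URL and domain fields are reduced to a hostname and matched as an exact domain or a subdomain, so a path like /crefisa.online on an unrelated host does not fire, and hash values are case-normalised before comparison.

```python
from urllib.parse import urlsplit

# IOC values copied from the advisory above.
IOC_DOMAINS = {"crefisa.online", "vfsgloball.net", "cartaobb.com", "windowsupdate-cdn.com"}
IOC_IPS = {"64.95.13.238", "162.141.111.227"}
IOC_MD5 = {
    "297eb45f028d44d750297d2f932b9c91",
    "6bf4d4c62b5138ace281ce3d08297787",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "b17ccdb5531555e43f082d6e77c07227",
}

# Field names assumed to mirror the TDIR queries; adjust to your log schema.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def host_from(value: str) -> str:
    """Reduce a bare domain or a full URL to a lower-cased hostname (trailing dot removed)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit parse it as a network location
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def domain_matches(host: str):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_event(event: dict) -> list:
    """Return (field, ioc_type, ioc_value) tuples for every IOC hit in one event."""
    hits = []
    for field in DOMAIN_FIELDS:
        value = event.get(field)
        if value:
            matched = domain_matches(host_from(value))
            if matched:
                hits.append((field, "domain", matched))
    for field in IP_FIELDS:
        value = event.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append((field, "ip", value.strip()))
    value = event.get("md5hash")
    if value and value.strip().lower() in IOC_MD5:
        hits.append(("md5hash", "md5", value.strip().lower()))
    return hits


def scan_events(events: list) -> list:
    """Return [(event_index, hits)] for events that matched at least one IOC."""
    results = []
    for index, event in enumerate(events):
        hits = scan_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample events (not real telemetry); RFC 5737 addresses for the benign ones.
SAMPLE_EVENTS = [
    {"url": "https://login.cartaobb.com/acesso", "dstipaddress": "203.0.113.10"},
    {"domainname": "WindowsUpdate-CDN.com.", "dstipaddress": "64.95.13.238"},
    {"md5hash": "3C72E1F37F115B00C3AD6ED31BACFE8A"},
    {"url": "https://www.example.com/crefisa.online", "srcipaddress": "198.51.100.7"},
    {"domainname": "notcartaobb.com"},
]

if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

Note the difference from Query 1: a `like` clause is a substring test, so it would also flag a hostname such as notcartaobb.com, which the suffix check above deliberately does not; choose the broader behaviour if you would rather triage a few extra hits than miss a lookalike registered alongside these domains.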
Reference:
https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat