ClickFix Campaign Utilizing MaaS Kit With Blockchain C2

    Date: 07/03/2026

    Severity: High

    Summary

    We are tracking a 28-day Malware-as-a-Service (MaaS) campaign abusing the Polygon blockchain for resilient C2 configuration. The attack utilizes a ClickFix lure, with over 130 compromised websites detected so far. Injected with a "JokerStat Analytics Tracker" script, compromised sites exfiltrate screenshots and session telemetry every 2 minutes. All 15 C2 domains run a full operator-facing web application under the same "JokerStat" identity. The domains were recently registered in May and June 2026 under low-reputation TLDs (.sbs, .click, .lat). Passive DNS records show over 10,000 queries to these C2 domains, indicating a widespread attack. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    boodystat.click

    cookischase.us

    destinkol.lol

    globalfiats.click

    kolonstat.lol

    massstat.biz

    massstat.co

    massstat.lol

    milkstatme.autos

    molterstat.xyz

    monsterimac.lat

    morganstat.sbs

    okliimnwq.co

    stroinnetsata.biz

    xverikstat.us

    https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4

    https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163

    https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "cookischase.us" or url like "cookischase.us" or siteurl like "cookischase.us" or domainname like "massstat.co" or url like "massstat.co" or siteurl like "massstat.co" or domainname like "massstat.lol" or url like "massstat.lol" or siteurl like "massstat.lol" or domainname like "molterstat.xyz" or url like "molterstat.xyz" or siteurl like "molterstat.xyz" or domainname like "morganstat.sbs" or url like "morganstat.sbs" or siteurl like "morganstat.sbs" or domainname like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or url like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or siteurl like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or domainname like "okliimnwq.co" or url like "okliimnwq.co" or siteurl like "okliimnwq.co" or domainname like "stroinnetsata.biz" or url like "stroinnetsata.biz" or siteurl like "stroinnetsata.biz" or domainname like "milkstatme.autos" or url like "milkstatme.autos" or siteurl like "milkstatme.autos" or domainname like "monsterimac.lat" or url like "monsterimac.lat" or siteurl like "monsterimac.lat" or domainname like "xverikstat.us" or url like "xverikstat.us" or siteurl like "xverikstat.us" or domainname like "boodystat.click" or url like "boodystat.click" or siteurl like "boodystat.click" or domainname like "globalfiats.click" or url like "globalfiats.click" or siteurl like "globalfiats.click" or domainname like "kolonstat.lol" or url like "kolonstat.lol" or siteurl like "kolonstat.lol" or domainname like "https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or url like "https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or siteurl like "https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or domainname like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or url like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or siteurl like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or domainname like "destinkol.lol" or url like "destinkol.lol" or siteurl like "destinkol.lol" or domainname like "massstat.biz" or url like "massstat.biz" or siteurl like "massstat.biz"

    Reference:    

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-07-02-ClickFix-campaign-utilizing-MaaS-kit-with-Blockchain-C2.txt             


    Tags

    MalwareClickFixMaaSBlockchainExfiltration

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags