Date: 07/03/2026
Severity: High
Summary
We are tracking a 28-day Malware-as-a-Service (MaaS) campaign abusing the Polygon blockchain for resilient C2 configuration. The attack utilizes a ClickFix lure, with over 130 compromised websites detected so far. Injected with a "JokerStat Analytics Tracker" script, compromised sites exfiltrate screenshots and session telemetry every 2 minutes. All 15 C2 domains run a full operator-facing web application under the same "JokerStat" identity. The domains were recently registered in May and June 2026 under low-reputation TLDs (.sbs, .click, .lat). Passive DNS records show over 10,000 queries to these C2 domains, indicating a widespread attack.
Indicators of Compromise (IOC) List
Domains/URLs | boodystat.click cookischase.us destinkol.lol globalfiats.click kolonstat.lol massstat.biz massstat.co massstat.lol milkstatme.autos molterstat.xyz monsterimac.lat morganstat.sbs okliimnwq.co stroinnetsata.biz xverikstat.us https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4 https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163 https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "cookischase.us" or url like "cookischase.us" or siteurl like "cookischase.us" or domainname like "massstat.co" or url like "massstat.co" or siteurl like "massstat.co" or domainname like "massstat.lol" or url like "massstat.lol" or siteurl like "massstat.lol" or domainname like "molterstat.xyz" or url like "molterstat.xyz" or siteurl like "molterstat.xyz" or domainname like "morganstat.sbs" or url like "morganstat.sbs" or siteurl like "morganstat.sbs" or domainname like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or url like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or siteurl like "https://massstat.co/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=28d3c27c-485d-42fe-a3d5-ef51a4c8b163" or domainname like "okliimnwq.co" or url like "okliimnwq.co" or siteurl like "okliimnwq.co" or domainname like "stroinnetsata.biz" or url like "stroinnetsata.biz" or siteurl like "stroinnetsata.biz" or domainname like "milkstatme.autos" or url like "milkstatme.autos" or siteurl like "milkstatme.autos" or domainname like "monsterimac.lat" or url like "monsterimac.lat" or siteurl like "monsterimac.lat" or domainname like "xverikstat.us" or url like "xverikstat.us" or siteurl like "xverikstat.us" or domainname like "boodystat.click" or url like "boodystat.click" or siteurl like "boodystat.click" or domainname like "globalfiats.click" or url like "globalfiats.click" or siteurl like "globalfiats.click" or domainname like "kolonstat.lol" or url like "kolonstat.lol" or siteurl like "kolonstat.lol" or domainname like "https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or url like "https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or siteurl like 
"https://boodystat.click/dl/file/89e178b6-246f-4ce3-9ce5-6117cb4cd716?t=25bcf8ca-b9f9-42fc-ac9a-18dc45df8ab4" or domainname like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or url like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or siteurl like "https://xverikstat.us/dl/file/8140e835-c8d0-466f-aaa4-7b544072129a?t=5f7820a6-8229-4c38-9e27-88c58cc76ec3" or domainname like "destinkol.lol" or url like "destinkol.lol" or siteurl like "destinkol.lol" or domainname like "massstat.biz" or url like "massstat.biz" or siteurl like "massstat.biz" |
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-07-02-ClickFix-campaign-utilizing-MaaS-kit-with-Blockchain-C2.txt
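The matching in Detection Query 1 combined with the 2-minute exfiltration interval from the Summary, as an added example that is not part of the original advisory or of Gurucul's product: it matches on the parsed hostname rather than on a substring, then flags clients that reach a listed domain at a regular cadence. The log record shape, the function names and the tolerance values are assumptions, as is the premise that the exfiltration appears in proxy logs as requests from the visiting client to a listed domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

C2_DOMAINS = {  # copied from the IOC list on this page
    "boodystat.click", "cookischase.us", "destinkol.lol", "globalfiats.click",
    "kolonstat.lol", "massstat.biz", "massstat.co", "massstat.lol",
    "milkstatme.autos", "molterstat.xyz", "monsterimac.lat", "morganstat.sbs",
    "okliimnwq.co", "stroinnetsata.biz", "xverikstat.us",
}

def c2_match(value):
    """Return the listed domain a URL or bare host belongs to, else None."""
    value = value.strip()
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    host = host.rstrip(".").lower()
    for domain in C2_DOMAINS:
        # Exact host or a subdomain of it; never a bare substring.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def periodic_clients(events, period=120, tolerance=15, min_hits=3):
    """Map (client, domain) -> hit count for clients that reach a listed
    domain at roughly `period`-second intervals (one irregular gap allowed)."""
    seen = defaultdict(list)
    for ts, client, url in events:
        domain = c2_match(url)
        if domain:
            seen[(client, domain)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        if len(stamps) >= min_hits and regular >= len(gaps) - 1:
            flagged[key] = len(stamps)
    return flagged

# Constructed proxy records (epoch seconds, client, URL); paths are made up.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "https://cdn.massstat.co/sample"),
    (1121, "10.0.0.5", "https://cdn.massstat.co/sample"),
    (1239, "10.0.0.5", "https://cdn.massstat.co/sample"),
    (1005, "10.0.0.9", "https://massstat.company.example/pricing"),
    (1010, "10.0.0.7", "http://xverikstat.us/"),
]
```

A single hit, such as the one from 10.0.0.7 in the constructed sample, still matches `c2_match` and is worth an alert on its own; `periodic_clients` only separates sustained beaconing from one-off contacts.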