Date: 07/15/2026
Severity: High
Summary
Researchers identified an infostealer infection led to the theft of WordPress credentials, enabling attackers to launch a sophisticated ClickFix campaign. The attack leveraged EtherHiding, PowerShell, DLL sideloading, and in-memory execution to deploy a multi-stage RAT. To evade detection and maintain resilience, the malware used Tor-based C2 fallback and anti-analysis techniques. Once deployed, it provided capabilities including credential theft, keylogging, remote desktop access, file management.
Indicators of Compromise (IOC) List
Domain/Urls | auth-code-check.info aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwltbcysuybirygxzvp23ad.onion t77e4phezpwqebpbhdagr26ewkfaxytscimhxofws4wcisjo4wundead.onion vsjyfpt7vcd6atniefmz36ikxrqk5eyv573a2af4e2ntb437wdch63yd.onion fejdqikkdwheckrutucbbyeovpdnef4bopz2fx636i67p3qpffpfxxad.onion |
IP Address | 45.151.74.119 109.172.95.184 151.236.4.135 62.60.156.11 |
Hash | 3a9b8eccad62d84fc59f86dae41e8c74ae6ae544f079b099b12b37de1abd7a60
26817725650583d99ca3e617a618dd75c0f71bd316b5761780b7361f5f824cad
d518964aa67c359d0a806909451130591e337276bea33b6d41ef79126904ca3a
2f592365de553d8bb023a9e11439c2e18dcbe84d22b0cd6025b043d7d9029ac7
a7c94343b51643b7477ba2c7630b168ce3cb1f03126a85c39363e70742e3afb5
6bc18b6c6050bdd554c4a945838b8b3a35b5c5813b950cf5f2e822b2396718cf
75d4b6cec5bdc40cda25b5b9be136ccca97d77843825796beace7ddbfe87b614
8035b177ca682962fd6501228ebd460ef174183ac08a87d81514bba3ecfd9502
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwltbcysuybirygxzvp23ad.onion" or url like "aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwltbcysuybirygxzvp23ad.onion" or siteurl like "aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwltbcysuybirygxzvp23ad.onion" or domainname like "vsjyfpt7vcd6atniefmz36ikxrqk5eyv573a2af4e2ntb437wdch63yd.onion" or url like "vsjyfpt7vcd6atniefmz36ikxrqk5eyv573a2af4e2ntb437wdch63yd.onion" or siteurl like "vsjyfpt7vcd6atniefmz36ikxrqk5eyv573a2af4e2ntb437wdch63yd.onion" or domainname like "fejdqikkdwheckrutucbbyeovpdnef4bopz2fx636i67p3qpffpfxxad.onion" or url like "fejdqikkdwheckrutucbbyeovpdnef4bopz2fx636i67p3qpffpfxxad.onion" or siteurl like "fejdqikkdwheckrutucbbyeovpdnef4bopz2fx636i67p3qpffpfxxad.onion" or domainname like "t77e4phezpwqebpbhdagr26ewkfaxytscimhxofws4wcisjo4wundead.onion" or url like "t77e4phezpwqebpbhdagr26ewkfaxytscimhxofws4wcisjo4wundead.onion" or siteurl like "t77e4phezpwqebpbhdagr26ewkfaxytscimhxofws4wcisjo4wundead.onion" or domainname like "auth-code-check.info" or url like "auth-code-check.info" or siteurl like "auth-code-check.info" |
Detection Query 2 : | dstipaddress IN ("45.151.74.119","151.236.4.135","109.172.95.184","62.60.156.11") or srcipaddress IN ("45.151.74.119","151.236.4.135","109.172.95.184","62.60.156.11") |
Detection Query 3 : | sha256hash IN ("6bc18b6c6050bdd554c4a945838b8b3a35b5c5813b950cf5f2e822b2396718cf","75d4b6cec5bdc40cda25b5b9be136ccca97d77843825796beace7ddbfe87b614","2f592365de553d8bb023a9e11439c2e18dcbe84d22b0cd6025b043d7d9029ac7","3a9b8eccad62d84fc59f86dae41e8c74ae6ae544f079b099b12b37de1abd7a60","a7c94343b51643b7477ba2c7630b168ce3cb1f03126a85c39363e70742e3afb5","d518964aa67c359d0a806909451130591e337276bea33b6d41ef79126904ca3a","8035b177ca682962fd6501228ebd460ef174183ac08a87d81514bba3ecfd9502","26817725650583d99ca3e617a618dd75c0f71bd316b5761780b7361f5f824cad")
|
Reference:
https://www.infostealers.com/article/how-an-infostealer-infection-led-to-a-sophisticated-clickfix-campaign-at-artlist/