Trusted Design

User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

概要

A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.

Created: 2026-04-29

Indicators

• FileHash-SHA1 - 7450731c0baf5befb79966a6be7873a5b1a62a7a -
• FileHash-SHA1 - 10dfd71cf61ea3c1621a5b0c08c3b034773fb84b -
• FileHash-SHA256 - 818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c -
• FileHash-MD5 - fa1f2ac9172702ad10c24f0a637c26cd -
• URL - http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi -
• FileHash-SHA256 - c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728 -
• FileHash-SHA256 - f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc -
• URL - http://robinhuds.com:9658/ -
• domain - robinhuds.com -
• IPv4 - 85.11.161.198 -
• FileHash-MD5 - b07a03883675654088a2b56a80933ca8 -
• FileHash-SHA1 - b374d1715148bc80394b844d9f008adfa5585d65 -
• FileHash-MD5 - b6a201726b44106a7dbe93a480b38420 -

類似Pulses

類似するPulseは見つかりませんでした。

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る