🚨 New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.

👨‍💻 Analysis session: https://app.any.run/browses/50395c46-41f5-4bb3-8205-61262ef4e63d/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice

📍 URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake “Windows Defender Security Center” popup.

🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to panic the user.

Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.

🎣 The phishing page may also display a fake CloudFlare message tricking users into executing a #malicious Run command.
Take a look: https://app.any.run/tasks/e83a5861-6006-4b1d-aba8-8536dcaa8057/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice

#IOCs:

Streamline threat analysis for your SOC with #ANYRUN 🚀

Canada Revenue Agency (CRA) 🇨🇦 themed #ClickFix campaign, using a fake captcha to spread #malware ⬇️

FakeCaptcha:
🖱️ https://urlhaus.abuse.ch/url/3423002/

HTA download URL:
🌐 https://urlhaus.abuse.ch/url/3418524/

Dropped HTA:
📄