This report documents an active, sophisticated multi-stage attack campaign observed across hundreds of compromised WordPress websites. The campaign fuses two advanced techniques: ClickFix social engineering — which tricks users into manually executing malicious commands — and EtherHiding, a persistence mechanism that stores malware payloads directly on the Binance Smart Chain (BSC), making takedown nearly impossible.
Researchers identified over 400 sandbox analyses on ANY.RUN linked to this campaign’s infrastructure, with C2 domains dntds.shop and sdntds.shop observed in active use as recently as June 13, 2026. The final payload is a PowerShell-based shellcode loader that downloads and executes a binary from a bulletproof-hosted IP (158[.]94[.]208[.]92 / 158[.]94[.]208[.]104), consistent with infostealer or RAT deployment.
ClickFix Phishing Campaign Delivering NetSupport RAT
A multi-stage attack chain leveraging fake property review portals, ClickFix social engineering, and a custom MSI dropper to establish persistent remote access via NetSupport Manager.
Executive Summary
A threat actor is operating a sophisticated phishing campaign impersonating Booking.com, directing victims to fraudulent property review portals. A ClickFix lure tricks users into executing a malicious msiexec command that downloads and installs a custom MSI dropper from attacker-controlled IP addresses. The dropper deploys a VBScript installer that extracts password-protected archives, establishes persistence via the Windows Startup folder, and launches a silently configured NetSupport Manager client, granting the attacker full remote access to compromised machines. All staging files are deleted upon completion to impede forensic investigation. Two C2 domains masquerade as CDN infrastructure to blend into normal network traffic.
Scope. A company web server was compromised through the website it hosted. The team captured a forensic disk image and a live memory dump in time for offline analysis. Artifacts for this walkthrough: archive.org: dfir-case1.
Web layer. Apache access and error logs show repeated OWASP-style abuse: SQL injection (including attempted INTO OUTFILE / upload-style payloads), reflected XSS, local file inclusion / path traversal, and an IDS log-clear request consistent with covering tracks on the app.
In the heart of Golang Country stands GETI City - a metropolis where technology and ambition touch the sky…
Scene 1: The City
The winter wind howls through GETI City’s glass-and-steel canyons, carrying whispers of digital secrets between towering skyscrapers. Neon signs pierce the darkness, their glow reflecting off the frost-covered windows of Brukley Company’s cybersecurity headquarters.