/tags/etherhiding/Recent content in EtherHiding onHugoen-usSun, 17 May 2026 00:00:00 +0000/posts/etherhidingattackchain/Sun, 17 May 2026 00:00:00 +0000/posts/etherhidingattackchain/<ul> <li>Reading time : &ldquo;13 min&rdquo;</li> </ul> <h1 id="clickfix-phishing-campaign-with-etherhiding">ClickFix Phishing Campaign with EtherHiding</h1> <h2 id="executive-summary">Executive Summary</h2> <p>This report documents an active, sophisticated multi-stage attack campaign observed across hundreds of compromised WordPress websites. The campaign fuses two advanced techniques: <strong>ClickFix</strong> social engineering — which tricks users into manually executing malicious commands — and <strong>EtherHiding</strong>, a persistence mechanism that stores malware payloads directly on the Binance Smart Chain (BSC), making takedown nearly impossible.</p> <p>Researchers identified over <strong>400 sandbox analyses on ANY.RUN</strong> linked to this campaign&rsquo;s infrastructure, with C2 domains <code>dntds.shop</code> and <code>sdntds.shop</code> observed in active use as recently as <strong>June 13, 2026</strong>. The final payload is a PowerShell-based shellcode loader that downloads and executes a binary from a bulletproof-hosted IP (<code>158[.]94[.]208[.]92</code> / <code>158[.]94[.]208[.]104</code>), consistent with infostealer or RAT deployment.</p>