How I Get Access ClickFix Dashboard Due to Bad SecOps

How I Get Access ClickFix Dashboard Due to Bad SecOps

Introduction

That afternoon, one of my monitoring teammates casually mentioned a new alert: “Why is this user opening a Polygon crypto website?” That immediately caught my attention and I suspected the user had accessed a website infected with ClickFix.

The suspicion became stronger because the user was not from the IT team and had no known involvement with cryptocurrency or Web3-related activities. In addition, a few days earlier we had investigated another incident where a user accidentally visited a ClickFix-infected website, which led to several IoCs, including connections to Web3 Polygon infrastructure used by the threat actor to host malware payloads.

Read also: Infostealer Spreading Through Fake Google reCAPTCHA

After investigating the alert, we discovered a website called FlameAsia displaying a ClickFix-related error page. From there, we began collecting additional Indicators of Compromise (IoCs) and identified a suspicious link associated with the campaign.

Out of curiosity, I decided to decode the ClickFix script being used and managed to uncover the URL leveraged by the threat actor to distribute the malware: https://mnepohui[.]sbs/.

Infected Web
Infected Web

While accessing the link, I performed a simple scan using ffuf to identify any exposed or interesting endpoints. The scan revealed a login panel at the /login endpoint, along with a publicly accessible PHP backup file located at api/index.php.bak.

Bak file Download
Bak file Download

After obtaining part of the source code from the backup file, I started reviewing several interesting sections. Since the file was part of the API, it contained multiple features and functionalities. One of the most notable findings was a file upload feature that lacked proper file type validation, allowing PHP files to be uploaded directly.

Source code for upload
Source code for upload

The upload feature did require an API key, but the key was not securely stored in a configuration file or environment variable. Instead, it was hardcoded directly within the same source file, making it easily retrievable from the exposed code. With access to the API key, uploading a web shell was successfully achieved.

Curl Upload
Curl Upload

By leveraging the API key found in the source code, I used curl to upload a Weevly backdoor through the vulnerable upload feature. The upload was successful and provided direct access to the server, effectively giving me administrative-level control over the ClickFix infrastructure.

Read also: Hacking Phishing-as-a-Service

Weevly Backdoor Success
Weevely Backdoor Success

Out of curiosity, I attempted to download the entire source code of the website. However, the archiving process frequently failed due to timeouts, causing ZIP generation to be unstable. To work around this issue, I wrote a small script to make the archiving process more reliable. Once the ZIP file was successfully generated, I proceeded to download the archive.

Tree Files
Tree Files

Below are several screenshots of the analytics dashboard used by the threat actors. The dashboard displays various metrics, including total downloads, source domains, successful infection flows and other analytical data related to the campaign’s activity and distribution performance.

Download Dashboard
Infected Dashboard
Analytics Dashboard

Shortly after, it appears the threat actors realized that someone else had gained access to their system. In response, they removed the backdoor I had deployed, deleted the backup (.bak) file and rotated their API key, effectively disabling the upload functionality and revoking access.

Second Wave

A few days after I wrote the draft of this post, on Friday 15 May 2026, the alert “user access crypto polygon” appeared again. After verification, we confirmed that it was still part of the same ongoing ClickFix campaign.

What is interesting is that the threat actor did not significantly change their server or operational patterns. Instead, they only switched domains to continue their activity after the previous one was flagged and widely reported, in an attempt to evade detection. They then moved the campaign to a new domain named babybon[.]cfd.

From the indicators collected, the communication patterns, server responses, and certain configuration details remained identical to the previous infrastructure. This suggests that although their access or operations were briefly disrupted, the threat actors continued the campaign using largely the same methods.

Still curious, I revisited the previously obtained source code and noticed something I had missed before: a Telegram bot API key along with its associated chat ID embedded in the code.

Soruce Code Bot
Bot Telegram API KEY

Based on the extracted data, it appears that the threat actors were using Russian as their primary language of communication.

Telegram Chat
Telegram Chat Translated

In this ClickFix method, the attackers do more than just steal credentials. They also abuse any access they obtain. When valid WordPress credentials are found, they quietly create a new administrator account and inject the ClickFix script into the target website. The admin usernames typically follow a pattern such as adminbackup followed by random numbers, and they also use the email [email protected].

Infected Hosts Admin List
Infected Host Administrator List

Baca juga: WordPress Security Plugin Guide: 7 Best Picks for Better WordPress Security

Previously, I was able to identify the server’s IP address through an access point that has since been removed. I then investigated the ASN associated with that server, along with other IP addresses within the same network range. The results suggested that many IPs in that ASN are linked to suspicious activities, including malware hosting, C2 panels, phishing pages, payload distribution, and credential stealer infrastructure.

Indicator Of Compromised

Below are several indicators identified during the investigation. The list includes domains used in the campaign as well as sample payload hashes retrieved from the related server infrastructure.

Domain

abrmot[.]pro
amalgama[.]lat
anakondabob[.]club
arigatodomen[.]sbs
babybon[.]cfd
bearman[.]bond
betalegenda[.]cfd
bigblower[.]click
biletors[.]cfd
birdybird[.]rest
bobik[.]cfd
bulletpop[.]cyou
burunduktracker[.]xyz
cal[.]magicalegyptwomen[.]com
chinabowl[.]club
chinarice[.]asia
chubrik[.]sbs
comicstar[.]lat
corppop[.]shop
cosmostars[.]shop
fesold[.]com
ganiballektor[.]cfd
gasshopper[.]sale
gdedengikarlos[.]cfd
hardenedom[.]shop
holopebamiy[.]bond
kaleda[.]pro
kaloed[.]pro
krolikrojer[.]lat
lenders[.]digital
lizablud[.]shop
mamkor[.]pro
mampodik[.]asia
marinaradom[.]cfd
mavpaprokla[.]lat
mebanebols[.]trade
megamegalodon[.]click
mekasa[.]pro
merindashop[.]cyou
misterslivker[.]asia
mistertwister[.]sale
mob[.]lanjut[.]in
moll[.]lanjut[.]in
momasites[.]lol
mylovedomen[.]asia
netblokirovka[.]asia
nihaoclub[.]asia
nowfoods[.]my
peachbro[.]bond
pilotkadomen[.]club
pinokros[.]xyz
pokese[.]pro
pringlesbob[.]cfd
pusanik[.]shop
sandman[.]bond
sandman[.]lat
slivkishow[.]asia
smackit[.]lat
smenapodik[.]bond
spartanec[.]lat
superboomer[.]world
thisismine[.]asia
zewaplus[.]club

SHA256

7158035cfc3cffc8aa23c9ba614a3ad512b30f4c18e60506a7057bed97eaf055  SettingSync.dll
ecd69b4afd4c1034972ac51ad08dd44824ac39fe5ce6c1d03fff1694d3cf2b80  cscript2.dll
3a6b7d2082763e9581fa59fb9e7f94a044ed1ef0fb073afdf0fd72f1c1a29b99  edputil.dll
e6185efd48faf9336f0d1e8b1ba0f5716a247767c60088e438a86f8bbf0cfe81  payload.exe
2a17bb42829c3dd3259a5471a5f26b1d51db281f5da7bf9ba3402acf12781185  swprv2.dll
4687ebe922ad8e87a624deabbb08cfda8ea515b29b301e3c0c3f44570117f171  vpncli.dll
64e54058d9cae020b51850d49e4b0365dd0a6d4d0aea877bd804ea8c02f899e5  wsqmcons.dll

Email

adminbackup[@]wordpress[.]org

Final Thoughts

This investigation shows that the ClickFix campaign does more than just steal credentials. It also abuses gained access to aggressively spread infections in a worm-like manner. When the threat actors obtain valid WordPress credentials, they immediately create a new administrator account silently, typically following a pattern such as adminbackup[random], and then inject the ClickFix script into the compromised website to continue malware distribution.

This case also highlights how poor security operations practices such as exposed backup files, hardcoded API keys, and weak file upload validation can significantly expand access to both the attacker’s infrastructure and victim environments.

For mitigation, organizations are strongly advised to take immediate action:

  • Enable MFA across WordPress, hosting panels, VPNs, and any other externally accessible services.
  • Conduct audits to identify any suspicious or unauthorized administrator accounts.
  • Review and block known IoCs and domains associated with the campaign.
  • Apply regular patching and maintain continuous monitoring of login activity and system access.

A single exposed credential can serve as the starting point for a chained compromise affecting multiple websites and systems.

It should be noted that the threat actor’s activity in this campaign is still ongoing to this day and is likely to remain large-scale, as their methods, infrastructure, and tools are still active and continue to be used to support malware distribution.