How I Get Access ClickFix Dashboard Due to Bad SecOps
Introduction
That afternoon, one of my monitoring teammates casually mentioned a new alert: “Why is this user opening a Polygon crypto website?” That immediately caught my attention and I suspected the user had accessed a website infected with ClickFix.
The suspicion became stronger because the user was not from the IT team and had no known involvement with cryptocurrency or Web3-related activities. In addition, a few days earlier we had investigated another incident where a user accidentally visited a ClickFix-infected website, which led to several IoCs, including connections to Web3 Polygon infrastructure used by the threat actor to host malware payloads.
Read also: Infostealer Spreading Through Fake Google reCAPTCHA
After investigating the alert, we discovered a website called FlameAsia displaying a ClickFix-related error page. From there, we began collecting additional Indicators of Compromise (IoCs) and identified a suspicious link associated with the campaign.
Out of curiosity, I decided to decode the ClickFix script being used and managed to uncover the URL leveraged by the threat actor to distribute the malware: https://mnepohui[.]sbs/.
While accessing the link, I performed a simple scan using ffuf to identify any exposed or interesting endpoints. The scan revealed a login panel at the /login endpoint, along with a publicly accessible PHP backup file located at api/index.php.bak.
After obtaining part of the source code from the backup file, I started reviewing several interesting sections. Since the file was part of the API, it contained multiple features and functionalities. One of the most notable findings was a file upload feature that lacked proper file type validation, allowing PHP files to be uploaded directly.
The upload feature did require an API key, but the key was not securely stored in a configuration file or environment variable. Instead, it was hardcoded directly within the same source file, making it easily retrievable from the exposed code. With access to the API key, uploading a web shell was successfully achieved.
By leveraging the API key found in the source code, I used curl to upload a Weevly backdoor through the vulnerable upload feature. The upload was successful and provided direct access to the server, effectively giving me administrative-level control over the ClickFix infrastructure.
Read also: Hacking Phishing-as-a-Service
Out of curiosity, I attempted to download the entire source code of the website. However, the archiving process frequently failed due to timeouts, causing ZIP generation to be unstable. To work around this issue, I wrote a small script to make the archiving process more reliable. Once the ZIP file was successfully generated, I proceeded to download the archive.
Below are several screenshots of the analytics dashboard used by the threat actors. The dashboard displays various metrics, including total downloads, source domains, successful infection flows and other analytical data related to the campaign’s activity and distribution performance.
Shortly after, it appears the threat actors realized that someone else had gained access to their system. In response, they removed the backdoor I had deployed, deleted the backup (.bak) file and rotated their API key, effectively disabling the upload functionality and revoking access.
Second Wave
A few days after I wrote the draft of this post, on Friday 15 May 2026, the alert “user access crypto polygon” appeared again. After verification, we confirmed that it was still part of the same ongoing ClickFix campaign.
What is interesting is that the threat actor did not significantly change their server or operational patterns. Instead, they only switched domains to continue their activity after the previous one was flagged and widely reported, in an attempt to evade detection. They then moved the campaign to a new domain named babybon[.]cfd.
From the indicators collected, the communication patterns, server responses, and certain configuration details remained identical to the previous infrastructure. This suggests that although their access or operations were briefly disrupted, the threat actors continued the campaign using largely the same methods.
Still curious, I revisited the previously obtained source code and noticed something I had missed before: a Telegram bot API key along with its associated chat ID embedded in the code.
Based on the extracted data, it appears that the threat actors were using Russian as their primary language of communication.
In this ClickFix method, the attackers do more than just steal credentials. They also abuse any access they obtain. When valid WordPress credentials are found, they quietly create a new administrator account and inject the ClickFix script into the target website. The admin usernames typically follow a pattern such as adminbackup followed by random numbers, and they also use the email [email protected].
Baca juga: WordPress Security Plugin Guide: 7 Best Picks for Better WordPress Security
Previously, I was able to identify the server’s IP address through an access point that has since been removed. I then investigated the ASN associated with that server, along with other IP addresses within the same network range. The results suggested that many IPs in that ASN are linked to suspicious activities, including malware hosting, C2 panels, phishing pages, payload distribution, and credential stealer infrastructure.
Indicator Of Compromised
Below are several indicators identified during the investigation. The list includes domains used in the campaign as well as sample payload hashes retrieved from the related server infrastructure.
Domain
abrmot[.]pro
amalgama[.]lat
anakondabob[.]club
arigatodomen[.]sbs
babybon[.]cfd
bearman[.]bond
betalegenda[.]cfd
bigblower[.]click
biletors[.]cfd
birdybird[.]rest
bobik[.]cfd
bulletpop[.]cyou
burunduktracker[.]xyz
cal[.]magicalegyptwomen[.]com
chinabowl[.]club
chinarice[.]asia
chubrik[.]sbs
comicstar[.]lat
corppop[.]shop
cosmostars[.]shop
fesold[.]com
ganiballektor[.]cfd
gasshopper[.]sale
gdedengikarlos[.]cfd
hardenedom[.]shop
holopebamiy[.]bond
kaleda[.]pro
kaloed[.]pro
krolikrojer[.]lat
lenders[.]digital
lizablud[.]shop
mamkor[.]pro
mampodik[.]asia
marinaradom[.]cfd
mavpaprokla[.]lat
mebanebols[.]trade
megamegalodon[.]click
mekasa[.]pro
merindashop[.]cyou
misterslivker[.]asia
mistertwister[.]sale
mob[.]lanjut[.]in
moll[.]lanjut[.]in
momasites[.]lol
mylovedomen[.]asia
netblokirovka[.]asia
nihaoclub[.]asia
nowfoods[.]my
peachbro[.]bond
pilotkadomen[.]club
pinokros[.]xyz
pokese[.]pro
pringlesbob[.]cfd
pusanik[.]shop
sandman[.]bond
sandman[.]lat
slivkishow[.]asia
smackit[.]lat
smenapodik[.]bond
spartanec[.]lat
superboomer[.]world
thisismine[.]asia
zewaplus[.]club
SHA256
7158035cfc3cffc8aa23c9ba614a3ad512b30f4c18e60506a7057bed97eaf055 SettingSync.dll
ecd69b4afd4c1034972ac51ad08dd44824ac39fe5ce6c1d03fff1694d3cf2b80 cscript2.dll
3a6b7d2082763e9581fa59fb9e7f94a044ed1ef0fb073afdf0fd72f1c1a29b99 edputil.dll
e6185efd48faf9336f0d1e8b1ba0f5716a247767c60088e438a86f8bbf0cfe81 payload.exe
2a17bb42829c3dd3259a5471a5f26b1d51db281f5da7bf9ba3402acf12781185 swprv2.dll
4687ebe922ad8e87a624deabbb08cfda8ea515b29b301e3c0c3f44570117f171 vpncli.dll
64e54058d9cae020b51850d49e4b0365dd0a6d4d0aea877bd804ea8c02f899e5 wsqmcons.dll
adminbackup[@]wordpress[.]org
Final Thoughts
This investigation shows that the ClickFix campaign does more than just steal credentials. It also abuses gained access to aggressively spread infections in a worm-like manner. When the threat actors obtain valid WordPress credentials, they immediately create a new administrator account silently, typically following a pattern such as adminbackup[random], and then inject the ClickFix script into the compromised website to continue malware distribution.
This case also highlights how poor security operations practices such as exposed backup files, hardcoded API keys, and weak file upload validation can significantly expand access to both the attacker’s infrastructure and victim environments.
For mitigation, organizations are strongly advised to take immediate action:
- Enable MFA across WordPress, hosting panels, VPNs, and any other externally accessible services.
- Conduct audits to identify any suspicious or unauthorized administrator accounts.
- Review and block known IoCs and domains associated with the campaign.
- Apply regular patching and maintain continuous monitoring of login activity and system access.
A single exposed credential can serve as the starting point for a chained compromise affecting multiple websites and systems.
It should be noted that the threat actor’s activity in this campaign is still ongoing to this day and is likely to remain large-scale, as their methods, infrastructure, and tools are still active and continue to be used to support malware distribution.