How an Infostealer Infection Led to a Sophisticated ClickFix Campaign at Artlist
A shared research investigation by Hudson Rock and Matt Kirkland (derp.ca).
In mid-July 2026, researchers discovered a sophisticated ClickFix campaign operating on a subdomain belonging to the popular digital asset platform, Artlist. The attackers had successfully compromised new-blog.artlist[.]io, injecting malicious code designed to trick visitors into installing a Remote Access Trojan (RAT) disguised as a human verification CAPTCHA.
But how did threat actors gain access to a corporate blog in the first place? Through Hudson Rock’s cybercrime intelligence capabilities, we traced the root cause back three years, to an infostealer infection stemming from a pirated software download.
The Root Cause: A Pirated Torrent (August 2023)
In August 2023, an Israeli freelance WordPress Full Stack Developer made a critical operational security error: they attempted to download a pirated copy of Adobe Acrobat PRO DC.
When the developer executed the torrented file, they unknowingly infected their machine with an Infostealer. The malware immediately scraped all saved browser passwords, cookies, and session tokens, sending them directly to threat actor command-and-control servers.
The Compromise: Stolen Corporate Credentials
The developer had likely previously been hired for collaboration by a high-ranking employee at Artlist, a Senior Content Executive who had been with the company for six years. Because of this collaboration, the developer had the executive’s highly privileged login credentials saved on their local machine.
When the developer’s computer was compromised, those credentials were siphoned into the cybercrime ecosystem. Among the stolen data were the username (the full name of the employee) and a very strong password specifically for new-blog.artlist[.]io/blog/wp-login.php.
Armed with valid, high-privilege access, threat actors were able to log into the WordPress backend and inject malicious JavaScript into the HTML templates of the blog, setting the stage for the ClickFix campaign.
This incident perfectly illustrates a trend Hudson Rock researchers have extensively documented: how legitimate businesses are converted into malware hosts. By leveraging compromised credentials obtained from infostealer markets, threat actors can bypass traditional perimeter security. They exploit highly trusted corporate domains to host and distribute their own malicious campaigns, easily slipping under the radar of standard network filters and reputation checks.
The Attack: EtherHiding to ClickFix
To avoid rapid detection and takedown, the threat actors employed an advanced evasion technique known as EtherHiding, before deploying the ClickFix social engineering payload.
What is EtherHiding? Instead of hardcoding a malicious server URL directly into the compromised Artlist website (which is easy for defenders to block), the attackers injected obfuscated JavaScript that queries a smart contract on the Polygon blockchain. The smart contract acts as a dynamic router, returning the actual URL of the malicious payload. If the payload server is taken down, the attackers simply update the blockchain contract, seamlessly rotating their infrastructure without ever having to log back into the compromised WordPress site.
Once the smart contract resolves the next-stage server (in this case, auth-code-check[.]info), the script injects the ClickFix payload onto the user’s screen.
The ClickFix payload creates a full-page overlay that mimics a reCAPTCHA verification prompt. It blocks common keyboard shortcuts and instructs the user to press a specific key combination (Windows + X, I, Ctrl+V, Enter). This action pastes a hidden PowerShell command, which the malicious script secretly copied to the user’s clipboard, directly into the Windows Terminal.
This command silently downloads a password-protected ZIP archive (fdupdate.zip), extracts it using a staging copy of 7-Zip, and executes a legitimate, signed updater binary (fdupdate.exe, belonging to StruSoft/FEM-Design). This signed executable is used as a trusted vehicle to side-load a chain of malicious, unsigned DLLs into memory, beginning with LibBind.dll.
From there, the execution chain resembles a Russian nesting doll of sophisticated obfuscation:
LibBind.dllreads an encrypted slice from an accompanying data file (Stream.Toolkit.dat), decodes it, and allocates memory.- To execute this raw shellcode without triggering traditional API hooks (like
CreateThread), the malware uses a clever callback execution primitive via the Windows APIEnumTimeFormatsEx. - This shellcode then parses a custom virtual file system (
Face.dat) to extract and decode a Delphi loader (act.exe). - The Delphi loader decrypts an embedded ZIP, which decompresses into raw position-independent x64 code, which finally manually maps the ultimate RAT payload into memory.
Advanced C2 and Tor Fallback: The final decoded DLL is a massively capable Remote Access Trojan (RAT). What makes it stand out is its resilience. It communicates via a custom, framed protocol protected by hybrid CryptoAPI encryption (RSA/AES). If its primary Command and Control (C2) servers fail, it contains a built-in fallback mechanism that drops a Tor module into memory and begins beaconing out to hardcoded .onion addresses over a local SOCKS proxy.
Once fully deployed, the RAT gives threat actors total control over the infected machine. Beyond standard keylogging and targeted browser credential collection (extracting login data, autofill, tokens, and cookies), it features a hidden-desktop subsystem allowing operators to interact with a hidden virtual session. It also supports live screen streaming, resumable file transfers, and the ability to act as a SOCKS bridge, turning the victim’s PC into a pivot point for further network intrusions.
For a deep dive into the reverse engineering of the PowerShell wrappers, the DLL side-loading chain, and the custom C2 protocol of the final payload, you can read Matt Kirkland’s full technical teardown here: EtherHiding to ClickFix Analysis.
Note: Hudson Rock reached out to Artlist regarding this incident but has not received a comment as of the time of this publishing.
Hudson Rock Threat Feeds: Unrivaled C2 Visibility
As threats like ClickFix and Phishing-as-a-Service (PaaS) continue to evolve rapidly, relying solely on reactive indicators is no longer sufficient. To combat this, Hudson Rock has introduced Threat Feeds within our Cavalier platform.
This capability provides threat intelligence teams with unrivaled, live Command and Control (C2) data extracted directly from active campaigns. By proactively monitoring this infrastructure, organizations can block communications at the network edge, preventing infections and data exfiltration before they occur.
Indicators of Compromise (IOCs)
Below is a summary of the network and file-based indicators associated with this ClickFix and native RAT campaign.
Network Indicators
- Compromised Host: new-blog.artlist[.]io
- Delivery Domain: auth-code-check[.]info
- Polygon EtherHiding Contract:
0xB6bC9e1D0b2fB96Ab7C47E04Cb0BE477410bC1f2 - Direct IP C2s:
- 45.151.74[.]119:443
- 109.172.95[.]184:443
- 151.236.4[.]135:443
- 62.60.156[.]11:443
- Tor (.onion) Fallback C2s:
- aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwltbcysuybirygxzvp23ad[.]onion:443
- t77e4phezpwqebpbhdagr26ewkfaxytscimhxofws4wcisjo4wundead[.]onion:443
- vsjyfpt7vcd6atniefmz36ikxrqk5eyv573a2af4e2ntb437wdch63yd[.]onion:443
- fejdqikkdwheckrutucbbyeovpdnef4bopz2fx636i67p3qpffpfxxad[.]onion:443
File Indicators (SHA-256)
3a9b8eccad62d84fc59f86dae41e8c74ae6ae544f079b099b12b37de1abd7a60(fdupdate.zip)26817725650583d99ca3e617a618dd75c0f71bd316b5761780b7361f5f824cad(7z.exe staged helper)d518964aa67c359d0a806909451130591e337276bea33b6d41ef79126904ca3a(fdupdate.exe signed StruSoft updater)2f592365de553d8bb023a9e11439c2e18dcbe84d22b0cd6025b043d7d9029ac7(LibBind.dll sideloaded loader)a7c94343b51643b7477ba2c7630b168ce3cb1f03126a85c39363e70742e3afb5(TBFVSS_DLL_SRV_64.dll)6bc18b6c6050bdd554c4a945838b8b3a35b5c5813b950cf5f2e822b2396718cf(Stream.Toolkit.dat)75d4b6cec5bdc40cda25b5b9be136ccca97d77843825796beace7ddbfe87b614(act.exe decoded Delphi loader)8035b177ca682962fd6501228ebd460ef174183ac08a87d81514bba3ecfd9502(Final decoded RAT PE)
Protect Your Organization from Imminent Intrusions
With our new Threat Feeds, cybersecurity teams can monitor live C2 infrastructure from infostealer campaigns, ClickFix networks, and PhaaS operations to proactively block malicious communications.
To learn more about how Hudson Rock protects companies from intrusions caused by info-stealer infections of employees, partners, and users, and how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here:
https://www.hudsonrock.com/schedule-demo
We also provide access to various free cybercrime intelligence tools that you can find here:
www.hudsonrock.com/free-tools
Thanks for reading, Rock Hudson Rock!
Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock
Follow us on Twitter: https://www.twitter.com/RockHudsonRock