|
||
|
||
Bitdefender recently detailed how attackers continued to abuse Microsoft’s legacy MSHTA tool as a delivery mechanism across multiple malware campaigns. In one of the most prominent clusters, threat actors used the HTA-based loader CountLoader to deploy the infostealers LummaStealer and Amatera onto victims’ systems. As a result, affected users could lose sensitive data, including their credentials, browser-stored information, session tokens, and cryptocurrency-related information, to the attackers.
The Bitdefender study identified 128 network IoCs comprising subdomains, domains, and IP addresses.
We extracted domains from the subdomain IoCs then filtered out those owned by legitimate organizations and were inactive from the resulting list aided by the WhoisXML API MCP Server. We ended up with 81 domain IoCs for further analysis. Combining that with the 11 subdomain and 28 IP IoCs, we had a total of 120 network IoCs for our investigation.
Our DNS deep dive into the ClickFix attack targeting MSHTA users led to these discoveries:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis by querying the 11 subdomain IoCs on the WhoisXML API MCP Server and discovered that:
Here are more details on five examples.
| SUBDOMAIN IoC | WXA MCP SERVER FINDING |
|---|---|
| asd[.]s7610rir[.]pw | Shares the IP address of asq[.]d6shiiwz[.]pw |
| asq[.]d6shiiwz[.]pw | Shares the IP address of asd[.]s7610rir[.]pw |
| buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com | While hosted on a legitimate Alibaba Cloud OSS bucket, this could have been specially crafted for hosting second-stage payloads or droppers |
| check[.]qlkwr[.]com | Shares the IP address of d1[.]pool4883[.]pw |
| d1[.]pool4883[.]pw | Shares the IP address of check[.]qlkwr[.]com |
We then looked more closely at the 81 domain IoCs.
First, sample network traffic data from the IASC showed that 17 unique client IP addresses under four distinct ASNs communicated with 28 of the domain IoCs via 2,652 DNS queries made between 22 March and 20 May 2026.

We then queried the domain IoCs on Typosquatting API and found out that four appeared in three typosquatting groups.

It is interesting to note that the domains simplerwebs[.]world and simplerwebs[.]space appeared in the same typosquatting group with nine members. They were bulk-registered with the domains simplerways[.]shop, simplerwebs[.]website, simplerwebs[.]online, simplerwebs[.]site, simpleweb[.]ai, simplerwebs[.]sbs, and simplerwebs[.]click on 2 January 2025.
Based on the results of our First Watch Malicious Domains Data Feed searches for the domain IoCs, 20 of them were likely registered with malicious intent 90—501 days before they were dubbed as IoCs on 19 May 2026. Here are five examples.
| DOMAIN IoC | FIRST WATCH DATE | NUMBER OF DAYS BEFORE THE REPORT DATE |
|---|---|---|
| qlkwr[.]com | 01/03/25 | 501 |
| propofgustestyle[.]info | 01/21/25 | 483 |
| ms-team-ping6[.]com | 08/25/25 | 267 |
| holiday-updateservice[.]com | 11/16/25 | 184 |
| health-smooth-eu3[.]com | 11/18/25 | 182 |
Next, we queried the domain IoCs on WHOIS API and discovered that:

They were administered by seven different registrars.

While 10 did not have registrant countries on record, the remaining 71 were registered in seven different countries.

DNS Chronicle API queries for the domain IoCs revealed that 76 of them recorded 2,480 historical domain-to-IP resolutions over time. Take a look at more information for five examples below.
| DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN |
|---|---|---|
| ms-team-ping6[.]com | 205 | 08/25/25–05/09/26 |
| alphazero1-endscape[.]cc | 121 | 11/23/25–05/10/26 |
| s3-updatehub[.]cc | 110 | 12/02/25–05/17/26 |
| globalsnn1-new[.]cc | 106 | 11/23/25–05/10/26 |
| my-smart-house1[.]com | 101 | 11/12/25–05/20/26 |
A total of 49 of the domain IoCs continue to post resolutions this May.
Next, we studied the 28 IP IoCs further.
Sample network traffic data from the IASC revealed that 618 unique IP addresses that could belong to victims under 16 distinct ASNs communicated with 25 of the IP IoCs between 23 November 2025 and 20 May 2026.

We then queried the IP IoCs on Bulk IP Geolocation Lookup and discovered that:

While nine did not have ISPs on record, the remaining 19 were administered by 16 different ISPs.

Lastly, we queried the IP IoCs on DNS Chronicle API and found out that 15 of them posted 2,564 historical IP-to-domain resolutions over time. Here are more details for five examples.
| IP IoC | NUMBER OF IP-TO-DOMAIN RESOLUTIONS | DATES SEEN |
|---|---|---|
| 103[.]115[.]17[.]90 | 1,000 | 02/15/19–09/04/20 |
| 100[.]1[.]121[.]27 | 520 | 02/07/17–05/20/26 |
| 87[.]96[.]21[.]84 | 260 | 02/06/17–08/15/24 |
| 107[.]175[.]187[.]11 | 140 | 06/24/17–08/16/20 |
| 222[.]73[.]29[.]92 | 119 | 10/22/19–02/04/22 |
As of May 2026, only one IP IoC continued to resolve domains.
To kick off our IoC list expansion, we queried the 81 domain IoCs on WHOIS History API and found out that 16 of them had 29 unique email addresses in their historical records. Further scrutiny allowed us to discern that 13 were public email addresses.
Reverse WHOIS API queries for the public email addresses showed that two could be owned by domainers and one was no longer active so they were excluded from the next step. This step also led to the discovery of 2,260 unique email-connected domains after those already tagged as IoCs were filtered out.
We then queried the email-connected domains on Threat Intelligence API, which revealed that 56 have already been confirmed malicious.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byVerisign