
Cross-Examining the CAPTCHAgeddon Brought on by ClickFix

Guardio reported on the ClickFix stealer, which is considered an evolved version of the fake browser update lure. Instead of relying on a file download, it used fake CAPTCHA pages, which allowed it to evade detection more effectively. It bypassed popular anti-bot solutions by having users click a Verify button that copied a malicious PowerShell command to the clipboard for them to run. As a result, it exfiltrated victims’ account credentials and other data from their computers.

The company published its findings in “‘CAPTCHAgeddon’: Unmasking the Viral Evolution of the ClickFix Browser-Based Threat,” naming at least 172 indicators of compromise (IoCs) in the process: 156 domains and 16 IP addresses.

WhoisXML API analyzed the IoCs further. Our deep dive led to these discoveries:

  • 1,156 unique client IP addresses communicated with 11 unique domain IoCs, based on sample DNS traffic data from the Internet Abuse Signal Collective (IASC)
  • Two alleged victim IP addresses communicated with three unique IP IoCs, based on sample IASC DNS traffic data
  • 30 of the domains identified as IoCs were deemed likely to turn malicious 51–209 days before they were dubbed as such

We also expanded the current list of IoCs and uncovered:

  • 289 registrant-connected domains
  • 193 email-connected domains, one of which was malicious
  • 133 additional IP addresses, 86 of which were malicious
  • 1,037 IP-connected domains, 28 of which were malicious
  • 3,412 string-connected domains, 30 of which were malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the ClickFix IoCs

Our deeper dive into the 172 IoCs Guardio identified has two parts. The first covers insights gleaned from sample DNS traffic data from IASC. The second covers our findings from WhoisXML API’s own intelligence sources.

Analyzing the IASC Data

Sample DNS traffic data from IASC revealed that 1,156 unique client IP addresses under 110 unique autonomous system numbers (ASNs) communicated with 11 unique domains identified as IoCs via 4,787 DNS queries made between 29 July 2025 and 5 August 2025.

Another set of IASC data showed that two unique alleged victim IP addresses communicated with three unique IP addresses identified as IoCs. Based on the results of a Bulk IP Geolocation Lookup query, those three IP addresses fell under two unique ASNs.
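The kind of matching described above, in which DNS query records are compared against a domain IoC list to count affected clients and ASNs, can be reproduced on a defender’s own resolver logs. The following is an added example and is not WhoisXML API’s or IASC’s code; the log line format, the IoC list, and the client-to-ASN mapping are all constructed for illustration, and a real deployment would read the resolver’s actual log format and use an ASN lookup service for the mapping.

```python
"""Match sample DNS query logs against a defanged domain IoC list.

Added example, not WhoisXML API's or IASC's code. The log format, the
IoC list, and the client-to-ASN mapping are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed IoC list in the defanged form a report would use.
IOC_DOMAINS_DEFANGED = ["companystarlink[.]com", "loyalcompany[.]net", "fepez[.]run"]

# Constructed resolver log lines: timestamp, client IP, query type, query name.
# The fifth line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2025-07-29T10:01:02Z 198.51.100.7 A companystarlink.com.
2025-07-29T10:01:05Z 198.51.100.7 A www.companystarlink.com.
2025-07-30T08:15:00Z 203.0.113.42 A example.org.
2025-08-01T12:00:00Z 203.0.113.42 A loyalcompany.net.
malformed entry
2025-08-03T23:59:59Z 192.0.2.9 AAAA fepez.run.
2025-08-05T06:30:00Z 198.51.100.8 A companystarlink.com.
"""

# Constructed client-IP-to-ASN mapping standing in for an ASN lookup service.
CLIENT_ASN: Dict[str, int] = {
    "198.51.100.7": 64496,
    "198.51.100.8": 64496,
    "203.0.113.42": 64497,
    "192.0.2.9": 64498,
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be matched."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.

    The leading dot in the suffix check keeps 'evilcompanystarlink.com'
    from matching 'companystarlink.com'.
    """
    name = qname.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def summarize(log_text: str, iocs_defanged: List[str], client_asn: Dict[str, int]) -> dict:
    """Count IoC-matching queries, unique clients, ASNs, and domains hit."""
    iocs = {refang(d) for d in iocs_defanged}
    queries = 0
    clients: Set[str] = set()
    asns: Set[int] = set()
    per_domain_clients: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, _qtype, qname = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc is None:
            continue
        queries += 1
        clients.add(client)
        per_domain_clients[ioc].add(client)
        asn = client_asn.get(client)
        if asn is not None:
            asns.add(asn)
    return {
        "queries": queries,
        "unique_clients": len(clients),
        "unique_asns": len(asns),
        "unique_domains": len(per_domain_clients),
        "clients_per_domain": {d: sorted(c) for d, c in per_domain_clients.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, IOC_DOMAINS_DEFANGED, CLIENT_ASN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log above, the summary reports five IoC-matching queries from four unique clients under three ASNs against all three IoC domains; the same counting is what produces figures like the 1,156 clients and 110 ASNs quoted from the IASC data.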

Diving into WhoisXML API Intelligence

We began by checking which of the 156 domains identified as IoCs appeared on the First Watch Malicious Domains Data Feed. We found that 30 of the domains were deemed likely to turn malicious 51–209 days before they were dubbed as such on 6 August 2025. Take a look at more details for five of them below.

DOMAIN IoC | FIRST WATCH ADDITION DATE | NUMBER OF DAYS DEEMED LIKELY TO TURN MALICIOUS BEFORE REPORTING DATE
companystarlink[.]com | 9 January 2025 | 209
companybonuses[.]org | 14 January 2025 | 204
loyalcompany[.]net | 15 January 2025 | 203
usersmanualplatforms19[.]site | 14 March 2025 | 145
candyconverterpdf[.]com | 25 March 2025 | 134

Next, we queried the 156 domains identified as IoCs on Bulk WHOIS API and discovered that:

  • Only 125 domains had current WHOIS records.
  • The 125 domains with current WHOIS records were created between 9 September 1997 and 19 June 2025. A majority, 88 to be exact, were created in 2025, hinting that the threat actors preferred newly registered domains (NRDs). The remaining 37 were created between 1997 and 2024.
  • The top 5 registrars were Namecheap, which accounted for 28 domains; PDR for 25; GoDaddy for 11; WebCC for nine; and WebNIC for eight. The remaining 44 domains were spread across 30 other registrars: OPENPROV-RU (five domains); NameSilo (four domains); NiceNIC (three domains); Bluehost, Global Domain Group, GMO Internet, Porkbun, and Wild West Domains (two domains each); and Amazon, CentralNIC, Cosmotown, Divido, Dreamscape Networks International, Dynadot, eNom, Eranet International, Gostovanje in Domene, Hello Internet, Hosting Concepts, Hostinger Operations, Instra, Internet Domain Service, Isimtescil Bilisim, Prado Ramiro Sebastian, R01-SU, Reg.ru, Squarespace Domains, Tucows, United-Domains, and URL Solutions (one domain each).
  • While 56 domains did not have registrant countries on record, 69 were spread out among 13 nations. A total of 20 domains were registered in the U.S.; 19 in Iceland; 12 in Malaysia; four in Germany; three each in Canada and Seychelles; two in the U.K.; and one each in Australia, China, the Netherlands, New Zealand, Russia, and South Africa.
  • Eleven domains had 11 unique registrant names on record.

A DNS Chronicle API query for the 156 domains identified as IoCs revealed that 136 had 17,287 historical domain-to-IP resolutions. The domains aasiwins[.]com, appmacosx[.]com, apposx[.]com, attlaw[.]com, autura[.]com, billiboard[.]com, buzzedcompany[.]com, cwbchicago[.]com, and deathtotheworld[.]com recorded the oldest resolutions on 5 February 2017. Take a look at the DNS histories of five domains below.

DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | FIRST DOMAIN-TO-IP RESOLUTION DATE
aasiwins[.]com | 380 | 5 February 2017
appmacosx[.]com | 29 | 5 February 2017
billiboard[.]com | 329 | 5 February 2017
cwbchicago[.]com | 630 | 5 February 2017
deathtotheworld[.]com | 316 | 5 February 2017

Next, we queried the 16 IP addresses identified as IoCs on Bulk IP Geolocation Lookup and discovered that:

  • They were geolocated in 11 different countries led by Germany, which accounted for four IP addresses. The U.S. placed second with three IP addresses. One IP address each was geolocated in China, Iceland, Moldova, the Netherlands, Pakistan, Panama, Poland, Russia, and Switzerland.
  • While eight IP addresses did not have ISPs on record, the rest were distributed among five ISPs. Hetzner Online accounted for four IP addresses while ARTNET, China Telecom, DigitalOcean, and Global-Data System IT accounted for one each.

A DNS Chronicle API query for the 16 IP addresses identified as IoCs uncovered 2,417 IP-to-domain resolutions over time. The IP address 181[.]174[.]164[.]117 posted 260 resolutions since 6 February 2017. Here are historical DNS details for five other IP addresses.

IP ADDRESS IoC | NUMBER OF IP-TO-DOMAIN RESOLUTIONS | FIRST IP-TO-DOMAIN RESOLUTION DATE
88[.]119[.]175[.]52 | 772 | 4 August 2019
195[.]201[.]221[.]109 | 642 | 26 February 2017
212[.]11[.]64[.]215 | 240 | 21 July 2017
159[.]223[.]139[.]207 | 230 | 10 December 2021
162[.]55[.]47[.]219 | 22 | 3 April 2021

We used the following prompts on the WhoisXML API MCP Server:

  • Get the DNS histories of the domains fepez.run, fessoclick.com, figurefaceted.ru, flammablegrunt.site, gbhjj.online, gettsveriff.com, gfddx.run, glsrvc.cloud, gmkkeycap.com, gozog.run, hastilybakeshop.ru, hipercompany.com, homeeick.com, honis.fun, howtocookportuguesestuff.com, and hypertrophyhphied.homes.
  • Use IP Netblocks to verify IP ownership of 104.21.16.1, 104.21.32.1, 104.21.48.1, 104.21.64.1, 104.21.80.1, 104.21.96.1, and 104.21.112.1.
  • Were there any IP commonalities over time across the domains above?

The results showed that the domains fepez[.]run, gfddx[.]run, and homeeick[.]com all used the Cloudflare IP addresses 104[.]21[.]16[.]1, 104[.]21[.]32[.]1, 104[.]21[.]48[.]1, 104[.]21[.]64[.]1, 104[.]21[.]80[.]1, 104[.]21[.]96[.]1, and 104[.]21[.]112[.]1 in May 2025.

On top of that, eight of the IP addresses seen across those DNS histories, while not necessarily all Cloudflare owned, were first configured or first appeared in May 2025.
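The “IP commonalities over time” question above is an infrastructure-overlap pivot: group every historical domain-to-IP resolution by IP address, keep the IPs that more than one domain resolved to, and check when those resolutions first appeared and who owns the netblock. The following is an added example and is not WhoisXML API’s DNS Chronicle, IP Netblocks, or MCP Server code; the resolution records and the netblock-to-owner table are constructed stand-ins for what those lookups would return (the Cloudflare attribution of 104.21.0.0/16 is assumed here for the example), and it generalizes the three-domain finding above to any number of domains.

```python
"""Find IP addresses shared across the DNS histories of several domains.

Added example, not WhoisXML API's DNS Chronicle, IP Netblocks, or MCP
Server code. Records and the netblock ownership table are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed (domain, ip, first_seen) records, defanged as a report lists them.
RECORDS: List[Tuple[str, str, date]] = [
    ("fepez[.]run", "104[.]21[.]16[.]1", date(2025, 5, 3)),
    ("fepez[.]run", "104[.]21[.]32[.]1", date(2025, 5, 3)),
    ("gfddx[.]run", "104[.]21[.]16[.]1", date(2025, 5, 9)),
    ("gfddx[.]run", "104[.]21[.]32[.]1", date(2025, 5, 9)),
    ("homeeick[.]com", "104[.]21[.]16[.]1", date(2025, 5, 21)),
    ("homeeick[.]com", "198[.]51[.]100[.]10", date(2024, 11, 2)),
    ("honis[.]fun", "203[.]0[.]113[.]77", date(2025, 6, 1)),
]

# Constructed netblock ownership table standing in for an IP Netblocks lookup.
# The Cloudflare attribution is assumed for this example, not looked up.
NETBLOCK_OWNERS: Dict[str, str] = {
    "104.21.0.0/16": "Cloudflare (assumed)",
    "198.51.100.0/24": "Example hosting (constructed)",
}


def refang(indicator: str) -> str:
    """Turn '104[.]21[.]16[.]1' or 'fepez[.]run' back into a usable string."""
    return indicator.replace("[.]", ".").lower()


def netblock_owner(ip: str) -> str:
    """Return the owner of the first constructed netblock containing ip."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in NETBLOCK_OWNERS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "unknown"


def shared_ips(records: List[Tuple[str, str, date]], min_domains: int = 2) -> List[dict]:
    """Pivot resolutions by IP and keep IPs used by at least min_domains domains.

    Each result carries the sorted domain list, the netblock owner, the
    earliest first-seen date, and the set of months in which the domains
    first resolved to that IP (one month means the infrastructure was set
    up for all of them at roughly the same time).
    """
    by_ip: Dict[str, Dict[str, date]] = defaultdict(dict)
    for domain, ip, first_seen in records:
        d, i = refang(domain), refang(ip)
        # keep the earliest first-seen date per (ip, domain) pair
        if d not in by_ip[i] or first_seen < by_ip[i][d]:
            by_ip[i][d] = first_seen
    results = []
    for ip, domains in by_ip.items():
        if len(domains) < min_domains:
            continue
        results.append({
            "ip": ip,
            "owner": netblock_owner(ip),
            "domains": sorted(domains),
            "earliest": min(domains.values()),
            "months": sorted({f"{dt:%Y-%m}" for dt in domains.values()}),
        })
    # most widely shared IPs first, then numeric IP order
    results.sort(key=lambda r: (-len(r["domains"]), ipaddress.ip_address(r["ip"])))
    return results


if __name__ == "__main__":
    for r in shared_ips(RECORDS):
        print(f"{r['ip']} ({r['owner']}): {', '.join(r['domains'])} "
              f"first seen {r['earliest'].isoformat()}, months {r['months']}")
```

A shared IP in a large CDN range such as Cloudflare’s is weak evidence on its own, since many unrelated domains sit behind the same front-end addresses; the signal in the finding above comes from the combination of shared IPs, the same narrow first-seen window (May 2025), and the domains already being tied to the campaign, which is why the example reports the owner and the months together rather than the IP alone.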

Expanding the Current List of ClickFix IoCs

Earlier, we mentioned that we found 11 unique registrant names for 11 of the 156 domains identified as IoCs. We queried them on Reverse WHOIS API and found that they appeared in the current WHOIS records of 289 domains after duplicates and those already tagged as IoCs were filtered out.

Next, we queried the 156 domains identified as IoCs on WHOIS History API and uncovered 40 unique email addresses from their historical WHOIS records. Further scrutiny showed that 10 were public email addresses.

While none of them appeared in the current WHOIS records of any other domains based on the results of our Reverse WHOIS API queries, five of the 10 public email addresses were seen in the historical WHOIS records of 193 domains after duplicates, those already identified as IoCs, and the registrant-connected domains were filtered out.

A Threat Intelligence API query for the 193 email-connected domains revealed that one—znm[.]lol—has already been weaponized for malware distribution.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
