Artlist Subdomain Compromised in ClickFix Campaign Using EtherHiding Technique

Artlist Subdomain Compromised in ClickFix Campaign Using EtherHiding Technique

First seen 14 Jul 2026, 19:58 UTC InfostealersBleepingcomputerGbhackerswww.derp.cagithub.com 82% similarity 67.5

Article Content

Browse articles
ThreatCluster

In July 2026, a ClickFix campaign was discovered on the Artlist subdomain new-blog.artlist[.]io, where attackers injected malicious code that masqueraded as a CAPTCHA to install a Remote Access Trojan (RAT). The attack originated from an infostealer infection traced back to a pirated software download in 2023, which compromised a developer's machine and provided access to high-privilege WordPress credentials. The attackers utilized a technique called EtherHiding, querying a smart contract on the Polygon blockchain to dynamically route to the malicious payload, avoiding detection. The campaign's infrastructure included a Tor-backed command-and-control (C2) fallback and DLL side-loading techniques. The incident highlights the growing trend of legitimate businesses being exploited as malware hosts. As of now, the campaign is still active, with ongoing investigations into the compromised components.

Key Points: • Attackers used EtherHiding to obfuscate malicious payload delivery via a blockchain query. • The compromise originated from an infostealer infection linked to a pirated software download. • The campaign successfully exploited high-privilege WordPress credentials to inject malware.

ThreatCluster AI

Timeline

2023-08-01
Infostealer infection traced to pirated software
A developer downloaded a pirated copy of Adobe Acrobat, leading to credential theft and eventual compromise of Artlist's subdomain.
Infostealers
2026-07-13
Malicious code injected into Artlist subdomain
An obfuscated script was found on new-blog.artlist[.]io, leading to a fake CAPTCHA prompting users to install a RAT.
Derp
2026-07-14
ClickFix campaign reported
Researchers confirmed the ClickFix campaign's operation and its reliance on stolen credentials and blockchain techniques.
Infostealers
2026-07-15
Campaign details published
Further analysis revealed the use of DLL side-loading and Tor for C2 communications in the ClickFix campaign.
Gbhackers

Community

Browse all →