Bleepingcomputer
Artlist Subdomain Compromised in ClickFix Campaign Using EtherHiding Technique
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In July 2026, a ClickFix campaign was discovered on the Artlist subdomain new-blog.artlist[.]io, where attackers injected malicious code that masqueraded as a CAPTCHA to install a Remote Access Trojan (RAT). The attack originated from an infostealer infection traced back to a pirated software download in 2023, which compromised a developer's machine and provided access to high-privilege WordPress credentials. The attackers utilized a technique called EtherHiding, querying a smart contract on the Polygon blockchain to dynamically route to the malicious payload, avoiding detection. The campaign's infrastructure included a Tor-backed command-and-control (C2) fallback and DLL side-loading techniques. The incident highlights the growing trend of legitimate businesses being exploited as malware hosts. As of now, the campaign is still active, with ongoing investigations into the compromised components.
Key Points: • Attackers used EtherHiding to obfuscate malicious payload delivery via a blockchain query. • The compromise originated from an infostealer infection linked to a pirated software download. • The campaign successfully exploited high-privilege WordPress credentials to inject malware.