{"id":160518,"date":"2025-10-08T09:16:53","date_gmt":"2025-10-08T16:16:53","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=160518"},"modified":"2025-10-14T05:46:47","modified_gmt":"2025-10-14T12:46:47","slug":"clickfix-generator-first-of-its-kind","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/","title":{"rendered":"The phishing factory: spotlight on IUAM ClickFix Generator"},"content":{"rendered":"<h2><a id=\"post-160518-_4lt92rr5muov\"><\/a>Executive summary<\/h2>\n<p>Attackers are integrating a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. The technique tricks victims into bypassing security controls by manually executing malware, typically information stealers and remote access trojans (RATs). The commoditization of this technique fits the phishing-as-a-service trend, which lowers the skill and effort required to carry out successful attacks.<\/p>\n<p>We identified a phishing kit named IUAM ClickFix Generator that automates the creation of these attacks. The kit generates highly customizable phishing pages that lure victims by imitating the browser verification challenges commonly used to block automated traffic. 
It includes advanced features such as operating system detection and clipboard injection, enabling cross-platform malware deployment with little effort.<\/p>\n<p>We have seen at least one campaign in which attackers used pages generated by IUAM ClickFix Generator to deploy the DeerStealer malware. In addition, analysis of several other pages with slight technical and visual differences points to a broader trend. This suggests that attackers are building a growing commercial ecosystem to monetize the technique through competing ClickFix-themed phishing kits.<\/p>\n<p>Palo Alto Networks customers are better protected from this threat through the following products and services:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a> identify the domains and URLs associated with this activity as malicious.<\/li>\n<li>The Machine Learning models of <a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a> have been updated based on the indicators of compromise (IoCs) identified in this research.<\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSIAM\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a><\/li>\n<\/ul>\n<p>If you think your organization may have been compromised or you have an urgent matter, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a>.<\/p>\n<table style=\"width: 97.4979%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 218.899%;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/tag\/clickfix-fr\/\" target=\"_blank\" rel=\"noopener\"><b>ClickFix<\/b><\/a>, <strong><a href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/tag\/phishing-fr\/\" target=\"_blank\" rel=\"noopener\">Phishing<\/a><\/strong><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><b>Behind the scenes of the ClickFix phishing generator<\/b><\/h2>\n<p>We identified a publicly accessible phishing kit generator hosted on an HTTP server at IP address <span style=\"font-family: 'courier new', courier, monospace;\">38.242.212[.]5<\/span>, first observed on July 18, 2025. It remained active until early October.<\/p>\n<p>The server hosts a web application on TCP port 3000, built with the Express framework and styled with Tailwind CSS. The application displays an HTML page titled IUAM ClickFix Generator.<\/p>\n<p>This tool lets threat actors create highly customizable phishing pages that reproduce the challenge-response behavior of a browser verification page, the kind typically deployed by content delivery networks (CDNs) and cloud security providers to protect against automated threats. 
The spoofed interface is designed to look legitimate to victims, which improves the effectiveness of the lure.<\/p>\n<p>An actor can configure every detail through a simple user interface (Figure 1), including:<\/p>\n<ul>\n<li><strong>Site and message configuration<\/strong>\n<ul>\n<li>Customizes the phishing page title (default: \u201cJust a moment...\u201d) and domain.<\/li>\n<li>Includes an editable page message, widget text, footer notes, and success or error messages to lure or instruct victims.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Clipboard configuration<\/strong>\n<ul>\n<li>Defines the content automatically copied to the victim's clipboard when they click the verification prompts, typically a malicious command they are expected to paste and run.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Mobile access blocking and security pop-up<\/strong>\n<ul>\n<li>Detects access from a mobile device, prompts the victim to switch to a desktop browser, and modifies the main instruction element shown to the victim (the security pop-up).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Advanced settings<\/strong>\n<ul>\n<li>Enables obfuscation techniques and automatic injection of JavaScript that copies content to the clipboard.<\/li>\n<li>Includes operating system detection to tailor commands to Windows (Command Prompt or PowerShell) or macOS (Terminal).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_160519\" aria-describedby=\"caption-attachment-160519\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160519 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-178363-160518-1.png\" alt=\"Screenshots of IUAM ClickFix Generator, a \u201cprofessional phishing page configuration tool.\u201d The detailed settings include checkboxes, numeric values and drop-down menus for customizing security features.\" width=\"1000\" height=\"767\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-178363-160518-1.png 1268w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-178363-160518-1-574x440.png 574w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-178363-160518-1-913x700.png 913w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-178363-160518-1-768x589.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160519\" class=\"wp-caption-text\">Figure 1. User interface of the IUAM ClickFix Generator phishing kit.<\/figcaption><\/figure>\n<h2><b>From the generator to the front line: examples of real campaigns<\/b><\/h2>\n<p>Our analysis shows that attackers have used the identified phishing kit (or close variants of it) to create a series of ClickFix-themed phishing pages. These pages share a consistent visual theme, imitating the browser verification challenges frequently deployed by CDN and web security platforms. 
They also rely on operating system detection and command-copy mechanisms to get victims to manually execute malicious payloads.<\/p>\n<p>However, not all of the phishing pages we identified share the same structure or behavior. While we confirmed at least one case in which attackers delivered DeerStealer through a page generated by this tool, we also observed several other phishing pages with slight differences in technical implementation and visual design. These differences include:<\/p>\n<ul>\n<li>Structural variations in the HTML\/DOM layout<\/li>\n<li>Modified or entirely different command-copy mechanisms<\/li>\n<li>Absence of specific JavaScript logic (for example, operating system detection or dynamic instructions)<\/li>\n<li>Simplified or inconsistent spoofing of the browser challenge pages<\/li>\n<\/ul>\n<p>These differences suggest the existence of several variants of the ClickFix kit, or of distinct phishing kits inspired by the same lure concept but developed independently or derived from earlier versions.<\/p>\n<p>The examples below illustrate the diversity of the ClickFix phishing pages we discovered, each with slightly different levels of sophistication, behaviors and delivery mechanisms.<\/p>\n<h3><a id=\"post-160518-_dxbacsxzeh35\"><\/a>Campaign 1: the Windows-only attack (DeerStealer)<\/h3>\n<p>In one campaign, the attackers configured the kit to specifically target Windows users. The threat actor included no operating system detection logic in this configuration. As a result, the page offered no alternative instructions or commands tailored to macOS or to systems other than Windows.<\/p>\n<p>When the victim interacts with the CAPTCHA element (Figure 2) by clicking the checkbox meant to verify that they are human, the action triggers a background JavaScript that copies a malicious PowerShell command to the clipboard. At the same time, a pop-up appears instructing the victim to open the Windows Run dialog (Win+R), paste the clipboard contents and execute the command. Once these instructions are followed, the command downloads and launches a multi-stage batch script that ultimately installs the DeerStealer infostealer.<\/p>\n<figure id=\"attachment_160530\" aria-describedby=\"caption-attachment-160530\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160530 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2.png\" alt=\"Screenshot of a Cloudflare verification CAPTCHA prompt instructing the user to press specific keys to confirm they are not a robot. The instructions and a CAPTCHA identifier are visible.\" width=\"1000\" height=\"732\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2.png 1714w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2-601x440.png 601w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2-957x700.png 957w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2-768x562.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-181564-160518-2-1536x1124.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160530\" class=\"wp-caption-text\">Figure 2. Campaign 1 \u2013 ClickFix page delivering DeerStealer.<\/figcaption><\/figure>\n<p>Figure 3 below shows the copied command we observed.<\/p>\n<figure id=\"attachment_160541\" aria-describedby=\"caption-attachment-160541\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160541 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3.png\" alt=\"Screenshot of a command-line script containing a command that sends a network request to a specified IP address and executes a batch file.\" width=\"1000\" height=\"193\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3.png 2048w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3-786x152.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3-1920x371.png 1920w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3-768x149.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-184919-160518-3-1536x297.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160541\" class=\"wp-caption-text\">Figure 3. DOM structure showing the command copied to the victim's clipboard.<\/figcaption><\/figure>\n<p>When executed, this command downloads a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b\" target=\"_blank\" rel=\"noopener\">batch script<\/a> <span style=\"font-family: 'courier new', courier, monospace;\">cv.bat<\/span> (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b<\/span>) into the victim's temporary directory and runs it immediately.<\/p>\n<p>Analysis of the batch script reveals a multi-stage process designed to download and execute a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151\" target=\"_blank\" rel=\"noopener\">malicious MSI file<\/a> (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151<\/span>) identified as the DeerStealer information stealer.<\/p>\n<h3><a id=\"post-160518-_7x43hq89clrc\"><\/a>Campaign 2: the cross-platform attack (Odyssey Infostealer)<\/h3>\n<p>In another case we observed (Figure 4), the threat actor deployed three variants of the phishing page. All of them ultimately led to the delivery of the Odyssey infostealer for macOS users and of a still-unidentified malware strain for Windows users. Despite these variants, the core structure of the phishing page remained consistent.<\/p>\n<figure id=\"attachment_160552\" aria-describedby=\"caption-attachment-160552\" style=\"width: 614px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160552 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-187830-160518-4.png\" alt=\"Screenshot of a security verification page on the site speedtestcheck.org, displaying a message about unusual web traffic detected from the user's IP address. The page explains how to verify human identity by entering commands in a computer terminal and includes an \u201cI am not a robot\u201d checkbox and a \u201cCopy\u201d button to duplicate the command text.\" width=\"614\" height=\"526\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-187830-160518-4.png 614w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-187830-160518-4-514x440.png 514w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><figcaption id=\"caption-attachment-160552\" class=\"wp-caption-text\">Figure 4. Campaign 2 \u2013 ClickFix page delivering Odyssey for macOS.<\/figcaption><\/figure>\n<p>Each version of the phishing page detects the victim's operating system via JavaScript, notably by parsing the browser's <span style=\"font-family: 'courier new', courier, monospace;\">navigator.userAgent<\/span> string, then delivers the payload accordingly.<\/p>\n<p>While the visible text (Figure 4) suggests a harmless string, clicking the \u201cCopy\u201d button runs a JavaScript that places a malicious command in the clipboard, one that differs from the command displayed.<\/p>\n<p>The specific commands and targets vary from one version of this phishing page to another.<\/p>\n<h4><strong>Option 1: cross-platform Windows and macOS payload<\/strong><\/h4>\n<p>In the cross-platform variants, the attackers send Windows users a malicious PowerShell command designed to download and execute an unidentified malware strain. They provide macOS users with a Base64-encoded command to deliver Odyssey (Figure 5).<\/p>\n<figure id=\"attachment_160563\" aria-describedby=\"caption-attachment-160563\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160563 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5.png\" alt=\"Screenshot of a code snippet in a text editor showing JavaScript conditional statements that handle copy commands according to the user's operating system, including Mac, Windows and an unknown system. The code includes comments and command lines for each condition.\" width=\"1000\" height=\"386\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5.png 2048w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5-786x304.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5-1812x700.png 1812w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5-768x297.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-190349-160518-5-1536x593.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160563\" class=\"wp-caption-text\">Figure 5. DOM structure showing a cross-platform example.<\/figcaption><\/figure>\n<p>Examples of domains that hosted this variant include:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">tradingview.connect-app[.]us[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">treadingveew.dekstop-apps[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">treadingveew.last-desk[.]org<\/span><\/li>\n<\/ul>\n<h4><a id=\"post-160518-_9ryzrutvdwzp\"><\/a>Option 2: macOS-targeting variant with a Windows decoy and fallback handling<\/h4>\n<p>In other macOS-focused variants, macOS users receive a Base64-encoded command intended to deliver Odyssey. Windows users receive, as a decoy, a harmless PowerShell command meant to complete the social engineering without delivering a payload. 
These PowerShell commands sometimes use domains containing Cyrillic characters that visually mimic Latin characters in order to appear legitimate (Figures 6 and 7).<\/p>\n<p>For unrecognized operating systems (that is, when detection fails), the phishing page displays a benign-looking command that still leads to no malicious activity (Figures 6 and 7).<\/p>\n<figure id=\"attachment_160574\" aria-describedby=\"caption-attachment-160574\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160574 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6.png\" alt=\"Screenshot of a code snippet involving variables and various CloudFlare-related commands.\" width=\"1000\" height=\"104\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6.png 2048w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6-786x82.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6-1920x200.png 1920w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6-768x80.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-194333-160518-6-1536x160.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160574\" class=\"wp-caption-text\">Figure 6. DOM structure of the phishing page showing the commands conditioned on the operating system.<\/figcaption><\/figure>\n<figure id=\"attachment_160585\" aria-describedby=\"caption-attachment-160585\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160585 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7.png\" alt=\"Screenshot of a code snippet showing JavaScript commands used for terminal commands, handling different operating systems, with a Windows-focused currentThemeIsDark variable.\" width=\"1000\" height=\"126\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7.png 2048w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7-786x99.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7-1920x243.png 1920w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7-768x97.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-197198-160518-7-1536x194.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-160585\" class=\"wp-caption-text\">Figure 7. DOM structure of the phishing page showing the commands conditioned on the operating system.<\/figcaption><\/figure>\n<p>Examples of domains that hosted this variant include:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">claudflurer[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">teamsonsoft[.]com<\/span><\/li>\n<\/ul>\n<h4><a id=\"post-160518-_uwubfjtu75e0\"><\/a>Option 3: macOS-only variant delivering Odyssey alone<\/h4>\n<p>Another variant appears to be intended exclusively for macOS: it provides a single Base64-encoded command that downloads and executes Odyssey, with no configuration for other operating systems (Figure 8).<\/p>\n<figure id=\"attachment_160596\" aria-describedby=\"caption-attachment-160596\" style=\"width: 2048px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160596 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8.png\" alt=\"Screenshot of a code snippet containing JavaScript commands used for terminal commands.\" width=\"2048\" height=\"122\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8.png 2048w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8-786x47.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8-1920x114.png 1920w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8-768x46.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-200066-160518-8-1536x92.png 1536w\" sizes=\"(max-width: 2048px) 100vw, 2048px\" \/><figcaption id=\"caption-attachment-160596\" class=\"wp-caption-text\">Figure 8. macOS-focused example with no operating system specified.<\/figcaption><\/figure>\n<p>This command downloads and executes the Odyssey macOS infostealer. It also uses <span style=\"font-family: 'courier new', courier, monospace;\">nohup<\/span> bash, which launches a new Bash shell in the background and ignores hangup (HUP) signals, so the process keeps running even if the terminal is closed.<\/p>\n<p>Examples of domains or IP addresses that hosted this variant include:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">emailreddit[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps[:]\/\/188.92.28[.]186<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">cloudlare-lndex[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">tradingviewen[.]com<\/span><\/li>\n<\/ul>\n<h2><a id=\"post-160518-_r4hnwfyeabe2\"><\/a><b>Origins and common artifacts<\/b><\/h2>\n<p>Despite differences in targeting logic and payload delivery URLs, all of the phishing pages analyzed in campaign 2 share an identical underlying structure, including a consistent HTML layout and uniform naming of JavaScript functions.<\/p>\n<p>Moreover, although the specific command and control (C2) server address varies from page to page, our analysis confirmed that all of these servers belong to Odyssey.<\/p>\n<p>This consistency, both in page structure and in C2 infrastructure, strongly suggests that these variants belong to the same activity cluster and most likely originate from a common code base or generator tool.<\/p>\n<p>Odyssey is a malware-as-a-service (MaaS) operated by a cybercriminal actor active on dark web forums such as Exploit and XSS, who is known for collaborating with other actors and affiliates. It is therefore plausible that these phishing page variations reflect customized deployments of a base kit distributed by the malware operator or its affiliates.<\/p>\n<p>According to posts by the actor who markets and operates the Odyssey MaaS, they have reportedly provided ClickFix-style lure pages to affiliates on request, reinforcing the hypothesis that these variants come from a common generator but are adapted to each affiliate, campaign or individual preference.<\/p>\n<p>Finally, some pages contained developer comments written in Russian (Figures 9 and 10).<\/p>\n<figure id=\"attachment_160607\" aria-describedby=\"caption-attachment-160607\" style=\"width: 718px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160607 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-202628-160518-9.png\" alt=\"Screenshot of computer code including a JavaScript function named notifyClick, which sends a click notification using the fetch API to \u201cstats.php\u201d. The code includes a comment in Cyrillic characters that translates to \u201cFunction for sending a click notification\u201d.\" width=\"718\" height=\"124\" \/><figcaption id=\"caption-attachment-160607\" class=\"wp-caption-text\">Figure 9. Comment from a Russian developer.<\/figcaption><\/figure>\n<p>Translation of the Russian comment in Figure 9: <span style=\"font-family: 'courier new', courier, monospace;\">Add a call to stats.php on page load<\/span>.<\/p>\n<figure id=\"attachment_160618\" aria-describedby=\"caption-attachment-160618\" style=\"width: 756px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-160618 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/word-image-204989-160518-10.png\" alt=\"Screenshot of a comment in Cyrillic characters that is part of a code snippet in a script tag which adds a \u201cstats.php\u201d fetch call when a web page loads.\" width=\"756\" height=\"170\" \/><figcaption id=\"caption-attachment-160618\" class=\"wp-caption-text\">Figure 10. Comment from a Russian developer.<\/figcaption><\/figure>\n<p>Translation of the Russian comment in Figure 10: <span style=\"font-family: 'courier new', courier, monospace;\">Function for sending a click notification<\/span>.<\/p>\n<p>Ultimately, the structural consistency across all samples strongly indicates that they were generated from a single configurable phishing kit, each malicious variant of which was designed to deliver the Odyssey malware.<\/p>\n<h2><a id=\"post-160518-_2an8ryq91inv\"><\/a>Conclusion<\/h2>\n<p>The discovery of IUAM ClickFix Generator offers a rare glimpse into the tools that lower the barrier to entry for cybercriminals, allowing them to launch sophisticated cross-platform attacks without deep technical expertise. 
The effectiveness of the ClickFix technique rests on exploiting the user's instinct to follow on-screen instructions that appear to come from a trusted security vendor.<\/p>\n<p>This threat underscores the importance of user vigilance and awareness. Individuals and organizations should be wary of any website that asks them to manually copy and run commands to prove they are human. This simple yet deceptive social engineering tactic is a growing threat, turning the victim's own actions into the primary infection vector.<\/p>\n<h3><a id=\"post-160518-_lsbythhc3nz9\"><\/a>Protection and mitigation by Palo\u00a0Alto\u00a0Networks<\/h3>\n<p>Palo\u00a0Alto\u00a0Networks customers are better protected against the threats mentioned above through the following products:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\" target=\"_blank\" rel=\"noopener\">Advanced\u00a0URL\u00a0Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced\u00a0DNS\u00a0Security<\/a> identify the domains and URLs associated with this activity as malicious.<\/li>\n<li>The Machine\u00a0Learning models of <a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\">Advanced\u00a0WildFire<\/a> have been updated based on the indicators of compromise (IoCs) identified in this research.<\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSIAM\" 
target=\"_blank\" rel=\"noopener\">XSIAM<\/a> are designed to prevent infection by the malware samples described in this article using the <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XDR\/Cortex-XDR-4.x-Documentation\/Malware-protection\" target=\"_blank\" rel=\"noopener\">malware prevention engine<\/a>. This approach combines several layers of protection, including <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a>, Behavioral Threat Protection and the Local Analysis module, to block both known and unknown malware before it can affect endpoints. The mitigation methods implement malware protection across different operating systems: Windows, macOS and Linux.<\/li>\n<\/ul>\n<p>If you think your organization may have been compromised or you are facing an emergency, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit\u00a042 Incident Response team<\/a> or call one of the following numbers:<\/p>\n<ul>\n<li>North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>UK: +44\u00a020\u00a03743\u00a03660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81\u00a050\u00a01790\u00a00200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 000 800 050 45107<\/li>\n<\/ul>\n<p>Palo\u00a0Alto\u00a0Networks has shared these findings with the other members of the Cyber\u00a0Threat\u00a0Alliance (CTA). 
CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>.<\/p>\n<h2><a id=\"post-160518-_v8176g40kstn\"><\/a>Indicators of compromise<\/h2>\n<p>Table 1 lists the SHA256 hashes of 18 Odyssey malware samples and eight DeerStealer samples associated with the ClickFix activity presented in this threat research article.<\/p>\n<table style=\"width: 100.125%;\">\n<tbody>\n<tr>\n<td style=\"text-align: center; width: 86.7133%;\"><b>SHA256 hash<\/b><\/td>\n<td style=\"text-align: center; width: 81.5385%;\"><b>Malware<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 
86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span 
style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 86.7133%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151<\/span><\/td>\n<td style=\"width: 81.5385%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 10pt;\"><em>Table 1. Malware samples associated with the ClickFix campaigns in this article.<\/em><\/span><\/p>\n<p>Table 2 lists the IPv4 addresses of the C2 servers used by the Odyssey malware samples presented in this article.<\/p>\n<table style=\"width: 97.2713%;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: center; height: 24px; width: 37.2642%;\"><b>IP\u00a0address<\/b><\/td>\n<td style=\"text-align: center; height: 24px; width: 20.9906%;\"><b>First seen<\/b><\/td>\n<td style=\"text-align: center; height: 24px; width: 20.9906%;\"><b>Last seen<\/b><\/td>\n<td style=\"text-align: center; height: 24px; width: 195.519%;\"><b>Malware<\/b><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">45.146.130[.]129<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-22<\/span><\/td>\n<td style=\"text-align: center; 
height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-28<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">45.135.232[.]33<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-06-15<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-18<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">83.222.190[.]214<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-05-23<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-08-10<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">194.26.29[.]217<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-06-22<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-06-24<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 
37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">88.214.50[.]3<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-04-14<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-05-16<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">45.146.130[.]132<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-01<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-28<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">45.146.130[.]131<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-03<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-28<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: center; height: 25px; width: 37.2642%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">185.93.89[.]62<\/span><\/td>\n<td style=\"text-align: center; height: 25px; width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-07-29<\/span><\/td>\n<td style=\"text-align: center; height: 25px; 
width: 20.9906%;\"><span style=\"font-weight: 400;\">2025-09-18<\/span><\/td>\n<td style=\"height: 25px; width: 195.519%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 10pt;\">Table 2. IPv4 addresses of the C2 servers.<\/span><\/p>\n<p>Table 3 lists the fully qualified domain names (FQDNs) associated with the malware discussed in this article.<\/p>\n<table style=\"width: 97.9793%;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: center; height: 24px; width: 63.9175%;\"><b>Domain<\/b><\/td>\n<td style=\"text-align: center; height: 24px; width: 181.031%;\"><b>Associated malware<\/b><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Odyssey1[.]to<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Odyssey-st[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">sdojifsfiudgigfiv[.]to<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Charge0x[.]at<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td 
style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">speedtestcheck[.]org<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">claudflurer[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">teamsonsoft[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Macosapp-apple[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">tradingview.connect-app.us[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">treadingveew.last-desk[.]org<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">tradingviewen[.]com<\/span><\/td>\n<td 
style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">financementure[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Cryptoinfnews[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Emailreddit[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Macosxappstore[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Cryptoinfo-news[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Cryptoinfo-allnews[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 
63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">apposx[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ttxttx[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Greenpropertycert[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cloudlare-lndex[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Dactarhome[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ibs-express[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">Odyssey<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">favorite-hotels[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span 
style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">watchlist-verizon[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Growsearch[.]in<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Creatorssky[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">quirkyrealty[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Sharanilodge[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">asmicareer[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; 
font-family: 'courier new', courier, monospace;\">crm.jskymedia[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">coffeyelectric[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Sifld.rajeshmhegde[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 26px;\">\n<td style=\"height: 26px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Pixelline[.]in<\/span><\/td>\n<td style=\"height: 26px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">techinnovhub[.]co[.]za<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">fudgeshop[.]com[.]au<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">evodigital[.]com[.]au<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 
400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 63.9175%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">365-drive[.]com<\/span><\/td>\n<td style=\"height: 25px; width: 181.031%;\"><span style=\"font-weight: 400;\">DeerStealer<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 10pt;\">Table 3. FQDNs associated with the malware discussed in this article.<\/span><\/p>\n<p><strong>Note<\/strong>: in some cases, the ClickFix phishing page is not hosted on a domain registered by the threat actor but is injected into a legitimate website that the actor has compromised. The actor adds a malicious JavaScript snippet that performs several manipulations of the DOM structure, including injecting the ClickFix phishing lure. It uses Tailwind CSS to override the site's original layout and appearance so that the phishing content is displayed in full in place of the legitimate content.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 uncovers ClickFix phishing kits, which trivialize social engineering. 
Attackers can now easily trick users into manually running malware.<\/p>\n","protected":false},"author":366,"featured_media":160149,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8715,8832],"tags":[9673,9437,9672,9232,9233],"product_categories":[8956,8973,8979,8955,9041,9053,9064],"coauthors":[3154],"class_list":["post-160518","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business-email-compromise-fr","category-threat-research-fr","tag-bash-fr","tag-clickfix-fr","tag-phishing-kit-fr","tag-powershell-fr","tag-remote-access-trojan-fr","product_categories-advanced-dns-security-fr","product_categories-advanced-url-filtering-fr","product_categories-advanced-wildfire-fr","product_categories-cloud-delivered-security-services-fr","product_categories-cortex-fr","product_categories-cortex-xdr-fr","product_categories-cortex-xsiam-fr"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>The phishing factory: spotlight on IUAM ClickFix Generator<\/title>\n<meta name=\"description\" content=\"Unit 42 uncovers ClickFix phishing kits, which trivialize social engineering. 
Les attaquants peuvent d\u00e9sormais tromper facilement les utilisateurs pour qu\u2019ils ex\u00e9cutent manuellement des malwares.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix Generator\" \/>\n<meta property=\"og:description\" content=\"Unit 42 d\u00e9couvre les kits d\u2019hame\u00e7onnage ClickFix, qui trivialisent l\u2019ing\u00e9nierie sociale. Les attaquants peuvent d\u00e9sormais tromper facilement les utilisateurs pour qu\u2019ils ex\u00e9cutent manuellement des malwares.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-08T16:16:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-14T12:46:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Amer Elsad\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix Generator","description":"Unit 42 d\u00e9couvre les kits d\u2019hame\u00e7onnage ClickFix, qui trivialisent l\u2019ing\u00e9nierie sociale. 
Les attaquants peuvent d\u00e9sormais tromper facilement les utilisateurs pour qu\u2019ils ex\u00e9cutent manuellement des malwares.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/","og_locale":"fr_FR","og_type":"article","og_title":"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix Generator","og_description":"Unit 42 d\u00e9couvre les kits d\u2019hame\u00e7onnage ClickFix, qui trivialisent l\u2019ing\u00e9nierie sociale. Les attaquants peuvent d\u00e9sormais tromper facilement les utilisateurs pour qu\u2019ils ex\u00e9cutent manuellement des malwares.","og_url":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/","og_site_name":"Unit 42","article_published_time":"2025-10-08T16:16:53+00:00","article_modified_time":"2025-10-14T12:46:47+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg","type":"image\/jpeg"}],"author":"Amer Elsad","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/"},"author":{"name":"Sheida Azimi","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639"},"headline":"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix 
Generator","datePublished":"2025-10-08T16:16:53+00:00","dateModified":"2025-10-14T12:46:47+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/"},"wordCount":3642,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg","keywords":["bash","ClickFix","Phishing Kit","PowerShell","Remote Access Trojan"],"articleSection":["Compromission de messagerie professionnelle (BEC)","Recherche sur les menaces"],"inLanguage":"fr-FR"},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/","url":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/","name":"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix Generator","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg","datePublished":"2025-10-08T16:16:53+00:00","dateModified":"2025-10-14T12:46:47+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639"},"description":"Unit 42 d\u00e9couvre les kits d\u2019hame\u00e7onnage ClickFix, qui trivialisent l\u2019ing\u00e9nierie sociale. 
Les attaquants peuvent d\u00e9sormais tromper facilement les utilisateurs pour qu\u2019ils ex\u00e9cutent manuellement des malwares.","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/10\/03_Malware_Category_1920x900.jpg","width":1920,"height":900,"caption":"Pictorial representation of a IUAM ClickFix generator. An artistic depiction of a digital workspace featuring an open laptop with a red virus on the screen, indicating malware."},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/clickfix-generator-first-of-its-kind\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/"},{"@type":"ListItem","position":2,"name":"L\u2019usine d\u2019hame\u00e7onnage : mise en lumi\u00e8re d\u2019IUAM ClickFix Generator"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639","name":"Sheida 
Azimi","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Sheida Azimi"},"url":"https:\/\/unit42.paloaltonetworks.com\/fr\/author\/sheida-azimi\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/160518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/users\/366"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/comments?post=160518"}],"version-history":[{"count":3,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/160518\/revisions"}],"predecessor-version":[{"id":160719,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/160518\/revisions\/160719"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/media\/160149"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/media?parent=160518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/categories?post=160518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/tags?post=160518"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/product_categories?post=160518"},{"taxonomy":"author","embeddable":true,"href":"https
:\/\/unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/coauthors?post=160518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}