Overview
Cybercriminals continue to evolve their delivery techniques by combining compromised websites, obfuscated JavaScript, and blockchain technology. In a recent campaign, we observed threat actors compromising legitimate WordPress websites to inject malicious ClickFix code that ultimately delivers malware to unsuspecting visitors.
What makes this campaign particularly interesting is that the malicious infrastructure is not hardcoded within the injected JavaScript. Instead, the script retrieves its configuration from a Polygon smart contract at runtime, allowing the threat actor to rotate infrastructure without modifying every compromised website.
This approach significantly increases the resilience of the campaign while making traditional static detection far less effective. Figure 1 illustrates the attack flow of the observed campaign.

Figure 1: Clickfix Attack Flow
Attack Overview
The attack begins with a legitimate WordPress website that has been compromised. Instead of redirecting visitors immediately to a phishing or malware site, the attacker injects an obfuscated JavaScript payload into the page. Figure 2 illustrates the injected code of a domain.

Figure 2: Malicious Code Injected into Infected Website
The injected code is encoded using Base64 and runtime XOR decryption techniques, making it difficult for analysts and security tools to determine its true purpose through static inspection.
Once executed inside the visitor's browser, the JavaScript performs an Ethereum JSON-RPC eth_call against a Polygon smart contract as shown in Figure 3. The response contains the hex values of the active domain that hosts the latest ClickFix payload. Figure 4 shows the decoded C2.

Figure 3: Retrieving C2 Using ETH_CALL

Figure 4: Decoded C2
The script then dynamically injects that domain into the page and loads the next-stage JavaScript directly from the attacker-controlled infrastructure.
At no point is the final payload URL permanently stored inside the compromised WordPress site.
C2 Payload Retrieval
Once the C2 domain is retrieved, the malicious code dynamically injects a <script> tag that references the returned domain. This causes the compromised website to automatically download the next-stage payload and execute the ClickFix code. Figure 5 shows the injected script.
Malicious URL:
hxxps://authorization-cdn-press-enter.info/api.php?s=7590ecff04b7cf42db53aa9cdc02bd41af9499874c3c6ba5

Figure 5: Inject Code
The payload is encoded and encrypted using XOR encryption. Once decrypted, it reveals the ClickFix code responsible for injecting the appropriate malicious script based on the victim's operating system. Figure 6 shows the decrypted code.

Figure 6: ClickFix – Deobfuscated Injected JavaScript
Why Use a Smart Contract?
Using a Polygon smart contract as a configuration source provides several operational advantages.
- Infrastructure Rotation - The attacker can change payload domains without modifying every compromised website.
- Resilience - The smart contract address remains constant while the associated infrastructure evolves.
- Separation of Components - The compromised WordPress site never permanently contains the active payload domain.
- Reduced Static Indicators - Static scanners inspecting the HTML or JavaScript may never observe the final malicious domain.
- Decentralized Availability - Any public Polygon RPC endpoint can return the current configuration, reducing reliance on a single web server.

Figure 7: ClickFix – Polygon Smart Contract C2 Domains
Challenges for Defenders
Traditional web scanning often focuses on:
- Known malicious URLs
- Suspicious JavaScript
- Hardcoded C2 domains
This campaign deliberately avoids embedding those indicators.
Instead, defenders should monitor for:
- Browser-side Ethereum JSON-RPC requests
- Unexpected
eth_calloperations - Runtime Base64 decoding
- Dynamic script injection
- Calls to public blockchain RPC endpoints from websites that normally should not interact with blockchain infrastructure
These behavioral indicators are far more valuable than searching for individual domains.
Detection Recommendations
Organizations should consider monitoring for:
- Newly modified WordPress theme or plugin files
- Unauthorized administrator accounts
- JavaScript containing large Base64 blobs
- Use of
eval(),Function(), or similar dynamic execution patterns - Browser requests to Polygon RPC providers
- Dynamic creation of
<script>elements - Runtime retrieval of remote JavaScript after blockchain queries
Security teams should also inspect web server logs for unauthorized modifications and verify the integrity of WordPress installations regularly.
Conclusion
This campaign demonstrates how attackers continue to modernize their infrastructure.
Rather than embedding payload locations directly into compromised websites, they use blockchain as a resilient configuration layer that returns the active payload domain on demand. Combined with runtime JavaScript decryption and ClickFix social engineering, this architecture reduces static indicators and allows the attacker to update infrastructure with minimal effort.
For defenders, the lesson is clear: detecting modern web-based malware requires looking beyond hardcoded URLs. Runtime behavior, blockchain interactions, dynamic script loading, and unusual browser activity provide stronger signals than static signatures alone.
As threat actors continue to experiment with decentralized technologies, defenders should expect blockchain-backed configuration techniques to become increasingly common in phishing and malware delivery campaigns.
IOCs
178.16.52.101www[.]authorization-cdn-press-enter[.]infoauthorization-cdn-press-enter[.]infowww[.]authorization-id-code[.]infoauthorization-id-code[.]infowww[.]authorization-code[.]infowww[.]authorization-code[.]beerwww[.]codeverificatrorcl[.]infoauthorization-code[.]beermail[.]thewellformedwoman[.]coms1[.]thewellformedwoman[.]comftp[.]thewellformedwoman[.]comautodiscover[.]thewellformedwoman[.]comautoconfig[.]thewellformedwoman[.]comcodeverificatrorcl[.]infoauthorization-code[.]infowww[.]idverification-cdn[.]infoidverification-cdn[.]infowww[.]verificationscodes[.]beerverificationscodes[.]beerwww[.]verification-claude-cdn[.]beerverification-claude-cdn[.]beercode[.]verification-claude-cdn[.]beerwww[.]claudverification-id[.]beerclaudverification-id[.]beerwww[.]idverification-code[.]beeridverification-code[.]beerwww[.]codecerification[.]beerwww[.]code-verification-js[.]beerwww[.]verification-code-js[.]beercodecerification[.]beercode-verification-js[.]beerverification-code-js[.]beerwww[.]svs-verificationdate[.]beersvs-verificationdate[.]beerwww[.]cdn-verification-cloud[.]boatscdn-verification-cloud[.]boatswww[.]verification-js-cdn[.]boatsverification-js-cdn[.]boatswww[.]framework-css-styles-js[.]beerwww[.]thewellformedwoman[.]comframework-css-styles-js[.]beerwww[.]ethercdnns[.]beerethercdnns[.]beerwww[.]clhfgcomacdn[.]beerclhfgcomacdn[.]beerwww[.]ladydosug[.]lovewww[.]istounscnnd[.]beerwww[.]trunnsns[.]beerwww[.]mstclaudens[.]beerwww[.]xdavnode[.]proistounscnnd[.]beermstclaudens[.]beertrunnsns[.]beerwww[.]hftplcnsns[.]beerwww[.]lskannsserv[.]beerthewellformedwoman[.]comhftplcnsns[.]beerlskannsserv[.]beerwww[.]hasmeverdcdn[.]beerxdavnode[.]prohasmeverdcdn[.]beerwww[.]claufancdn[.]beerwww[.]srtydnnc[.]beerwww[.]bhfgtrns-js[.]beersrtydnnc[.]beerbhfgtrns-js[.]beerclaufancdn[.]beerwww[.]tescdnlast[.]beerwww[.]smfcdnbb[.]beerwww[.]shssshdscn[.]beerwww[.]snccdn-framework[.]beerwww[.]testapi34726[.]sbstescdnlast[.]beertestapi34726[.]sbssmfcdnbb[.]beerwww[.]nstdcs[.]beersnccdn-framework[.]beershssshdscn[.]beernstdcs[.]beerwww[.]framework-jsoncdn[.]beerwww[.]gppcdnns[.]beerframework-jsoncdn[.]beerwww[.]ladydosug[.]livewww[.]ladydosug[.]topwww[.]hpscdn[.]beergppcdnns[.]beerladydosug[.]liveladydosug[.]lovehpscdn[.]beerwww[.]nvbfcdnclaud[.]beerwww[.]lnfcdnclad[.]beerladydosug[.]topnvbfcdnclaud[.]beerlnfcdnclad[.]beerwww[.]clainasns[.]beerwww[.]nshtjscdn[.]beerwww[.]nfstsrcdn[.]beernshtjscdn[.]beerclainasns[.]beerwww[.]gdnssljs[.]beerwww[.]biyaconserver[.]beerwww[.]npanssltejs[.]beernfstsrcdn[.]beerwww[.]bootstrup-framework-js[.]beerbiyaconserver[.]beergdnssljs[.]beernpanssltejs[.]beerwww[.]nshostvps[.]beerwww[.]chekbrow[.]beernshostvps[.]beerbootstrup-framework-js[.]beerwww[.]smtnscerver[.]beersmtnscerver[.]beerchekbrow[.]beerwww[.]sns-clauder-cdn[.]beerwww[.]anlytic-js-cloud[.]beerwww[.]visual-ns-portal[.]beervisual-ns-portal[.]beersns-clauder-cdn[.]beerwww[.]slndcdnclaud[.]beeranlytic-js-cloud[.]beerwww[.]bootstrup-cdnmaper[.]beerwww[.]nsserv-bootstru[.]beerwww[.]ns1cdnclaude[.]beerslndcdnclaud[.]beerbootstrup-cdnmaper[.]beernsserv-bootstru[.]beerns1cdnclaude[.]beerwww[.]slngftr[.]beerslngftr[.]beerwww[.]travel-js-ns[.]beerwww[.]smetana-js[.]beerwww[.]mistraljs[.]beersmetana-js[.]beertravel-js-ns[.]beerwww[.]lsikjsns[.]beerwww[.]ssns-cdn-ns[.]beerlsikjsns[.]beermistraljs[.]beerssns-cdn-ns[.]beerwww[.]sane-cdn-js[.]beerwww[.]sr-hostes-js[.]beerwww[.]darndcs-js[.]beerwww[.]bkscndclou[.]beersr-hostes-js[.]beersane-cdn-js[.]beerbkscndclou[.]beerdarndcs-js[.]beerwww[.]bcncdncl-ns[.]beerbcncdncl-ns[.]beerwww[.]viscdnclaud[.]beerwww[.]ldnscreatejs[.]beerviscdnclaud[.]beerwww[.]testerlau[.]latldnscreatejs[.]beertesterlau[.]latwww[.]nfsclaudecdn[.]beernfsclaudecdn[.]beerwww[.]ssjscrybootstrup[.]beerssjscrybootstrup[.]beerwww[.]clacndjsvulnarbi[.]beerclacndjsvulnarbi[.]beerwww[.]las-js-claud[.]beerwww[.]claudjaframework[.]beerlas-js-claud[.]beerclaudjaframework[.]beerwww[.]framesavecloudjs[.]beerframesavecloudjs[.]beerwww[.]olnsclaud[.]beerwww[.]frameworkjsbns[.]beerframeworkjsbns[.]beerwww[.]nsserdns[.]beerwww[.]claudesave[.]beerwww[.]nsbdnscloud[.]beerolnsclaud[.]beerclaudesave[.]beernsbdnscloud[.]beernsserdns[.]beerwww[.]cloude-js-server[.]beerwww[.]best-claudns-js[.]beerbest-claudns-js[.]beercloude-js-server[.]beerwww[.]awesomeisojs[.]beerawesomeisojs[.]beerwww[.]ns-claude-js[.]beerwww[.]ntsnsdns[.]beerns-claude-js[.]beerntsnsdns[.]beerwww[.]vjscloudjsns[.]beerwww[.]nslsconscloud[.]beervjscloudjsns[.]beernslsconscloud[.]beerwww[.]ns-server-jscdn[.]beerwww[.]lcstdnsns[.]beerns-server-jscdn[.]beerlcstdnsns[.]beerwww[.]cloudcdnginx[.]beercloudcdnginx[.]beerwww[.]bootstrap-maxcdn[.]beerwww[.]dhnsdns[.]beerbootstrap-maxcdn[.]beerdhnsdns[.]beerwww[.]fijscdn[.]beerwww[.]bootstrup-cdn-ns[.]beerwww[.]bbdsnssserver[.]beerwww[.]lsnsdns[.]beerwww[.]fontawesome-js-cdn[.]beerwww[.]bilfojsclod[.]beerbootstrup-cdn-ns[.]beerfontawesome-js-cdn[.]beerbbdsnssserver[.]beerlsnsdns[.]beerfijscdn[.]beerbilfojsclod[.]beerwww[.]dreff-nsdns[.]beerdreff-nsdns[.]beerwww[.]vsactivens[.]beervsactivens[.]beerwww[.]jsframeworkns[.]beerwww[.]nsservclod[.]beerwww[.]clnsdns[.]beernsservclod[.]beerjsframeworkns[.]beerclnsdns[.]beerwww[.]bnnsbdsdn-js[.]beerwww[.]polygon-date[.]beerwww[.]mnoskemp[.]beerwww[.]bnsclod[.]beerbnnsbdsdn-js[.]beerwww[.]vnmstokns[.]beermnoskemp[.]beerbnsclod[.]beerpolygon-date[.]beervnmstokns[.]beerwww[.]ghdnsserverns[.]beerghdnsserverns[.]beerwww[.]smnsdns[.]beerwww[.]sssndns[.]beerwww[.]vnmdnns[.]beersmnsdns[.]beersssndns[.]beervnmdnns[.]beerwww[.]neiwteamcdn[.]beerneiwteamcdn[.]beerwww[.]cgfuryclaud[.]shopcgfuryclaud[.]shopwww[.]exdanteam[.]beerwww[.]l3cdnns[.]beerexdanteam[.]beerl3cdnns[.]beerwww[.]lenteam[.]beerwww[.]dncloteam[.]beerlenteam[.]beerwww[.]sdnssmdf-js[.]beerwww[.]vsbnsbootstrup[.]beerdncloteam[.]beerwww[.]teamcss[.]beerwww[.]siteamnsserv[.]beersiteamnsserv[.]beervsbnsbootstrup[.]beersdnssmdf-js[.]beerteamcss[.]beerwww[.]wpteamcdn[.]beerwww[.]js-server[.]beerwww[.]lndteam[.]beerjs-server[.]beerwww[.]sdhscndnssl[.]beerwww[.]stabcdnvlc[.]beerwww[.]lckcdnjs[.]beerlndteam[.]beerwpteamcdn[.]beerlckcdnjs[.]beersdhscndnssl[.]beerstabcdnvlc[.]beerwww[.]workcdnmass[.]beerworkcdnmass[.]beerwww[.]capcha-cdn-js[.]beerwww[.]cdn-plugin-js[.]beerwww[.]ssg-cdn[.]beerssg-cdn[.]beercapcha-cdn-js[.]beercdn-plugin-js[.]beerwww[.]rpc-cloud[.]beerrpc-cloud[.]beerwww[.]localcloudcss[.]sbslocalcloudcss[.]sbswww[.]cdn-yethounds[.]beercdn-yethounds[.]beerwww[.]verification-cdn-cloud[.]beerwww[.]lcates-vs[.]beerverification-cdn-cloud[.]beerlcates-vs[.]beerwww[.]cloud-save-image[.]sbscloud-save-image[.]sbswww[.]virtual-cdncloud[.]sbsvirtual-cdncloud[.]sbswww[.]winecdn[.]sbswww[.]cdn-2faclov[.]sbscdn-2faclov[.]sbswinecdn[.]sbswww[.]mandare[.]lifemandare[.]liferpc-polygon[.]beerwww[.]rpc-polygon[.]beerstr-smcontrcats[.]cfdwww[.]ai-nexora[.]sbsai-nexora[.]sbswww[.]all-imager-hst[.]clickwww[.]store-image[.]shopall-imager-hst[.]clickstore-image[.]shopwww[.]nexus-server[.]clicknexus-server[.]click
Want to detect threats 8+ months earlier?
See how DarkArmor's PreBreach intelligence can protect your organization.



