high | Loader

Operation CLICKSMOKE -- Deno-Based ClickFix MaaS Platform

Investigated: April 3, 2026 | Published: April 3, 2026
Tags: dakatawebstick, c2, rat, maas, cloudflare, tor, clickfix

TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime -- Malware-as-a-Service (MaaS) Source: @malwrhunterteam Twitter lead; ThreatFox IOC #1780556

Executive Summary

Investigation of dakatawebstick[.]com revealed a live, operational Deno-based ClickFix malware delivery platform operated by a threat actor using the alias "Smokest" (userId: 1943c7b8c0a029e2). The domain serves an obfuscated JavaScript payload (0/57 VT detection) that runs on the Deno runtime and implements a full implant lifecycle: victim fingerprinting, C2 session management, PowerShell-based persistence, and modular payload execution. The embedded JWT token exposed the entire build configuration, operator identity, and platform architecture. The infrastructure is hosted on Dedik Services Limited (AS207043), a bulletproof hosting provider registered in London by a Latvian individual, operating 16+ announced /24 prefixes. The C2 is confirmed LIVE as of 2026-04-03.

Key Findings

  • ZERO-DETECTION PAYLOAD: The JS implant (SHA256: 8ceb89e7e4c4cfe20ea5df2f0762967fa8f3f502f2696abbe2baa0c6b437841b) has 0/57 detections on VirusTotal as of 2026-04-03
  • JWT TOKEN EXPOSED: Hardcoded Bearer token decoded to reveal operator alias "Smokest", build ID, build type, and access token hash
  • MaaS PLATFORM: The build system uses structured JWT payloads with buildId, buildNote ("BatClickFixPS1NewV1"), buildType ("ps1"), and userId fields -- indicating a multi-tenant malware builder platform
  • DENO RUNTIME ABUSE: The implant runs on the Deno JavaScript runtime, a legitimate developer tool, rather than on WScript/cscript or a dropped native binary. Signature-based AV has little to match (0/57 on VT), but behavioural telemetry is untouched: the conhost/PowerShell process chain, the Run key write and the loopback listener are all visible to EDR
  • BULLETPROOF HOSTING: Hosted on Dedik Services Limited (AS207043), a known BPH provider with 16+ /24 prefixes, operated by Hramcovs Eduards (Latvia) from a London shell address
  • ADJACENT INFRASTRUCTURE: Port 1337 self-signed certificates across 94.26.90.0/24 expose Windows hostnames (DESKTOP-7J5DM9J, DESKTOP-7VF601O, WIN-DUJLB409JRK, DESKTOP-3KQVK7B, DESKTOP-AQEU99M), consistent with a fleet of remotely administered Windows VPS (RDP on a non-default port is the simplest explanation; see Certificate Analysis)
  • FRESH CAMPAIGN: Domain registered 2026-03-25, JWT issued 2026-03-31, ThreatFox reported 2026-04-02 -- the campaign was nine days old at the time of this report

What Was Found vs. What Was Known

Aspect | Prior Reporting | Our Findings
Domain | ThreatFox IOC (tags: ClickFix, Deno, payload) | Full JWT config, operator alias, build platform architecture
Operator | Unknown | "Smokest" (userId: 1943c7b8c0a029e2)
Infrastructure | Single domain | Full /24 subnet mapped, 5 Windows hostnames extracted, BPH provider identified
Detection | Unknown | 0/57 on VirusTotal at time of analysis (static detection only; says nothing about EDR behavioural coverage)
Payload | "Unknown malware" on ThreatFox | Complete behavioral analysis: persistence, fingerprinting, C2 protocol, module loader
Platform | Not identified | Multi-tenant MaaS with JWT-based build management, health-check failover, session-based module delivery

Attack Chain

[1] Social Engineering (ClickFix, T1204.004)
 |  User tricked into pasting a clipboard command into Run/Terminal
 v
[2] PowerShell / BAT Execution (T1059.001, T1059.003)
 |  buildType: "ps1" / "BatClickFixPS1NewV1"
 v
[3] Deno Runtime Download & Execution (T1059.007)
 |  Fetches 3c736f7304ddeadb.js from C2
 v
[4] Host Fingerprinting (T1082, T1033)
 |  USERNAME, hostname, memory, OS release -> HUID
 v
[5] TCP Mutex (127.0.0.1 bind)
 |  Prevents duplicate execution
 v
[6] Persistence Installation (T1547.001, T1053.005)
 |  Registry Run key + Scheduled Task + File copy to APPDATA/TEMP
 v
[7] C2 Session Establishment (T1071.001)
 |  GET /session with JWT auth + HUID + username + hostname
 v
[8] Module Download & Execution (T1105)
 |  Fetched module saved to disk, executed via Deno.Command()
 v
[9] Ongoing C2 Loop
    Retry with URL rotation on failure, sleep between cycles

Infrastructure Analysis

Network Infrastructure

IP | ASN | Provider | Ports | Services | Status | Notes
94.26.90.100 | AS207043 | Dedik Services Ltd | 80 | HTTP (C2) | LIVE | Primary C2 origin, Cloudflare proxied
94.26.90.95 | AS207043 | Dedik Services Ltd | 1337 | Self-signed TLS | LIVE | CN=WIN-DUJLB409JRK (created 2026-03-25)
94.26.90.91 | AS207043 | Dedik Services Ltd | 1337 | Self-signed TLS | LIVE | CN=DESKTOP-7J5DM9J (created 2026-03-22)
94.26.90.96 | AS207043 | Dedik Services Ltd | 1337 | Self-signed TLS | LIVE | CN=DESKTOP-7VF601O (created 2026-03-23)
94.26.90.101 | AS207043 | Dedik Services Ltd | 1337 | Self-signed TLS | LIVE | CN=DESKTOP-3KQVK7B (created 2025-12-22)
94.26.90.102 | AS207043 | Dedik Services Ltd | 1337 | Self-signed TLS | LIVE | CN=DESKTOP-AQEU99M (created 2025-12-22)
94.26.90.103 | AS207043 | Dedik Services Ltd | 80,445,1337,33060 | IIS 10.0 + SMB + MySQL | LIVE | Windows server; CVE-2020-0796 (SMBv3) reported, not validated
94.26.90.99 | AS207043 | Dedik Services Ltd | 22,80 | nginx 1.29.7 + SSH | LIVE | Linux host
94.26.90.98 | AS207043 | Dedik Services Ltd | 22,2222 | OpenSSH 8.4/9.6 | LIVE | Dual SSH
94.26.90.105 | AS207043 | Dedik Services Ltd | 22,80,443 | HTTP/HTTPS + SSH | LIVE | Self-signed
94.26.90.114 | AS207043 | Dedik Services Ltd | 80,1337,3001 | HTTP + TLS + Node? | LIVE | Port 3001 suggests dev/panel

Domain Infrastructure

Domain | Registrar | Created | NS | Purpose | Status
dakatawebstick[.]com | CNOBIN Information Technology Ltd (HK) | 2026-03-25 | ram.ns.cloudflare.com / tess.ns.cloudflare.com | ClickFix C2 proxy | LIVE

Certificate Analysis

CT Log Certificates (crt.sh):

Issuer | Serial | Not Before | Not After | SANs
Let's Encrypt E7 | 06e20d83c877f14e927f8509762a925d4473 | 2026-03-24 | 2026-06-22 | *.dakatawebstick[.]com, dakatawebstick[.]com
Sectigo DV E36 | 0095d8052741eb8475f0f42444cc4045d7 | 2026-03-25 | 2026-06-23 | *.dakatawebstick[.]com, dakatawebstick[.]com

Key observations:

  • Both certificates cover the apex and the wildcard, and both were issued within hours of registration -- automated setup. The Let's Encrypt notBefore (2026-03-24) sitting a day before the WHOIS creation date is expected: Let's Encrypt backdates notBefore by an hour and WHOIS dates depend on the registrar's timezone
  • Two 90-day DV certificates from different CAs is what Cloudflare Universal SSL produces (a primary certificate plus a backup from a second CA). A Cloudflare Origin CA certificate is never logged to public CT, so neither of these is the origin cert
  • Cloudflare assigns the NS pair (ram + tess) per account, so other domains on the same pair may be in the same account. The pair space is small and many unrelated accounts share one, so treat this pivot as a lead to corroborate, not a link

Self-Signed Certificates on Subnet (Port 1337):

IP | CN (Hostname) | Created | Purpose
94.26.90.91 | DESKTOP-7J5DM9J | 2026-03-22 | Windows VPS (RDP?)
94.26.90.95 | WIN-DUJLB409JRK | 2026-03-25 | Windows VPS (RDP?)
94.26.90.96 | DESKTOP-7VF601O | 2026-03-23 | Windows VPS (RDP?)
94.26.90.101 | DESKTOP-3KQVK7B | 2025-12-22 | Windows VPS (older)
94.26.90.102 | DESKTOP-AQEU99M | 2025-12-22 | Windows VPS (older)

The hostnames follow Windows default naming patterns (DESKTOP-XXXXXXX, WIN-XXXXXXXXXXX): nobody renamed these machines, so they are freshly provisioned Windows VPS instances. A self-signed certificate whose CN is the computer name is exactly what the RDP listener generates for itself, so RDP moved from 3389 to 1337 is the simplest reading of these five hosts. Confirming it needs a TLS handshake on that port followed by an RDP negotiation request; until then the "RDP?" in the table stays a question mark.

Hosting Hierarchy

Tier 0 (Upstream): OVH SAS (AS16276)
    |
Tier 1 (Transit): Dedik Services Limited (AS207043)
    |               UK shell company, Latvian operator
    |               16+ announced /24 prefixes
    |               abuse@dedik.io
    |
Tier 2 (Operational): 94.26.90.0/24
    |                   Mix of Linux (SSH/nginx) and Windows (IIS/RDP) VPS
    |                   Port 1337 management plane
    |
Tier 3 (C2): 94.26.90.100 -> Cloudflare -> dakatawebstick[.]com

ASN 207043 Route Announcements

Dedik Services announces at least these prefixes (partial list):

  • 2.27.160.0/24, 2.27.248.0/24
  • 82.25.63.0/24
  • 85.11.161.0/24, 85.239.144.0/24, 85.239.149.0/24
  • 94.26.90.0/24
  • 109.160.37.0/24
  • 151.240.151.0/24, 151.243.18.0/24, 151.243.28.0/24, 151.243.113.0/24, 151.243.150.0/24
  • 151.247.228.0/24
  • 167.148.195.0/24
  • 193.111.117.0/24

Malware Analysis

Sample Details

Property | Value
Filename | 3c736f7304ddeadb.js
SHA256 | 8ceb89e7e4c4cfe20ea5df2f0762967fa8f3f502f2696abbe2baa0c6b437841b
MD5 | ed716e3c2565426559c31b66a9c897b6
Size | 14,762 bytes
Type | JavaScript (Deno runtime)
VT Detection | 0/57 (2026-04-03)
First Seen | 2026-04-02 (ThreatFox)
Build ID | 3c736f7304ddeadb
Build Note | BatClickFixPS1NewV1
Build Type | ps1
Family | ClickFix/Deno MaaS

Obfuscation Layers

Layer 1: String Table Rotation

  • 252-entry array of base64-encoded strings (the Settings array)
  • Array rotated by 198 positions at initialization
  • Rotation is validated by a parseInt checksum loop: rotate until a weighted sum of parseInt() over a few decoded slots equals a hardcoded constant. This is the string-array rotation pattern javascript-obfuscator (obfuscator.io) emits, which narrows the toolchain the builder uses

Layer 2: Custom Base64 Decoder

  • channel() function implements standard base64 with URI decoding
  • Lookup function maps hex indices (offset 0x121) to decoded strings

Layer 3: Variable/Function Name Mangling

  • All meaningful names replaced with generic names (Store, Stream, Token, etc.)
  • Object property access via computed hex indices
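The three layers above are mechanical, so the unwrap can be scripted. The block below is an added example written for this report, not code from the sample or from the builder: it implements the rotate-until-checksum loop, the base64-plus-URI decoder and the 0x121 index offset described above, then runs them over a constructed 13-entry table. The table contents, the rotation amount (5 rather than 198), the probe slots and the checksum weights are all assumptions chosen so the demo is self-checking.

```javascript
// Added example (not code from the sample): unwinding a javascript-obfuscator-
// style rotated string table. The table contents, rotation amount, probe slots
// and checksum weights are constructed for this demo; only the mechanics
// (rotate-until-parseInt-checksum, base64 + URI decoding, 0x121 index offset)
// follow what the report describes.
const INDEX_OFFSET = 0x121;

// Layer 2: base64 -> raw bytes -> %XX -> decodeURIComponent (channel()'s job).
function decodeEntry(b64) {
  const bin = atob(b64);
  let pct = '';
  for (let i = 0; i < bin.length; i++) {
    pct += '%' + bin.charCodeAt(i).toString(16).padStart(2, '0');
  }
  return decodeURIComponent(pct);
}

// The obfuscator's alignment check: a weighted parseInt() sum over a few slots.
// A misaligned table yields NaN or a different number. Probes are assumed here.
const PROBES = [[0x124, 1], [0x12a, -1]];
function checksum(table) {
  let total = 0;
  for (const [hexIdx, weight] of PROBES) {
    total += parseInt(decodeEntry(table[hexIdx - INDEX_OFFSET]), 10) * weight;
  }
  return total;
}

// Layer 1: arr.push(arr.shift()) until checksum(table) === expected.
function derotate(shipped, expected) {
  const table = shipped.slice();
  for (let k = 0; k < table.length; k++) {
    if (checksum(table) === expected) return { rotation: k, table };
    table.push(table.shift());
  }
  throw new Error('no rotation satisfies the checksum');
}

// Resolver: hex index as used at the obfuscated call sites -> plaintext.
function buildResolver(shipped, expected) {
  const { rotation, table } = derotate(shipped, expected);
  const strings = table.map(decodeEntry);
  return { rotation, strings, lookup: (hexIdx) => strings[hexIdx - INDEX_OFFSET] };
}

// ---- constructed sample: encode a table, rotate it, hand it to the resolver ----
function encodeEntry(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}
const PLAIN = ['Deno', 'listen', '127.0.0.1', '42', 'AddrInUse', '/health', 'ok',
  '/session', 'x-huid', '1337', 'authorization', 'Bearer ', 'x-module-request'];
const ROTATION = 5;                  // the sample rotates 198 times; 5 is enough here
const encoded = PLAIN.map(encodeEntry);
const SHIPPED_TABLE = encoded.slice(-ROTATION).concat(encoded.slice(0, -ROTATION));
const EXPECTED_CHECKSUM = 42 - 1337; // checksum() of the correctly aligned table

const resolver = buildResolver(SHIPPED_TABLE, EXPECTED_CHECKSUM);
const healthPath = resolver.lookup(0x126); // '/health'
```

In practice the probe slots, weights and expected constant are copied straight out of the obfuscated IIFE that wraps the rotation loop, and `resolver.strings` is the strings dump you diff against future builds from the same platform.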

Extracted Configuration (from JWT)

{
  "buildId": "3c736f7304ddeadb",
  "buildNote": "BatClickFixPS1NewV1",
  "buildType": "ps1",
  "proxyUrls": ["http://dakatawebstick[.]com"],
  "userId": "1943c7b8c0a029e2",
  "userNote": "Smokest",
  "accessTokenHash": "2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359",
  "iat": 1774976839,
  "exp": 2090552839
}

JWT Timestamps:

  • Issued: 2026-03-31T17:07:19Z
  • Expires: 2036-03-31T05:07:19Z (exp - iat = 315,576,000 s, i.e. exactly 10 x 365.25 days, a builder fingerprint worth matching in other samples)
  • JWT Algorithm: HS256
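Pulling the configuration out of the token needs no key: the header and claims of a compact JWS are base64url, and only the third segment is signed. The block below is an added example for this report, not the platform's code or the sample's: it extracts a Bearer JWT from a strings dump, decodes header and claims, converts iat/exp, and flattens the pivot fields. The token is reconstructed from the claims listed above with a placeholder signature, since only the MaaS platform holds the HS256 secret; the surrounding `Settings[...]` text is constructed.

```javascript
// Added example (not code from the sample): parsing the implant's hardcoded
// JWT without the signing secret. The token is rebuilt from the claims in this
// report; its third segment is a placeholder because only the platform holds
// the HS256 key, so nothing here verifies a signature.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  let pct = '';
  for (let i = 0; i < bin.length; i++) pct += '%' + bin.charCodeAt(i).toString(16).padStart(2, '0');
  return decodeURIComponent(pct);
}
function b64urlEncode(str) {
  let bin = '';
  for (const b of new TextEncoder().encode(str)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Pull Bearer JWTs out of a strings dump or de-obfuscated source.
function findBearerJwts(text) {
  const re = /Bearer\s+(eyJ[\w-]+\.[\w-]+\.[\w-]+)/g;
  return Array.from(text.matchAll(re), (m) => m[1]);
}

const iso = (unix) => new Date(unix * 1000).toISOString().replace(/\.000Z$/, 'Z');

// Decode header and claims; surface what an analyst wants to pivot on.
function inspectJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: ' + parts.length + ' segments');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const claims = JSON.parse(b64urlDecode(parts[1]));
  return {
    alg: header.alg,
    // HS* means one shared secret signs and verifies: a client-held token can be
    // read but neither forged nor validated without the server's key.
    symmetricAlg: /^HS/.test(header.alg || ''),
    issued: iso(claims.iat),
    expires: iso(claims.exp),
    lifetimeDays: (claims.exp - claims.iat) / 86400,
    pivots: {
      buildId: claims.buildId, userId: claims.userId, userNote: claims.userNote,
      accessTokenHash: claims.accessTokenHash, proxyUrls: claims.proxyUrls,
    },
    claims,
  };
}

// ---- constructed token carrying the claims reported above ----
const REPORTED_CLAIMS = {
  buildId: '3c736f7304ddeadb', buildNote: 'BatClickFixPS1NewV1', buildType: 'ps1',
  proxyUrls: ['http://dakatawebstick[.]com'], userId: '1943c7b8c0a029e2', userNote: 'Smokest',
  accessTokenHash: '2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359',
  iat: 1774976839, exp: 2090552839,
};
const SAMPLE_JWT = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
  b64urlEncode(JSON.stringify(REPORTED_CLAIMS)) + '.placeholder_signature';
// Constructed strings-dump line, standing in for the de-obfuscated table.
const SAMPLE_DUMP = 'Settings[0x1a2]="authorization";Settings[0x1a3]="Bearer ' + SAMPLE_JWT + '";';
const tokenReport = inspectJwt(findBearerJwts(SAMPLE_DUMP)[0]);
```

The `eyJhbGciOiJIUzI1NiI` prefix in the network signatures section is just the base64url of `{"alg":"HS256"`, which is why it works as a cheap content match for any build from this platform.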

Behavioral Analysis

1. Anti-Duplicate Execution (Mutex)

  • Binds TCP socket on 127.0.0.1 using Deno.listen()
  • If Deno.errors.AddrInUse caught, exits silently
  • Effective single-instance lock without file/registry mutex

2. Host Fingerprinting

  • Collects: USERNAME/USER env var, hostname, system memory, OS release
  • Generates hardware UID (HUID) via custom hash function U()
  • HUID sent with every C2 request for victim tracking

3. C2 Communication Protocol

  • Health Check: GET /health -- expects response body to trim to "ok"
  • Session Fetch: GET /session with headers:
    • x-module-request: main
    • authorization: Bearer <JWT>
    • x-huid: <hardware_uid>
    • x-username: <username>
    • x-hostname: <hostname>
  • Failover: Promise.any() across proxy URL list; rotate on failure
  • Retry: Infinite loop with sleep timer between attempts

4. Persistence Mechanisms

  • File Persistence: Copies self to %APPDATA%\<hash>.js and %TEMP%\<hash>.js
  • Registry Run Key: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\<hash>
    • Value: PowerShell command launching Deno with the implant script
  • Execution Method: conhost.exe --headless powershell.exe -WindowStyle Hidden -Command <deno_path> -A <script_path>
  • Scheduled Task: listed in the attack-chain summary, but the only persistence write described here is the Set-ItemProperty -Force on the Run key (the -Force flag overwrites an existing value without prompting). No schtasks or Register-ScheduledTask call is recorded, so treat the T1053.005 mapping as unconfirmed

5. Module Execution

  • Downloads module from /session endpoint
  • Saves to local file path
  • Executes via Deno.Command() with stdout: "inherit" and stderr: "inherit"
  • Module runs as child process of Deno runtime

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM
  • Alias: Smokest (from JWT userNote field)
  • User ID: 1943c7b8c0a029e2 (platform-assigned)
  • Motivation: Financial (MaaS customer / cybercrime)
  • OPSEC Failures:
    1. JWT hardcoded inside the obfuscated JS; the claims are base64url, so they are readable without the signing secret (HS256 does mean the token cannot be forged or validated without the platform's key, only read)
    2. Operator alias "Smokest" embedded in a production payload
    3. Platform userId leaked, enabling cross-campaign correlation
    4. accessTokenHash leaked (SHA-256: 2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359): a stable correlation key for every build from this account; cracking it only works if the underlying access token is low-entropy, which a platform-generated token usually is not
    5. Build metadata (BatClickFixPS1NewV1) reveals the versioning scheme and the delivery TTP
  • Platform Role: Smokest appears to be a customer/operator of a larger MaaS platform, not the platform developer. The structured JWT with userId, buildId, and buildType fields indicates a managed builder service.

Actor Timeline

Date | Event | Evidence
2026-03-22 | Adjacent Windows VPS provisioned (DESKTOP-7J5DM9J) | Self-signed cert on 94.26.90.91:1337
2026-03-23 | Another Windows VPS provisioned (DESKTOP-7VF601O) | Self-signed cert on 94.26.90.96:1337
2026-03-25 | Domain dakatawebstick[.]com registered | WHOIS creation date
2026-03-24 to 03-25 | TLS certificates issued (LE on 03-24, Sectigo on 03-25) | crt.sh CT logs
2026-03-25 | Windows VPS provisioned (WIN-DUJLB409JRK) | Self-signed cert on 94.26.90.95:1337
2026-03-31 | JWT token issued (build compiled) | JWT iat claim
2026-04-02 | ThreatFox IOC submitted | ThreatFox #1780556 by HuntYethHounds
2026-04-02 | @malwrhunterteam tweets about domain | Twitter OSINT
2026-04-03 | C2 confirmed LIVE | Breakglass recon (GET /health -> "ok")

Victim Analysis

Confirmed Victims

No confirmed victims identified at this time. The /session endpoint answers only per-session requests carrying the Bearer token and the client-supplied identity headers (x-huid, x-username, x-hostname); it exposes no listing, so victims cannot be enumerated passively.

Targeting Patterns

  • Delivery Method: ClickFix social engineering (trick users into copying/pasting malicious commands)
  • Target OS: Windows (PowerShell/BAT execution, Registry Run key, APPDATA/TEMP paths)
  • Build Type: ps1 (PowerShell) -- indicates targeting of standard Windows desktop users
  • Campaign Age: nine days from domain registration to this report -- likely still in early deployment

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Execution | User Execution: Malicious Copy and Paste | T1204.004 | ClickFix social engineering (the user pastes the command; T1204.001 Malicious Link does not fit)
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PS1 build type, conhost --headless powershell
Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | Deno runtime JS implant
Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 | HKCU:...\Run registry persistence
Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Listed in the attack chain; not confirmed in the behavioral analysis
Defense Evasion | Obfuscated Files or Information | T1027 | 252-entry rotated string table + base64
Defense Evasion | Hide Artifacts: Hidden Window | T1564.003 | conhost --headless, -WindowStyle Hidden
Discovery | System Information Discovery | T1082 | hostname, OS release, system memory
Discovery | System Owner/User Discovery | T1033 | USERNAME/USER env var collection
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP-based C2 on port 80
Command and Control | Data Encoding: Standard Encoding | T1132.001 | Weak fit: the base64url JWT is an auth credential, not encoded C2 data; the base64 string table is already covered by T1027
Command and Control | Ingress Tool Transfer | T1105 | Module download from /session

IOC Summary

Network Indicators

Domains:

  • dakatawebstick[.]com (ClickFix C2 proxy)

IP Addresses:

  • 94.26.90[.]100 (C2 origin, AS207043 Dedik Services)

URLs:

  • hxxp://dakatawebstick[.]com/3c736f7304ddeadb.js (JS implant delivery)
  • hxxp://dakatawebstick[.]com/health (C2 health check)
  • hxxp://dakatawebstick[.]com/session (C2 session/module endpoint)

Adjacent Infrastructure (94.26.90.0/24):

  • 94.26.90[.]91 (port 1337, CN=DESKTOP-7J5DM9J)
  • 94.26.90[.]95 (port 1337, CN=WIN-DUJLB409JRK)
  • 94.26.90[.]96 (port 1337, CN=DESKTOP-7VF601O)
  • 94.26.90[.]101 (port 1337, CN=DESKTOP-3KQVK7B)
  • 94.26.90[.]102 (port 1337, CN=DESKTOP-AQEU99M)
  • 94.26.90[.]103 (ports 80,445,1337,33060 -- IIS + SMB + MySQL)
  • 94.26.90[.]114 (ports 80,1337,3001)

File Indicators

Hash | Type | Value
SHA256 | JS Payload | 8ceb89e7e4c4cfe20ea5df2f0762967fa8f3f502f2696abbe2baa0c6b437841b
MD5 | JS Payload | ed716e3c2565426559c31b66a9c897b6

Behavioral Indicators

Persistence Artifacts:

  • Registry: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\<8-char-hash>
  • File: %APPDATA%\<hash>.js
  • File: %TEMP%\<hash>.js

Network Signatures:

  • HTTP GET to /health expecting body ok
  • HTTP GET to /session with headers: x-module-request, x-huid, x-username, x-hostname
  • Authorization header: Bearer eyJhbGciOiJIUzI1NiI... (HS256 JWT)

Process Indicators:

  • conhost.exe --headless powershell.exe -WindowStyle Hidden
  • Deno runtime (deno.exe) executing .js files from APPDATA/TEMP
  • TCP listener on localhost (mutex)

JWT Build Identifiers:

  • buildId: 3c736f7304ddeadb
  • userId: 1943c7b8c0a029e2
  • userNote: Smokest
  • accessTokenHash: 2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359

YARA Rules

See yara_rules/clickfix_deno_smokest.yar

Suricata Rules

See suricata_rules.rules

Recommendations

Immediate (24-48 hours)

  1. Block dakatawebstick[.]com at DNS and web proxy. The implant's proxyUrls point at the Cloudflare-proxied hostname, so a firewall rule for 94.26.90[.]100 only catches direct-to-origin traffic; the DNS block is what breaks the C2 loop
  2. Hunt for deno.exe executing .js files from %APPDATA% or %TEMP% (the dropped copy is named after a hex hash)
  3. Hunt for HKCU Run values whose data contains deno and a .js path
  4. Hunt for conhost.exe --headless powershell.exe -WindowStyle Hidden process chains, especially ones with a deno.exe child
  5. Deploy the YARA and Suricata rules from this report
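The behavioral indicators and the hunts above reduce to a handful of string and header checks. The block below is an added example for this report, separate from its YARA and Suricata rules: it turns the process, Run-key and HTTP indicators into matching functions and runs them over constructed telemetry (two malicious process events, one benign Deno developer invocation, one ordinary conhost, a malicious and a benign Run value, and three HTTP requests). The event shapes, the deno.exe install path and every sample value are assumptions; the patterns are the ones listed in this report.

```javascript
// Added example (not the report's YARA/Suricata rules): the host and network
// indicators turned into matching logic and run over constructed telemetry.
// The event shapes, the deno.exe install path and the sample values are
// assumptions; the indicator patterns are the ones listed in the report.

// <hash>.js dropped in %APPDATA% (Roaming) or %TEMP% (Local\Temp)
const DROPPED_JS = /\\AppData\\(?:Roaming|Local\\Temp)\\[0-9a-f]{8,32}\.js\b/i;

function checkProcess(ev) {
  const hits = [];
  const image = ev.image.toLowerCase();
  const cl = ev.commandLine.toLowerCase();
  // conhost.exe --headless powershell.exe -WindowStyle Hidden ...
  if (image.endsWith('\\conhost.exe') && cl.includes('--headless') &&
      cl.includes('powershell') && cl.includes('-windowstyle hidden')) {
    hits.push('conhost --headless launching hidden PowerShell');
  }
  // deno.exe -A <hash>.js from APPDATA/TEMP, wherever deno.exe itself lives
  if (image.endsWith('\\deno.exe') && /\s-a\s/.test(cl) && DROPPED_JS.test(ev.commandLine)) {
    hits.push('deno.exe -A running dropped .js from APPDATA/TEMP');
  }
  return hits;
}

function checkRunValue(rv) {
  const data = rv.data.toLowerCase();
  const hexName = /^[0-9a-f]{8,32}$/i.test(rv.name);
  return (hexName && data.includes('deno') && data.includes('.js'))
    ? ['HKCU Run value: hex-named, launches deno with a .js'] : [];
}

function checkHttp(req) {
  const hits = [];
  const h = Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const implantHeaders = ['x-module-request', 'x-huid', 'x-username', 'x-hostname'];
  if (req.path === '/session' && implantHeaders.every((k) => k in h)) {
    hits.push('/session with x-module-request/x-huid/x-username/x-hostname');
  }
  if (req.path === '/session' && /^Bearer eyJhbGciOiJIUzI1NiI/.test(h.authorization || '')) {
    hits.push('/session with HS256 JWT bearer');
  }
  // GET /health -> "ok" on its own is too generic to alert on; context only.
  return hits;
}

function hunt({ processes = [], runValues = [], http = [] }) {
  const alerts = [];
  for (const ev of processes) for (const why of checkProcess(ev)) alerts.push({ kind: 'process', why, ref: ev.commandLine });
  for (const rv of runValues) for (const why of checkRunValue(rv)) alerts.push({ kind: 'registry', why, ref: rv.name });
  for (const rq of http) for (const why of checkHttp(rq)) alerts.push({ kind: 'http', why, ref: rq.host + rq.path });
  return alerts;
}

// ---- constructed telemetry (not real victim data) ----
const DENO = 'C:\\Users\\victim\\.deno\\bin\\deno.exe';  // assumed install path
const LAUNCH = 'conhost.exe --headless powershell.exe -WindowStyle Hidden -Command ' +
  DENO + ' -A C:\\Users\\victim\\AppData\\Roaming\\3c736f73.js';
const SAMPLE = {
  processes: [
    { image: 'C:\\Windows\\System32\\conhost.exe', commandLine: LAUNCH },
    { image: DENO, commandLine: DENO + ' -A C:\\Users\\victim\\AppData\\Roaming\\3c736f73.js' },
    { image: 'C:\\Program Files\\deno\\deno.exe', commandLine: 'deno.exe run -A C:\\src\\app\\main.ts' },  // benign dev use
    { image: 'C:\\Windows\\System32\\conhost.exe', commandLine: '\\??\\C:\\Windows\\system32\\conhost.exe 0x4' },  // ordinary console host
  ],
  runValues: [
    { name: '3c736f73', data: LAUNCH },
    { name: 'OneDrive', data: '"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background' },
  ],
  http: [
    { host: 'dakatawebstick.com', path: '/health', headers: {} },
    { host: 'dakatawebstick.com', path: '/session',
      headers: { 'x-module-request': 'main', authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig',
                 'x-huid': 'deadbeef', 'x-username': 'victim', 'x-hostname': 'DESKTOP-TEST' } },
    { host: 'api.example', path: '/session', headers: { authorization: 'Bearer abc' } },  // unrelated app
  ],
};
const ALERTS = hunt(SAMPLE);
```

The deno.exe check keys on the dropped script's location rather than on deno.exe's own path, because the page does not say where the runtime is installed and a developer's Deno in Program Files running a project file must not fire; the two HTTP checks are kept separate so a Suricata port of either can be tuned on its own.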

Short-term (1-2 weeks)

  1. Block the entire 94.26.90.0/24 range if feasible (Dedik Services BPH)
  2. Monitor for new domains on the Cloudflare NS pair ram/tess (a high false-positive pivot; corroborate with registrar, registration date and the certificate pattern)
  3. Submit the sample to MalwareBazaar and the delivery/C2 URLs to URLhaus (PhishTank tracks phishing pages, not malware payload URLs)
  4. Report to Cloudflare abuse (CF proxying the C2)

Medium-term (1-3 months)

  1. Track userId 1943c7b8c0a029e2 and alias "Smokest" across platforms
  2. Monitor Dedik Services (AS207043) route announcements for new prefixes
  3. Develop detection for Deno runtime abuse patterns (novel delivery mechanism)
  4. Research the MaaS platform behind the JWT build system (BatClickFixPS1NewV1)

Abuse Reports

Cloudflare

Domain dakatawebstick[.]com is proxied through Cloudflare and serves as a ClickFix malware C2. The origin IP is 94.26.90[.]100 (Dedik Services AS207043). Request immediate suspension of DNS resolution.

Dedik Services (abuse@dedik.io)

IP 94.26.90[.]100 hosts an active ClickFix malware C2 server. Related infrastructure across the 94.26.90.0/24 subnet includes Windows VPS instances with self-signed certificates on port 1337. Request suspension of 94.26.90[.]100.

CNOBIN Information Technology (registrar)

Domain dakatawebstick[.]com (Registry ID: 3080420187_DOMAIN_COM-VRSN) registered 2026-03-25 is used exclusively for malware distribution. Request domain suspension.

References

  • ThreatFox IOC #1780556: dakatawebstick[.]com (ClickFix, Deno, payload)
  • ThreatFox IOC #1780557: hxxp://dakatawebstick[.]com/3c736f7304ddeadb.js
  • @malwrhunterteam Twitter lead (2026-04-02)
  • HuntYethHounds ThreatFox reporter
  • Dedik Services RIPE: ORG-DSL56-RIPE, AS207043

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."
