ThreatFox IOC Database

You are viewing the ThreatFox database entry for sha256_hash 20977e3f485f2e39b6af9c472903651a09768d869d0f4e6fe068ac0b59c98bde.

Database Entry


IOC ID: 1783922
IOC: 20977e3f485f2e39b6af9c472903651a09768d869d0f4e6fe068ac0b59c98bde
IOC Type: sha256_hash
Threat Type: payload
Malware: IClickFix
Confidence Level: Confidence level is high (100%)
Is compromised?: False
First seen: 2026-04-11 07:06:01 UTC
Last seen: never
UUID: d5e4f131-34fb-11f1-9af6-42010aa4000a
Reporter: Lenny_3BO
Reward: 5 credits from ThreatFox
Tags: CastleLoader ClickFix finger shellcode

Lenny_3BO
CastleLoader PE extracted from ClickFix finger protocol chain. Triple-encrypted: XOR(Python) -> RC4(shellcode, self-keyed) -> XOR(stub). Delivered via finger.linked-people.com:79, stager from dapala.net. YARA: Windows_Trojan_CastleLoader_173548b8.