Sophisticated Cyberattack Abuses Artlist Subdomain to Distribute Remote Access Trojan
In mid-July 2026, cybersecurity researchers at Hudson Rock uncovered a multi-stage threat campaign exploiting the compromised Artlist subdomain new-blog.artlist[.]io to deploy a Remote Access Trojan (RAT) via a deceptive CAPTCHA prompt. The attack leveraged a combination of stolen credentials, blockchain-based infrastructure, and advanced evasion techniques to target visitors of the high-traffic platform, which attracts over 11 million monthly visits.
The initial breach stemmed from an infostealer infection in August 2023, when an Israeli freelance WordPress developer downloaded a pirated version of Adobe Acrobat Pro DC via uTorrent. The malware harvested browser-stored passwords, cookies, and session tokens, including credentials for new-blog.artlist[.]io reportedly belonging to a former Artlist content executive. Despite the password’s strength, the infostealer bypassed security by extracting it directly from the compromised endpoint.
Attackers used the stolen WordPress access to inject malicious JavaScript into the subdomain’s HTML templates. Rather than hosting the payload directly, the code employed EtherHiding, a technique querying a Polygon blockchain smart contract to dynamically retrieve the next-stage server (auth-code-check[.]info). This allowed threat actors to rotate infrastructure without modifying the compromised site repeatedly.
Visitors were presented with a fake reCAPTCHA overlay (ClickFix tactic), tricking them into executing a PowerShell command via a series of keystrokes (Windows + X, I, Ctrl + V, Enter). The command downloaded fdupdate.zip, a password-protected archive containing a legitimate StruSoft FEM-Design binary (fdupdate.exe) abused for DLL side-loading. The malware chain included multiple encrypted payloads, in-memory execution via EnumTimeFormatsEx, and a final Delphi-based RAT (act.exe) extracted from Face.dat.
The RAT, analyzed by researcher Matt Kirkland, employed hybrid RSA/AES encryption for command-and-control (C2) communications and featured Tor fallback capabilities, enabling persistence even if primary C2 servers were disrupted. Its functionalities included credential theft, keylogging, screen streaming, hidden-desktop interaction, and SOCKS proxying, facilitating both data exfiltration and further intrusion.
The incident highlights the long-term risks of infostealer infections, where stolen credentials from third-party devices can resurface years later to compromise corporate systems. Indicators of compromise (IOCs) include the Polygon smart contract address (0xB6bC9e1D0b2fB96Ab7C47E04Cb0BE477410bC1f2) and multiple C2 IP addresses (45.151.74[.]119:443, 109.172.95[.]184:443, among others).
Source: https://gbhackers.com/artlist-clickfix-campaign/
Artlist TPRM report: https://www.rankiteo.com/company/artlist
"id": "art1784096712",
"linkid": "artlist",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Visitors of new-blog.artlist.io '
'(over 11 million monthly '
'visits)',
'industry': 'Digital Media (Stock Music, Video, and '
'Sound Effects)',
'location': 'Israel',
'name': 'Artlist',
'type': 'Company'}],
'attack_vector': 'Compromised subdomain (new-blog.artlist.io), malicious '
'JavaScript injection, fake CAPTCHA overlay, PowerShell '
'execution',
'data_breach': {'data_encryption': 'Hybrid RSA/AES for C2 communications',
'data_exfiltration': 'Yes (via RAT)',
'personally_identifiable_information': 'Potential (via RAT '
'keylogging, screen '
'streaming)',
'sensitivity_of_data': 'High (credentials, session tokens, '
'potential PII)',
'type_of_data_compromised': ['Credentials',
'Session tokens',
'Potentially PII via RAT']},
'date_detected': '2026-07',
'description': 'In mid-July 2026, cybersecurity researchers at Hudson Rock '
'uncovered a multi-stage threat campaign exploiting the '
'compromised Artlist subdomain *new-blog.artlist[.]io* to '
'deploy a Remote Access Trojan (RAT) via a deceptive CAPTCHA '
'prompt. The attack leveraged stolen credentials, '
'blockchain-based infrastructure, and advanced evasion '
'techniques to target visitors of the high-traffic platform, '
'which attracts over 11 million monthly visits.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'malware distribution via trusted '
'subdomain',
'data_compromised': 'Credentials, session tokens, potentially '
'sensitive user data via RAT',
'identity_theft_risk': 'High (credential theft, PII exposure via '
'RAT)',
'operational_impact': 'Compromised subdomain used for malware '
'distribution',
'systems_affected': 'Artlist subdomain (new-blog.artlist.io), '
'visitor endpoints'},
'initial_access_broker': {'backdoors_established': 'Malicious JavaScript '
'injection, RAT deployment',
'entry_point': 'Stolen WordPress credentials from '
'infostealer-infected endpoint',
'high_value_targets': 'Visitors of '
'new-blog.artlist.io (11M+ '
'monthly visits)',
'reconnaissance_period': 'August 2023 (initial '
'infostealer infection) to '
'mid-2026 (attack '
'execution)'},
'investigation_status': 'Ongoing (as of disclosure)',
'lessons_learned': 'Long-term risks of infostealer infections, where stolen '
'credentials from third-party devices can resurface years '
'later to compromise corporate systems. Importance of '
'monitoring for credential leaks and implementing '
'multi-factor authentication (MFA).',
'motivation': 'Data exfiltration, credential theft, potential financial gain, '
'further intrusion',
'post_incident_analysis': {'corrective_actions': ['Rotate all compromised '
'credentials',
'Implement MFA for '
'WordPress and other '
'critical systems',
'Audit and remove '
'unauthorized JavaScript '
'injections',
'Enhance endpoint security '
'for third-party developers',
'Monitor for '
'blockchain-based '
'infrastructure abuse '
'(e.g., EtherHiding)'],
'root_causes': ['Infostealer infection on '
"third-party developer's endpoint "
'(August 2023)',
'Stolen WordPress credentials from '
'compromised endpoint',
'Lack of multi-factor '
'authentication (MFA) for '
'WordPress access',
'Use of pirated software (Adobe '
'Acrobat Pro DC via uTorrent)']},
'recommendations': ['Monitor for stolen credentials from infostealer '
'infections',
'Implement multi-factor authentication (MFA) for all '
'critical systems',
'Enhance endpoint security to prevent infostealer '
'infections',
'Regularly audit and rotate credentials, especially for '
'third-party developers',
'Deploy behavioral WAF and adaptive security measures to '
'detect malicious JavaScript injections',
'Educate employees and contractors on the risks of '
'pirated software and credential hygiene'],
'references': [{'source': 'Hudson Rock'},
{'source': 'Matt Kirkland (malware analysis)'}],
'response': {'third_party_assistance': 'Hudson Rock (cybersecurity '
'researchers), Matt Kirkland (malware '
'analysis)'},
'title': 'Sophisticated Cyberattack Abuses Artlist Subdomain to Distribute '
'Remote Access Trojan',
'type': 'Remote Access Trojan (RAT) Deployment',
'vulnerability_exploited': 'Stolen WordPress credentials, DLL side-loading, '
'infostealer malware'}