📖 Overview
A newly observed domain, p2t.lo9q.online, has been linked to the ClearFake JavaScript-based payload delivery campaign. The page currently returns a 404 response, indicating the malicious file may have been removed or relocated. ClearFake is a browser-based social engineering toolkit that mimics legitimate security update prompts (e.g., Chrome, Edge, Firefox) to trick users into installing malware-laden executables. Confidence is assessed at 100%.
📌 Key Details
| Field | Information | 
|---|---|
| Type | Domain | 
| Indicator | p2t.lo9q[.]online | 
| Threat Type | Payload Delivery | 
| Malware | js.clearfake | 
| Confidence | 100% | 
| Date | 30 Oct 2025 – 18:54:31 UTC | 
| Tags | ClearFake | 
| Reporter | anonymous | 
| Reference | None | 
🔎 URLScan Result
- Verdict Score: 0
- Page Title: Not Found
- Screenshot: View Screenshot
- Result: Full Scan Report
🌐 Domain & Certificate Info
- DNS A Records: 172[.]67[.]181[.]199, 104[.]21[.]35[.]253
- Recent Certificates:
 • C=US, O=Google Trust Services, CN=WE1 (valid: 2025-10-30 → 2026-01-28)
 • C=US, O=Google Trust Services, CN=WR1 (valid: 2025-10-30 → 2026-01-28)
📡 Related Intelligence
- Certificate Transparency: crt.sh Report
- VirusTotal: VT Domain Report
- URLScan Domain Overview: urlscan.io
- DNS Analytics: dnslytics.com
🛡️ Defensive Guidance
- Block all traffic to p2t.lo9q[.]online and associated subdomains at the DNS or proxy layer.
- Deploy browser-based protection to detect and block fake update prompts and injected JavaScript payloads.
- Inspect recent web traffic and endpoint telemetry for execution of downloaded .exe, .msi, or .bat files tied to ClearFake indicators.
- Consider deploying Content Security Policies (CSP) to restrict unauthorized external script execution.
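The two guidance items above (block the domain and its subdomains; sweep traffic for executable downloads tied to the indicator) can be turned into a quick log sweep. The script below is an added example, not part of the original bulletin: it refangs the indicators exactly as listed in the Key Details and Domain Info sections, then scans a few constructed proxy-log lines (timestamp, client, method, URL, status; a format assumed for the example) and reports every hit, marking downloads that end in .exe, .msi, or .bat as the higher-priority findings.

```python
"""Added example (not part of the original bulletin): refang the IOCs listed
above and sweep constructed proxy-log lines for hits on the domain, any
subdomain, or the published A records, flagging executable downloads."""
import re
from urllib.parse import urlparse

# IOCs as published in the bulletin (defanged form).
DEFANGED_DOMAIN = "p2t.lo9q[.]online"
DEFANGED_IPS = ["172[.]67[.]181[.]199", "104[.]21[.]35[.]253"]
EXEC_SUFFIXES = (".exe", ".msi", ".bat")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAIN = refang(DEFANGED_DOMAIN)
IPS = {refang(ip) for ip in DEFANGED_IPS}


def host_matches(host: str) -> bool:
    """True for the domain itself, any subdomain of it, or a listed A record.
    The parent lo9q.online is deliberately NOT matched; the bulletin only
    names p2t.lo9q.online and its subdomains."""
    host = host.lower().rstrip(".")
    return host == DOMAIN or host.endswith("." + DOMAIN) or host in IPS


# Constructed sample proxy log lines (assumed format: ts client method url status).
SAMPLE_LOG = """\
2025-10-30T18:55:01Z 10.0.0.15 GET https://p2t.lo9q.online/update.js 404
2025-10-30T18:55:03Z 10.0.0.15 GET https://cdn.p2t.lo9q.online/ChromeUpdate.exe 200
2025-10-30T18:56:10Z 10.0.0.22 GET https://example.com/index.html 200
2025-10-30T18:57:44Z 10.0.0.31 GET http://172.67.181.199/payload.msi 200
2025-10-30T18:58:00Z 10.0.0.40 GET https://lo9q.online/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan(log_text: str) -> list[dict]:
    """Return one finding per log line whose host hits the IOC set."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not host_matches(host):
            continue
        findings.append({
            "ts": ts,
            "client": client,
            "host": host,
            "status": int(status),
            # An executable fetched from the IOC is the higher-priority finding.
            "exec_download": parsed.path.lower().endswith(EXEC_SUFFIXES),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two points worth keeping in mind when adapting this: a 404 on the first request (matching the bulletin's observation that the page now returns Not Found) is still a contact with the indicator and worth triaging, and the two A records sit in address space that appears to be shared CDN infrastructure serving many unrelated sites, so an IP-only hit is low-confidence and blocking should be done on the hostname, as the guidance above recommends.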
⚠️ This IOC illustrates how ClearFake actors continue to exploit short-lived disposable domains with legitimate SSL certificates to deliver malicious JavaScript payloads that impersonate system updates and compromise end-user devices.