Cutting Through the Noise: A Technique-Based Approach to Hunting Web-Delivered Malware
ID: c65b5f70-b72a-5742-a98d-ee60618c8849
STIX ID: report--c65b5f70-b72a-5742-a98d-ee60618c8849
Feed Name: Censys Blog
This report describes a technique-based Censys HTTP-body hunt that uncovered a ClickFix social-engineering campaign hosted on orcanmedikal.com.tr. The campaign delivered a steganography-backed PhantomVAI .NET loader embedded in a JPEG; the loader reverses and base64-decodes a staged payload, then uses process hollowing to deploy XWorm V5.6. The analysis covers static recovery of the XWorm binary, extraction of its AES-encrypted configuration (C2: 86.106.85.194:9000), file hashes and IOCs, and recommended host- and network-level detection priorities.
