// domain neutralized
This domain was an
active C2 asset host.
gettrumpmemestrendingtokens.com
This domain was identified as infrastructure used in a ClickFix malware campaign
targeting WordPress-based e-commerce sites. It served assets for a fake Cloudflare CAPTCHA widget
designed to trick visitors into self-installing malware via clipboard injection.
It has been registered and sinkholed by SecureLeaf threat operations.
No malicious assets are served here. If you arrived expecting something else — well. Hi.
[ INTERCEPT ] Shadow DOM ClickFix widget detected → neutralized
[ IOC ] asset host: gettrumpmemestrendingtokens.com
[ IOC ] C2 primary: ntdnewtds.shop
[ IOC ] C2 fallback: dnsnewtds.shop
[ STATUS ] all three domains neutralized
[ ADVISORY ] SL-ADV-2026-WP-001 · ClickFix / Shadow DOM · WordPress
[ OPERATOR ] SecureLeaf Threat Intelligence · dispensight.com ▌
Attack vector
ClickFix / Clipboard Inject
Technique
Shadow DOM CAPTCHA spoof
Domain status
sinkholed ✓
SecureLeaf advisory
SL-ADV-2026-WP-001
Interested in the full malware characteristics, IOC table, SHA256 hashes,
and remediation guidance? The complete threat advisory is available below.