
All news with #clickfix tag

69 articles

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

Attackers Bypass Security Tools via Browser and Identity

🔒 Bridewell's Cyber Threat Intelligence Report 2026 warns that attackers are abandoning traditional malware for browser- and identity-focused techniques such as ClickFix, FileFix and ConsentFix that trick users into approving commands or authentication prompts. These tactics bypass endpoint controls and MFA because they operate within trusted workflows and are harder to detect. The firm urges stronger identity protection, user awareness and threat-informed defence.

ClickFix Abuses PySoxy for Dual-Channel Persistence

🛡️ ReliaQuest researchers observed ClickFix intrusions that now leverage the open-source proxy PySoxy to establish a secondary encrypted C2 path alongside an initial PowerShell controller. The April campaign used scheduled tasks for persistence and deployed Python tooling to C:\ProgramData to execute compiled .pyc modules, turning endpoints into proxy relays. This dual-channel design preserves access if the PowerShell channel is disrupted, forcing broader containment and new hunting approaches.

ClickFix and PySoxy Combined to Maintain Persistence

🔐 ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social-engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in-memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing-resistant MFA.

Australia Alerts to ClickFix Campaign Distributing Vidar

⚠️ The Australian Cyber Security Centre (ACSC) warns of an ongoing campaign using the ClickFix social-engineering technique to deliver Vidar Stealer. Attackers compromise WordPress sites and redirect visitors to pages that display fake Cloudflare verification or CAPTCHA prompts instructing users to copy and execute malicious PowerShell commands. Once executed, the payload launches Vidar, which operates from memory and targets browser credentials, cookies, cryptocurrency wallets, autofill data, and system information. ACSC advises restricting PowerShell execution, applying application allow-listing, and keeping WordPress themes and plugins updated or removed when unused.

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply-chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing-resistant authentication.

ClickFix variant uses one-click Script Editor exploit

🛡️ Researchers at Jamf Threat Labs report a ClickFix campaign that opens Script Editor via the applescript:// URL scheme, preloading a malicious script with a single browser click. This bypasses Terminal paste protections introduced in macOS Tahoe 26.4 and removes a major user decision point. The lightweight script decodes a hidden URL, uses curl to retrieve a payload, and launches a new Atomic Stealer variant. Script Editor behavior can vary by macOS version; recent builds may prompt to save before execution.

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password-protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email-hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.

DeepLoad Loader Uses ClickFix Lure and WMI Persistence

🔒 ReliaQuest researchers detail a new malware loader, DeepLoad, distributed via a ClickFix social-engineering lure that tricks users into pasting PowerShell commands into the Windows Run dialog. The chain leverages mshta.exe to execute an obfuscated PowerShell loader that likely uses AI-assisted obfuscation and conceals its payload in a LockAppHost.exe process while disabling PowerShell history to reduce traces. DeepLoad compiles transient C# DLLs in Temp, uses APC injection to run shellcode in suspended trusted processes without writing decoded payloads to disk, steals browser credentials and sessions, drops a persistent malicious browser extension, copies itself to USB devices via deceptive shortcuts, and employs WMI event subscriptions to reinfect cleaned systems.

Apple adds macOS Terminal warning to block ClickFix

⚠️ Apple has introduced a new security measure in macOS Tahoe 26.4 that delays execution when users paste commands into Terminal and displays a warning highlighting potential risks. The mechanism appears aimed at mitigating ClickFix social-engineering attacks that trick users into pasting malicious commands. Users may cancel the paste or choose to proceed if they understand the command, and Apple has not yet published official documentation for the behavior.

DeepLoad Malware Uses ClickFix and AI to Evade Detection

⚠️ DeepLoad is a newly detailed malware campaign combining the ClickFix social-engineering trick with AI-assisted code padding to hide credential-stealing payloads and evade file-based scanners. ReliaQuest, on March 30, warned the campaign targets enterprise accounts, hides inside the Windows lock screen process, and can persist via a WMI-based reactivation three days after removal. Researchers also observed USB propagation and recommend enabling PowerShell Script Block Logging, auditing WMI subscriptions, and changing affected user passwords.

Infinity Stealer targets macOS using ClickFix and Nuitka

⚠️ Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which boots a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.

High-Tech Sector Becomes Top Cyberattack Target in 2025

🔍 Mandiant's M-Trends 2026 report finds the high-tech sector overtook finance as the most targeted industry in 2025, accounting for 17% of incident response investigations. The report also records a global median dwell time increase to 14 days and highlights widespread adoption of the ClickFix social-engineering technique. Analysts observed a surge in vishing and a strategic ransomware shift toward deliberate recovery denial, with attackers specifically targeting backups, identity services and virtualization management planes.

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable, with DLL side-loading, lateral movement via PsExec, S3-backed exfiltration, system fingerprinting (including cmd.exe klist), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on brokers, broadens access vectors, and is being seen across varied threat activity.

LeakNet Uses Deno Runtime and ClickFix for Stealthy Attacks

🔒 LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.