< ciso
brief />
Tag Banner

All news with #clickfix tag

79 articles

ConsentFix and ClickFix: Microsoft 365 hijacks

🔒 Modern phishing variants like ClickFix and the newer ConsentFix convert routine user actions into account takeover opportunities. Attackers trick victims into executing keyboard shortcuts or dragging callback links, which hands over OAuth tokens and session access to Microsoft 365 services without passwords or MFA bypass. The technique relies on familiar workflows and readily available tooling, with public sharing of blueprints lowering the barrier to entry.
read more →

Opera adds Paste Protect to block ClickFix attacks

🛡️ Opera has added Paste Protect, a feature that intercepts and blocks ClickFix-style attacks which trick users into copying and running malicious commands. The mechanism builds on existing Hijack protection and a new Injection protection to detect and prevent harmful content from reaching the browser clipboard across Windows, macOS, and Linux. When suspicious content is blocked, Opera shows a warning, a red indicator in the address bar, and permits viewing the first 120 characters or approving the copy after a 5-second delay. The feature is enabled by default and can be managed via Settings → Privacy & Security → Paste Protect.
read more →

ClickFix Emerges as Dominant Malware Delivery Method

🔒 Analysis by ReliaQuest shows the ClickFix social engineering technique dominated malware delivery from March to May 2026. ClickFix tricks users into pasting attacker-supplied commands into trusted dialogs like Run, Terminal, or Script Editor, allowing payloads such as infostealers to execute while evading many defenses. The method has been used to deliver Windows malware and, notably, to deploy AMOS/Atomic Stealer to macOS via Script Editor. ReliaQuest urges equal monitoring for macOS and recommends user training and administrative restrictions to mitigate ClickFix risks.
read more →

ClickFix: New social engineering that forces execution

🛡️ The ClickFix technique tricks users into executing malicious commands themselves by presenting convincing prompts like fake CAPTCHAs, Cloudflare checks, or “browser update” notices. Attackers rely on clipboard copy and instruct victims to paste commands into the Windows Run dialog, bypassing endpoint defenses that see the activity as legitimate user action. Check Point’s ThreatCloud AI team developed the ClickFix Engine, integrated into Gateways, Email Security, and Browse Security, to detect behavioral signals in page HTML and block such attacks irrespective of domain reputation.
read more →

Mistic backdoor linked to KongTuke access broker

🛡️ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
read more →

Attackers exploit trusted AI platforms and ads

🔐 Threat actors abused trusted services — Google Ads, GitLab Pages, and Claude’s shared-chat feature — to trick developers into executing malicious PowerShell and terminal commands via ClickFix social engineering. Researchers at TrendAI observed a six-wave campaign that funnelled over 2,000 victims from sponsored search results to malicious pages and then to weaponized Claude shared chats. By impersonating popular developer tools and brands, the attackers leveraged reputation stacking to make their lures appear legitimate and evade detection.
read more →

ClickFix campaigns expand modular malware delivery

🛡️ Multiple ClickFix campaigns have been linked to three distinct loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — delivering information stealers, backdoors, RATs, and other payloads against diverse sectors. The attacks rely on social-engineered ClickFix lures that trick victims into running PowerShell or command sequences, then use staged techniques such as hidden PowerShell, DLL side-loading, in-memory shellcode, and external payload storage to evade detection. Researchers from Morphisec, BlueVoyant, and Huntress attribute the campaigns to evolving, modular loader frameworks that separate delivery, storage, execution, and payload deployment for greater stealth.
read more →

SilabRAT malware targets crypto via session hijacks

🛡️ Group-IB reports a new MaaS remote access trojan called SilabRAT, advertised since late 2025 and offered on dark web forums. The malware uses a hidden VNC (HVNC) and browser-profile cloning to hijack logged-in sessions and evade passwords and MFA, while operators spread it via spam and ClickFix lures. Its capabilities include keystroke logging, clipboard clippers, COM elevation to bypass Chrome app-bound encryption, and persistent access aimed at stealing cryptocurrency.
read more →

ThreatsDay bulletin: escalating cyber intrusion trends

🛡️ Cisco patched a high-severity SSRF in Unified Communications Manager, while Russia reported large-scale mobile spyware targeting officials and ongoing investigations. Threat actors continue to distribute VIP Keylogger via layered social engineering and JavaScript loaders, and DriveSurge operates a widespread malware delivery network using ClickFix and FakeUpdates. U.S. sanctions hit major Iranian crypto exchanges; RMM and trusted tools are increasingly abused for persistence and privilege escalation.
read more →

Greyvibe: Russian-linked group using AI in attacks

🛡️ Researchers from WithSecure uncovered a Russian-aligned group dubbed Greyvibe that extensively leverages large language models across its campaigns targeting private, government, and military organizations in Ukraine. The group uses spear phishing, fake websites, malicious archives, and ClickFix-style CAPTCHAs to deliver custom malware such as PhantomRelay, LegionRelay, and Android spyware FallSpy. Observed tooling and infrastructure indicate systematic use of generative AI for lure creation, code development, and backend setup, blurring lines between state-aligned activity and cybercrime ecosystem actors.
read more →

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.
read more →

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.
read more →

Attackers Bypass Security Tools via Browser and Identity

🔒 Bridewell's Cyber Threat Intelligence Report 2026 warns that attackers are abandoning traditional malware for browser- and identity-focused techniques such as ClickFix, FileFix and ConsentFix that trick users into approving commands or authentication prompts. These tactics bypass endpoint controls and MFA because they operate within trusted workflows and are harder to detect. The firm urges stronger identity protection, user awareness and threat-informed defence.
read more →

ClickFix Abuses PySoxy for Dual-Channel Persistence

🛡️ReliaQuest researchers observed ClickFix intrusions that now leverage the open-source proxy PySoxy to establish a secondary encrypted C2 path alongside an initial PowerShell controller. The April campaign used scheduled tasks for persistence and deployed Python tooling to C:\ProgramData to execute compiled .pyc modules, turning endpoints into proxy relays. This dual-channel design preserves access if the PowerShell channel is disrupted, forcing broader containment and new hunting approaches.
read more →

ClickFix and PySoxy Combined to Maintain Persistence

🔐 ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.
read more →

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.
read more →

Australia Alerts to ClickFix Campaign Distributing Vidar

⚠️ The Australian Cyber Security Center (ACSC) warns of an ongoing campaign using the ClickFix social-engineering technique to deliver Vidar Stealer. Attackers compromise WordPress sites and redirect visitors to pages that display fake Cloudflare verification or CAPTCHA prompts instructing users to copy and execute malicious PowerShell commands. Once executed, the payload launches Vidar, which operates from memory and targets browser credentials, cookies, cryptocurrency wallets, autofill data, and system information. ACSC advises restricting PowerShell execution, applying application allow-listing, and keeping WordPress themes and plugins updated or removed when unused.
read more →

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.
read more →

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.
read more →

ClickFix variant uses one-click Script Editor exploit

🛡️ Researchers at Jamf Threat Labs report a ClickFix campaign that opens Script Editor via the applescript:// URL scheme, preloading a malicious script with a single browser click. This bypasses Terminal paste protections introduced in macOS Tahoe 26.4 and removes a major user decision point. The lightweight script decodes a hidden URL, uses curl to retrieve a payload, and launches a new Atomic Stealer variant. Script Editor behavior can vary by macOS version; recent builds may prompt to save before execution.
read more →