Threats Tagged 'powershell'

A sophisticated phishing campaign leverages evolved ClickFix techniques to bypass modern endpoint security through victim-assisted execution. Targets receive emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack uses LNK shortcuts that redirect victims to landing pages, silently injecting PowerShell commands into their clipboard. Through social engineering, victims are tricked into manually executing commands via Win+R, circumventing traditional security filters. The campaign employs DNS TXT records for payload staging, avoiding HTTP detection. The threat infrastructure hosts multiple malicious components including obfuscated scripts, fake MSI installers masquerading as legitimate software like ConnectWise, and ISO images with spyware for persistent access. This represents a shift toward long-game tactics focused on establishing full post-compromise environmental control.

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

MediumMalwareBrazil#banana rat#fake captcha#smartrat

Threat actors are leveraging TikTok and Instagram Reels to distribute the Vidar infostealer through fake software tutorials. Two distinct campaigns use short-form videos disguised as tutorials for unlocking premium software like Spotify. The first campaign uses accounts mimicking official Windows profiles with AI-voiced clips instructing users to run PowerShell commands that download Vidar from lookalike domains. One video achieved over 100,000 views. The second campaign uses ordinary accounts posting music-backed clips that bait users in comments to receive malicious links via direct message. These campaigns exploit platform recommendation algorithms by encouraging saves and shares. Vidar is sold as a service for $300 lifetime license and harvests credentials, financial data and authentication tokens.