ClickFix Attack Exploits AI Summaries to Deliver Ransomware

A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.

A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.

A malware campaign uses SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system. The SVG files are distributed via email and execute a JavaScript payload to inject a phishing page. The campaign has been active since mid-August 2025, with 523 undetected SVG files identified by VirusTotal. The phishing pages simulate a document download process while downloading a ZIP archive in the background. The ZIP file contains a legitimate executable, a malicious DLL, and two encrypted files. The malicious DLL is sideloaded to install further malware on the system. The campaign highlights the evolving tactics of attackers, who use obfuscation and polymorphism to evade detection. The phishing pages target users by impersonating official government portals, increasing the likelihood of successful attacks. The disclosure coincides with reports of macOS systems being targeted by the Atomic macOS Stealer (AMOS), which steals a wide range of sensitive data. Attackers use cracked software and ClickFix-style tactics to infect macOS devices, exposing businesses to credential stuffing and financial theft.

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.

Threat actors are exploiting X's Grok AI assistant to bypass link posting restrictions and spread malicious links. They use Grok to extract and share hidden links within video ads, boosting their reach and credibility. This technique, dubbed 'Grokking,' has been used to amplify malicious ads to millions of impressions, leading users to scams and malware. The actors hide malicious links in the 'From:' metadata field of video ads, which X does not scan. Grok, when queried about the video, extracts and shares the hidden link, promoting the malicious content to a broader audience. The issue was discovered by Guardio Labs researchers Nati Tal and Shaked Chen, who proposed potential solutions to mitigate the abuse. The technique involves using adult content as bait to attract users. Malvertisers tag Grok in replies to display the hidden link, directing users to sketchy ad networks and malicious content. The domains are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors. Hundreds of accounts are engaging in this behavior, posting continuously until suspension. The current AI space is a race to have the best model on release. Our guess is that X probably didn't spend a lot of time fine-tuning the model for security and safety because it requires a lot of time and resources but also damages its performance.