Increased Use of ClickFix Attacks by Threat Actors
Summary
ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser. The attacks exploit user behavior and technical gaps in detection to evade security measures and are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
Timeline
- 15.02.2026 17:17 · 1 article: New ClickFix Variant Targets Cryptocurrency Users
A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser.
Sources:
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- 20.10.2025 14:55 · 2 articles: ClickFix Attacks Linked to Multiple Recent Data Breaches
Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. These attacks exploit user behavior and technical gaps in detection to evade security measures. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
Information Snippets
- ClickFix attacks trick users into running malicious commands by copying code from a webpage.
First reported: 20.10.2025 14:55 · 2 sources, 2 articles. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- The Interlock ransomware group and state-sponsored APTs use ClickFix tactics.
First reported: 20.10.2025 14:55 · 1 source, 1 article. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics.
First reported: 20.10.2025 14:55 · 1 source, 1 article. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- ClickFix attacks are delivered through SEO poisoning, malvertising, and other non-email vectors.
First reported: 20.10.2025 14:55 · 2 sources, 2 articles. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- Detection evasion techniques, such as domain camouflaging and bot protection, are used to prevent security tools from flagging ClickFix pages.
First reported: 20.10.2025 14:55 · 1 source, 1 article. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Browser-based detection and blocking are effective controls against ClickFix-style attacks.
First reported: 20.10.2025 14:55 · 1 source, 1 article. Sources:
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches — thehackernews.com — 20.10.2025 14:55
- Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets.
First reported: 15.02.2026 17:17 · 1 source, 1 article. Sources:
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser.
First reported: 15.02.2026 17:17 · 1 source, 1 article. Sources:
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- This campaign is a ClickFix variant that targets the browser itself: the victim is induced to execute JavaScript directly in the browser while visiting a cryptocurrency exchange service.
First reported: 15.02.2026 17:17 · 1 source, 1 article. Sources:
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
- The malicious script includes embedded Bitcoin addresses, which are randomly selected and injected into the swap process, replacing the legitimate deposit address generated by the exchange.
First reported: 15.02.2026 17:17 · 1 source, 1 article. Sources:
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17
Similar Happenings
ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches
A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.
ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs
The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
Matrix Push C2 Malware Delivery via Browser Push Notifications
Cybercriminals are exploiting browser push notifications to deliver malware through a newly discovered command-and-control (C2) platform called Matrix Push C2. This platform tricks users into allowing notifications, which are then used to redirect them to malicious sites, monitor infected clients in real time, and scan for cryptocurrency wallets. The attack is fileless, operating through the browser's notification system without requiring traditional malware files on the system. The campaign is orchestrated via a web-based dashboard that provides real-time intelligence on victims, including detailed information on each infected client. The platform includes analytics and link management tools to measure campaign effectiveness and adjust tactics. Social engineering templates for brands like MetaMask, Netflix, and PayPal are used to maximize the credibility of fake messages. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, sold under a tiered subscription model with payments accepted in cryptocurrency. The platform was first observed in October 2025 and has been active since then.
MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor.
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
WordPress Sites Exploited for ClickFix Phishing Attacks
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up to date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.