Star Blizzard ClickFix social-engineering campaign against Western targets
Campaign
Summary
The Star Blizzard/ColdRiver operation used ClickFix fake-CAPTCHA lures and evolving delivery chains to push malware against Western-government and other targets of interest, extending activity from May through September 2025. The group rapidly replaced LostKeys with NOROBOT, YESROBOT, and MAYBEROBOT, showing sustained retooling to stay effective. The repeated changes matter because the chain mixed rundll32 execution, persistence, and split-key payload delivery to make analysis and detection harder. Targeting included governments, journalists, think tanks, and NGOs, consistent with an espionage-focused operation.
Related Happenings
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
DarkSword operators phishing and watering-hole campaign
Campaign
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
About this happening:
**DarkSword** operators ran a **cross-border phishing and watering-hole campaign** using an **iPhone exploit chain** against users in **Saudi Arabia** and **Ukraine**, with additi...
Dust Specter Iraq Foreign Affairs AI impersonation campaign
Campaign
First: 03.03.2026 12:30
Last: 03.03.2026 12:30
Sources 1
About this happening:
**Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
KongTuke NexShield CrashFix malvertising campaign
Campaign
First: 20.01.2026 00:49
Last: 20.01.2026 00:49
Sources 1
About this happening:
The **KongTuke** malvertising operation is using **NexShield** to crash **Chrome and Edge**, pushing victims into **ClickFix** activity that can trigger malicious command executio...
SHADOW#REACTOR Remcos RAT delivery campaign
Campaign
First: 13.01.2026 11:08
Last: 13.01.2026 11:08
Sources 1
About this happening:
The **SHADOW#REACTOR** campaign now matters because it uses a **multi-stage Windows attack chain** to deliver **Remcos RAT** and maintain **persistent, covert remote access**. The...
Timeline
- 21.10.2025 18:13 · 3 articles · 7mo ago
  Star Blizzard ClickFix social-engineering campaign against Western targets
  Initial Disclosure: In **May 2025**, the group pivoted from **LostKeys** to **NOROBOT** and began seeding infections with **ClickFix** fake-CAPTCHA prompts. Early chains relied on a command run through **rundll32** to start the malware.
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03