
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
Happening score (H score): 74
1 unique source, 1 article

Summary


Analysis of ClickFix payload delivery shows operators moving to API-driven servers and a Downloads-folder orchestrator, increasing stealth across live campaigns. The backend returns a fresh disguise for each visitor, while the payload itself is unpacked from a downloaded file instead of being pasted directly. That design helps the chain slip past AMSI and leaves fewer obvious traces than the older Windows+R flow. The shift makes clipboard-based initial access harder to catch with conventional email and endpoint controls.

Related Happenings

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score 34 · First: 30.06.2026 15:00 · Last: 30.06.2026 15:00 · Sources: 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score 22 · First: 30.06.2026 13:30 · Last: 30.06.2026 13:30 · Sources: 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score 24 · First: 26.06.2026 12:27 · Last: 26.06.2026 12:27 · Sources: 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity
H score 29 · First: 18.06.2026 17:30 · Last: 18.06.2026 17:30 · Sources: 1

About this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score 33 · First: 04.06.2026 00:45 · Last: 04.06.2026 00:45 · Sources: 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

Timeline

  1. 30.06.2026 03:00 · 2 articles

    ClickFix payload servers generate per-visitor disguises and a Downloads-folder orchestrator

    Technical Analysis Update

    Security researcher Bert-Jan Pals published findings on June 30 after analyzing roughly 3,000 live ClickFix payloads. They show API-driven servers that return a freshly disguised command for each visitor, and a Downloads-folder delivery method in which the victim pastes only a short orchestrator line; the hidden script is then unpacked from the downloaded file rather than passing through the clipboard in full, which helps the chain evade AMSI.
