CyberSecurity news
FlagThis
@The DefendOps Diaries
//
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.
ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.
While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.
ImgSrc: thedefendopsdia
References :
ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.
While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.
ImgSrc: thedefendopsdia
Share:
References :
- securityonline.info: Interlock Ransomware Uses Evolving Tactics to Evade Detection
- The DefendOps Diaries: The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang
- BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks
- www.scworld.com: ClickFix increasingly utilized in state-backed malware attacks
- cyberpress.org: Interlock Ransomware Delivers Malicious Browser Updates via Multi-Stage Attack on Legitimate Websites
- gbhackers.com: Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates
- Cyber Security News: Reports show the latest ClickFix attack.
- www.scworld.com: Interlock ransomware evolves tactics with ClickFix, infostealers
- Talkback Resources: Interlock Ransomware Uses Evolving Tactics to Evade Detection
- securityonline.info: Security Online discusses interlock ransomware using Evolving Tactics to Evade Detection.
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- The Hacker News: State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
- bsky.app: Interlock ransomware gang pushes fake IT tools in ClickFix attacks ift.tt/TqmAQIF
- securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
- hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
- BleepingComputer: Interlock ransomware claims DaVita attack, leaks stolen data
Classification:
- HashTags: #Ransomware #ClickFix #Interlock
- Company: Sekoia Threat Detection
- Target: Corporate Networks
- Attacker: Interlock
- Product: Interlock
- Feature: ClickFix
- Malware: Interlock
- Type: Ransomware
- Severity: High