CyberSecurity news

FlagThis - #clickfix

Lawrence Abrams@BleepingComputer //

Compromised iClicker Site Used to Deliver Lumma Stealer - The iClicker website was compromised in a ClickFix attack using a fake CAPTCHA prompt, tricking users into installing Lumma Stealer malware.
iClicker, a widely-used student engagement platform, fell victim to a sophisticated ClickFix attack that compromised its website. The attack utilized a fake CAPTCHA prompt to deceive both students and instructors into unknowingly installing malware on their devices. This incident highlights the growing trend of cybercriminals exploiting user trust through social engineering tactics. iClicker, a subsidiary of Macmillan, serves approximately 5,000 instructors and 7 million students across numerous universities in the United States, making it a prime target for such malicious activities. The company has acknowledged the hijacking and issued a security bulletin advising affected users to take immediate action.

The ClickFix attack hinges on exploiting the familiarity users have with CAPTCHA verification processes. Instead of presenting a typical challenge to distinguish between humans and bots, the fake CAPTCHA prompts users to execute malicious scripts. This involves instructing users to open the Windows Run dialog, paste a provided script, and press Enter. Unbeknownst to the user, this action initiates a PowerShell script that retrieves and installs malware, granting attackers unauthorized access to their computer. The University of Michigan’s IT security team issued an early warning to students after discovering the malicious CAPTCHA.

Sophos X-Ops revealed that the malware being installed through this method is the notorious Lumma Stealer. Lumma Stealer is a Malware-as-a-Service (MaaS) offering typically sold via Telegram channels, allowing cybercriminals to steal sensitive data, including browser passwords, cookies, cryptocurrency wallets, and session tokens. iClicker advised users who interacted with the false CAPTCHA between April 12-16 to run antivirus software and change their passwords immediately. The attack demonstrates the need for heightened cybersecurity awareness and vigilance when interacting with online prompts, even on trusted websites.

Recommended read:
References :
Bill Toulas@BleepingComputer //

ClickFix Attacks Targeting Linux Systems - The new cyber espionage campaign 'ClickFix' is targeting Linux systems by exploiting vulnerabilities, marking a shift in focus by APT36, involving precision attacks and stealth.
A new cyber espionage campaign dubbed "ClickFix" is actively targeting Linux systems, marking a concerning shift in focus for threat actors. This campaign, characterized by its precision and stealth, is not a generic, scattershot attack, but rather a calculated effort by groups like APT36, known for their cyberespionage capabilities. Attackers are exploiting vulnerabilities within Linux environments, highlighting the increasing sophistication and reliance on Linux by critical infrastructure and enterprises worldwide. The rise of ClickFix attacks serves as a wake-up call, demonstrating that attackers are now willing to go deeper and target smarter, making it harder for administrators who may have previously felt secure with standard hardening measures.

The core technique of ClickFix attacks involves social engineering to deceive users into executing malicious commands. Attackers have utilized websites that mimic legitimate entities, such as India’s Ministry of Defence, to lure victims. When users visit these sites, they are profiled based on their operating system and redirected to a tailored attack flow. On Linux, this often involves presenting a CAPTCHA page that, when interacted with, copies a shell command to the user’s clipboard. The user is then instructed to execute this command, which can lead to the installation of malware. The command used in these attacks drops a payload on the target system, which, in its current form, fetches a JPEG image from the attacker’s server.

APT36 is reportedly linked to Pakistan and has been known to use sophisticated social engineering tactics to target Indian entities. Historically, APT36 primarily targeted Windows-based environments, but the ClickFix campaign signals a significant evolution in their strategy. This group focuses heavily on espionage, collecting information from government agencies, academic institutions, and defense sectors. What distinguishes APT36 from other advanced persistent threats is its knack for exploiting tools and techniques that leave systems vulnerable without raising immediate alarms. The cross-platform nature of ClickFix attacks, which now include Linux, highlights their versatility and the need for robust defensive measures.

Recommended read:
References :
  • linuxsecurity.com: A new campaign, slyly dubbed ''ClickFix,'' is burrowing into Linux environments. It's not some generic, scattershot attack; this is precise, calculated work by APT36, a group making waves with its knack for cyberespionage.
  • The DefendOps Diaries: The Rising Threat of ClickFix Attacks on Linux Systems
  • BleepingComputer: Hackers now testing ClickFix attacks against Linux targets
  • www.scworld.com: New ClickFix attacks seek to compromise Windows, Linux systems
@techradar.com //

State Actors Employ ClickFix Social Engineering Attacks - State-sponsored hacking groups from North Korea, Iran, and Russia are leveraging ClickFix social engineering tactics to deploy malware, tricking users into executing malicious commands disguised as legitimate solutions.
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. This technique, which tricks users into clicking malicious links or executing malicious commands, has been adopted by advanced persistent threat (APT) groups, demonstrating the evolving nature of cyber threats and the increasing fluidity of tactics in the threat landscape. Researchers have observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.

Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls.

Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors.

Recommended read:
References :
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
  • www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
  • BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • sra.io: Beware of ClickFix: A Growing Social Engineering Threat
  • The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
  • Anonymous ???????? :af:: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
  • Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
  • www.itpro.com: State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique for the first time – and to great success.
  • Proofpoint Threat Insight: Proofpoint researchers discovered state-sponsored actors from North Korea, Iran and Russia experimenting in multiple campaigns with the ClickFix social engineering technique as a stage in their infection chains.
  • www.it-daily.net: ClickFix: From cyber trick to spy weapon
@The DefendOps Diaries //

Interlock Ransomware Gang Uses ClickFix in Attacks - The Interlock ransomware gang uses ClickFix attacks to impersonate IT tools, breach networks, and deploy file-encrypting malware, evading traditional detection.
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.

ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.

While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.

Recommended read:
References :
  • securityonline.info: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • The DefendOps Diaries: The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks
  • www.scworld.com: ClickFix increasingly utilized in state-backed malware attacks
  • cyberpress.org: Interlock Ransomware Delivers Malicious Browser Updates via Multi-Stage Attack on Legitimate Websites
  • gbhackers.com: Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates
  • Cyber Security News: Reports show the latest ClickFix attack.
  • www.scworld.com: Interlock ransomware evolves tactics with ClickFix, infostealers
  • Talkback Resources: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • securityonline.info: Security Online discusses interlock ransomware using Evolving Tactics to Evade Detection.
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
  • bsky.app: Interlock ransomware gang pushes fake IT tools in ClickFix attacks ift.tt/TqmAQIF
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • BleepingComputer: Interlock ransomware claims DaVita attack, leaks stolen data
do son@securityonline.info //

Fake Zoom Installer Leads to BlackSuit Ransomware - The Lazarus Group is targeting the cryptocurrency industry with a ClickFake Interview campaign, deploying the GolangGhost malware via fake job offers.
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.

The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.

Recommended read:
References :
  • bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
  • BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
  • Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For later movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
  • bsky.app: Lazarus adopts ClickFix technique.
  • : New “ClickFake Interview†campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.
Field Effect@Blog //

ClearFake Evolves with ClickFix to Distribute Malware - The ClearFake JavaScript framework uses 'ClickFix' tactics to trick users into executing malicious PowerShell code disguised as fake CAPTCHAs, distributing Lumma Stealer and Vidar Stealer malware.
References: Blog , Malware ? Graham Cluley , ...
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands.

Recommended read:
References :
  • Blog: Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
  • Malware ? Graham Cluley: A security researcher has discovered that the websites of over 100 car dealerships have been compromised in a supply-chain attack that attempted to infect the PCs of internet visitors.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • : Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware
Microsoft Threat@Microsoft Security Blog //

Phishing Campaign Impersonates Booking.com - A phishing campaign impersonating Booking.com targets hospitality employees with credential-stealing malware using ClickFix to conduct financial fraud.
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.

The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.

Recommended read:
References :
  • krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
  • Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
  • The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
  • The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
  • : ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
  • The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
  • bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
  • www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
  • TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
  • bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
  • BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
  • eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
  • Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFixâ€� to Deliver Credential-Stealing Malware
  • Blog: Phishing campaign impersonates Booking.com, plants malware
  • Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
  • www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
  • www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
  • www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
  • thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
  • securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
  • gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
  • Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
  • Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
  • Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign
@cyberalerts.io //

ClickFix Attack Deploys Havoc C2 via SharePoint - A ClickFix phishing campaign tricks victims into deploying the Havok framework, using SharePoint and the Microsoft Graph API to hide malicious communications within trusted Microsoft services.
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havok post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers cleverly conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.

The attack starts with a phishing email that has a HTML attachment, when opened, displays an error message, which uses the ClickFix technique to trick users into copying and executing a malicious PowerShell command into their terminal or PowerShell, thereby triggering the next-stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.

Recommended read:
References :
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
  • BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
  • Anonymous ???????? :af:: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
  • Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.

Posts

Blogs

Research Tools