CyberSecurity news

FlagThis - #powershell

Puja Srivastava@Sucuri Blog //
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.

The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views.

Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run program via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey. Additionally, users should exercise caution when encountering unsolicited technical instructions, verify the legitimacy of video sources, and avoid running PowerShell commands from untrusted sources. Monitoring for keywords like "not a robot," "captcha," "secure code," and "human" in process creation events can also help identify potential attacks. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns.

Recommended read:
References :
  • Sucuri Blog: Fake Google Meet Page Tricks Users into Running PowerShell Malware
  • securityonline.info: Fake Google Meet Page Tricks Users into Running Malware
  • gbhackers.com: How Google Meet Pages Are Exploited to Deliver PowerShell Malware
  • securityaffairs.com: Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.
  • securityonline.info: Threat actors have ramped up a new social engineering campaign, dubbed “ClickFix,†where fake CAPTCHA prompts embedded in
  • Know Your Adversary: I think you at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is - adversaries use fake CAPTCHA pages to trick users into executing malicious commands in Windows.

@blog.qualys.com //
A new fileless malware campaign is deploying the Remcos RAT (Remote Access Trojan) using a PowerShell-based shellcode loader, highlighting the evolving tactics of cybercriminals. The attack begins with malicious LNK files embedded within ZIP archives, often disguised as legitimate Office documents to entice users into opening them. Upon execution, the attack chain leverages mshta.exe, a legitimate Microsoft tool, for proxy execution, allowing it to bypass traditional antivirus and endpoint defenses by running HTML Applications (HTA).

The mshta.exe then executes an obfuscated HTA file hosted on a remote server, which contains Visual Basic Script code designed to download a PowerShell script, a decoy PDF file, and another HTA file. Critically, the HTA file also configures Windows Registry modifications to ensure that the downloaded HTA file is automatically launched upon system startup, guaranteeing persistence. Once the PowerShell script is executed, it reconstructs a shellcode loader that ultimately launches the Remcos RAT payload entirely in memory.

This fileless technique, where malicious code operates directly in the computer's memory, allows the malware to evade many traditional security solutions that rely on disk-based detection. Remcos RAT grants attackers full control over compromised systems, allowing for cyber espionage and data theft through features like keylogging, screenshot capture, and clipboard monitoring. The RAT establishes a TLS connection to a command-and-control server for persistent communication, enabling data exfiltration and remote control.

Recommended read:
References :
  • Anonymous ???????? :af:: Experts reveal a fileless malware attack using PowerShell to execute Remcos RAT, employing LNK files and mshta.exe to evade detection, raising alarms about advanced evasion techniques in cybercriminal activities.
  • securityonline.info: Stealthy Remcos RAT Campaign Uses PowerShell to Evade Antivirus Detection
  • The Hacker News: Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

@www.recordedfuture.com //
A new malware loader called MintsLoader is being used to distribute a remote access trojan (RAT) known as GhostWeaver. According to a report by Recorded Future's Insikt Group, MintsLoader employs a multi-stage infection chain that involves obfuscated JavaScript and PowerShell scripts. This loader is designed to evade sandbox environments and virtual machines, making it more difficult to detect and analyze. It also utilizes a domain generation algorithm (DGA) to create daily-changing command-and-control (C2) domains, adding another layer of complexity to the attack.

MintsLoader has been observed in phishing and drive-by download campaigns since early 2023. It is known to deliver various follow-on payloads, including StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client. Threat actors are using MintsLoader in e-crime services like SocGholish and LandUpdate808, targeting the industrial, legal, and energy sectors through phishing emails and fake browser update prompts. Recent attacks have also incorporated the ClickFix social engineering tactic to trick users into executing malicious code.

GhostWeaver, the RAT distributed by MintsLoader, is designed to maintain persistent communication with its C2 server, which is secured through TLS encryption using an obfuscated, self-signed X.509 certificate. GhostWeaver can also deploy MintsLoader as an additional payload. The loader's primary strengths lie in its evasion techniques and DGA implementation, which allow it to bypass security measures and complicate detection efforts.

Recommended read:
References :
  • The Hacker News: MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks
  • www.recordedfuture.com: MintsLoader Malware Leverages DGA and Anti-Analysis Techniques to Deploy GhostWeaver RAT and Other Payloads

@securityonline.info //
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.

Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.

Detection strategies focus on monitoring process creations and command-line activities associated with known file extensions used by the group. The group leverages legitimate system tools and features, such as syssetup.dll, to install rootkits, making detection more challenging. While there are overlaps with other APT groups like ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to their targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
  • securityonline.info: SecurityOnline: Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
  • The Hacker News: TheHackNews: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
  • Know Your Adversary: Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
  • www.trendmicro.com: Trend Micro: Earth Kurma APT Campaign
  • Industrial Cyber: Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns.
  • industrialcyber.co: Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
  • www.scworld.com: Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
  • Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
  • securityonline.info: In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
  • sra.io: APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents.
  • Virus Bulletin: Trend Micro's Nick Dai & Sunny Lu look into the Earth Kurma APT campaign targeting government and telecommunications sectors in Southeast Asia. The campaign used advanced malware, rootkits, and trusted cloud services to conduct cyberespionage.

@techradar.com //
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. This technique, which tricks users into clicking malicious links or executing malicious commands, has been adopted by advanced persistent threat (APT) groups, demonstrating the evolving nature of cyber threats and the increasing fluidity of tactics in the threat landscape. Researchers have observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.

Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls.

Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors.

Recommended read:
References :
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
  • www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
  • BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • sra.io: Beware of ClickFix: A Growing Social Engineering Threat
  • The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
  • Anonymous ???????? :af:: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
  • Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
  • www.itpro.com: State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique for the first time – and to great success.
  • Proofpoint Threat Insight: Proofpoint researchers discovered state-sponsored actors from North Korea, Iran and Russia experimenting in multiple campaigns with the ClickFix social engineering technique as a stage in their infection chains.
  • www.it-daily.net: ClickFix: From cyber trick to spy weapon

Pierluigi Paganini@Security Affairs //
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.

The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.

GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.

Recommended read:
References :
  • bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
  • cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
  • The Hacker News: Shuckworm targets Western military mission
  • Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
  • gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
  • securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
  • BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
  • securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
  • Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
  • www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
  • www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
  • securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
  • The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
  • www.scworld.com: Infected removable drives were used to spread the malware.
  • Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
  • ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
  • Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
  • Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
  • Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.