@gbhackers.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia are now widely employing the ClickFix social engineering tactic in their espionage campaigns. This technique, previously associated with cybercriminals, involves tricking users into copying, pasting, and running malicious commands, often through fake error messages and instructions. Proofpoint researchers first documented this shift over a three-month period from late 2024 to early 2025, noting that ClickFix has become an effective means of bypassing traditional security measures. This tactic replaces installation and execution stages in existing infection chains.
The adoption of ClickFix has been observed in various campaigns, each tailored to the specific objectives and targets of the respective state-sponsored actors. For instance, the North Korean actor TA427, also known as Kimsuky, utilized ClickFix in phishing campaigns targeting think tanks involved in North Korean affairs. By impersonating diplomatic personnel and leveraging spoofed document sharing platforms, TA427 successfully deployed the Quasar RAT, a remote access trojan. Meanwhile, Iranian group TA450 (MuddyWater) targeted organizations in the Middle East by masquerading as Microsoft security updates, deploying remote management tools for espionage and data exfiltration. Russian-linked groups, including UNK_RemoteRogue and TA422 (APT28), have also experimented with ClickFix, indicating its growing appeal across different nation-state actors. The simplicity and effectiveness of ClickFix, which relies on user interaction rather than sophisticated technical exploits, makes it a valuable tool for these groups. While not all groups have persistently used ClickFix after initial tests, its adoption by multiple state-sponsored actors underscores the evolving threat landscape and the need for heightened vigilance against social engineering tactics. This trend suggests that ClickFix, and similar user-interactive attack methods, will continue to pose a significant threat in the future. Recommended read:
References :
Aman Mishra@gbhackers.com
//
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.
The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload. After the fake conversion process and CAPTCHA interaction, users are prompted to execute a PowerShell command. This command initiates a sophisticated redirection chain to obscure the malware delivery, ultimately leading to the distribution of the ArechClient2 infostealer. The malware is known for its ability to steal sensitive data, including browser credentials and cryptocurrency wallet information. Cybersecurity experts advise users to rely on verified tools from official websites, keep anti-malware software updated, and implement endpoint detection and response solutions to defend against these advanced threats. Recommended read:
References :
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications. GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team. Recommended read:
References :
@Talkback Resources
//
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.
Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone. Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace. Recommended read:
References :
do son@securityonline.info
//
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.
The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks. Recommended read:
References :
Aman Mishra@gbhackers.com
//
References:
gbhackers.com
, www.bleepingcomputer.com
,
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.
Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures. Recommended read:
References :
@cyberalerts.io
//
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havok post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers cleverly conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.
The attack starts with a phishing email that has a HTML attachment, when opened, displays an error message, which uses the ClickFix technique to trick users into copying and executing a malicious PowerShell command into their terminal or PowerShell, thereby triggering the next-stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host. Recommended read:
References :
@techcrunch.com
//
New York-based venture capital and private equity firm Insight Partners has disclosed a security breach of its systems. The firm, which manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups globally over the past 30 years, revealed that the incident occurred in January. The breach involved unauthorized access to its information systems following what they are calling "a sophisticated social engineering attack."
Insight Partners confirmed that the attack took place on January 16, 2025. The company has taken steps to address the situation, notifying law enforcement in relevant jurisdictions and engaging third-party cybersecurity experts to investigate the full scope and impact of the breach. The investigation is ongoing to determine the extent of data exposure and to implement measures to prevent future incidents. Recommended read:
References :
@gbhackers.com
//
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft. Recommended read:
References :
|