CyberSecurity news

FlagThis - #supplychain

Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.

Recommended read:
References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

@cyble.com //
New research has exposed a significant security vulnerability stemming from the increasing use of AI in code generation. The issue, termed "slopsquatting," arises when AI models, such as ChatGPT and CodeLlama, generate code snippets that include references to non-existent software libraries. Security experts warn that this tendency of AIs to "hallucinate" packages opens the door for malicious actors to create and distribute malware under these fictional package names. This new type of supply chain attack could potentially lead developers to unknowingly install harmful code into their software.

A recent study analyzed over half a million Python and JavaScript code snippets generated by 16 different AI models. The findings revealed that approximately 20% of these snippets contained references to packages that do not actually exist. While established tools like ChatGPT-4 hallucinate packages about 5% of the time, other open-source models demonstrated significantly higher rates. Researchers have found that these hallucinated package names are often plausible, making it difficult for developers to distinguish them from legitimate libraries. Attackers can then register these fabricated names on popular repositories and populate them with malicious code.

This "slopsquatting" threat is further exacerbated by the fact that AI models often repeat the same hallucinated package names across different queries. The research demonstrated that 58% of hallucinated package names appeared multiple times, making them predictable and attractive targets for attackers. Experts warn that developers who rely on AI-generated code may inadvertently introduce these vulnerabilities into their projects, leading to widespread security breaches. The rise of AI in software development necessitates careful evaluation and implementation of security measures to mitigate these emerging risks.

Recommended read:
References :
  • the-decoder.com: Slopsquatting: One in five AI code snippets contains fake libraries
  • Help Net Security: LLMs’ tendency to “hallucinate†code packages that don’t exist could become the basis for a new type of supply chain attack dubbed “slopsquatting†(courtesy of Seth Larson, Security Developer-in-Residence at the Python Software Foundation).
  • The DefendOps Diaries: AI-Hallucinated Code Dependencies: A New Frontier in Software Supply Chain Security
  • The Register - Software: AI can't stop making up software dependencies and sabotaging everything
  • www.techradar.com: "Slopsquatting" attacks are using AI-hallucinated names resembling popular libraries to spread malware
  • hackread.com: New “Slopsquatting†Threat Emerges from AI-Generated Code Hallucinations
  • thecyberexpress.com: LLMs Create a New Supply Chain Threat: Code Package Hallucinations

Mandvi@Cyber Security News //
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.

The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker.

Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.
  • www.bleepingcomputer.com: A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
  • gbhackers.com: In a recent development, the ReversingLabs research team has uncovered a sophisticated software supply chain attack targeting developers of cryptocurrency applications.
  • www.scworld.com: Threat actors have sought to compromise credit card information and other sensitive data through three malicious Python Package Index packages, which have been downloaded almost 40,000 times before being removed from the PyPI repository, reports The Hacker News.
  • Cyber Security News: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
  • www.bleepingcomputer.com: A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
  • cyberpress.org: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
  • www.techradar.com: Malicious Python packages are stealing vital data, and have been downloaded thousands of times already

Ddos@Daily CyberSecurity //
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.

The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.

Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.

Recommended read:
References :
  • Security Risk Advisors: Socket Research Team's report
  • The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
  • ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
  • Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
  • Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
  • cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
  • Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.

Bill Toulas@BleepingComputer //
A malicious Python package, "disgrasya," has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to e-commerce platforms. The package, which translates to "disaster" in Filipino slang, contains a fully automated carding script specifically designed to target WooCommerce stores that utilize the CyberSource payment gateway. This malicious tool allows attackers to test stolen credit card information against live e-commerce payment systems, streamlining the process of identifying valid cards for fraudulent activities. Unlike typical supply chain attacks, "disgrasya" made no attempt to conceal its malicious intent, openly serving as a distribution mechanism for fraudsters.

The "disgrasya" package automates the entire carding workflow, mimicking legitimate customer behavior to bypass fraud detection systems. The script starts by identifying a product on the targeted WooCommerce store and simulates adding items to the cart. It then gathers security tokens and proceeds to tokenize stolen credit card data using CyberSource's mechanisms, submitting it through WooCommerce's checkout endpoints. If the card is valid, the attacker receives confirmation without triggering typical fraud prevention measures like CAPTCHAs. Alarmingly, the script also exfiltrates stolen card data, including numbers, expiration dates, CVVs, and tokenized representations, to an external server controlled by the attacker.

Before its discovery and removal from PyPI, "disgrasya" was downloaded over 37,217 times, highlighting the scale of the potential threat. This widespread distribution suggests that the tool may already be in active use across numerous fraud campaigns, posing a growing financial risk to businesses. The carding attack facilitated by "disgrasya" contributes to the rising costs of online payment fraud, which is estimated to cost merchants over $362 billion globally between 2023 and 2028. Security measures such as monitoring traffic patterns, implementing CAPTCHAs, and rate limiting on checkout and payment endpoints can help mitigate the threat posed by "disgrasya" and similar malicious packages.

Recommended read:
References :

info@thehackernews.com (The@The Hacker News //
The PoisonSeed phishing campaign represents a new and evolving cyber threat, targeting individuals with access to critical systems like Customer Relationship Management (CRM) platforms and bulk email services. This large-scale operation compromises corporate email marketing accounts to distribute emails containing crypto seed phrases, ultimately used to drain cryptocurrency wallets. Attackers focus on high-value targets, employing detailed reconnaissance to ensure their phishing emails reach the most impactful individuals. By mimicking legitimate services through carefully crafted emails and fake login pages, PoisonSeed exemplifies the evolving nature of phishing threats, deceiving victims into believing they are from legitimate sources.

PoisonSeed's attack methodology is distinguished by its sophisticated approach, targeting individuals with access to CRM systems and bulk email platforms. The first stage involves meticulous target identification, focusing on those with access to CRM systems and bulk email platforms, as these targets provide significant leverage for further attacks. The reconnaissance process includes analyzing the email services used by companies and identifying employees in relevant positions. Once targets are identified, the attackers craft professional phishing emails designed to deceive recipients, sending them from spoofed addresses to enhance their authenticity, often containing links to fake login pages hosted on carefully named domains.

The phishing pages deployed by PoisonSeed are designed to capture sensitive information, particularly cryptocurrency wallet seed phrases. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. Compromised accounts are then used to send bulk phishing emails, employing urgent lures, such as notifications about "restricted sending privileges" or fake wallet migration notices. Domains such as mail-chimpservices[.]com have been used to deceive MailChimp users, showcasing the campaign's attention to detail.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • www.bleepingcomputer.com: PoisonSeed phishing campaign distributing emails with wallet seed phrases.
  • bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
  • Cyber Security News: PoisonSeed Launches Supply Chain Phishing Attacks on CRM and Bulk Email Services
  • gbhackers.com: PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack
  • securityonline.info: PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • securityonline.info: Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed “PoisonSeed.â€
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • www.silentpush.com: Silent Push blog about PoisonSeed campaign.
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • Security Risk Advisors: #PoisonSeed campaign compromises email providers to launch crypto seed phrase poisoning attacks. Targets include #Mailchimp #SendGrid and #Coinbase users.

Waqas@hackread.com //
References: CyberInsider , hackread.com , bsky.app ...
Royal Mail is currently investigating a data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The breach is believed to have originated from a compromise at Spectos GmbH, a third-party data collection and analytics service provider for Royal Mail. The leaked data includes sensitive information such as customer personally identifiable information (PII), internal communications including Zoom meeting recordings, operational data like delivery routes, and marketing infrastructure data including Mailchimp mailing lists.

The investigation is ongoing to determine the full extent of the breach and its potential impact. Royal Mail has stated that there is currently no impact on operations. The incident serves as a stark reminder of the vulnerabilities inherent in modern supply chains and the critical need for robust vendor management and security protocols. The breach highlights the potential for identity theft, phishing attacks, and reputational damage arising from compromised vendor access.

Recommended read:
References :
  • CyberInsider: Royal Mail Group Breach Exposes 144GB of Sensitive Customer Data
  • hackread.com: Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!
  • The DefendOps Diaries: Explore the Royal Mail data breach and learn vital lessons in supply chain security and vendor management.
  • bsky.app: Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems.
  • BleepingComputer: Royal Mail investigates data leak claims, no impact on operations
  • www.scworld.com: Massive Royal Mail breach alleged by threat actors
  • The Register - Security: Hacker leaks 144GB of sensitive Royal Mail Group data.
  • www.cysecurity.news: Royal Mail experienced a major security breach in which 144GB of sensitive data was leaked to the public.
  • : Royal Mail Investigates Data Breach Affecting Supplier
  • The Register - Security: Customer info allegedly stolen from Royal Mail, Samsung via compromised supplier
  • www.csoonline.com: Royal Mail Investigates Data Leak

lucija.valentic@reversinglabs.com (Lucija@Blog (Main) //
References: , Blog (Main) , hackread.com ...
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.

This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using their Spectra platform and have developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future.

Recommended read:
References :
  • : Malicious npm Packages Deliver Sophisticated Reverse Shells
  • Blog (Main): Malware found on npm infecting local package with reverse shell
  • thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
  • hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
  • www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
  • The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
  • Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
  • www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
  • BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs
  • www.scworld.com: reports on NPM related infostealer campaigns
  • securityonline.info: A recent report by ReversingLabs (RL) has uncovered malicious packages on the npm repository that employ sophisticated techniques
  • www.techradar.com: Malicious npm packages use devious backdoors to target users

ross.kelly@futurenet.com (Ross@itpro.com //
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.

Oracle has denied any breach of its cloud infrastructure. According to Oracle a spokesperson stated, "There has been no breach of Oracle Cloud...The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, creating a text file captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.

Recommended read:
References :
  • hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
  • BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
  • www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
  • research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
  • The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
  • BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
  • www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
  • Patrick C Miller :donor:: Oracle denies breach after hacker claims theft of 6 million data records
  • www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
  • www.it-daily.net: 6 million data records: Oracle was allegedly hacked
  • eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data. The post appeared first on
  • www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
  • securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
  • Arctic Wolf: On March 20, 2025, a Breach Forums user, “rose87168,†claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
  • Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
  • www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
  • www.scworld.com: Details of the alleged Oracle Cloud breach.
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
  • www.itpro.com: Oracle breach claims spark war of words with security researchers
  • SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
  • The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
  • Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • : A threat actor, known as “rose87168,â€� claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
  • DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
  • SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to   , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
  • GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
  • SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.
  • Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...

Field Effect@Blog //
References: Blog , Malware ? Graham Cluley , ...
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands.

Recommended read:
References :
  • Blog: Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
  • Malware ? Graham Cluley: A security researcher has discovered that the websites of over 100 car dealerships have been compromised in a supply-chain attack that attempted to infect the PCs of internet visitors.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • : Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware