Recent searches

No recent searches

Search options

Only available when logged in.
techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome

Administered by:

Server stats:

4.6K
active users

techhub.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.1

#clickfix

4 posts3 participants0 posts today
Pyrzout :vm:<p>Microsoft Most Phished Brand in Q2 2025, Check Point Research – Source:hackread.com <a href="https://ciso2ciso.com/microsoft-most-phished-brand-in-q2-2025-check-point-research-sourcehackread-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/microsoft-most-p</span><span class="invisible">hished-brand-in-q2-2025-check-point-research-sourcehackread-com/</span></a> <a href="https://social.skynetcloud.site/tags/1CyberSecurityNewsPost" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>1CyberSecurityNewsPost</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://social.skynetcloud.site/tags/PhishingScam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhishingScam</span></a> <a href="https://social.skynetcloud.site/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberAttack</span></a> <a href="https://social.skynetcloud.site/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://social.skynetcloud.site/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> <a href="https://social.skynetcloud.site/tags/Hackread" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackread</span></a> <a href="https://social.skynetcloud.site/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://social.skynetcloud.site/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://social.skynetcloud.site/tags/Spotify" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spotify</span></a> <a href="https://social.skynetcloud.site/tags/Fraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fraud</span></a> <a href="https://social.skynetcloud.site/tags/Scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Scam</span></a></p>
Pyrzout :vm:<p>Microsoft Most Phished Brand in Q2 2025, Check Point Research <a href="https://hackread.com/microsoft-most-phished-brand-q2-2025-check-point/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackread.com/microsoft-most-ph</span><span class="invisible">ished-brand-q2-2025-check-point/</span></a> <a href="https://social.skynetcloud.site/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://social.skynetcloud.site/tags/PhishingScam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhishingScam</span></a> <a href="https://social.skynetcloud.site/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberAttack</span></a> <a href="https://social.skynetcloud.site/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://social.skynetcloud.site/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://social.skynetcloud.site/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> <a href="https://social.skynetcloud.site/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://social.skynetcloud.site/tags/Spotify" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spotify</span></a> <a href="https://social.skynetcloud.site/tags/Fraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fraud</span></a> <a href="https://social.skynetcloud.site/tags/Scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Scam</span></a></p>
lazarusholic<p>"Lazarus’ latest tactics: Deceptive development and ClickFix" published by GenDigital. <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a>, <a href="https://infosec.exchange/tags/Lazarus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lazarus</span></a>, <a href="https://infosec.exchange/tags/DPRK" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DPRK</span></a>, <a href="https://infosec.exchange/tags/CTI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CTI</span></a> <a href="https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">gendigital.com/blog/insights/r</span><span class="invisible">esearch/deceptive-nvidia-attack</span></a></p>
Anna Wasilewska-Śpioch

🇵🇱 Szczegółowa analiza techniczna nowej kampanii ukierunkowanych ataków wykorzystujących metodę #ClickFix w celu dostarczenia złośliwego oprogramowania, przygotowana przez Irka Tarnowskiego, który swego czasu napisał sporo dobrych tekstów do @zaufanatrzeciastrona

🇬🇧 A detailed technical analysis of a new campaign of targeted attacks using the ClickFix method to deliver malware

medium.com/@ireneusz.tarnowski

Medium · Dissecting the ClickFix User-Execution Attack and Its Sophisticated Persistence via ADSBy Ireneusz Tarnowski
ESET Research

#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 welivesecurity.com/en/eset-res

Replied in thread
Randy

@filippo the copy/paste technique is called #ClickFix . the site in the image is infected by TA2726's Keitaro which is well known for sending Windows folks to #SocGholish . what they do with macOS folks has changed over the years. i see they sent you to something that delivered what looks like Poseidon Stealer.

medium.com/@MateoPappa/letsdef

Medium · LetsDefend — Poseidon macOS Stealer (Hard) - 𝐌𝐚𝐭𝐞𝐨 𝐏𝐚𝐩𝐩𝐚 - MediumBy 𝐌𝐚𝐭𝐞𝐨 𝐏𝐚𝐩𝐩𝐚
*
Brad

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

ℒӱḏɩę :blahaj: 💾

I finally stumbled upon a real #ClickFix attack in the wild. My favorite weather page presented the screen as shown. It doesn't take much tech knowledge to know these instructions are pure bullshit.

Now here's what's interesting. I reloaded the page, normal page came up. Cleared the cookies, normal page. Tried a different browser, normal page. So is it random? Should I alert the site owner?

#malware#phishing#infosec
Brad

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

ESET Research

In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot.
As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information.
Danabot was targeted by the #FBI and #DCIS, alongside #OperationEndgame led by #Europol and #Eurojust. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers.
Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.
For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the #ClickFix social engineering attacks that we also cover in this issue of the #ESETThreatReport. In recent months, we have seen Danabot being delivered via ClickFix as well.
For more details on these two operations and on the ClickFix attacks, read the latest #ESETThreatReport: welivesecurity.com/en/eset-res

Brad

#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.

FileFix: A ClickFix page that asks you to past script into a File Manager window.

#RunFix: A ClickFix page that asks you to paste script into a Run window

#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).

We cool with that? Any others types I'm missing?

TrendingLive feeds
About