New malware alert: Mocha Manakin uses #Clickfix (fakeCAPTCHA) to trick users into deploying a custom backdoor called NodeInitRAT. Red Canary warns it could lead to ransomware!
https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack
2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2
A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.
Today's the 12th anniversary of my first blog post on malware-taffic-analysis.net, so I made this post a bit more old school.
Researchers warn of a surge in #ClickFix scams impersonating #Booking.com. Fake CAPTCHAs trick users into running malware like XWorm and DanaBot.
Read: https://hackread.com/clickfix-email-scam-fake-booking-com-emails-malware/
"We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.
Learn more about what you need to know about Interlock in my article on the Tripwire blog.
https://www.tripwire.com/state-of-security/interlock-ransomware-what-you-need-know
TikTok staat bekend als platform voor creatieve content maar wordt nu ook gebruikt als lokaas voor cybercriminelen.
Podcast Youtube: https://youtu.be/cPADO5G5kJ0?si=7n-L01IBSzdX67DL
Podcast Spotify: https://open.spotify.com/episode/2ZcrbUvXIOfBpPuaq7VQt7?si=61ccef7960ac43c7
Artikel Cybercrimeinfo: https://www.ccinfo.nl/menu-onderwijs-ontwikkeling/cybercrime/malware/2527960_hoe-tiktok-verandert-in-een-digitale-valstrik-infostealer-malware-via-virale-video-s
Fake software activation videos on TikTok spread Vidar, StealC – Source: securityaffairs.com https://ciso2ciso.com/fake-software-activation-videos-on-tiktok-spread-vidar-stealc-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #Stealcstealer #BreakingNews #SecurityNews #hackingnews #CyberCrime #Cybercrime #ClickFix #Security #hacking #Malware #TikTok #AI
Infostealery rozprzestrzeniają się przez TikTok i technikę ClickFix – szczegóły techniczne kampanii
W ostatnich tygodniach badacze bezpieczeństwa zaobserwowali nietypową, skuteczną kampanię malware, w której cyberprzestępcy wykorzystują popularność TikToka do dystrybucji złośliwego oprogramowania typu infostealer (m.in. Vidar, StealC, Latrodectus). Atak opiera się na tzw. technice ClickFix, polegającej na nakłanianiu użytkowników do samodzielnego uruchamiania złośliwych poleceń PowerShell. Poniżej przedstawiamy szczegółową analizę tej kampanii oraz...
Ich weiß ja nicht, wo ihr euch so herumtreibt, aber das könnte eventuell wichtig sein.
ClickFix-Malware über TikTok: Infostealer im Influencer-Gewand
#ITSicherheit #Malware #ClickFix #Infostealer #MalwareVerbreitung #RedLineStealer #TikTok #VidarMalware https://sc.tarnkappe.info/4922e5
State-sponsored threat actors often leverage techniques first developed and deployed by cybercriminal actors. One example is #ClickFix, a highly effective technique that involves clever #socialengineering.
Listen as Proofpoint threat research experts Selena Larson, Sarah Sabotka, and Saher Naumaan deep dive into how modern #espionage and #cybercrime are increasingly blurring lines.
Stream DISCARDED now:
Apple Podcasts: https://brnw.ch/21wSNbM
Spotify: https://brnw.ch/21wSNbL
Web player: https://brnw.ch/21wSNbN
I think I have a nice compromise #ClickFix ...fix for those places that just can't live without some Explorer niceties.
There is an alternative to the "Disable Windows shortcuts" GPO, which not only disables Win+ shortcuts, but also things like using UNC paths in the Explorer address bar.
Of course, Geoff Chappell lights the way.
I believe that GPO applies the REST_NORUN reg key and not REST_NOWINKEYS policies—despite the name.
If I apply the REST_NORUN reg setting directly, I get the same behavior as the GPO. The popup pictured here appears.
But if I instead set the REST_NOWINKEYS dialog, the Win+R shortcut is disabled, but other stuff (like UNC paths in explorer) still works! Now, this doesn't remove the Run command from the start menu, but it is at least a safety. Oh and one more thing: because that shortcut is now unregistered, you can register it yourself for something like a lil daemon that pops a message box saying Hey did a website tell you to do this? Don't!
You can try both settings.
REST_NORUN: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
REST_NOWINKEYS: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys
Popular student engagement platform iClicker’s website was hacked with a fake "I'm not a robot" check which is a textbook example of a ClickFix attack.
Read: https://hackread.com/iclicker-website-hacked-fake-captcha-clickfix-attack/
Google scopre LostKeys: malware russo per lo spionaggio
#ClickFix #COLDRIVER #CyberEspionage #Cybercrime #FSB #Geopolitica #Google #LostKeys #Malware #Notizie #Russia #Sicurezza #Spionaggio #StateSponsoredHacking #TechNews #Tecnologia #ThreatIntelligence #VBS
https://www.ceotech.it/google-scopre-lostkeys-malware-russo-per-lo-spionaggio/
iClicker Hack: A Cautionary Tale of ClickFix Malware Targeting Students
In a concerning breach, the iClicker platform was compromised by a ClickFix attack, leading to a sophisticated malware distribution scheme targeting students and educators. This incident highlights th...
https://news.lavx.hu/article/iclicker-hack-a-cautionary-tale-of-clickfix-malware-targeting-students
FWIW, 100% of #ClickFix attacks I've seen have added some kind of inline comment at the end of the command string like I am not a robot to sell the ruse. Definitely worth a threat hunt on command line history.
North Korea, Iran, and Russia-backed hackers are using a social engineering trick called ClickFix to run malicious code on victims’ machines.
Read: https://hackread.com/north-korea-iran-russia-hackers-clickfix-attacks/
