ClickFix
-
Microsoft warns of surge in ACR Stealer attacks on enterprise customers
Microsoft said ACR Stealer attacks rose against enterprise customers between late April and mid-June. The malware used ClickFix, WebDAV, MSHTA and other tools to steal browser data and sensitive files.
-
Mistic backdoor tied to ransomware access broker in attacks on multiple sectors
A new backdoor called Mistic has been used since April in attacks on insurance, education, IT and professional services firms, with researchers linking it to a ransomware access broker that sells network access.
-
Ghost CMS flaw exploited in large-scale ClickFix campaign
A campaign is using a critical Ghost CMS SQL injection flaw to inject malicious JavaScript and drive ClickFix attacks, with researchers saying more than 700 domains were affected.
-
Australia warns of ClickFix attacks spreading Vidar Stealer malware
Australia’s cyber security agency warned of a ClickFix campaign using compromised WordPress sites to push Vidar Stealer. The advisory recommends restricting PowerShell, using allow-listing and updating WordPress plugins and themes.
-
Atomic Stealer campaign abuses macOS Script Editor in ClickFix variation
A new macOS malware campaign is using Script Editor in a ClickFix-style attack to deliver Atomic Stealer, avoiding Terminal prompts and relying on fake Apple-themed pages that push users to run malicious code.
-
DeepLoad malware uses ClickFix lure and WMI to spread and steal credentials
A new DeepLoad malware campaign is using ClickFix lures, Windows tools and WMI to steal credentials, hide activity and reinfect cleaned hosts, according to a technical analysis from ReliaQuest.
-
LeakNet adopts ClickFix via compromised websites and runs Deno in memory
ReliaQuest’s technical report says LeakNet now uses ClickFix fake CAPTCHA pages on compromised sites to trick users and a Deno-based in-memory loader. Post-compromise steps include DLL side-loading, PsExec lateral movement and S3 exfiltration.
-
ClickFix campaign uses compromised sites to deliver new MIMICRAT remote access trojan
A ClickFix campaign abused compromised legitimate sites to install MIMICRAT, a previously undocumented C++ remote access trojan. The multi-stage PowerShell chain drops a Lua loader and the RAT supports 22 commands.







