eSentire reported two cases of the DarkGate stealer targeting the finance and manufacturing industries since August 2023. The stealer was delivered via drive-by downloads disguised as fake installers for Advanced IP Scanner and as fake document reports. The loader uses PPID spoofing to evade detection and deploys DanaBot. Technical analysis and IOCs are provided.
Link: https://www.esentire.com/blog/from-darkgate-to-danabot
Post I wrote for my employer at https://www.linkedin.com/posts/unit42_darkgate-timelythreatintel-wireshark-activity-7123453508560797697--dJn and
https://twitter.com/Unit42_Intel/status/1717687387025809465
2023-10-25 (Wednesday): #DarkGate malware distributed through fake invoice/billing emails with PDF attachments that spoof DocuSign.
As early as last week, these DarkGate loaders stopped retrieving a copy of Autoit3.exe and the .au3 file from the C2 server. Now, the copy of Autoit3.exe and the .au3 file are contained within a zipped .msi file that's hosted on a separate server.
The loader for DarkGate now grabs that .msi file instead.
We'll see how long that lasts.
Indicators from an infection run are available at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt
A #pcap of the infection traffic, along with the associated malware/artifacts are now available at https://malware-traffic-analysis.net/2023/10/25/index.html
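The post above describes the DarkGate loader switching from fetching Autoit3.exe and the .au3 script directly to fetching a zipped .msi that carries both. The following triage script is an added example, not code from the post or from Unit 42: it opens a zip archive in memory, walks each entry (recursing into nested zips), and flags entries containing strings associated with the AutoIt3 interpreter or compiled .au3 scripts. The marker strings, the entry names and the sample archive are all assumptions constructed for the example; the markers are generic AutoIt heuristics, not DarkGate-specific indicators.

```python
import io
import zipfile
from typing import Dict, List

# Heuristic markers (assumption, not from the post): strings commonly seen in the
# AutoIt3 interpreter binary and in the header of a compiled AutoIt script.
# A hit means "AutoIt is packaged in here", not "this is DarkGate".
AUTOIT_MARKERS = [
    b"AutoIt3",
    b"AU3!EA06",
    b"This is a third-party compiled AutoIt script.",
]


def scan_blob(data: bytes) -> List[str]:
    """Return the marker strings present in a raw blob, in AUTOIT_MARKERS order."""
    return [m.decode("ascii") for m in AUTOIT_MARKERS if m in data]


def scan_zip(zip_bytes: bytes, prefix: str = "") -> Dict[str, List[str]]:
    """Map each archive entry that contains AutoIt markers to the markers found.

    Nested zip entries are scanned recursively and reported as outer/inner.
    Entries that merely look like a zip but fail to parse are treated as opaque.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            data = zf.read(info.filename)
            hits = scan_blob(data)
            if hits:
                findings[name] = hits
            if data[:2] == b"PK":  # local file header magic of a nested zip
                try:
                    findings.update(scan_zip(data, prefix=name + "/"))
                except zipfile.BadZipFile:
                    pass
    return findings


def build_sample() -> bytes:
    """Constructed, benign stand-in for the loader's download: a zip holding an
    .msi-named blob that carries AutoIt markers, plus a clean text file.
    The .msi content is synthetic (OLE header bytes followed by filler), not a
    real installer."""
    fake_msi = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature
        + b"\x00" * 64
        + b"AutoIt3.exe"
        + b"\x00" * 8
        + b"AU3!EA06"
        + b"\x00" * 32
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.msi", fake_msi)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, markers in scan_zip(build_sample()).items():
        print(f"{entry}: {', '.join(markers)}")
```

One caveat a practitioner should keep in mind: a real .msi stores its payload in OLE streams, often inside a compressed CAB, so the interpreter and script bytes may not be visible to a raw string search until the installer is unpacked (for example with msiextract or 7-Zip); run the scan over the extracted files as well as the archive itself.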
Latest issue of my curated #cybersecurity and #infosec list of resources for week #42/2023 is out! It includes the following and much more:
➝ Tracking Unauthorized Access to #Okta's Support System
➝ #Casio discloses #databreach impacting customers in 149 countries
➝ Hacker leaks millions more #23andMe user records on #cybercrime forum
➝ D-Link confirms data breach after employee #phishing attack
➝ #Equifax Fined $13.5 Million Over 2017 Data Breach
➝ Ukrainian activists hack Trigona #ransomware gang, wipe servers
➝ FBI: Thousands of Remote IT Workers Sent Wages to #NorthKorea to Help Fund Weapons Program
➝ #India targets #Microsoft, #Amazon tech support #scammers in nationwide crackdown
➝ #Hamas-linked app offers window into cyber infrastructure, possible links to Iran
➝ Police seize #RagnarLocker leak site
➝ North Korean Hackers Exploiting Recent #TeamCity Vulnerability
➝ #China replaces #Russia as top #cyberthreat
➝ CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks
➝ #France frees the two biggest Spanish hackers
➝ Ex-Navy IT head gets 5 years for selling people’s data on #darkweb
➝ #Switzerland’s e-voting system has predictable implementation blunder
➝ Critical Vulnerabilities Expose #Weintek HMIs to Attacks
➝ #Milesight Industrial Router #Vulnerability Possibly Exploited in Attacks
➝ Fake #Corsair job offers on #LinkedIn push #DarkGate malware
➝ Google-hosted #malvertising leads to fake #Keepass site that looks genuine
➝ #Discord still a hotbed of #malware activity — Now APTs join the fun
➝ SpyNote: Beware of This Android #Trojan that Records Audio and Phone Calls
➝ #Android will now scan sideloaded apps for malware at install time
➝ #WhatsApp #passkeys on the way, but as usual, for Android first
➝ Pro-Russian Hackers Exploiting Recent #WinRAR Vulnerability in New Campaign
➝ Signal Pours Cold Water on Zero-Day Exploit Rumors
➝ #Cisco warns of new #IOS XE #zeroday actively exploited in attacks
This week's recommended reading is: "RTFM: Red Team Field Manual v2" by Ben Clark and Nicholas Downer
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-422023
Vietnamese hackers attack UK, US and Indian targets with DarkGate malware
Victims lured to download infected documents offering job descriptions and salary details
https://www.computing.co.uk/news/4137089/vietnamese-hackers-attack-uk-us-india-darkgate-malware
Vietnamese threat actors linked to #DarkGate #malware campaign
https://securityaffairs.com/152886/malware/vietnamese-threat-actors-darkgate-malware.html
#securityaffairs #hacking