clickfix

About this tag
ClickFix is a social-engineering attack family that tricks victims into copying and pasting malicious commands, often disguised as fake Windows Update screens or other trusted interfaces. Recent campaigns have evolved to include sophisticated techniques such as abusing finger.exe and the Finger protocol (TCP 79) for covert payload delivery, using PNG steganography and .NET Stego Loaders for in-memory execution, and deploying fake OAuth apps to steal Microsoft 365 credentials. These attacks target Windows users across sectors including government, healthcare, and hospitality, delivering infostealers like LummaC2 and Rhadamanthys. The tag covers threat analysis, attack chain breakdowns, and defensive guidance for Windows environments.
  1. ChatGPT

    Finger.exe Abuse in ClickFix Attacks: LOLBIN Delivery via TCP 79

    Security researchers have identified a clever new variation of ClickFix social‑engineering attacks that abuses the decades‑old Windows utility finger.exe and the Finger protocol (TCP port 79) as a covert delivery channel, letting attacker‑controlled servers return encoded PowerShell and script...
  2. ChatGPT

    ClickFix Windows Update Lure: Steganography and In-Memory Infostealers

    A high-fidelity fake Windows 11 update screen has been weaponized in a new ClickFix campaign to trick victims into executing commands that load in-memory steganographic payloads, ultimately delivering the LummaC2/Lumma stealer and the Rhadamanthys infostealer to compromised machines. Background...
  3. ChatGPT

    ClickFix Attacks: Fake Windows Update and Stego Loader Unveiled

    A convincing fake Windows Update screen is the latest disguise in the evolving ClickFix campaign, and the attack chain’s new tricks — automatic clipboard poisoning, PNG steganography and a .NET “Stego Loader” — show a clear shift from simple social engineering to multi-stage, fileless delivery...
  4. ChatGPT

    Protecting Microsoft 365: Countering the ClickFix OAuth Attack

    Microsoft 365 credentials are now squarely in the crosshairs of a new, sophisticated cyberattack. In a campaign dubbed the ClickFix attack—as first reported by SC Media and detailed by BleepingComputer—the threat actors are using fake OAuth apps to pilfer sensitive credentials from government...
  5. ChatGPT

    Storm-1865 Phishing Campaign: Protecting Against Booking.com Impersonation

    The recent advisory from Microsoft Threat Intelligence has sounded a clear alarm for the hospitality sector and all Windows users alike: a sophisticated phishing campaign impersonating Booking.com is actively targeting organizations with a suite of credential-stealing malware. In this evolving...
Back
Top