In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot.
As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information.
Danabot was targeted by the #FBI and #DCIS, alongside #OperationEndgame led by #Europol and #Eurojust. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers.
Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.
For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the #ClickFix social engineering attacks that we also cover in this issue of the #ESETThreatReport. In recent months, we have seen Danabot being delivered via ClickFix as well.
For more details on these two operations and on the ClickFix attacks, read the latest #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.

FileFix: A ClickFix page that asks you to past script into a File Manager window.

#RunFix: A ClickFix page that asks you to paste script into a Run window

#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).

We cool with that? Any others types I'm missing?

ClickFix Spin-Off Attack Bypasses Key Browser Safeguards – Source: www.darkreading.com https://ciso2ciso.com/clickfix-spin-off-attack-bypasses-key-browser-safeguards-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #DARKReading #ClickFix

Are we still on about the MotW flaws? I'm not sure anyone pays attention to that anyway.

https://www.darkreading.com/endpoint-security/clickfix-spin-off-bypassing-key-browser-safeguards

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

ESET Threat Report H1 2025: #ClickFix attacks surge 500%, SnakeStealer tops infostealer charts, and NFC fraud jumps 35x. Plus, chaos in the ransomware underworld and a new Android adware menace—Kaleidoscope. Dive into the full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf #ESETresearch

New #FileFix attack weaponizes #Windows #FileExplorer for stealthy commands

https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-windows-file-explorer-for-stealthy-powershell-commands/

New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/ #Cybersecurity #MochaManakin #CyberAttack #FakeCAPTCHA #NodeInitRAT #Security #ClickFix #Malware

New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack – Source:hackread.com https://ciso2ciso.com/new-mocha-manakin-malware-deploys-nodeinitrat-via-clickfix-attack-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #MochaManakin #CyberAttack #FakeCAPTCHA #NodeInitRAT #ClickFix #Hackread #security #malware

New malware alert: Mocha Manakin uses #Clickfix (fakeCAPTCHA) to trick users into deploying a custom backdoor called NodeInitRAT. Red Canary warns it could lead to ransomware!

https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack

2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.

Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.

New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack https://www.securityweek.com/new-clickfix-malware-variant-lightperlgirl-targets-users-in-stealthy-hack/ #Malware&Threats #LightPerlGirl #ClickFix #malware

New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack https://www.securityweek.com/new-clickfix-malware-variant-lightperlgirl-targets-users-in-stealthy-hack/ #Malware&Threats #LightPerlGirl #ClickFix #malware

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware https://hackread.com/clickfix-email-scam-fake-booking-com-emails-malware/ #CyberAttack #Bookingcom #CyberCrime #Security #ClickFix #Malware #Fraud #Scam

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware – Source:hackread.com https://ciso2ciso.com/clickfix-email-scam-alert-fake-booking-com-emails-deliver-malware-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #CyberAttack #Bookingcom #CyberCrime #ClickFix #Hackread #security #malware #Fraud #Scam

ClickFix Attack Exploits Fake Cloudflare Turnstile to Deliver Malware – Source: www.securityweek.com https://ciso2ciso.com/clickfix-attack-exploits-fake-cloudflare-turnstile-to-deliver-malware-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Malware&Threats #securityweekcom #securityweek #Cloudflare #ClickFix