Top Tweets for #Clickfix
#Security #breakglassaccount #ClickFix The municipality of Epe has published an evaluation report on the data breach of March 2026. It shows that attackers obtained far-reaching privileges in the system via an insufficiently secured break-glass account.… https://t.co/4PnA6d99Wn
ClickFix loader that embeds a full LLVM MCJIT engine and JIT-compiles its terminal payload at runtime. VT 0/91 on the JIT'd stage.
#ClickFix #threatintel #malware
THE MAC GOT HIT BY CLICK FIX: THE APPLE BIT ITS OWN POISON
https://t.co/fOxSSeIxI7
#Cibersegurança #MacOS #ClickFix #InfoStealer #PequenoVacilao

ClickFix goes job hunting: fake LinkedIn and Indeed job postings used to distribute CastleLoader and Python RAT
the blog: https://t.co/cKQLEa6bEO
#cybersecurity #backdoor #castleloader #clickfix #malware #phishing #pythonrat

Verizon DBIR 2026 confirms attacks are now living in the browser: Shadow AI, credential abuse, extensions, and ClickFix often bypass network and endpoint controls. Browser visibility is now essential. #VerizonDBIR #ShadowAI #ClickFix
https://t.co/vpp10kp2PP
We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure that tricks the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at https://t.co/3gOKYWrMLz

The active DriveSurge threat cluster is compromising thousands of websites. Discover how its customized Traffic Distribution System redirects victims.
#Cybersecurity #ThreatIntel #DriveSurge #Malware #TrafficDistribution #ClickFix #Infosec
https://t.co/juodwsVVaa

ClickFix Malware #clickfix
Zip Pass: iDXs9HOIpoTLZRE
XOR Pass: 7GR#f#p7
Malware Exe: iDXs9HOIpoTLZRE.exe

Possible interesting opendir: http://cloud-flare-authenticator[.]link/
🤷♂️
Fake LumaNotch macOS app = #NovaStealer (#MioLab) 🧐
🎭 site = near 1:1 clone of dynamichorizon[.]app
🧾 #ClickFix shows apps[.]apple[.]com, hides the curl|bash
📣 propped up by X/TikTok + AI review bait
💀 "killall Terminal" on launch (hides the drop)
🧹 xattr -c → strips quarantine, skips Gatekeeper
🧱 same lineage → build_info_t + _g_serialized_build_info
🆕 but config now PBKDF2-HMAC-SHA1 + 3DES-CBC
↪️ older Nova/MioLab stealer used inline XOR/stream
🌐 open dir → 31.76.93[.]69
🏷️ self-tags "macos-stealer-v2"
@malwrhunterteam Compromised via iframe sites load #clickfix fake captcha from this host.
Related infra:
hXXp://193.111.117.6
adammanagement\.com
cloudfflareg\.com
firsttryeverydayoo\.com
6r.darkfadeson\.top
hmis-api.imenso\.in
ELF: https://t.co/eun8R9U959
machO: https://t.co/zCTIAmL5FW

🚨 Fake Claude & Codex Deliver In-Memory Stealer: ClickFix via Google Sites
⚠️ We’re tracking a #ClickFix campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure to deliver stealer #malware.
With no standalone executable dropped to disk and network activity appearing as legitimate powershell.exe traffic, the attack can significantly reduce visibility during the early stages of compromise.
❗️ Victims are directed to trusted sites[.]google[.]com pages and instructed to execute an mshta command. The attack results in in-memory stealer execution, theft of browser, email, and cryptocurrency wallet data, and outbound communication with attacker-controlled C2 infrastructure, while leaving fewer traditional detection opportunities for SOC teams.
Execution chain:
Trusted Google Sites lure ➡️ User-executed mshta command ➡️ Multi-stage PowerShell delivery ➡️ Steganographic payload extraction from image ➡️ Shellcode deployment ➡️ In-memory execution inside powershell.exe ➡️ Browser, email & wallet data theft ➡️ C2 exfiltration
👨💻 Using #ANYRUN Sandbox, investigate the full ClickFix execution chain, validate detection coverage, and observe PowerShell staging, steganographic payload delivery, and credential theft activity. Explore the analysis sessions and collect IOCs:
🔹 Codex lure: https://t.co/CFxvnqe6cv
🔹 Claude lure: https://t.co/zK62NUGmEa
🔍 Track related ClickFix activity in #ANYRUN TI Lookup, identify additional Codex and Claude lures, and uncover related AI-themed ClickFix activity and infrastructure:
🔹 https://t.co/o3ubjjQFaV
🔹 https://t.co/iKMxnTybXA
🚀 Equip your SOC with stronger phishing detection and contain incidents faster: https://t.co/pBdPsux2vZ
#ExploreWithANYRUN
Alert: The SmartApeSG campaign is using ClickFix scripts to deploy RAT malware on Windows systems. Stay vigilant and educate users to avoid executing untrusted scripts. Link: https://t.co/sWrXL3fa23 #SmartApeSG #ClickFix #RAT #Malware #Windows #Cybersecurity #Infosec #Threat #Attack #Phishing #Payload #Trojan #Script #Infection #Exploit #Defense #Awareness #Endpoint #Detection #Mitigation


Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks https://t.co/9D0QqUw5PX
#hackers #hijack #clickfix #fakeupdateattacks #cyberattack
🚨 Hackers are hijacking websites to spread malware through ClickFix & FakeUpdate attacks.
Fake browser update pop-ups can steal credentials, infect devices, and disrupt businesses.
🔒 Verify before you click.
🌐 https://t.co/HFtZVEPo3H
#Vulnfi #CyberSecurity #Malware #ClickFix

Thousands of legitimate websites have been compromised to spread ClickFix and FakeUpdate malware.
Fake errors. Fake updates. Real infections. Even trusted websites can become attack vectors. Stay vigilant.
#CyberSecurity #Malware #ClickFix #FakeUpdate #IntrixCyberSecurity

DriveSurge is using hijacked websites, ClickFix and FakeUpdate lures, and zTDS traffic routing to spread malware through fake browser update prompts, impacting Windows and macOS users. #ClickFix #FakeUpdate #DriveSurge
https://t.co/oJFRfWW8Tz