I have been seeing reverse engineering / malware analysis courses that cost thousands of dollars. Do you know you can actually learn that for free, right? There are also a bunch of other courses out there that are way cheaper or even free:
- https://t.co/x0CWhENuTj
- https://t.co/dAUX2IulA9
- https://t.co/XD7BMbQbQB
- https://t.co/HyAEehO3F9
- https://t.co/NffYBgFmWD
- https://t.co/pJUPZCLVWz
- https://t.co/DldwPTTz6N
- https://t.co/RdKdLqZp8H
PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"
KnowBe4 Threat Labs is tracking a sophisticated phishing campaign that flips the script on traditional email security. What looks like a routine, urgency-driven OneDrive lure is actually a gateway to an entire multi-purpose hosting setup packed with credential harvesters, droppers, and spyware.
Here is exactly how the threat actors are evolving the notorious ClickFix technique to bypass modern endpoint security:
The Attack Flow Breakdown
The Lure: Targets receive an email with the subject or body claiming an urgent past-due document needs tracking: "We have an urgent past due, please review secure OneDrive attachment and let's rectify today." The email carries a malicious attachment named Review Past Due Doc. zip.
The Trigger: Inside the ZIP is a .lnk shortcut. Clicking it doesn't download a file instead, it redirects the victim to a landing page that silently injects a malicious PowerShell command directly into their clipboard.
The Social Engineering (ClickFix): A fake verification prompt tricks the user into manually pressing Win + R, pasting the command, and hitting enter. Because the victim manually interacts with the terminal, traditional attachment scanning and URL filters see nothing out of the ordinary.
DNS TXT Staging: The injected clipboard stager fetches its payload instructions using DNS TXT records. The actual payload instructions never touch HTTP requests or email headers they only exist in the DNS response at execution time.
The Attacker's Infrastructure & Payload Arsenal
Pivoting to the operator's parent domain revealed a massive hosting setup designed for large-scale operations
ZIP Archives: Obfuscated .js and .vbs scripts acting as initial droppers.
MSI Files: Masquerading as legitimate software installers (some even abusing names like ConnectWise) to drop password stealers and Remote Monitoring and Management (RMM) tools.
ISO Images: Bundled spyware that leverages background processes to maintain persistent access.
This campaign proves that threat actors are moving far beyond simple credential theft. They are playing the long game using victim-assisted execution and network-level evasion to establish full, post-compromise control over environments.
Indicators of Compromise (IOCs)
Domains:
document-auth[.]icu
italy-news[.]info
lootrioya[.]info
Key Hashes:
7b7981c99d59595fe15377df84695bb72ce0b85560a3935f930657b2d162e5ef (Review Past Due Doc. zip)
adcd15f3d6b87f84d106ea426fa824fd20c9d64f6d199ce92580884290785f30 (RMM / MSI Installer)
d7d2f0ee187549f3f4a114d716be12521fbf62d6d26e2ac23d2a32d521d08fd8 (Password Stealer)
#ThreatIntel #Phishing #Cybersecurity #ClickFix #InfoSec #KnowBe4 #M365 #OAuth
Threat Actors are "Bringing Their Own Forensics"
In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (https://t.co/Vq0vkvWutb) directly on victim machines.
Commonly a tool for defenders, the TAs are using it to:
The ClickFix Triage query has gotten an update with the recently used parameters from the ClickFix hunter project. If you haven't tried the query yet, give it a try in any ClickFix case, it collects the data you need to triage the incident in seconds.
https://t.co/4Gd5wNxPwq
This React2Shell exploit is being exploited in the wild by 🇨🇳, hop on it folks! 🔥
Bunch of links for you to get started on:
1. https://t.co/807ywVG88l
2. https://t.co/xXYWdikPc5
3. https://t.co/04vaF35GUe
4. https://t.co/Pi2sfhwKgj
5. https://t.co/aoNZhyaC9K
Cloudflare went down because a ClickHouse change made a metadata query return duplicate columns. That blew up the size of a config file, it spread across the network and one module couldn’t handle the larger file and crashed. Everything after that was basically fallout from this chain reaction 😅
https://t.co/R4IPMw05ig
An idea I had some time ago was to create an open-source project with community contributions to centralize different social engineering lure techniques & native GUI tools that could be leveraged for ClickFix... a LOLBins-style site w/ mitigations. Video: https://t.co/uAFMm2qkXn
Cisco ASA/FP - Be on the lookout for calls to these URLs 👇
GET /+CSCOU+/MacTunnelStart.jar
GET /+CSCOL+/csvrloader64.cab
GET /+CSCOL+/csvrloader.jar
- Contain the Cisco SSL VPN Relay Loader
- Likely used for version fingerprinting
(CVE-2025-20333 / CVE-2025-20362)