New #macOS #ClickFix attack silently mounts DMGs to push #infostealer
Gizmodo Readers Targeted by ClickFix Malware After Account Compromise
If your Gizmodo account was compromised, be aware that you may have been targeted by the ClickFix malware, which showed up as suspicious prompts after the breach. Stay vigilant and take immediate action to protect your online security!
#Clickfix #MalwareOperations #AccountCompromise #EmergingThreats #Gizmodo
📢 Supply chain attack: the Okendo Reviews widget compromised to distribute SmartApeSG
📝 ## 🗓️ Context
Source: Zscaler ThreatLabz via Cyber Security News, published 19 June 2026.
📖 cyberveille : https://cyberveille.ch/posts/2026-06-21-attaque-supply-chain-le-widget-okendo-reviews-compromis-pour-diffuser-smartapesg/
🌐 source : https://www.cryptika.com/hackers-abuse-third-party-okendo-reviews-script-to-spread-smartapesg-malware-campaign/
#ClickFix #IOC #Cyberveille
🗓️ Context
Source: Zscaler ThreatLabz via Cyber Security News, published 19 June 2026. The malicious activity was first detected on 14 May 2026, during an unusual spike in traffic linked to the SmartApeSG group.
🎯 Nature of the attack
This is a supply chain attack: the attackers compromised the JavaScript of the Okendo Reviews widget, a third-party customer-review management tool used by more than 18,000 brands worldwide. By targeting the widget rather than each site individually, the attackers maximized their reach without having to compromise each site separately.
Don't look now, but it seems Gizmodo's homepage is now serving up a Clickfix attack.
Basics of the Click-Fix exploit, which causes a pasted URL to fetch malware via Windows PowerShell.
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
@Netskope Threat Labs is tracking an upgraded #ClickFix campaign targeting macOS, which includes a full-featured remote access #trojan instead of a simple stealer. The entire infection chain is completely fileless to avoid detection.
https://www.netskope.com/blog/macos-clickfix-lures-deploy-applescript-stealer-persistent-rat
TrendMicro has a decent article on Claude sharing links to deliver ClickFix. I forgot I subjected myself to a bunch of awful LLMs to build a URL share list—because no one has documentation on web pages anymore.
ChatGPT https://chatgpt.com/share/{id}
Claude https://claude.ai/share/{id}
Copilot https://copilot.microsoft.com/shares/{id}
DeepSeek https://chat.deepseek.com/share/{id}
Gemini https://g.co/gemini/share/{id}
Grok https://grok.com/share/{id}
Manus https://manus.im/share/{id}
Meta AI https://www.meta.ai/s/{id}
Poe https://poe.com/s/{id}
Qwen https://chat.qwen.ai/s/{id}

Last Updated: 2026-06-18
What's Happening
Malvertising of AI tooling to direct users to geoshitties (my nickname for free subdomain web hosting) Gitlab[.]io (typically used to host a project's documentation), making it a high-regret block for IT users. In this article shared Claude chats were being utilized, making it an abuse of Living off a Trusted Site (LOTS).
Actions
Link to the article's IOCs to hunt or block in your organization.
https://documents.trendmicro.com/assets/txt/Indicators%2...
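The share-link list above is already a set of hunting patterns. The Python below is an added example (not code from the post, from Trend Micro, or from the linked IOC file) that turns those host/path patterns into a matcher and runs it over proxy logs; it also flags hosts under gitlab.io, the free-subdomain hosting the post mentions. The log format and the log lines are constructed for illustration, and `FREE_SUBDOMAIN_SUFFIXES` is an assumption you would extend to whatever free hosting you see in your own telemetry.

```python
"""Added example: hunt proxy logs for AI chat share links and free-subdomain hosts.

The host/path patterns come from the share-URL list above; the log format and
the sample log lines below are constructed for illustration.
"""
from urllib.parse import urlparse

# host -> (platform, path prefix), taken from the share-URL list above;
# {id} is the single path segment that follows the prefix.
AI_SHARE_HOSTS = {
    "chatgpt.com": ("ChatGPT", "/share/"),
    "claude.ai": ("Claude", "/share/"),
    "copilot.microsoft.com": ("Copilot", "/shares/"),
    "chat.deepseek.com": ("DeepSeek", "/share/"),
    "g.co": ("Gemini", "/gemini/share/"),
    "grok.com": ("Grok", "/share/"),
    "manus.im": ("Manus", "/share/"),
    "www.meta.ai": ("Meta AI", "/s/"),
    "poe.com": ("Poe", "/s/"),
    "chat.qwen.ai": ("Qwen", "/s/"),
}

# Free-subdomain hosting named in the post (gitlab.io); assumption: extend with
# whatever free hosting shows up in your own logs.
FREE_SUBDOMAIN_SUFFIXES = (".gitlab.io",)


def classify_share_url(url):
    """Return (platform, share_id) if url is a public AI chat share link, else None.

    Only the share path is matched, so ordinary use of the platform
    (e.g. https://claude.ai/chat/...) is not flagged.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    entry = AI_SHARE_HOSTS.get((parsed.hostname or "").lower())
    if entry is None:
        return None
    platform, prefix = entry
    if not parsed.path.startswith(prefix):
        return None
    share_id = parsed.path[len(prefix):].split("/", 1)[0]
    return (platform, share_id) if share_id else None


def is_free_subdomain_host(host):
    """True for hosts under a free-subdomain hosting suffix (e.g. foo.gitlab.io)."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in FREE_SUBDOMAIN_SUFFIXES)


# Constructed proxy log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2026-06-18T09:14:02Z alice GET https://claude.ai/share/3f9c2a1b 200
2026-06-18T09:14:05Z alice GET https://claude.ai/chat/new 200
2026-06-18T09:20:41Z bob GET https://ai-tools-docs.gitlab.io/setup.html 200
2026-06-18T09:21:07Z carol GET https://g.co/gemini/share/77aa11bb 302
2026-06-18T09:22:13Z dave GET https://docs.gitlab.com/ee/ 200
2026-06-18T09:25:55Z erin GET https://poe.com/s/kLm9 200
"""


def hunt(log_text):
    """Return one finding dict per log line that hits a share link or free-subdomain host."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the whole hunt
        ts, user, _method, url = parts[:4]
        hit = classify_share_url(url)
        if hit is not None:
            findings.append({"ts": ts, "user": user, "kind": "ai_share",
                             "platform": hit[0], "share_id": hit[1], "url": url})
            continue
        host = urlparse(url).hostname or ""
        if is_free_subdomain_host(host):
            findings.append({"ts": ts, "user": user, "kind": "free_subdomain_host",
                             "platform": host, "share_id": None, "url": url})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROXY_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['kind']:<20} {f['platform']} {f['url']}")
```

Matching host plus share-path prefix (rather than the bare domain) keeps the hunt from flagging every employee who uses the chat product; a hit on a share link is a "who clicked what" lead to triage, while a gitlab.io hit is a lower-confidence signal because legitimate project docs live there too.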
📢 ErrTraffic: analysis of a ClickFix MaaS framework exploiting EtherHiding on WordPress
📝 ## 🔍 Context
Published 16 June 2026 by Sekoia TDR (Jeremy Scion and Quentin Bourgue), this...
📖 cyberveille : https://cyberveille.ch/posts/2026-06-17-errtraffic-analyse-d-un-framework-clickfix-maas-exploitant-etherhiding-sur-wordpress/
🌐 source : https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
#CVE_2020_25213 #ClickFix #Cyberveille
🔍 Context
Published 16 June 2026 by Sekoia TDR (Jeremy Scion and Quentin Bourgue), this article is the public version of a private report distributed to clients on 2 June 2026. It documents in depth the ErrTraffic framework, a malware distribution tool operated under a Malware-as-a-Service (MaaS) model.
🧩 Description of the ErrTraffic framework
ErrTraffic is a JavaScript framework injected into compromised WordPress sites to display ClickFix lures (fake BSOD, reCAPTCHA, Cloudflare Turnstile) and distribute malware to visitors. It includes a Traffic Distribution System (TDS) with:
We published an in-depth analysis on the #ErrTraffic framework, detailing two specific clusters ("Beer" and "Analytics"), campaigns compromising WordPress sites to deploy this malicious #ClickFix framework, as well as others impersonating AI platforms
Since that report was written, the operator "LenAI" has released ErrTraffic v4.
We shared some IoCs on our Community GitHub, and I can share the latest ones, feel free to reach out!
https://github.com/SEKOIA-IO/Community/tree/main/IOCs/errtraffic
#TDR analysts published a new report detailing #ErrTraffic, a widespread #ClickFix malware distribution framework.
ErrTraffic injects malicious JavaScript into compromised WordPress and malicious sites to serve ClickFix lures.