ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Analyzing a Full ClickFix Attack Chain - Part 1

A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit.

Pulse ID: 69ea2d5cd8732f2d8910fceb
Pulse Link: https://otx.alienvault.com/pulse/69ea2d5cd8732f2d8910fceb
Pulse Author: AlienVault
Created: 2026-04-23 14:31:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #Clipboard #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #RCE #SMS #SocialEngineering #Telegram #ZIP #bot #AlienVault


TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337, combining cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, ransomware module (crpx0), and Java RAT builder managed via FastAPI-based panel with license key system. The operation targets Windows and macOS using FedEx and OnlyFans-themed social engineering lures, with complete source code exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting, operating under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from configurations, indicating a Malware-as-a-Service operation with tiered licensing.

Pulse ID: 69e8c1fb96869b14e2c565a2
Pulse Link: https://otx.alienvault.com/pulse/69e8c1fb96869b14e2c565a2
Pulse Author: AlienVault
Created: 2026-04-22 12:41:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BitCoin #Browser #Clipboard #CyberSecurity #InfoSec #InfoStealer #Java #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #SocialEngineering #Telegram #Windows #bot #cryptocurrency #AlienVault


How to copy a string from GNOME Shell Looking Glass (lg) #2404 #gnomeshell #clipboard #lookingglass

https://askubuntu.com/q/1565857/612

How to copy a string from GNOME Shell Looking Glass (lg)

To add an application to my favorites or ensure the icon is visible in the GNOME Shell application dock, I need to enter the StartupWMClass value in the desktop file. Sometimes this is simple, such...

Ask Ubuntu

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with "Million OK !!!!" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.

Pulse ID: 69dd07742196e34ee1615b73
Pulse Link: https://otx.alienvault.com/pulse/69dd07742196e34ee1615b73
Pulse Author: AlienVault
Created: 2026-04-13 15:10:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #Apache #Clipboard #CyberSecurity #InfoSec #KeyLogger #Kimsuky #Korea #OTX #OpenThreatExchange #PHP #Phishing #PowerShell #RAT #RCE #UK #VBS #bot #AlienVault


REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

Pulse ID: 69dd066f59e22e6d1ee7315b
Pulse Link: https://otx.alienvault.com/pulse/69dd066f59e22e6d1ee7315b
Pulse Author: AlienVault
Created: 2026-04-13 15:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Bulgaria #Clipboard #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #LNK #Nim #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RemoteAccessTrojan #Trojan #VBS #bot #cryptocurrency #AlienVault

After some time, another #crafting experiment.
This time I decided to attempt making a #clipboard, a project that is pretty easy and quick to do. The only problem I faced was the "rivets" (I don't know what their real name is); I didn't have the proper tool to secure them, so they are a little bit deformed. Follow me on #kofi (all posts are free): https://ko-fi.com/post/A-new-experiment-a-clipboard-homemade-R5R61XH3C6 #art #artandcraft
#bookbinding #craft #crafts #handmade #diy #cardboard #paper #hardcover #papercraft #handcraft
Der Pepe (Hubzilla) ⁂ wrote the following post Sun, 05 Apr 2026 16:24:25 +0200

Inserting images with copy/paste

Good news for everyone who found inserting images into #hubzilla posts "cumbersome".

"Admin" from the hub libera.site has conjured up an addon with which you can now, as has been wished for repeatedly, insert graphics/images directly from the clipboard into the post editor AND also into the comment editor.

So if there is an image in the clipboard (e.g. a screenshot), you can paste it directly into the post using ctrl-v or right mouse button ➔ Paste.

It works great. I have tried it out, and the addon is enabled on my Klackerhub. Anyone who has a channel there can try it out directly. Just install the app "Paste Image Upload" from the available apps... done!

Administrators who run a hub can download the addon here (it is attached to the post 📎) and install it following the instructions in the included README.md file.

For me, a candidate for a standard addon!

#addon #clipboard
Der Pepe (Hubzilla) ⁂

I am a vaping activist, blogger, hobby programmer, guitar repairer, dog and horse rescuer and much more. I live in Hungary, where I emigrated years ago. My nick- or channel name? Well, there's a little story about that: https://hub.hubzilla.hu/page/dampfdruckpresse/aboutddp#pepecyb #ungarn #hungary #magyarország #vape #linux #gitarre #guitar #selfhost #s04 #discworld #scheibenwelt #pratchett #hubzilla #pfrunzel

Built-in shortcuts let you copy text straight to the clipboard fast.

#clipboard #shortcuts #tips

clipboard-mcp: giving AI assistants access to the clipboard

AI assistants in 2026 can write code, analyze data and manage infrastructure. But ask Claude to read what you just copied, and it will throw up its hands. The clipboard is one of the most basic things in a desktop workflow, and AI has no access to it. I wrote clipboard-mcp to fix that.

https://habr.com/ru/articles/1015844/

#rust #mcp #clipboard #ai #claude #open_source #model_context_protocol
