🚹 New #ClickFix IOC domains observed:

• bigblower[.]click
• ganiballektor[.]cfd
• lenders[.]digital
• pusanik[.]shop

Related research points to exposed / publicly accessible ClickFix infrastructure and operational dashboards tied to ongoing malware delivery and social engineering activity.

Read more: https://potato.id/en/posts/weak-secops-exposed-clickfix-dashboard/

#ThreatIntel #IOC #CyberSecurity #Infosec #DFIR #SOC #ThreatHunting #OSINT #Malware #Phishing #ClickFix #LummaStealer #DarkGate #CredentialTheft #BlueTeam #CTI #DetectionEngineering #IncidentResponse

How I Got Access to the ClickFix Dashboard Due to Bad SecOps

Discover how weak SecOps practices exposed a ClickFix admin dashboard. This cybersecurity case study covers reconnaissance techniques, security misconfigurations and key lessons learned.

Jonias Fortuna

📱 Keitaro Tracker abuse: trends, cracked licences and CTI cookie collisions
📝 🔍 Context

Published on 31 March 2026 by Infoblox Threat Intel and Confiant...
📖 cyberveille: https://cyberveille.ch/posts/2026-04-07-abus-de-keitaro-tracker-tendances-licences-crackees-et-collisions-de-cookies-cti/
🌐 source: https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/
#Adspect_Cloaker #DarkGate #Cyberveille

Keitaro Tracker abuse: trends, cracked licences and CTI cookie collisions

🔍 Context
Published on 31 March 2026 by Infoblox Threat Intel and Confiant, this article is part 3 of a series on the abuse of Keitaro Tracker, a self-hosted advertising tracking system massively hijacked by malicious actors as a Traffic Distribution System (TDS) and cloaking tool.

📊 Data sources and trends
The study covers the period from 1 October 2025 to 31 January 2026 and combines:
• Infoblox passive DNS (pDNS) telemetry: ~226,000 DNS queries across ~13,500 Keitaro-related domains
• More than 8,000 new domain registrations attributed to malicious actors, concentrated at 5 registrars: Dynadot, Namecheap, Public Domain Registry, Global Domain Group, Sav
• 275 million ad impressions analysed via Confiant, revealing ~2,000 domains hosting Keitaro instances in malvertising campaigns
• 120+ distinct spam campaigns, 96% of them linked to crypto wallet-drainers (AURA, SOL, Phantom, Jupiter)

📅 Notable events
• 7 October 2025: An actor targeting Russian speakers registers hundreds of .com domains through a Dynadot promotion at $6.88
• 26 November 2025 (Black Friday): The same actor bulk-buys .icu, .click and .digital domains
• 30 October – 1 November 2025: Massive spike in DNS queries attributed to an actor using Keitaro to redirect targeted users (Android/Germany, Windows/USA/Switzerland) to online gambling sites

⚙ Keitaro features exploited
• Routing via Campaigns/Flows: filtering by IP geolocation, OS, browser, device type, referrer, URI parameters
• Cloaking: integration with third-party kits such as IMKLO, HideClick, Adspect Cloaker (AI, bypassing Google/TikTok/Meta)
• KClient JS: client-side content substitution without a visible redirect
• Antibot: blocked-IP lists enriched with third-party data shared on GitHub and forums

🍪 Cookie collisions
Keitaro instances set tracking cookies (_token, _subid, a 5-character alphanumeric cookie for v<11). These values were used as actor signatures, but the analysis revealed collisions:

CyberVeille

⚠ New #ClickFix malware campaign is tricking users with a fake browser “fix” prompt that leads to #DarkGate being installed via clipboard PowerShell commands. 📋

Read: https://hackread.com/clickfix-attack-fake-browser-install-darkgate-malware/

#CyberSecurity #Malware #Windows #Scam #InfoSec

New ClickFix Attack Uses Fake Browser Fix to Install DarkGate Malware


#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
Cybercriminals abuse Microsoft Teams and AnyDesk for malware attacks

Recently, cybercriminals have been caught abusing popular software such as Microsoft Teams and AnyDesk to spread dangerous malware. Dit a

Tech Nieuws
DarkGate Malware Distributed Through Microsoft Teams Vishing Attack - RedPacket Security

A threat actor has been observed utilizing vishing through Microsoft Teams as a method to distribute DarkGate malware, allowing them to take remote control

RedPacket Security

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware https://thehackernews.com/2024/12/attackers-exploit-microsoft-teams-and.html

#DarkGate #Malware #CyberSec

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Attackers exploit Microsoft Teams calls to deploy DarkGate malware via AnyDesk. Security measures urged.

The Hacker News

A new malicious campaign uses impersonation via Microsoft Teams voice phishing (vishing), tricking the victims into downloading AnyDesk for remote access and deploying #DarkGate malware.

https://socprime.com/blog/darkgate-malware-detection/?utm_source=mastodon&utm_medium=social&utm_campaign=cert-ua&utm_content=blog-post

DarkGate Malware Attack Detection: Voice Phishing via Microsoft Teams Leads to Malware Distribution - SOC Prime

Detect DarkGate malware deployed via Microsoft Teams voice phishing using a set of dedicated Sigma rules from SOC Prime Platform.

SOC Prime
📬 Keylogger hid in a Pidgin extension
#Cyberangriffe #Darkgate #Eset #Jabber #Keylogger #Pidgin https://sc.tarnkappe.info/b4019a
Keylogger hid in a Pidgin extension

A malicious extension for the Pidgin messenger hid for almost six weeks in a plug-in officially offered for download.

Tarnkappe.info
#Malware infiltrates #Pidgin messenger’s official plugin repository https://www.bleepingcomputer.com/news/security/malware-infiltrates-pidgin-messengers-official-plugin-repository/ I used to use Pidgin to communicate with friends on AIM and similar messenger apps. The malicious plugin was offered only as a binary, not open source code. Worryingly, it had valid signatures, and so did the malware it downloaded. #DarkGate #Jabber #messenger
Malware infiltrates Pidgin messenger’s official plugin repository

The Pidgin messaging app removed the ScreenShareOTR plugin from its official third-party plugin list after it was discovered that it was used to install keyloggers, information stealers, and malware commonly used to gain initial access to corporate networks.

BleepingComputer