🧠 New phishing toolkit alert: IUAM ClickFix Generator

This kit mimics “browser verification” pages to trick users into copying malware commands - enabling low-skill attackers to deliver infostealers like Odyssey and DeerStealer.

A new phase of social engineering-as-a-service is here.

Would your users spot it before clicking?

💬 Discuss below & follow @technadu for the latest on cybercrime tool evolution.

#CyberSecurity #Infosec #ThreatIntel #Phishing #Malware #ClickFix #CyberAwareness #OdysseyInfostealer #DeerStealer #SocialEngineering

📢 IUAM ClickFix Generator: a phishing kit industrializes the ClickFix technique to deliver multi-platform infostealers
📝 According to Unit 42 (Palo Alto Networks), a ki...
📖 cyberveille: https://cyberveille.ch/posts/2025-10-08-iuam-clickfix-generator-un-kit-de-phishing-industrialise-la-technique-clickfix-pour-livrer-des-infostealers-multi-plateformes/
🌐 source: https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
#ClickFix #DeerStealer #Cyberveille
IUAM ClickFix Generator: a phishing kit industrializes the ClickFix technique to deliver multi-platform infostealers

According to Unit 42 (Palo Alto Networks), an automated phishing kit named "IUAM ClickFix Generator" democratizes the ClickFix social engineering technique by letting low-skilled actors create pages that imitate browser verification checks in order to get victims to copy and paste malicious commands. The researchers observed active campaigns distributing the DeerStealer and Odyssey infostealers on Windows and macOS, revealing a growing phishing-as-a-service and malware-as-a-service ecosystem. 🎣

CyberVeille

👾 Top threats in July 2025.
#DeerStealer via obfuscated .LNK + #LOLBin abuse, fake 7-Zip stealing AD files, and the most exploited Remote Access Tools of H1 2025.

Dive into analysis and actionable intel on the threats active right now ⬇️
https://any.run/cybersecurity-blog/cyber-attacks-july-2025/?utm_source=mastodon&utm_medium=post&utm_campaign=cyber_attacks_july&utm_term=290725&utm_content=linktoblog

#cybersecurity #infosec

Major Cyber Attacks in July 2025 SOCs Cannot Ignore

Discover a detailed breakdown of the top cyberattacks in July 2025, from DeerStealer with LNK and LOLBin abuse to Remote Access Tool exploits.

ANY.RUN's Cybersecurity Blog

🚨 #DeerStealer Delivered via Obfuscated .LNK and #LOLBin Abuse.
A new phishing campaign delivers #malware through a fake PDF shortcut (Report.lnk) that leverages mshta.exe for script execution, which is a known LOLBin technique (MITRE T1218.005).
⚠️ The attack begins with an .lnk file that covertly invokes mshta.exe to drop scripts for the next stages. The execution command is heavily obfuscated using wildcard paths.

🔗 Execution chain:
.lnk ➡️ mshta.exe ➡️ cmd.exe ➡️ PowerShell ➡️ DeerStealer

To evade signature-based detection, #PowerShell dynamically resolves the full path to mshta.exe in the System32 directory. It is launched with flags, followed by obfuscated Base64 strings. Both logging and profiling are disabled to reduce forensic visibility during execution.

🚀 #ANYRUN’s Script Tracer reveals the full chain, including wildcard LOLBin execution, encoded payloads, and network exfiltration, without requiring manual deobfuscation.

Characters are decoded in pairs, converted from hex to ASCII, reassembled into a script, and executed via IEX. This ensures the #malicious logic stays hidden until runtime.

👾 The script dynamically resolves URLs and binary content from obfuscated arrays, downloads a fake PDF to distract the user, writes the main executable into AppData, and silently runs it. The PDF is opened in Adobe Acrobat to distract the user.

👨‍💻 See analysis session:
https://app.any.run/tasks/02dd6096-b621-49a0-a7ef-4758cc957c0f?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725

🔍 Use these TI Lookup search requests to find similar threats to enrich your company's detection systems:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522threatName:%255C%2522susp-lnk%255C%2522%2522,%2522dateRange%2522:180%7D%20
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522commandLine:%255C%2522%7C%2520IEX%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522commandLine:%255C%2522powershell*%2520-E%2520%255C%2522%2522,%2522dateRange%2522:180%7D%20

#IOC:
https[:]//tripplefury[.]com/
fd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160
8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9

⚡️ With real-time and deep visibility into script execution, process details, and network behavior, #ANYRUN simplifies dynamic analysis of evasive threats like DeerStealer.

#cybersecurity #infosec
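As an added example, not ANY.RUN's code and not taken from the linked sandbox session: a small Python triage script that turns the three TI Lookup pivots above (a suspicious LNK-spawned LOLBin, "| IEX", and "powershell* -E ") into local detection rules over process-creation command lines, and decodes a `-E` payload so the `| IEX` pipe and the hex-pair rebuild described in the post become visible. The sample log lines, the wildcard path, the `PLACEHOLDER_ARG` value, the rebuilt `Write-Host 'hi'` stage and the `[convert]::ToInt32(..,16)` regex shape are all constructed or assumed here, not observed values from the post.

```python
import base64
import re
from typing import List, Optional, Tuple

# Detection patterns, case-insensitive. They mirror the three TI Lookup pivots in the post
# plus the hex-pair rebuild it describes. The hex-pair shape is an assumed common form.
RE_WILDCARD_EXE = re.compile(r"[A-Za-z]:\\[^\s\"']*[*?][^\s\"']*\.exe", re.I)
RE_IEX = re.compile(r"\|\s*(?:iex|invoke-expression)\b", re.I)
# Common abbreviations of -EncodedCommand followed by a base64 blob.
RE_ENCODED = re.compile(
    r"powershell[^|]*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I
)
RE_NOPROFILE = re.compile(r"-(?:nop|noprofile)\b", re.I)
RE_HEX_PAIRS = re.compile(r"\[convert\]::toint32\([^,]+,\s*16\)", re.I)

# -NoProfile alone is routine admin usage; treat it as a weak signal only.
WEAK_RULES = {"noprofile"}


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmd: str) -> Tuple[List[str], Optional[str]]:
    """Return the rule names that fire on one command line, plus any decoded -E payload."""
    rules: List[str] = []
    decoded: Optional[str] = None
    if RE_WILDCARD_EXE.search(cmd):
        rules.append("wildcard_exe_path")
    if "mshta" in cmd.lower():          # literal match; a wildcard path like msh*.exe evades it
        rules.append("mshta_lolbin")
    if RE_NOPROFILE.search(cmd):
        rules.append("noprofile")
    m = RE_ENCODED.search(cmd)
    if m:
        rules.append("ps_encoded_command")
        decoded = decode_encoded_command(m.group(1))
    # Inspect both the raw line and the decoded payload: the IEX pipe and the
    # hex-pair rebuild are usually only visible after decoding.
    for text in (cmd, decoded or ""):
        if RE_IEX.search(text) and "iex_pipe" not in rules:
            rules.append("iex_pipe")
        if RE_HEX_PAIRS.search(text) and "hex_pair_decode" not in rules:
            rules.append("hex_pair_decode")
    return rules, decoded


def is_suspicious(rules: List[str]) -> bool:
    """Alert only when at least one non-weak rule fired."""
    return bool(set(rules) - WEAK_RULES)


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed decoded-stage sample: hex pairs rebuilt into [char]s and piped into IEX,
# the shape the post describes; the rebuilt text is just Write-Host 'hi'.
HEX_STAGE_SAMPLE = (
    "$s=('57 72 69 74 65 2d 48 6f 73 74 20 27 68 69 27' -split ' '"
    "|%{[char][convert]::ToInt32($_,16)}) -join '';$s|IEX"
)

# Constructed process-creation command lines (hypothetical, not from the sandbox session above).
SAMPLE_LOGS = [
    r'cmd.exe /c "C:\Windows\Sys*\msh*.exe" PLACEHOLDER_ARG',                  # wildcard LOLBin path
    "powershell.exe -NoProfile -w hidden -E " + _encode_ps(HEX_STAGE_SAMPLE),  # encoded stage
    "powershell.exe -NoProfile -Command Get-Date",                              # routine admin use
    "svchost.exe -k netsvcs",                                                   # unrelated noise
]


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str], bool]]:
    """Scan every line; return (line index, rules fired, suspicious?) for lines with any rule."""
    report = []
    for i, line in enumerate(lines):
        rules, _ = scan_command_line(line)
        if rules:
            report.append((i, rules, is_suspicious(rules)))
    return report


if __name__ == "__main__":
    for idx, rules, alert in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {'ALERT' if alert else 'info '} {rules}")
```

Note that the first sample never trips the literal `mshta` rule: the wildcard path hides the binary name, which is exactly why the post's "susp-lnk" pivot and a wildcard-in-path rule are needed alongside name matching. The decoded `-E` payload is kept on the finding so an analyst can read the rebuilt stage without running it.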

Threat actor impersonates Google via fake ad for Authenticator | Malwarebytes

Only trust official sources, they say, but what happens when a Google-vetted ad is for a Google product?

Malwarebytes
Google Authenticator: when an advertisement promoting the authentication manager conceals DeerStealer, a data extractor! | SOSOrdi.net - Free IT news

SOSOrdi.net - Free IT news | The blog