ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.

Pulse ID: 6a2201a331661aba15d362d1
Pulse Link: https://otx.alienvault.com/pulse/6a2201a331661aba15d362d1
Pulse Author: AlienVault
Created: 2026-06-04 22:52:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChaCha20 #CyberSecurity #Encryption #Google #GoogleAds #InfoSec #LinkedIn #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteAccessTrojan #SMS #ShellCode #SocialEngineering #Trojan #Windows #bot #AlienVault

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.

Pulse ID: 6a189defc88ad66cd0a9d87d
Pulse Link: https://otx.alienvault.com/pulse/6a189defc88ad66cd0a9d87d
Pulse Author: AlienVault
Created: 2026-05-28 19:56:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ChaCha20 #CyberSecurity #ELF #Education #Encryption #Extortion #Healthcare #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RaaS #RansomWare #RansomwareAsAService #bot #AlienVault

📢 Analyse technique du ransomware Payload : chiffrement ChaCha20/Curve25519 et anti-forensics avancés
📝 ## 🔍 Contexte

Source : DarkAtlas (https://darkatlas.io/blog/behind-payload-in-de...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-28-analyse-technique-du-ransomware-payload-chiffrement-chacha20-curve25519-et-anti-forensics-avances/
🌐 source : https://darkatlas.io/blog/behind-payload-in-depth-technical-analysis-of-payload-ransomware
#ChaCha20 #Curve25519 #Cyberveille

📢 VECT 2.0 : un ransomware RaaS qui détruit irrémédiablement les fichiers par défaut de conception
📝 ## 🔍 Contexte

Publié le 28 avril 2026 par Check Point Research (CPR), cet article présente une analys...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-29-vect-2-0-un-ransomware-raas-qui-detruit-irremediablement-les-fichiers-par-defaut-de-conception/
🌐 source : https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
#ChaCha20 #ESXi #Cyberveille

📢 CrystalX RAT : un nouveau cheval de Troie MaaS combinant espionnage, vol de crypto et fonctions de canular
📝 ## 🔍 Contexte

Publié le 1 avril 2026 par l'équipe GReAT de Kaspersky, cet article présente l'a...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-02-crystalx-rat-un-nouveau-cheval-de-troie-maas-combinant-espionnage-vol-de-crypto-et-fonctions-de-canular/
🌐 source : https://www.kaspersky.com/blog/prankware-crystalx-rat-maas/55537/
#ChaCha20 #CrystalX #Cyberveille

¯\_(ツ)_/¯

#cryptography #cypherpunk #chacha #pgp #gpg #chacha20 #xchacha20_poly1305 #aes #des #camellia #aegis256

https://techlife.blog/posts/2025-vpn-list/#the-digital-privacy-landscape-in-2025

#vpn #vpns #protonvpn #proton_vpn #nordvpn #cyberghost #CyberGhostVPN #vpnguide #vpn2025 #vpnprovider #vpnproviders #protocol #protocols #security #privacy #wireguard #wireguard_vpn #WireGuardVPN #openvpn #ikev2 #ikev2 #ipsec #vpn_ipsec #AES256 #aes_256 #chacha20 #expressvpn #mullvad #MullvadVPN #Surfshark #surfsharkvpn

Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf

Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...

#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware

https://sekurak.pl/szyfrowanie-danych-usuwanie-backupow-zacieranie-sladow-analiza-ransomware-dire-wolf/