Our latest TDR report on the #IClickFix framework:
📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload
Open directory at 104.168.81.]229/BJ/ containing phishing pages for Zimbra, Outlook, Adobe, and various Chinese services
104.168.81.]229
microsoftstorage.duckdns[.]org
outllook.duckdns[.]org
outlookspace.duckdns[.]org
patnerrshipp.duckdns[.]org
spaceoptimize.duckdns[.]org
spaceup.duckdns[.]org
spaceupstorage.duckdns[.]org
webmaii.duckdns[.]org
webmailstorage.duckdns[.]org
webmil.duckdns[.]org
zimbrastorage.duckdns[.]org
zirmbra.duckdns[.]org
zlmbrastorage.duckdns[.]org
spaceupzimbra.chickenkiller[.]com
...
Outlook and Zimbra phishing pages are distributed via email using malicious SVG files that contain obfuscated JavaScript (common phishing TTP nowadays), e.g.
ec7a3247bc86636c6b08bef9a1568b63c289a2d72464c9adebcf16ccfc2ce0f3 > zimbrastorage.duckdns.]org/BJ/zimbra/
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.
https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group!
It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor ⬇️
https://infosec.exchange/@sekoia_io/114346873677895469
By the way, Microsoft Threat Intelligence published an analysis yesterday on the same infection chain leveraging new PowerShell loader/backdoor (without associating it with Interlock?)
As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub: https://github.com/SEKOIA-IO/Community/tree/main/IOCs/Interlock
Since the appearance of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload. https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page
e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/
Current decoy pages used since 18 March, changing every 3 to 4 weeks since the beginning of 2025:
Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.
ClearFake is injected into thousands of compromised sites to distribute the #Emmenhtal Loader, #Lumma, #Rhadamanthys, and #Vidar.
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!
As usual, feedback is greatly appreciated!
TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic. https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.
cc @sekoia_io
1. The ClearFake framework is injected into compromised WordPress sites and relies on EtherHiding
2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic
3. The malicious PowerShell command is copied to the user's clipboard, to be pasted and executed in the Run dialog box
4. Downloading Emmenhtal from:
bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)
5. Further downloading and executing Rhadamanthys from:
bytes.microstorage.]shop/code.bin (https://virustotal.com/gui/file/a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7)
6. Communicating with C2 at:
91.240.118.]2:9769
Public analysis of the recent ClearFake variant: https://security.szustak.pl/etherhide/etherhide.html
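The indicators in these posts are defanged in several inconsistent styles (`[.]`, the lopsided `.]`, `hxxps://`, `host:port`), which is error-prone to turn into a blocklist by hand. The following is an added example, not Sekoia's code or tooling: a small Python refanger and IoC classifier whose sample input is constructed from the indicators quoted above (IPs, duckdns hosts, the Emmenhtal and Tycoon 2FA URLs, the Rhadamanthys C2 socket and the SVG hash). It sorts them into hashes, IPs, domains, URLs and C2 sockets and emits a host deny list; the regexes and category names are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: defanged indicators in the mixed styles seen in the posts above
SAMPLE_POST = """
104.168.81.]229
microsoftstorage.duckdns[.]org
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
bytes.microstorage.]shop/code.bin
91.240.118.]2:9769
ec7a3247bc86636c6b08bef9a1568b63c289a2d72464c9adebcf16ccfc2ce0f3 > zimbrastorage.duckdns.]org/BJ/zimbra/
...
"""

# Defang conventions handled: [.] (.) {.}, the lopsided .] / [. forms, hxxp(s), [:] and [://]
_DOT_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\.\]|\[\.")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
_IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def refang(token: str) -> str:
    """Turn a defanged indicator back into its live form (assumed conventions above)."""
    t = _DOT_RE.sub(".", token)
    t = re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)
    return t.replace("[:]", ":").replace("[://]", "://")


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    sockets: set = field(default_factory=set)  # host:port pairs as seen (C2 endpoints)


def _host_of(value: str) -> str:
    """Strip scheme, path and trailing port from a refanged URL or host:port token."""
    v = value.split("://", 1)[1] if "://" in value else value
    v = v.split("/", 1)[0]
    return v.rsplit(":", 1)[0] if re.search(r":\d+$", v) else v


def parse_iocs(text: str) -> IocSet:
    """Tokenise a post, refang every token and file it under its indicator type."""
    iocs = IocSet()
    for raw in re.split(r"[\s>]+", text):
        if not raw or raw == "...":
            continue
        value = refang(raw)
        if _SHA256_RE.match(value):
            iocs.sha256.add(value.lower())
            continue
        host = _host_of(value)
        if "://" in value or "/" in value:
            iocs.urls.add(value)
        elif re.search(r":\d+$", value):
            iocs.sockets.add(value)
        # Every URL or socket also contributes its host to the deny list
        if _IPV4_RE.match(host):
            iocs.ips.add(host)
        elif _DOMAIN_RE.match(host):
            iocs.domains.add(host.lower())
    return iocs


def blocklist(iocs: IocSet) -> list:
    """Sorted hosts ready for a DNS sinkhole or proxy deny list."""
    return sorted(iocs.ips | iocs.domains)


if __name__ == "__main__":
    result = parse_iocs(SAMPLE_POST)
    for host in blocklist(result):
        print(host)
    print("sockets:", sorted(result.sockets), "hashes:", sorted(result.sha256))
```

Hosts are deliberately lowercased and deduplicated so that the same domain quoted as a bare name and inside a URL lands in the deny list once; hashes stay separate because they belong in an EDR or mail gateway, not a DNS filter.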