
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


ClickFix Campaign Deploys Ransomware

22-Dec-2025
Label: Malware
Threat Level: Medium

ClickFix has emerged as a highly effective social engineering technique in which threat actors disguise malicious actions as legitimate human verification prompts to trick victims into installing malware. This approach has been widely used to deliver infostealers and remote access trojans, frequently serving as an initial access vector that later enables ransomware deployment. Recent investigations show how ClickFix-based campaigns can lead to large-scale credential theft and ultimately full ransomware incidents, highlighting the significant risk this technique poses to both organizations and individual users.

The infection chain begins when a victim visits a compromised legitimate website hosting embedded malicious scripts that fingerprint the system, generate tracking identifiers, and display a fake verification page via an invisible iframe overlay. Once the victim completes the spoofed verification step, a batch file downloads and installs a legitimate remote access tool commonly abused by attackers, which connects to a command-and-control server. The C2 infrastructure then delivers an infostealer using DLL sideloading, enabling the theft of credentials and sensitive data. In documented cases, stolen credentials were later used approximately one month after initial compromise to access corporate networks via VPN, move laterally, and deploy ransomware with data exfiltration for double extortion. The ransomware group linked to this activity has claimed more than 1,100 victims, underscoring how ClickFix-driven social engineering can escalate into high-impact ransomware operations.

GhostPoster Malware Hides in Firefox Extension PNG Icons

22-Dec-2025
Label: Malware
Threat Level: Medium

A sophisticated malware campaign called GhostPoster has compromised over 50,000 Firefox users by embedding malicious JavaScript code within PNG logo files of browser extensions. The attack uses steganography to hide executable payloads in seemingly innocent extension icons, bypassing traditional security scans and marketplace reviews.

The attack begins when infected extensions load their logo files and scan for a specific marker sequence of three equals signs. Code hidden after this marker acts as a loader that contacts command-and-control servers to retrieve the main payload. The malware employs sophisticated evasion techniques, waiting 48 hours between check-ins and only fetching payloads 10% of the time to avoid detection. When delivered, payloads undergo custom encoding involving character case swapping and Base64 decoding before XOR encryption using the extension’s runtime ID.
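A defender-side check for the icon trick described above, added here as an example (it is not CyberProof's code or anything recovered from the campaign): it walks the PNG chunk structure to the IEND chunk, reports any bytes appended after the image, and looks for the three-equals-sign marker the alert describes. The 1x1 sample PNG and the appended text are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # three equals signs, the marker the alert describes


def scan_png(data: bytes) -> dict:
    """Walk the chunk list to IEND and report anything appended after it."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    end = None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + chunk data + CRC
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        raise ValueError("truncated or malformed PNG: no IEND chunk")
    trailing = data[end:]  # a clean image has nothing here
    marker_at = trailing.find(MARKER)
    return {
        "trailing_bytes": len(trailing),
        "marker_found": marker_at != -1,
        "hidden_code": trailing[marker_at + len(MARKER):] if marker_at != -1 else b"",
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a valid CRC (only used to construct the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(appended: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `appended` is tacked on after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + appended)


if __name__ == "__main__":
    print(scan_png(build_sample_png()))  # clean icon: 0 trailing bytes
    stub = b"===(function(){/* constructed loader stub */})();"
    print(scan_png(build_sample_png(b"pad" + stub)))
```

Any non-zero `trailing_bytes` on an extension icon is worth a look on its own; the marker check narrows that to the pattern this campaign used.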

The final payload monetizes infected browsers through affiliate link hijacking on e-commerce platforms, tracking injection using Google Analytics, and security header stripping that removes Content-Security-Policy and X-Frame-Options protections. The malware also includes CAPTCHA bypass mechanisms and hidden iframe injection for ad fraud operations. The campaign spans 17 Firefox extensions masquerading as VPN services, translation tools, and ad blockers, with the oldest dating back to October 2024. This represents a growing trend of malicious VPN extensions that promise privacy while delivering surveillance capabilities.

Critical Google Chrome WebGPU and V8 Flaws Raise Remote Code Execution Risk

22-Dec-2025
Label: Vulnerability
Threat Level: High

Google has released a security update for Chrome addressing two vulnerabilities that are being treated as critical due to their potential for remote code execution through malicious web content. Both flaws affect core browser components and could allow attackers to crash the browser, access sensitive memory, or execute arbitrary code simply by directing users to a crafted webpage, making them suitable for broad, opportunistic exploitation.

CVE-2025-14765 is a use-after-free vulnerability in Chrome’s WebGPU component that enables memory corruption and potential code execution, while CVE-2025-14766 impacts the V8 JavaScript engine and allows out-of-bounds memory access that could result in sandbox escape or data leakage. Although CVSS scores have not yet been published, both issues are being handled as critical given their location in widely exposed browser functionality and their impact on end-user systems across Windows, macOS, and Linux.

Third-Party Data Exposure Leaks 4.3 Billion Professional Records

22-Dec-2025
Label: Cyber Security News
Threat Level: Medium

A 16-terabyte MongoDB database containing approximately 4.3 billion records of LinkedIn-style professional data was found exposed on the public internet, representing one of the largest unsecured datasets reported to date. The database—believed to originate from a third-party lead-generation firm rather than LinkedIn itself—included names, email addresses, job titles, photos, and other professional contact details, and was accessible without authentication before being secured. Given its scale and depth, the exposed data could enable large-scale phishing, identity-theft, and social-engineering campaigns if accessed during the exposure period.

GhostPairing Attack Targets WhatsApp Users

22-Dec-2025
Label: Trends
Threat Level: Medium

A social engineering attack dubbed “GhostPairing” has emerged targeting WhatsApp users by exploiting the platform’s device pairing functionality to gain unauthorized access to accounts without requiring passwords or credentials. The attack, recently detected in Czechia, operates by tricking users into clicking malicious links disguised as Facebook photo notifications, then manipulating them into entering an 8-digit pairing code that adds the attacker’s browser session as a trusted device. Once paired, attackers gain full access to message history, real-time conversations, and the ability to impersonate victims to spread the campaign further through contacts and groups, effectively bypassing WhatsApp’s end-to-end encryption protections. The technique exploits the convenience features that have made WhatsApp popular—particularly the phone number-based authentication and multi-device pairing capabilities—turning these user-friendly functions into attack vectors. This development follows a pattern of recent WhatsApp vulnerabilities, including a flaw enabling mobile number discovery across the platform’s 3.5 billion users and a Windows-targeting weakness in WhatsApp Desktop, demonstrating continued attacker interest in compromising the messaging platform’s security architecture.

Santastealer Emerges as New MaaS Infostealer

22-Dec-2025
Label: Malware
Threat Level: Medium

A newly identified malware-as-a-service (MaaS) infostealer has surfaced in the cybercrime underground. Targeting Windows systems, the malware focuses on stealing credentials, browser data, cryptocurrency wallets, documents and messaging application information using in-memory execution to evade file-based detection. Its service-based distribution model lowers the barrier for adoption among multiple threat actors, amplifying risks such as credential theft, session hijacking, financial fraud and unauthorized access to compromised browsers and digital wallets across both consumer and enterprise environments.

Analysis shows the infostealer is a modular, multi-threaded application written in C that leverages widely available tools and techniques. It includes functionality to bypass Chromium browser encryption, giving it access to protected credential stores, and it collects stolen data entirely in memory before compressing it into archives, splitting it into segments, and exfiltrating it to command-and-control servers over unencrypted HTTP. While marketed as stealthy and polymorphic, the current build exposes numerous plaintext strings, exported symbols, and static configuration elements, indicating limited anti-analysis maturity. Promoted via messaging platforms and underground forums, the malware is commonly delivered through fake verification prompts, pirated software, and malicious downloads, positioning it for rapid scaling and continued evolution as adoption spreads among cybercriminal affiliates.
