  • @huntress , stahp.

    Uncategorized clickfix
    1
    0 Votes
    1 Posts
    0 Views
    badsamurai@infosec.exchange
    RE: https://infosec.exchange/@r1cksec/116136394965738519

    @huntress , stahp. ClickFix isn’t a perfect classification, but we aren’t doing the -ishing shit again. It only serves marketing departments and egos; it does nothing for users and the business we are here to support.

    Otherwise, it is a great write-up! There’s a lot of great detections to build out of here.

    And also disable Run.

    #clickfix
  • New.

    Uncategorized threatresearch infosec clickfix malware
    1
    0 Votes
    1 Posts
    3 Views
    aakl@infosec.exchange
    New.

    Huntress: ClickFix Won't Die. Neither Will Matanbuchus. A New RAT and a Hands-on-Keyboard Intrusion https://www.huntress.com/blog/clickfix-matanbuchus-astarionrat-analysis @huntress

    #threatresearch #infosec #ClickFix #malware
  • 0 Votes
    1 Posts
    5 Views
    securityaffairs@infosec.exchange
    #Microsoft alerts on DNS-based #ClickFix variant delivering malware via nslookup

    https://securityaffairs.com/188039/hacking/microsoft-alerts-on-dns-based-clickfix-variant-delivering-malware-via-nslookup.html

    #securityaffairs #hacking
  • 0 Votes
    1 Posts
    8 Views
    soc_goulash@infosec.exchange
    It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery. Let's take a look:

    Evolving ClickFix Attacks: DNS Staging and Crypto Hijacks

    - Microsoft has detailed a new DNS-based ClickFix variant where victims are tricked into running `nslookup` commands, using DNS as a stealthy staging channel for payloads like ModeloRAT. This method blends malicious activity into normal network traffic, making detection harder.
    - A separate, novel ClickFix campaign is leveraging Pastebin comments and Google Docs to socially engineer cryptocurrency users into executing malicious JavaScript directly in their browser. This allows attackers to hijack Bitcoin swap transactions and redirect funds to their wallets.
    - These incidents highlight the evolving nature of ClickFix, moving beyond traditional OS-level command execution to sophisticated DNS staging and direct browser manipulation for financial theft, underscoring the critical need for user awareness and robust detection of procedural trust abuse.

    The Hacker News | https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
    Bleeping Computer | https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

    #CyberSecurity #ThreatIntelligence #SocialEngineering #ClickFix #Malware #ModeloRAT #LummaStealer #CryptoScam #InfoSec #CyberAttack #IncidentResponse
  • 0 Votes
    1 Posts
    7 Views
    technadu@infosec.exchange
    ClickFix campaigns are now leveraging LLM-generated public artifacts for malware distribution.

    Per Moonlock Lab and AdGuard:
    • Abuse of Claude artifact pages
    • Google Ads search poisoning
    • Obfuscated shell execution (base64 decode → zsh)
    • Second-stage loader for MacSync infostealer
    • Hardcoded API key + token-protected C2
    • AppleScript (osascript) handling data theft
    • Archive staging at /tmp/osalogging.zip
    • Multi-attempt POST exfiltration

    Previous campaigns exploited ChatGPT and Grok sharing features.

    LLM trust is now an operational risk vector.

    Should EDR flag suspicious AI-guided shell patterns?

    Source: https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/

    Engage below.

    Follow @technadu for deep technical threat analysis.

    #ThreatIntel #MacOSSecurity #Infostealer #C2Traffic #ClickFix #LLMSecurity #MalwareAnalysis #AppSec #BlueTeam #EDR #ThreatHunting #CyberThreats #ZeroTrust