CyberSecurityBoard
Sponsor Register Login

Hackers are Using ClickFix Techniques to Deliver NetSupport RAT, Latrodectus and Lumma Stealer Malware - Cyber Security News

A carefully crafted landing page instructs victims to open the Run dialog (Win+R) and paste an injected PowerShell command, which subsequently downloads a ZIP archive containing a malicious DLL loader. At the heart of the ClickFix vector is pastejacking: JavaScript on a malicious webpage overwrites the user’s clipboard with an obfuscated command string and displays innocuous instructions to “verify” or “fix” an issue. Emerging in late 2024 and surging throughout the first half of 2025, ClickFix has become a pervasive social-engineering vector in which threat actors trick users into executing malicious commands under the guise of “quick fixes” for common computer issues. When executed, the command uses curl.exe to fetch a JavaScript downloader that retrieves an MSI installer, which sideloads Latrodectus as a malicious DLL (libcef.dll) within a legitimate process. As Palo Alto Networks researchers noted, each victim receives a unique MSHTA command that downloads a heavily obfuscated, Base64-encoded PowerShell script. This script drops and executes an AutoIt-based loader (PartyContinued.exe), which unpacks a CAB archive (Boat.pst) and constructs an AutoIt3 engine binary (Slovenia.com) to launch the Lumma payload. Rather than relying on exploit kits or malicious attachments, attackers employ clipboard hijacking—injecting obfuscated commands into the victim’s clipboard—and instructing them to paste and run these commands via Windows shell shortcuts such as Win+R or Win+X. This DLL sideloads itself via a legitimate Java executable (jp2launcher.exe), retrieves encrypted payloads (data_3.bin and data_4.bin) using curl.exe, and ultimately launches NetSupport RAT’s client32.exe in memory. Victims visiting compromised websites are redirected to fake verification pages that inject an encoded PowerShell command into the clipboard. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Once executed, the script reaches out to the attacker’s C2, retrieves the next-stage loader, and initiates the multi-stage infection chain. The loader then executes a series of command-line operations (cmd /c md, copy /b, choice) to extract, assemble, and run the stealer without further user interaction. Upon pasting into the Run dialog or terminal, the victim unwittingly executes a script that downloads and stages additional components.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 08:35:30 +0000


Cyber News related to Hackers are Using ClickFix Techniques to Deliver NetSupport RAT, Latrodectus and Lumma Stealer Malware - Cyber Security News

Lumma Stealer Evolves with New PowerShell Tools & Advanced Techniques - “The variations we saw in Lumma Stealer behavior are significant to defenders,” noted the Sophos Managed Detection and Response team in their report, emphasizing that these delivery techniques could easily be adapted for other malware ...
2 months ago Cybersecuritynews.com Kimsuky
Hackers are Using ClickFix Techniques to Deliver NetSupport RAT, Latrodectus and Lumma Stealer Malware - Cyber Security News - A carefully crafted landing page instructs victims to open the Run dialog (Win+R) and paste an injected PowerShell command, which subsequently downloads a ZIP archive containing a malicious DLL loader. At the heart of the ClickFix vector is ...
1 week ago Cybersecuritynews.com
ClickFix Attack Emerges by Over 500% - Hackers Actively Using This Technique to Trick Users - The attack presents victims with fake error messages or verification prompts that appear legitimate, instructing them to copy and paste seemingly harmless commands to resolve fictitious technical issues. Unlike traditional attack methods, ClickFix ...
4 weeks ago Cybersecuritynews.com Kimsuky Lazarus Group MuddyWater APT3
The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
1 year ago Cyberdefensemagazine.com
Lumma malware can allegedly restore expired Google auth cookies - The Lumma information-stealer malware is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Session cookies are specific web cookies used to allow a browsing ...
1 year ago Bleepingcomputer.com
Deceptive Cracked Software Spreads Lumma Variant on YouTube - FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and ...
1 year ago Feeds.fortinet.com
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
4 weeks ago Cybersecuritynews.com
Lumma Stealer Via Fake Cracked Software Steals Login Credentials and Private Files - Cyber Security News - Security teams must combine user education about pirated software with behavioral telemetry that flags suspicious child-process creation and outbound TLS beacons to unfamiliar domains if they hope to close the window that Lumma Stealer so deftly ...
2 days ago Cybersecuritynews.com
'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE - A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan that evades detection, partially by showing up as legitimate software. Threat actors previously have used the RAT ...
1 year ago Darkreading.com
ESET Threat Report: ChatGPT Name Abuses, Lumma Stealer Malware Increases, Android SpinOk SDK Spyware's Prevalence - Cybersecurity company ESET released its H2 2023 threat report, and we're highlighting three particularly interesting topics in it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK ...
1 year ago Techrepublic.com
Weaponized PDF Documents Deliver Lumma InfoStealer Attacking Educational Institutions - Security analysts at Cloudsek noted that the malware employs advanced evasion techniques like obfuscated scripts and encrypted communications with Command-and-Control (C2) servers. This sophisticated campaign exploits malicious LNK (shortcut) files ...
5 months ago Cybersecuritynews.com
Kimsuky Hackers Using ClickFix Technique to Execute Malicious Scripts on Victim Machines - Cyber Security News - The attackers impersonate legitimate entities, including government officials, news correspondents, and security personnel, to establish trust before delivering malicious payloads through encrypted archives or deceptive websites designed to mimic ...
3 weeks ago Cybersecuritynews.com Kimsuky
Lumma Infostealer Steal All Data Stored in Browsers and Selling Them in Underground Markets as Logs - Upon extraction, victims encounter a Nullsoft Scriptable Install System (NSIS) installer, typically named setup.exe or set-up.exe, which executes the Lumma payload packed with the CypherIT crypter—a tool designed to obfuscate malware signatures and ...
6 days ago Cybersecuritynews.com
Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
1 year ago Cysecurity.news
Hackers Use ClickFix Technique to Deploy NetSupport RAT via Compromised WordPress Sites - The Cybereason Global Security Operations Center (GSOC) discovered the campaign in May 2025, revealing how threat actors are weaponizing legitimate remote access tools to gain unauthorized control over victim computers. “This technique is ...
2 weeks ago Cybersecuritynews.com
Lumma Stealer Exploits Fake CAPTCHA Pages to Harvest Sensitive Data - Organizations should implement robust endpoint protection solutions and user awareness training to mitigate the risk posed by this increasingly prevalent threat, as even corporate environments have fallen victim to Lumma Stealer infections that may ...
3 months ago Cybersecuritynews.com
Octalyn Stealer Steals VPN Configurations, Passwords and Cookies in Structured Folders - A sophisticated new credential stealer disguised as a legitimate forensic toolkit has emerged on GitHub, targeting sensitive user data including VPN configurations, browser credentials, and cryptocurrency wallet information. The Octalyn Stealer, ...
1 week ago Cybersecuritynews.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)