New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint

A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the technique to use them on social media platforms like Telegram, where a fake identity verification service named 'Safeguard' was used to trick users into running PowerShell commands that install a Cobalt Strike beacon. However, as expected, the malicious PowerShell command will instead execute a script hosted on a remote site that downloads and installs malware on the devices. In a new ClickFix campaign discovered by Fortinet's Fortiguard Labs, threat actors are sending phishing emails stating that a "restricted notice" is available to review and that recipients should open the attached HTML document ('Documents.html') to view it. Clicking the button will copy a malicious PowerShell command into the Windows clipboard, which users are then prompted to paste into a command prompt to "fix" the error. ClickFix is a social-engineering tactic that emerged last year, where threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them. Finally, a Python script is downloaded from the same SharePoint site and executed to deploy the Havok post-exploitation command and control framework as an injected DLL. This PowerShell command will attempt to launch another PowerShell script hosted on the threat actor's SharePoint server. Clicking the "How to fix" button will automatically copy a PowerShell command to the Windows clipboard and then display instructions on how to execute it. In this campaign, Havok is configured to communicate back to the threat actor's services through Microsoft's Graph API, embedding malicious traffic within legitimate cloud services. Threat actors commonly use post-exploitation frameworks like Havoc to breach corporate networks and then spread laterally to other devices on the network. When opened, the HTML displays a fake 0x8004de86 error, stating that it "Failed to connect to the "One Drive" cloud service" and that users must fix the error by updating the DNS cache manually. Havoc is an open-source post-exploitation framework similar to Cobalt Strike, allowing attackers to remotely control compromised devices. ClickFix attacks have become increasingly popular among cybercriminals, who use them to deploy a wide variety of malware, including infostealers, DarkGate, and remote access trojans. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 03 Mar 2025 17:35:28 +0000


Cyber News related to New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint

New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
2 months ago Bleepingcomputer.com
State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns - While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to ...
1 month ago Cybersecuritynews.com Kimsuky MuddyWater
Interlock ransomware gang pushes fake IT tools in ClickFix attacks - The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, ...
1 month ago Bleepingcomputer.com
Hackers Using ClickFix Tactic to Attack Windows Machine - Unlike standard Havoc implementations, this variant uses Microsoft Graph API endpoints to communicate with attacker-controlled SharePoint files, blending malicious traffic with legitimate cloud service requests. A sophisticated phishing campaign in ...
2 months ago Cybersecuritynews.com
Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware - The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands. A sophisticated social engineering technique known as ClickFix has emerged, ...
2 months ago Cybersecuritynews.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
State-sponsored hackers embrace ClickFix social engineering tactic - Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining ...
1 month ago Bleepingcomputer.com APT28 Kimsuky MuddyWater
New SharePoint flaws help hackers evade detection when stealing files - Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. Microsoft SharePoint is a web-based collaborative platform that integrates with ...
1 year ago Bleepingcomputer.com
ClickFix attack delivers infostealers, RATs in fake Booking.com emails - Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. In the phishing campaign discovered by ...
2 months ago Bleepingcomputer.com
Lampion Banking Malware Employs ClickFix Lures To Steal Banking Information - Once executed, the malware begins its covert operation to harvest banking credentials, credit card information, and other sensitive financial data from compromised systems. A sophisticated banking trojan known as Lampion has resurfaced with an ...
3 weeks ago Cybersecuritynews.com
iClicker hack targeted students with malware via fake CAPTCHA - The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. According to a security alert from the ...
2 weeks ago Bleepingcomputer.com
CVE-2015-0085 - Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Office 2013 Gold and SP1, Word 2013 Gold and SP1, Office 2013 RT Gold ...
6 years ago
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
Hackers now testing ClickFix attacks against Linux targets - A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. However, it is possible that APT36 is currently experimenting to ...
2 weeks ago Bleepingcomputer.com Transparent Tribe APT3
North Korean hackers adopt ClickFix attacks to target crypto firms - Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a ...
2 months ago Bleepingcomputer.com
ClickFix Captcha - A Creative Technique That Allow Attackers Deliver Malware and Ransomware on Windows - This technique, known as ClickFix Captcha, exploits users’ trust in familiar web elements to bypass traditional security measures and deliver malicious payloads to Windows systems. The researchers noted the commands typically invoke PowerShell ...
2 months ago Cybersecuritynews.com
CVE-2020-16944 - <p>This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.</p> ...
1 year ago
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com
CVE-2008-3006 - Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP2 and SP3, and 2007 Gold and SP1; Office Excel Viewer 2003 Gold and SP3; Office Excel Viewer; Office Compatibility Pack 2007 Gold and SP1; Office SharePoint Server 2007 Gold and SP1; and Office 2004 ...
6 years ago
CVE-2018-0922 - Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 Click-to-Run Microsoft Office 2016 for Mac, Microsoft Office Compatibility Pack SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps 2013 SP1, Microsoft Office Word ...
4 years ago
New ClickFix Attack Mimics Ministry of Defense Website to Attack Windows & Linux Machines - The attack creates convincing replicas of Ministry of Defense websites across multiple countries, tricking users into downloading what appears to be required security updates or official documents. Initial analysis suggests the campaign began in ...
3 weeks ago Cybersecuritynews.com
Veeam adds BaaS capabilities for Veeam Backup for Microsoft 365 - Veeam Software has expanded its relationship with Microsoft. Veeam is making it easier for customers to protect Microsoft 365 with Cirrus by Veeam which brings the ease and flexibility of Backup-as-a-Service for Microsoft 365. Utilizing the power and ...
1 year ago Helpnetsecurity.com
New LUMMAC.V2 Stealer Using ClickFix Technique to Trick Users in Execute Malicious Commands - Cyber Security News - The LUMMAC.V2 campaign represents a significant threat not only due to its extensive data theft capabilities but also because it exploits human behavior rather than technical vulnerabilities, making traditional security measures less effective at ...
3 weeks ago Cybersecuritynews.com
CISA Urges Patching of Exploited SharePoint Server Vulnerability - The US cybersecurity agency CISA on Wednesday issued a warning on threat actors exploiting a critical Microsoft SharePoint Server vulnerability in the wild. The security defect, tracked as CVE-2023-29357 and patched on June 2023 Patch Tuesday, is ...
1 year ago Securityweek.com CVE-2023-29357