Cybersecurity experts have identified a sophisticated new malware campaign dubbed "ClickFix" that employs advanced social engineering tactics to compromise both Windows and Linux systems.

The attack creates convincing replicas of Ministry of Defense websites across multiple countries, tricking users into downloading what appear to be required security updates or official documents. Initial analysis suggests the campaign began in early April 2025, primarily targeting government contractors, defense industry employees, and military personnel through spear-phishing emails containing links to the fraudulent websites.

On Windows machines, the malware exploits a previously undocumented vulnerability in the Windows Management Instrumentation (WMI) service, while Linux systems are exploited through a common dependency injection technique in shared libraries. Upon execution, the malware establishes persistent access while employing multiple evasion techniques to remain undetected on infected systems. In both cases, it establishes persistence, creates a backdoor, and begins harvesting sensitive information from the compromised systems.

Hunt.io researchers noticed the attack after observing unusual network traffic patterns from several defense contractor networks. Their investigation revealed that the attackers leverage country-specific design elements and exact replications of legitimate ministry portals, complete with functioning links to authentic resources, making the deception extremely convincing.

Image: The spoofed Ministry of Defense login portal showing a security certificate update notification.

The spoofed sites use valid SSL certificates and domain names that closely resemble legitimate government domains with minor typographical variations, such as replacing hyphens with underscores or using slight misspellings that casual visitors often fail to notice.

Security agencies across multiple countries have issued alerts following confirmation that the campaign has successfully breached several mid-level defense contractors and at least two government agencies. Hunt.io researchers recommend that organizations implement additional verification steps for government communications and enhance endpoint protection with behavioral analysis capabilities, so that the distinctive patterns of ClickFix infections are detected before data exfiltration occurs.

Tushar is a cyber security content editor with years of experience covering cyber security, technology and other news.
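The article's description of the lookalike domains (hyphens swapped for underscores, slight misspellings) is something a mail gateway or link-rewriting proxy can check for before a user ever reaches the page. The following script is an added example, not code from Hunt.io or from the article: it compares the host of each link against an allow-list of expected government domains, normalises the underscore-for-hyphen swap, and flags hosts that fall within a small edit distance of a legitimate domain. The allow-list entries and the sample links are constructed placeholders under a `.test` suffix; the `max_distance` threshold of 2 is an assumption to tune against your own domain list.

```python
"""Lookalike-domain check for links found in inbound mail.

Added example, not part of the article or the Hunt.io research. The
allow-list and sample links are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allow-list of domains that official communications are
# expected to link to. Replace with your organisation's own list.
LEGIT_DOMAINS = [
    "mod.example-gov.test",
    "defence-portal.example-gov.test",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_link(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> dict:
    """Return allow / block / review for the host behind a link.

    - exact match or subdomain of an allow-listed domain -> allow
    - same as an allow-listed domain once '_' is mapped to '-' -> block
    - within max_distance edits of an allow-listed domain -> block
    - anything else -> review (not government-looking, but unknown)
    """
    host = host_of(url)
    for good in legit:
        if host == good or host.endswith("." + good):
            return {"host": host, "verdict": "allow",
                    "reason": f"matches allow-listed domain {good}"}

    # The campaign swaps hyphens for underscores; undo that before comparing.
    normalised = host.replace("_", "-")
    nearest, dist = min(((g, levenshtein(normalised, g)) for g in legit),
                        key=lambda pair: pair[1])
    if dist == 0:
        return {"host": host, "verdict": "block",
                "reason": f"underscore/hyphen swap of {nearest}"}
    if dist <= max_distance:
        return {"host": host, "verdict": "block",
                "reason": f"within {dist} edit(s) of {nearest}"}
    return {"host": host, "verdict": "review",
            "reason": f"no close match (nearest {nearest}, distance {dist})"}


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing mail.
    for link in [
        "https://mod.example-gov.test/updates",
        "https://login.mod.example-gov.test/",
        "https://mod.example_gov.test/security-update.exe",
        "https://mod.exarnple-gov.test/documents",
        "https://totally-unrelated.test/",
    ]:
        result = classify_link(link)
        print(f"{result['verdict']:6} {result['host']:35} {result['reason']}")
```

Edit distance alone will not catch every homoglyph trick (Cyrillic look-alike letters, for instance), so in production this check sits alongside IDN normalisation and certificate-transparency monitoring for newly issued certificates on domains that resemble yours.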
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 06 May 2025 11:00:09 +0000