Rhadamanthys first surfaced in 2022 as a modular stealer sold under the Malware-as-a-Service model, but its latest campaign shows how quickly it is innovating. Campaign telemetry shows a significant uptick in infections across small-to-medium enterprises during June and early July 2025, with stolen browser cookies and cloud credentials appearing on dark-web markets within hours of compromise.

At the centre of the new wave is a booby-trapped CAPTCHA page dubbed ClickFix, which instructs victims to “verify” their session by pasting a PowerShell command. The CAPTCHA screen offers a fake sense of legitimacy while precisely guiding the victim to press Win + R, paste the command, and hit Enter. That single action bypasses traditional e-mail gateway filters and avoids the macros most blue teams hunt for.

Once executed, the command silently reaches out to hxxps://ypp-studio[.]com/update.txt, turns off execution-policy safeguards and fetches the next-stage payload in memory—completely fileless until the final drop. Stage 1 lives only in memory; Stage 2 writes the MSI installer as PTRFHDGS.msi, which drops rh_0.9.0.exe and launches it with msiexec so that parent/child correlations appear benign.

The executable immediately enumerates running processes, hunting for debuggers such as x64dbg.exe, ida64.exe, or ProcessHacker.exe; if found, it terminates itself to frustrate analysis. It follows with time-based anti-sandbox checks using QueryPerformanceCounter, then injects into WerFault.exe—a trusted Windows Error Reporting binary—to persist and exfiltrate.

Since Rhadamanthys resolves its C2 by literal IP, DNS-layer defences see nothing, and encrypted TLS over port 443 blends seamlessly with normal traffic. This subtle shift breaks hard-coded IoCs used by many security tools while preserving the stealer’s delivery chain. A single TCP stream to the hard-coded IP carries compressed archives containing browser databases, crypto-wallet files and KeePass vaults.

The ClickFix campaign underscores how effortlessly adversaries can fuse social engineering with low-friction LOLBins to bypass layered defences. Updating signature-based rules to include execution-policy bypasses, monitoring child processes of msiexec.exe, and alerting on clipboard-sourced PowerShell are immediate steps defenders should consider. Yet the broader lesson is behavioural: any “verification” prompt that asks users to run code is suspect—especially when the only thing it fixes is the attacker’s foothold.
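The detection steps the article recommends (execution-policy bypasses, children of msiexec.exe, PowerShell launched from a pasted command) plus the WerFault.exe and literal-IP C2 behaviour it describes can be expressed as a handful of rules over process-creation and network-connection telemetry. The following Python is an added example written for this page, not code from the article or from any vendor: the events are constructed samples in a Sysmon-like shape (field names `id`, `image`, `parent`, `cmd`, `dest_ip`, `dest_port`, `dest_host` are this example's own), the file names and the defanged URL come from the article, the destination IP is a documentation-range placeholder, and the "PowerShell whose parent is explorer.exe" heuristic is assumed here as a proxy for clipboard-sourced commands typed into Win + R, since process logs cannot see the clipboard directly. The WerFault.exe parent rule is likewise an assumption about how the described injection shows up in telemetry.

```python
import ipaddress
import ntpath
import re

# Constructed sample telemetry (not real logs). id 1 = process creation,
# id 3 = network connection. Paths below are illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
WERFAULT = r"C:\Windows\System32\WerFault.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\rh_0.9.0.exe"

SAMPLE_EVENTS = [
    # Win + R -> explorer.exe spawns PowerShell with the pasted command
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell -NoProfile -ExecutionPolicy Bypass -Command '
            '"<downloader for hxxps://ypp-studio[.]com/update.txt, redacted>"'},
    # Stage 2: MSI written to Temp and run through msiexec
    {"id": 1, "image": MSIEXEC, "parent": PS,
     "cmd": r"msiexec /i C:\Users\alice\AppData\Local\Temp\PTRFHDGS.msi /qn"},
    {"id": 1, "image": DROPPER, "parent": MSIEXEC, "cmd": "rh_0.9.0.exe"},
    # Assumed shape of the WerFault.exe injection: dropper becomes its parent
    {"id": 1, "image": WERFAULT, "parent": DROPPER, "cmd": "WerFault.exe"},
    # Exfiltration: WerFault.exe talks to a literal IP (no DNS name) on 443
    {"id": 3, "image": WERFAULT, "dest_ip": "203.0.113.45",
     "dest_port": 443, "dest_host": ""},
    # Benign noise: a vendor installer run by the service host, and a browser
    # reaching a host that DNS resolved.
    {"id": 1, "image": MSIEXEC, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"msiexec /i C:\ProgramData\Vendor\setup.msi /qn"},
    {"id": 1, "image": r"C:\Program Files\Vendor\app.exe",
     "parent": MSIEXEC, "cmd": "app.exe"},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443,
     "dest_host": "updates.example.net"},
]

EP_BYPASS = re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.IGNORECASE)
URL_LIKE = re.compile(r"https?://|hxxps?://|\[\.\]", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")
# Ranges treated as internal; the sample uses documentation addresses, which
# are therefore classed as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def base(path):
    return ntpath.basename(path).lower()


def from_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def rule_ep_bypass(ev):
    # Execution-policy bypass on a PowerShell command line.
    return (ev["id"] == 1 and base(ev["image"]) == "powershell.exe"
            and EP_BYPASS.search(ev["cmd"]) is not None)


def rule_run_dialog_powershell(ev):
    # Heuristic stand-in for "clipboard-sourced PowerShell": explorer.exe is
    # the parent of anything launched via Win + R, and the pasted command
    # carries a URL.
    return (ev["id"] == 1 and base(ev["image"]) == "powershell.exe"
            and base(ev["parent"]) == "explorer.exe"
            and URL_LIKE.search(ev["cmd"]) is not None)


def rule_msiexec_child(ev):
    # Child of msiexec.exe that runs from outside the trusted install roots.
    return (ev["id"] == 1 and base(ev["parent"]) == "msiexec.exe"
            and not from_trusted_root(ev["image"]))


def rule_werfault_parent(ev):
    # Assumption: WerFault.exe started by a binary in a user-writable path.
    return (ev["id"] == 1 and base(ev["image"]) == "werfault.exe"
            and not from_trusted_root(ev["parent"]))


def rule_werfault_literal_ip(ev):
    # WerFault.exe connecting on 443 to an external address that was never
    # resolved by name, matching the literal-IP C2 the article describes.
    return (ev["id"] == 3 and base(ev["image"]) == "werfault.exe"
            and ev["dest_port"] == 443 and not ev["dest_host"]
            and not is_internal(ev["dest_ip"]))


RULES = [
    ("powershell-execution-policy-bypass", rule_ep_bypass),
    ("powershell-from-run-dialog-with-url", rule_run_dialog_powershell),
    ("msiexec-child-outside-trusted-roots", rule_msiexec_child),
    ("werfault-unexpected-parent", rule_werfault_parent),
    ("werfault-literal-ip-443", rule_werfault_literal_ip),
]


def run_rules(events):
    """Return (rule_name, image_basename) for every rule/event match."""
    return [(name, base(ev["image"]))
            for ev in events for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for name, image in run_rules(SAMPLE_EVENTS):
        print(f"ALERT {name}: {image}")
```

Each rule is deliberately narrow so that the benign installer and browser events at the end of the sample produce no alerts; in practice the value is in correlating several of these on one host within a short window, since any single rule (especially the explorer.exe-parent heuristic) will fire on legitimate admin activity from time to time.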
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 09:10:17 +0000