Ethical Hacking News
Clickfix, a social-engineering technique used by financially motivated criminals, has now been adopted by Russia's elite hacking group Sandworm. The attackers are using Clickfix to compromise devices belonging to sensitive organizations in Ukraine, highlighting the evolving nature of cyber threats and the need for organizations to stay vigilant.
Clickfix, a social-engineering technique, has been adopted by Sandworm, Russia's elite hacking group. The Clickfix attacks involve displaying a CAPTCHA that requires victims to copy text and paste it into the terminal, leading to malware installation or data exfiltration. The attackers use various techniques, including Cloaking.House and SMARTAXE, to filter traffic and display malicious content. Multiple devices and websites have been compromised, including 10 that displayed a fake CAPTCHA. Ukrainian authorities urge website administrators and hosting providers to monitor for signs of compromise.
Clickfix, a social-engineering technique that has primarily been used by financially motivated criminals, has now been adopted by one of Russia's most elite hacking groups, Sandworm, an advanced hacking unit inside the GRU, Russia's military intelligence arm. This development marks a significant shift in the tactics employed by Sandworm, which has traditionally focused on infecting devices through other means.
According to Ukraine's CERT center, the Clickfix attacks began in the spring and have continued through the summer, with at least one organization falling victim to the campaign. The attacks involve displaying a CAPTCHA that requires the visitor to copy a jumble of text and paste it into the terminal, which then performs malicious actions, typically by installing malware or exfiltrating sensitive data.
The Clickfix technique has emerged as an effective attack method, allowing attackers to compromise devices belonging to sensitive organizations in Ukraine. The attackers use a combination of techniques, including the Cloaking.House service, which allows them to filter traffic and display a third-party HTML page, as well as a separate program code, SMARTAXE, which enables them to change the content of the web page for the visitor.
The attackers also use other attack techniques, such as lures designed to entice targets to install Android apps, which are tracked as CowardDuck. These attacks have resulted in the compromise of multiple devices and websites, including 10 compromised websites that displayed a fake CAPTCHA.
The Ukrainian authorities have called on website system administrators and hosting providers to monitor for web shells, unauthorized extensions, and other signs of compromise. The CERT-UA advisory has also detailed the method of implementing ClickFix on more than ten compromised web resources, highlighting the sophistication of the attacks.
This development highlights the evolving nature of cyber threats and the need for organizations to stay vigilant in protecting their devices and data from advanced threat actors. As Sandworm continues to adapt and evolve its tactics, it is essential that cybersecurity experts and organizations remain proactive in monitoring and responding to these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Clickfix-How-Russias-Elite-Hackers-Are-Exploiting-Web-Security-ehn.shtml
https://arstechnica.com/security/2026/07/now-even-russias-most-elite-hackers-are-using-clickfix-to-infect-devices/
Published: Thu Jul 16 15:57:32 2026 by llama3.2 3B Q4_K_M