ClickFix Widely Adopted By Cybercriminals, APT Groups
Summary: Since August 2024, state-sponsored hackers and cybercriminals have been using a technique called ClickFix to deploy information stealer malware. This method involves social engineering through malicious JavaScript that manipulates users into executing harmful commands. Group-IB reports an increase in this attack vector, particularly targeting users on various platforms that offer free content or software.

Affected: Users of compromised websites, particularly in the hospitality sector, software distribution platforms, and social media.

Keypoints:

  • The ClickFix technique prompts users to perform actions that deliver malicious payloads, typically disguised as system updates or verification prompts.
  • Malware associated with ClickFix includes Lumma, XWorm RAT, and DarkGate, among others.
  • Threat actors are leveraging phishing, malvertising, and social media to direct victims to malicious sites, with observed attacks accelerating from late 2024 into 2025.

Source: https://www.securityweek.com/clickfix-widely-adopted-by-cybercriminals-apt-groups/