YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

This report reveals a sophisticated malware campaign targeting YouTube creators through spearphishing, using the Clickflix technique to deceive victims into executing malicious scripts. Attackers leverage brand impersonation and exploit interest in professional collaborations to spread malware via meticulously crafted phishing emails. Once executed, the malware steals sensitive data or gives the attackers remote access.

Affected: YouTube creators, content creators, online influencers

Key points:

  • Malware campaign targets YouTube creators through spearphishing emails.
  • Attackers impersonate trusted brands and offer fake business proposals.
  • The Clickflix technique is used for malware delivery via malicious attachments.
  • Victims are tricked into executing PowerShell scripts that run malicious commands.
  • Stolen data includes browser credentials, cookies, and cryptocurrency wallets.
  • Malware establishes communication with command and control servers for data exfiltration.
  • Operational methods include leveraging live user behavior and social engineering tactics.

MITRE Techniques:

  • Spearphishing Link (T1566.002) – Targets users with phishing emails containing malicious links.
  • Windows Management Instrumentation (T1047) – Accesses system data using WMI calls.
  • Obfuscated Files or Information (T1027) – Applies techniques to hide malicious code and data.
  • Deobfuscate/Decode Files or Information (T1140) – Decodes Base64-encoded data during execution.
  • System Information Discovery (T1082) – Gathers system information such as OS version and hostname.
  • File and Directory Discovery (T1083) – Enumerates files and directories on the system.
  • Process Discovery (T1057) – Lists active processes to identify specific targets.
  • Software Discovery (T1518) – Gathers information on installed software and processes.
  • Data from Information Repositories (T1213) – Extracts data through WMI queries.
  • C2 Communication (T1071) – Establishes a connection with a C2 server for instructions and data exfiltration.
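A defender-side triage helper for the key point above about victims being tricked into running PowerShell scripts, and for the T1027/T1140 entries (Base64-encoded command lines decoded at execution time). This is an added example, not code from the CloudSEK report; the sample log lines, the sample script and the indicator patterns are constructed for illustration.

```python
import base64
import re

# Indicator patterns a SOC analyst might apply to a decoded PowerShell
# command line. Constructed for this example; tune to your environment.
SUSPICIOUS = {
    "wmi": re.compile(r"Get-WmiObject|Get-CimInstance|\bwmic\b", re.I),
    "download": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand (or any
    unambiguous prefix such as -e / -enc), else None. Bad Base64 or a
    payload that is not valid UTF-16LE also yields None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok[1:].lower() if tok.startswith("-") else ""
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")  # powershell.exe expects UTF-16LE
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(cmdline):
    """Decode an encoded command if present and list matching indicators."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in SUSPICIOUS.items()
            if rx.search(text) or rx.search(cmdline)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits}


def _encode(script):
    # Builds the constructed sample below the same way powershell.exe expects it.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation log lines (not from the report); the script is harmless.
SAMPLE_SCRIPT = "Get-WmiObject Win32_OperatingSystem | Select-Object Caption"
SAMPLE_LOGS = [
    f"powershell.exe -nop -w hidden -enc {_encode(SAMPLE_SCRIPT)}",
    "powershell.exe -Command Get-Date",
    "cmd.exe /c dir C:\\Users",
]

if __name__ == "__main__":
    for result in map(triage, SAMPLE_LOGS):
        if result["indicators"]:
            print(result["indicators"], "->", result["decoded"] or result["cmdline"])
```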

Indicators of Compromise:

  • [Domain] flowers.what-is-game.xyz
  • [Domain] cdn.findfakesnake.xyz
  • [Domain] cat-watches-site.xyz
  • [Domain] cdn.cart-newlocate.xyz
  • [Email] [email protected]


Full Story: https://www.cloudsek.com/blog/youtube-creators-under-siege-again-clickflix-technique-fuels-malware-attacks