fake Archives

Tech Optimizer

June 27, 2025

ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector

The ClickFix attack vector has increased by 517% since the latter half of 2024, becoming the second most exploited method for cyberattacks, following phishing. Hackers are using ClickFix to deploy various infostealing malware, including Lumma Stealer, VidarStealer, StealC, and Danabot. The ClickFix mechanism involves a counterfeit reCAPTCHA that misleads users into executing harmful Powershell commands. This method is primarily spread through phishing emails directing users to fraudulent websites. ESET’s Threat Report indicates that SnakeStealer has surpassed Agent Tesla as the most frequently detected infostealer, targeting businesses in the US and EU for credential theft. The ransomware landscape has been disrupted by internal conflicts among groups, with DragonForce launching defacement campaigns against other ransomware entities. On mobile devices, Kaleidoscope infections have caused a 160% increase in Android adware detections, and the SparkKitty malware has been found in both the Apple App Store and Google Play Store. Kaleidoscope generates revenue through intrusive ads while infecting devices with a malicious app from third-party stores.

Winsage

June 25, 2025

New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe

Researcher mr. d0x has introduced a new variant of the ClickFix social engineering tool called FileFix, which uses the Windows File Explorer address bar as its interface to deceive users into executing harmful commands. FileFix targets corporate employees and employs familiar elements like reCAPTCHA prompts or error messages to spread malware, including infostealers and ransomware. The method integrates malicious commands directly into Windows File Explorer, enhancing its effectiveness by utilizing the environment users are comfortable with. The phishing scheme includes a deceptive ‘Open Fixe Explorer’ button that activates File Explorer and copies a PowerShell command to the clipboard, initially displaying a fake path in the address bar. ClickFix tactics are effective because they manipulate victims into compromising their own security, often exploiting urgency and existing online behaviors. Users are advised to be cautious of verification pop-ups and requests to open command windows, and to share this knowledge to help others navigate safely.

Winsage

June 24, 2025

FileFix attack weaponizes Windows File Explorer for stealthy commands

A cybersecurity researcher named mr.d0x has introduced a new attack method called FileFix, which is a variant of the ClickFix social engineering attack. FileFix allows malicious actors to execute harmful commands on a victim's system through the Windows File Explorer address bar, rather than using the traditional method of pasting commands into PowerShell. The attack still relies on a phishing page, which masquerades as a notification about a shared file, prompting users to paste a path into File Explorer. Attackers can conceal the malicious PowerShell command by embedding it within a dummy file path in a comment, making it invisible in the address bar. Mr.d0x has also implemented measures in the proof-of-concept code to prevent users from selecting files during the attack. The ClickFix method has been effective in deploying malware, including ransomware and state-sponsored operations, with notable examples involving the North Korean hacker group Kimsuky and cybercriminals impersonating Booking.com. FileFix represents an evolution in phishing attacks by providing a more user-friendly interface for executing commands.

AppWizard

June 24, 2025

Is your Android phone safe? ‘Godfather’ malware targets 500 Android apps

Cybersecurity firm Zimperium has reported a new variant of the Godfather malware targeting around 500 Android applications, mainly in banking, cryptocurrency, and e-commerce sectors. This version uses virtual spoofing to create deceptive replicas of the user's phone environment, misleading users and security measures. The malware installs a malicious "host" app that scans for banking applications and downloads counterfeit versions that operate in a concealed virtual space. When users access their banking apps, they interact with these fraudulent versions, which record sensitive information such as PINs, passwords, and two-factor authentication codes. It can also remotely control devices, execute money transfers, and exfiltrate confidential data. Most affected applications are based in Turkey, but the malware has the potential to spread globally.

AppWizard

June 21, 2025

Godfather Android trojan uses virtualization to hijack banking and crypto apps

Zimperium zLabs has identified a new version of the GodFather Android trojan, which uses on-device virtualization to hijack legitimate banking and cryptocurrency applications. This malware creates a sandbox environment on the victim's device to run actual applications while intercepting user input in real time, allowing for complete account takeovers and bypassing security measures. The current campaign primarily targets Turkish banks. The GodFather malware employs ZIP manipulation and obfuscation techniques to evade detection, concealing its payload within the assets folder and using session-based installation methods. It utilizes accessibility services to monitor user input, automatically grant permissions, and exfiltrate data to a command-and-control (C2) server via Base64-encoded URLs. The trojan leverages open-source tools like Virtualapp and Xposed to execute overlay attacks, virtualizing applications within a host container. It scans for specific banking applications, downloads Google Play components into a concealed virtual space, and creates a deceptive environment to execute genuine banking applications. When users access their legitimate banking apps, GodFather redirects them to counterfeit versions within its virtual space, capturing their interactions. The malware employs advanced hooking techniques tailored to banking applications, intercepting network connections and capturing sensitive information. It can also compromise lock screen credentials by displaying fake overlays. GodFather supports a wide range of commands, allowing attackers to simulate gestures, manipulate screen elements, and steal sensitive data while remaining hidden from users and security tools. The malware targets over 484 popular applications, including banking, cryptocurrency, e-commerce, and social media platforms, with a current focus on a dozen Turkish financial institutions. This discovery marks a significant advancement in mobile malware capabilities compared to previous threats.

AppWizard

June 20, 2025

Minecraft players warned of mods stealing passwords & personal data

A recent investigation by Check Point Research has revealed a campaign targeting Minecraft mods that could compromise players' personal information. The campaign, orchestrated by the Stargazers Ghost Network, exploits the modding ecosystem and platforms like GitHub to reach players. Malware disguised as popular scripts or cheats, specifically targeting mods like “Oringo” and “Taunahi,” is crafted in Java and requires the Minecraft runtime to execute. Once installed, these malicious files initiate a multi-stage attack, compromising systems and extracting sensitive data. Check Point Research has been monitoring fraudulent GitHub repositories since March 2025, noting their legitimacy and ability to evade antivirus detection. Potential data breaches include browser logins, cryptocurrency wallets, and private messages on platforms like Discord.

AppWizard

June 20, 2025

Godfather Android malware takes over banking apps

A new version of the Android malware Godfather creates isolated virtual environments on mobile devices to steal account details and transactions from banking apps. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, utilizing a fully virtual file system, virtual process IDs, intent spoofing, and a component called StubActivity. Godfather manifests as an APK app with a virtualization framework, scanning for targeted applications and encapsulating them within its virtual environment. It intercepts permissions for accessibility services, redirecting them to a StubActivity that launches the virtual version of the banking app, allowing it to capture sensitive information. The malware can record account details, passwords, and PIN codes using Xposed for API hooking. It employs a fake lock screen overlay to trick users into entering their credentials and can manipulate user interfaces and execute transactions within the legitimate banking app. Godfather first emerged in March 2021 and has evolved significantly since then, with the latest iteration demonstrating advancements from previous versions.

Tech Optimizer

June 19, 2025

Do You Need Antivirus for Chromebook?

Chromebooks are designed with robust security features, including sandboxing, verified boot, and automatic updates, which contribute to their reputation as secure devices. Despite these protections, vulnerabilities can still exist, particularly through phishing scams, risky extensions, and the use of Linux or Android apps. Security experts suggest that users who frequently engage in online shopping, download Android applications, connect to public Wi-Fi, or store sensitive information in the cloud should consider antivirus software for added protection. Recommended antivirus options for Chromebooks include TotalAV Essential Antivirus, Norton Mobile Security, and Avira Antivirus Security, each offering various features and benefits tailored for Chromebook users.

AppWizard

June 19, 2025

Godfather Android malware now uses virtualization to hijack banking apps

A new iteration of the Android malware "Godfather" has emerged, utilizing advanced techniques to create isolated virtual environments on mobile devices for stealthy account data theft and transaction manipulation from legitimate banking applications. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, employing a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a component called StubActivity. Godfather is delivered as an APK app with an embedded virtualization framework, scanning for installed target applications and launching them within its virtual environment. It intercepts user interactions with genuine banking apps, capturing sensitive data like credentials and PINs while presenting a legitimate interface. The malware can execute commands to unlock devices and initiate transactions while avoiding detection. Godfather first appeared in March 2021 and has evolved significantly since then, with the latest version representing a notable advancement over previous iterations. Users are advised to download apps only from trusted sources and remain cautious about app permissions to protect against this malware.

AppWizard

June 19, 2025

‘Stargazers’ use fake Minecraft mods to steal player passwords

A malware campaign targeting Minecraft players has been identified, utilizing malicious mods and cheats to infect Windows devices with infostealers that steal sensitive information, including credentials and cryptocurrency wallets. The campaign, orchestrated by the Stargazers Ghost Network, has been active on GitHub and has previously infected over 17,000 systems with a new type of malware. Researchers found around 500 GitHub repositories linked to this operation, disguised as Minecraft mods. The malware employs a Java-based loader that downloads a stealer targeting Minecraft account tokens and user data, as well as Discord and Telegram tokens. It also includes a .NET-based stealer called '44 CALIBER,' which collects data from browsers, VPNs, and applications like Steam and Discord. The stolen data is sent via Discord webhooks, indicating a potential Russian origin for the operators. To protect against these threats, players are advised to download mods from reputable sources and use separate accounts for testing.