malware deployment Archives

Winsage

January 6, 2026

ClickFix attack uses fake Windows BSOD screens to push malware

A new social engineering attack campaign called ClickFix is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into executing malware. Initially identified in December by Securonix as "PHALT#BLYX," the campaign involves phishing emails that appear to be notifications from Booking.com, often mentioning significant refunds to create urgency. Victims are directed to a counterfeit Booking.com site that mimics the legitimate one and displays a fake error message prompting them to execute a malicious command. This command launches a PowerShell script that downloads and compiles malware known as DCRAT, a remote access Trojan that allows attackers to control infected devices, exfiltrate data, and spread within networks.

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Winsage

November 4, 2025

Russian spies pack custom malware into hidden VMs on Windows

Bitdefender's senior security researcher, Victor Vrabie, reported that the Russian cyber group Curly COMrades is using Microsoft's Hyper-V hypervisor to conduct sophisticated attacks on compromised Windows machines. They create a concealed Alpine Linux-based virtual machine (VM) that bypasses traditional endpoint security, allowing prolonged access for espionage and malware deployment. This VM is lightweight, requiring only 120MB of disk space and 256MB of memory, and hosts a reverse shell called CurlyShell and a reverse proxy named CurlCat. The group's operations have targeted judicial and governmental institutions in Georgia and an energy company in Moldova. Their current campaign, starting in July, involved activating Hyper-V and downloading the VM with custom malware. The VM uses the Default Switch network adaptor, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell maintains root-level persistence and communicates with a command-and-control server over HTTPS, while CurlCat manages an SSH reverse proxy tunnel disguised as standard HTTP traffic. Additionally, two PowerShell scripts linked to the group enable remote authentication and establish persistent access across domain-joined machines. Vrabie highlighted the evolving tactics of cybercriminals to bypass endpoint detection and response (EDR) systems, emphasizing the need for a multi-layered security strategy.

Winsage

October 31, 2025

Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.

Winsage

August 28, 2025

Windows Users: Global UpCrypter Phishing Attack is Expanding

Cybersecurity experts have reported a significant increase in phishing emails targeting Microsoft Windows devices, linked to UpCrypter, a loader that installs remote access tools (RATs) for long-term access to compromised systems. These phishing emails often appear as missed voicemails or purchase orders, leading victims to counterfeit websites that prompt them to download a ZIP file containing a JavaScript dropper. This script executes PowerShell commands to connect to attacker-controlled servers, initiating further malware deployment. UpCrypter scans the system for security monitoring and can reboot to disrupt investigations if detected. If not, it downloads additional payloads, including PureHVNC for remote desktop access, DCRat for spying and data theft, and Babylon RAT for complete control over infected devices. Attackers use techniques like steganography, string obfuscation, and in-memory execution to evade detection. This phishing campaign, active since early August 2025, has affected various sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality, with significant activity reported in countries like Austria, Belarus, Canada, Egypt, India, and Pakistan. Detections of this malware have doubled in two weeks, indicating a rapid escalation of the operation. Organizations are urged to implement robust email filtering and train employees to recognize these threats.