ClickFix RockFest

23.03.2026 00:00

ClickFix RockFest

Shout out to RedTeamRonin from DC612 for sending me this sample!

Incident Overview

Rock Fest is the largest rock and camping event in the United States. They use a WordPress domain that contains several potentially vulnerable plugins. This includes plugins vulnerable to multiple types of cross site scripting attacks. It is likely that the domain was compromised through a vulnerable plugin or exposed admin credentials.

The ClickFix page utilizes the Windows Terminal variant lure. Instead of asking users to use the Windows Run menu (Win+R), this lure variant asks users to open PowerShell or the Terminal with Win+X, select an Admin shell, and paste & submit the copied command.

Evil AI Talk

03.03.2026 00:00

Slides from a short talk on Evil AI I gave in February at DC612.

Direct Link

EvilAI Update

04.02.2026 00:00

EvilAI Update

EvilAI is back at it again! Nothing significant has hanged with the payload or the Node abuse, but the campaign has developed a new Advanced Installer MSI lure that unpacks and executes a WebView2 .Net application loader. This loader creates a temporary directory and downloads the Inno Installer that contains the Node payload and configuration files. Like previous campaigns, the Node payload is executed via Scheduled Task.

Huorong Security Management Weaponized in ClickFix Attacks

30.01.2026 00:00

Huorong Security Management Weaponized in ClickFix Attacks

Huorong is a Beijing based security company that offers an Endpoint Security Management Systems suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an Advanced Installer MSI and installed on victim devices, giving malicious actors complete control over the device. The installer is deployed through compromised domains serving ClickFix (FakeCAPTCHA) lures.

KongTuke: ClickFix on Steroids

21.01.2026 00:00

KongTuke: ClickFix on Steroids

KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They’ve begun to utilize a branching infection path based on the domain status of an infected device. If the device is domain joined, it will receive a different payload from non-domain joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write up, it’s way better than this!).

SSA AI Phishing

08.01.2026 00:00

SSA AI Phishing

In another episode of ChatGPT-ass malware, we have this beautiful sample from a Social Security Administration phishing page taken from an incident on January 8th, 2026. If this is your phishing page, you should probably feel bad.

The phishing page itself is hosted on a XAMPP (Apache + MariaDB + PHP + Perl) stack on a Windows server using a free Cloudflare tunnel. Of course, they didn’t put any effort into configuring their server, so the default pages are easily accesible.

Introduction to Malware Analysis Workshop

03.01.2026 00:00

Slides from the Introduction to Malware Analysis workshop held on January 3rd, 2026. Samples are linked in the slides, but can also be acquired at Introduction to Malware Analysis Workshop Samples.

Direct Link

AceLauncher

15.12.2025 00:00

AceLauncher

AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium based browser that creates several tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser as it does redirect and serve potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content driving revenue to the AceLauncher organization.

Phishing

25.11.2025 00:00

Phishing

I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.

Examining the email in a text editor revealed that the headers had been manipulated.

The QR code image was extracted from the email via the Base64 encoded string object. This was put into CyberChef for rasterization and analysis.

LogMeIn Unattended Installer

05.11.2025 00:00

LogMeIn Unattended Installer

A user received a phishing email that redirected the to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).

The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and executes a function that reaches out to a public CloudFlare R2 bucket that hosts the malicious RMM installer.

1 of 5 Next Page