DarkReading

ClickFix Attacks Fuel UAC-0145 Cyber Campaigns In Ukraine


The ClickFix attacks technique has become a key initial access method for the UAC-0145 cyber threat cluster, according to a new report from Ukraine’s Computer Emergency Response Team (CERT-UA). The agency said the threat group, also tracked as Sandworm, APT44, Seashell Blizzard, and a subcluster of UAC-0002, has shifted its tactics during 2026, increasingly relying on fake CAPTCHA prompts and social engineering to compromise systems.

CERT-UA said it has worked with Ukrainian cybersecurity agencies for several years to investigate the activities of UAC-0145. While the group previously relied on infected software installers distributed through torrent websites, recent campaigns have increasingly used ClickFix to trick users into executing malicious PowerShell commands.

ClickFix Attacks Emerging as Primary Initial Access Vector

According to CERT-UA, infections recorded during the spring and summer of 2026 frequently began when victims visited compromised websites displaying fake CAPTCHA pages. Users were instructed to copy and execute PowerShell commands in their terminal, a phishing technique commonly referred to as ClickFix.

The downloaded commands were designed to retrieve malicious files such as GHETTOVIBE, a Visual Basic Script (VBS) that establishes persistence by placing itself in the Windows Startup directory.

Once executed, attackers could deploy SCOUTCURL, a PowerShell reconnaissance tool capable of collecting information about the compromised system, including device specifications, installed software, browser data, and local files before exfiltrating the information.

CERT-UA also observed malware loaders including FLUIDLEECH, disguised as antivirus software, and LOADLOOP being used during these campaigns.

Backdoors and Data Theft Tools Widely Deployed

The report noted that attackers continue using malware families such as KALAMBUR, SUMBUR, and TAMBUR after gaining access to victim systems.

To maintain remote access, the group relied on legitimate utilities including OpenSSH and Tor, forwarding local network ports such as 445, 3389, and 22 to attacker-controlled infrastructure.

CERT-UA also found malware designed to steal messaging data from Signal and WhatsApp, with stolen information reportedly exfiltrated using RSYNC.

On infected systems examined during cyber defense operations, investigators additionally identified FREAKYPOLL, a Python-based backdoor distributed as compiled bytecode (.pyc), providing attackers with persistent unauthorized access.

Compromised Websites Used to Deliver Fake CAPTCHA Pages

During June and July 2026, CERT-UA analyzed more than ten compromised websites involved in ClickFix attacks.

Investigators found attackers using both the Cloaking.House service and custom malware called SMARTAXE to dynamically modify legitimate webpages. SMARTAXE retrieves remote domains from blockchain smart contracts through Ethereum’s eth_call function before displaying fake CAPTCHA pages or redirecting visitors to malicious content.

CERT-UA warned that any website used in these attacks should be considered compromised, potentially through vulnerable content management systems (CMS), stolen credentials, web shells, malicious plugins, modified website scripts, or server-side backdoors.

The agency urged website administrators and hosting providers to strengthen website security and respond quickly to incident reports.

Android Malware Also Part of UAC-0145 Operations

The report also highlighted growing use of Android malware distributed through messaging applications.

Attackers were observed sharing APK files disguised as security or antivirus tools. One such malware family, tracked as COWARDDUCK, functions as a full-featured Android backdoor capable of collecting device information, contacts, files, and real-time geolocation.

The malware targets files from directories including DCIM, Documents, Downloads, Pictures, and Alarms while searching for formats such as DOCX, XLSX, PPTX, ZIP, RAR, JSON, and OVPN files.

According to CERT-UA, COWARDDUCK uploads stolen files through the Dropbox API while receiving commands from legitimate services including Steam Community and StockMemory domains through proxy infrastructure.

Microsoft Sees Global Rise in ClickFix Campaigns

Microsoft Threat Intelligence and Microsoft Defender Experts also reported that ClickFix campaigns have increased significantly since early 2024, targeting thousands of enterprise and consumer devices globally each day.

Microsoft said the technique commonly delivers malware such as Lumma Stealer by persuading users to copy and execute commands through Windows Run, Windows Terminal, or Windows PowerShell. The campaigns are often combined with phishing, malvertising, and drive-by compromise techniques that imitate trusted brands.

Because ClickFix attacks rely on user interaction rather than exploiting software vulnerabilities directly, Microsoft recommends organizations strengthen user awareness and apply security policies that restrict unnecessary use of command execution tools.



Source link