ClickFix, infostealer disruptions, and ransomware deathmatch


Threat actors are embracing ClickFix, ransomware gangs are turning on each other – toppling even the leaders – and law enforcement is disrupting one infostealer after another

ESET Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch

“It’s all fun and games until someone gets hurt” could well be the title of the latest ESET Threat Report, as cybercriminals play new mind games with their victims, wage full-on deathmatches among themselves, and become the hunted game of law enforcement and private vendors.

ESET Distinguished Researcher Aryeh Goretsky and Security Awareness Specialist Ondrej Kubovič open this installment of the ESET Research Podcast by breaking down the latest cry among threat actors: ClickFix. They explain how this technique went from non-existent a year ago to the second most prevalent threat today, and why it’s so effective. They also examine a specific example of this social engineering tactic, FakeCaptcha, which abuses the well-known human verification mechanism and weaponizes it to trick victims into executing malicious commands.

Moving from emerging threats to positive developments, the second segment highlights recent law enforcement disruptions of infostealers. Noteworthy cases from the last 12 months include the takedown of Redline/Meta Stealer in late 2024 and recent operations against LummaStealer and Danabot. Aryeh and Ondrej discuss what made these infostealer-as-a-service ventures attractive to affiliates, the impact of the disruptions, and ESET research’s specific contributions to these takedowns.

The final section covers the recent “deathmatch”-style infighting in the ransomware scene, featuring the minor player Dragonforce. Despite their lacking reputation and low victim count, Dragonforce’s operators went on a brazen offensive, defacing the data leak sites (DLS) of several rival groups on the dark web – including Mamona and BlackLock – and ultimately also taking down the DLS of the then-leader, RansomHub.

If ransomware, infostealers or new social engineering techniques are your thing, tune in and subscribe to the ESET Research Podcast. For a more detailed version, download the ESET Threat Report H1 2025 from the Threat Reports section – no paywall or registration required.

Discussed:

  • ClickFix and FakeCaptcha 1:05
  • Whack-a-hack, infostealer version 9:20
  • Ransomware deathmatch 18:40

