Microsoft revealed information about a new iteration of the ClickFix social engineering technique, in which the attackers fool gullible users into executing commands that perform a DNS lookup in order to obtain the subsequent payload. The attack specifically uses the "nslookup" command, which stands for "nameserver lookup," to perform a custom DNS lookup that is initiated by the Windows Run dialog. Traditionally distributed through phishing, malvertising, or drive-by download schemes, ClickFix is a technique that is becoming more and more popular.
It frequently directs visitors to phony landing pages that display a fake CAPTCHA verification or instructions to fix a nonexistent computer issue, both of which ask the visitor to execute a command via the macOS Terminal app or the Windows Run dialog.
Over the past two years, the attack technique has proliferated because it relies on the victims infecting their own computers with malware, which lets the threat actors get around security measures that would catch a conventional download. ClickFix has been so successful that it has given rise to a number of variations, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix. CastleLoader, a loader that has become central to Lumma Stealer's delivery chains, is at the heart of many of these campaigns.
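As an added example (not from Microsoft's or Bitdefender's reporting), a small Python heuristic over constructed Sysmon-style process-creation records that flags nslookup invocations matching the pattern described above: a lookup spawned from the Run dialog that also asks for a non-default record type or names its own resolver. It assumes Sysmon Event ID 1 field names and that a command typed into Win+R shows explorer.exe as its parent; the hostnames and resolver address are placeholders.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "nslookup -q=txt stage2.placeholder.invalid 198.51.100.7"},
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup www.example.com"},
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "nslookup www.example.com"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad"},
]

# Windows nslookup spells the record-type switch -q=, -querytype= or -type=;
# anything other than the default A record is unusual for a command typed into Run.
NON_DEFAULT_QTYPE = re.compile(r"^-(?:q|querytype|type)=(?!a$)", re.IGNORECASE)


def nslookup_indicators(event):
    """Return the reasons an event looks ClickFix-like ([] if it is not an nslookup process)."""
    if not event["Image"].lower().endswith("nslookup.exe"):
        return []
    reasons = []
    # Assumption: a command typed into Win+R is spawned by the shell, so its parent is explorer.exe.
    if event["ParentImage"].lower().endswith("explorer.exe"):
        reasons.append("launched from the Run dialog (parent is explorer.exe)")
    args = event["CommandLine"].split()[1:]
    options = [a for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]
    if any(NON_DEFAULT_QTYPE.match(o) for o in options):
        reasons.append("non-default record type requested (TXT records can carry arbitrary text)")
    if len(positional) >= 2:
        # Second positional argument is a server: the lookup bypasses the host's configured DNS.
        reasons.append(f"explicit resolver {positional[1]} bypasses the configured DNS")
    return reasons


def scan(events):
    """Flag events that combine the Run-dialog parent with at least one lookup anomaly.

    A bare 'nslookup host' typed into Run is ordinary user behaviour, so the parent alone is not enough.
    """
    hits = []
    for idx, ev in enumerate(events):
        reasons = nslookup_indicators(ev)
        from_run = any(r.startswith("launched from the Run dialog") for r in reasons)
        if from_run and len(reasons) >= 2:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for r in reasons:
            print("   -", r)
```

Only the first sample is flagged; the plain lookup from the Run dialog (third sample) is reported as a single weak indicator and not raised, which keeps the rule from paging on ordinary troubleshooting.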
It's interesting to note that one of the domains on CastleLoader's infrastructure ("testdomain123123[.]shop") was identified as a Lumma Stealer command-and-control (C2) server, suggesting that the operators of the two malware families are either cooperating or sharing service providers.
India has reported the highest number of Lumma Stealer infections, followed by France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. Bitdefender claimed that ClickFix's efficacy was due to its misuse of procedural trust rather than any technical flaws. "The instructions are similar to verification workarounds or troubleshooting procedures that users may have already encountered.
Because of this, victims frequently aren't aware that they are manually running arbitrary code on their own computer." Lumma Stealer is distributed using a variety of loaders besides CastleLoader. "A genuine Claude page, not a phishing copy, appears when you click on the advertisement.
The result is obvious: a powerful malware distribution vector is created by Google Ads, a reputable and well-known platform, and technical users who have a significant downstream influence."

A macOS email phishing campaign that asks recipients to download and run an AppleScript file to fix alleged compatibility issues, then deploys another AppleScript intended to steal credentials and retrieve more JavaScript payloads. According to Darktrace, "the malware does not grant permissions to itself; instead, it forges TCC authorizations for trusted Apple-signed binaries (Script Editor, Terminal, osascript, and bash) and then executes malicious actions through these binaries to inherit their permissions."

A ClearFake campaign that uses phony CAPTCHA lures on hacked WordPress websites to launch Lumma Stealer and cause an HTML Application (HTA) file to run. The campaign is also known to execute a contract hosted on the BNB Smart Chain and retrieve an unidentified payload hosted on GitHub by exploiting a technique called EtherHiding through malicious JavaScript injections.