Items tagged with: threatintel
A few days ago Brian Krebs wrote about ClickFix, and now Sekoia has written a technical deep dive of said malicious framework.
In the Sekoia report they analyze the evolution of ClearFake, a malicious JavaScript framework that compromises legitimate websites to deliver malware through drive-by downloads. Since its emergence in July 2023, ClearFake has evolved from displaying fake browser updates to using sophisticated social engineering tactics called 'ClickFix' that trick users into executing malicious PowerShell code. The latest variant (December 2024-February 2025) uses fake reCAPTCHA or Cloudflare Turnstile verifications alongside technical issues to deceive users. ClearFake leverages the Binance Smart Chain through a technique called 'EtherHiding' to store malicious code, making it impossible to remove. The framework has infected thousands of websites and is actively distributing Lumma Stealer and Vidar Stealer malware.
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
#CyberSecurity #ClickFix #ThreatIntel
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads. Sekoia TDR (SEKOIA.IO Blog)
3 different VMware zero days, under active exploitation by ransomware group
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform
(Exploitation actually ESXi)
Really good Sophos report on data from IR cases they deal with (mostly going to be crimeware due to their customer base, i.e. real operationally disruptive threat actors rather than pretend operation threats aka APTs).
You might think 'threat actors are sat in hoodies hacking the Matrix using generative AI!!!1!' but in reality 90% of attacks use Remote Desktop (i.e. point and click hackers) and follow the same basic paths over and over again successfully.
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
The Bite from Inside: The Sophos Active Adversary Report
A sea change in available data fuels fresh insights from the first half of 2024. Sophos News
🎃 & #threatintel: We/GreyNoise have observed a significant increase in Fortinet SSL brute force attempts recently. This is the highest level in the past two months and the third highest of 2024.
https://viz.greynoise.io/tags/fortinet-ssl-vpn-bruteforcer?days=10
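The spike above is the kind of thing you can also see on your own perimeter. The following is an added example, not GreyNoise's or Fortinet's code: it parses key=value event logs in the style FortiGate emits for SSL-VPN login failures (action="ssl-login-fail") and raises an alert when one source IP accumulates a threshold of failures inside a sliding time window, distinguishing single-account brute force from password spraying by the number of distinct usernames tried. The sample log lines are constructed, and the exact field names (remip, user, reason, msg) are an assumption to be checked against your device's log reference.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on FortiGate SSL-VPN event logs.
# Field names are an assumption; verify them against your own firmware's log reference.
SAMPLE_LOG = """\
date=2024-10-30 time=08:00:01 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-10-30 time=08:00:03 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="test" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-10-30 time=08:00:05 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="guest" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-10-30 time=08:00:07 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="vpn" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-10-30 time=08:00:09 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="backup" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-10-30 time=08:00:11 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-10-30 time=08:01:00 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-10-30 time=08:02:00 logid="0101039424" type="event" subtype="vpn" level="information" action="ssl-login" remip=192.0.2.9 user="jdoe" msg="SSL user logged in"
date=2024-10-30 time=08:05:00 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text):
    """Return SSL-VPN login failures as a time-sorted list of (timestamp, source_ip, user)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        f = parse_line(line)
        if f.get("action") != "ssl-login-fail":
            continue  # successful logins and unrelated events are not counted
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f.get("remip", "?"), f.get("user", "")))
    events.sort()
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window counter per source IP.

    Alerts when a single source accumulates `threshold` or more failures within
    `window`. More than one distinct username in the window is treated as password
    spraying; a single username hammered repeatedly as brute force of that account.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (ts, user) inside the window
    alerts = {}
    for ts, ip, user in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            users = {u for _, u in q}
            alerts[ip] = {
                "failures": len(q),
                "distinct_users": len(users),
                "kind": "password-spray" if len(users) > 1 else "brute-force",
                "first": q[0][0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {a['failures']} failures, {a['distinct_users']} users, "
              f"{a['kind']} between {a['first']} and {a['last']}")
```

In the constructed sample only 203.0.113.5 trips the default threshold (six failures across five usernames in ten seconds, flagged as a spray); 198.51.100.7's two failures four minutes apart stay below it unless you widen the window. Tune the window and threshold to your own baseline, and consider feeding the flagged IPs into a dynamic block list on the firewall rather than just a ticket.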
Hello everybody. If you use FortiManager from Fortinet you should be prepared to grab the latest available release from the support portal and upgrade.
Patches aren’t out yet. Mitigation is available. If you have FortiManager facing the internet, I’d say remove it from the internet now. #threatintel https://mastodon.green/@fthy/113299522822025433
fthy (@fthy@mastodon.green)
Patch your FortiManager now. Limit access to it to only from dedicated jump-servers. #fortinet #fortimanager #infosec Mastodon.green
Happy Thursday! Enjoy this well-written deep dive into a fascinating bit of Linux malware. I can't wait to get my hands on a sample!
H/t to @screaminggoat
https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
#ThreatIntel #ThreatIntelligence
perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Perfctl is particularly elusive and persistent malware employing several sophisticated techniques. Idan Revivo (Aqua Security)
Jaw Dropping DNS Attack Vector Heavily Exploited in the Wild
Learn about the insidious DNS attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. Find out how to determine whether your domain name is at risk. Infoblox Threat Intel (Infoblox Blog)