Canada Revenue Agency (CRA) themed #ClickFix campaign, using a fake captcha to spread #malware
FakeCaptcha:
https://urlhaus.abuse.ch/url/3423002/
HTA download URL:
https://urlhaus.abuse.ch/url/3418524/
Dropped HTA:
Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.
We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.
There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.
For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d
and a C2 IP 78[.]47[.]227[.]68 from the instance.
There is still at least one more Mastodon instance impacted that we are trying to reach.
Hey hey! More #eBPF #malware in the wild, this one targeting Juniper devices.
https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
Nobody knows exactly how the #Gootloader operators are finding and taking control over personal and business websites that use WordPress, but it's likely due to an earlier compromise of the site's administrator credentials, through #malware or #phishing. Stolen credentials for WordPress sites are a dime a dozen on the criminal underground.
The insidious nature of Gootloader means even the site's owners, who still have working admin passwords, cannot readily determine that the site is being misused for evil.
3/
Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.
Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.
This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
1/
Malicious parties have taken over popular Chrome plugins to push malware.
I can confirm it is not just the Cyberhaven plugin. We don't have a list of impacted plugins, just reports of machines reaching out to the reported malicious domains. Still gathering information.
https://therecord.media/hackers-target-vpn-ai-extensions-google-chrome-malicious-updates
IMPORTANT ANNOUNCEMENT FOR EVERYONE USING ACTIVITYPUB PROTOCOL!
#mastodon #pleroma #fediverse #malware #important #hotoilyjigglyboobsinmyfacebouncingandmoaning
@nugger @psyopsu @rees @MMS21 @BlinkRape @cute @lebronjames75 @coolboymew @worldisrotting
It's only day 2 of the #HuntressCTF but I've been having a ball trying to complete the challenges before my work day starts. However, the Windows #malware challenge has got me stumped. Also, why is it so damn hard to spin up a #windows VM in 2024?!
Here is a traffic distribution system (TDS) in action. Fairly often when talking about TDS, I get the rebuttal: when I visited that domain, I only saw parking. Exactly. That's the point. :) A malicious TDS is like a router for malware -- the goal is to bring the best victims to the best malicious offering. And to play dead when it looks like they might be caught, aka look like parking or search ads.
What these images show is the difference between visiting the site tokclix[.]live from a scanner (urlscan) versus from a real Android phone. The former leads you to (sketchy) search arbitrage and the latter is classic scareware. This is what a TDS does.
Found this particular one while researching search arbitrage, so it is fairly random. Started with an old post on BlackHat World, but the domains were all still live. On the screen capture you can see the redirects through the TDS.
The imgur video shows the original click to scareware -- watch the redirects.
#InfobloxThreatIntel #tds #dns #malware #threatintel #cybercrime #cybersecurity #infosec #scam #phishing
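The scanner-versus-phone difference described in the post can be checked mechanically: fetch the same URL under two client profiles, record each redirect chain, and flag the first hop where the chains fork. The script below is an added example, not code from the original post or from Infoblox; the `PROFILES` User-Agent strings and the `SAMPLE_CHAINS` hostnames are constructed placeholders, and `fetch_chain` is the only part that touches the network.

```python
"""Detect TDS cloaking by comparing redirect chains across client profiles.

Added example, not code from the original post or from Infoblox. It follows
the post's idea: the same URL sends a scanner to parking/search pages and a
real phone to the payload, so fetching it under two User-Agent headers and
diffing the hop lists exposes the fork. PROFILES and SAMPLE_CHAINS are
constructed assumptions; the sample hostnames are placeholders.
"""
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumed client profiles. Real scanners and phones differ in many more
# signals (Accept-Language, screen hints, JS execution) than User-Agent alone.
PROFILES = {
    "scanner": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/120.0 Mobile",
}


class ChainRecorder(HTTPRedirectHandler):
    """Redirect handler that records every Location hop urllib follows."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_chain(url, user_agent, timeout=10):
    """Follow redirects for url as user_agent; return the hop URLs in order.

    This is the only network call; the offline analysis below does not need it.
    """
    recorder = ChainRecorder()
    opener = build_opener(recorder)
    request = Request(url, headers={"User-Agent": user_agent})
    with opener.open(request, timeout=timeout) as response:
        response.geturl()
    return [url] + [hop_url for _, hop_url in recorder.hops]


def host_of(url):
    """Hostname of a hop (no public-suffix grouping; kept deliberately simple)."""
    return (urlsplit(url).hostname or "").lower()


def divergence(chains):
    """Find where the redirect chains of different profiles fork.

    chains maps profile name -> list of hop URLs. Returns None when every
    profile saw the same hostnames in the same order; otherwise a dict with
    the first hop index where they disagree and each profile's final host.
    """
    hosts = {name: [host_of(u) for u in hops] for name, hops in chains.items()}
    longest = max(len(h) for h in hosts.values())
    for index in range(longest):
        seen = {h[index] if index < len(h) else None for h in hosts.values()}
        if len(seen) > 1:
            return {
                "diverge_at": index,
                "final": {name: h[-1] for name, h in hosts.items()},
            }
    return None


# Constructed sample chains standing in for what a scanner and a phone would
# record; none of these hostnames come from the post.
SAMPLE_CHAINS = {
    "scanner": [
        "http://tds-placeholder.example/click?id=1",
        "https://parking-placeholder.example/?q=insurance",
    ],
    "android": [
        "http://tds-placeholder.example/click?id=1",
        "https://hop-placeholder.example/r",
        "https://scareware-placeholder.example/virus-alert",
    ],
}


def live_check(url):
    """Fetch url under every profile and report the fork, if any."""
    chains = {name: fetch_chain(url, ua) for name, ua in PROFILES.items()}
    return divergence(chains)


if __name__ == "__main__":
    print(divergence(SAMPLE_CHAINS))
```

On the constructed sample the chains share their first hop and fork at index 1, ending on a parking host for the scanner profile and a scareware host for the mobile profile, which is the pattern the post's screenshots show. Comparing hostnames rather than full URLs keeps per-visit tracking parameters from producing false forks; a TDS that keys on headers beyond User-Agent, or on client-side checks, will still need the richer profiles the comment in `PROFILES` mentions.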
A funny phishing campaign targeting GitHub users with an email notification about a security issue on an existing repository.
Then the captcha verification on a malicious website tries to trick the user into running a shell command on Windows.
PowerShell to be executed by the user:
https://gist.github.com/adulau/6cf6f3e9c5bbd9106af8814d0a22f473
File downloaded: https://pandora.circl.lu/analysis/21e8f693-361b-4a04-853c-276f9dd841e4/seed-1XqUr4mADaFYlLAyrBH8oQUBgOoEbceZ586b8h05YyA - Lumma Stealer
Malicious domain analysis: https://lookyloo.circl.lu/tree/91106035-dfec-4acc-af06-c9fc36c62774