Threat Research

Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....

Security researchers uncovered ongoing attacks linked to the KongTuke threat group using compromised WordPress sites and fake CAPTCHA lures to spread the Python-based modeloRAT. Attackers inject malicious JavaScript that prompts users to run a PowerShell command, triggering a multistage infection process....

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

ClickFix-based campaigns have employed a rotating set of commands for clipboard-injected content. In late December 2025, the KongTuke campaign incorporated DNS TXT records within its ClickFix text. These campaigns regularly shift between ClickFix techniques, including the finger protocol and mshta....

TA584 stands out in the cybercrime landscape, highlighting the limits of static detection against rapidly evolving threat actors. It operates as a major initial access broker, targeting organizations worldwide. In the second half of 2025, the group significantly modified its attack chains....

PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on ClickFix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....

ClickFix is a social-engineering technique that tricks users into pasting malicious scripts—often injected into the clipboard through pastejacking—into terminals or run windows, leading to system compromise. Since September 2025, detections have surged to over 200 compromised sites daily, driven by lures that mimic Google’s “Aw Snap!” error or fake browser update pages....

A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because manual execution helps attackers evade AV, sandbox, and EDR detection....

A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms like Booking.com and Expedia....

Attackers are leveraging a social engineering technique called ClickFix—which tricks users into manually executing malware—and are now packaging it into phishing kits for easy use. One such kit, the IUAM ClickFix Generator, automates the creation of deceptive phishing pages that mimic browser verification screens....