Fri, 17 Jul 2026
Markets
DJIA 44,210.31 +0.42% S&P 500 6,204.88 +0.31% NASDAQ 20,398.05 -0.18% RUSSELL 2000 2,271.14 +0.55% FTSE 100 8,786.20 -0.09% DAX 24,120.40 +0.26% NIKKEI 225 39,986.30 +1.02% HANG SENG 24,072.30 -0.44% US 10-YR 4.281% -0.03 CRUDE OIL $67.41 +0.68% GOLD $3,342.10 +0.21% BTC $61,845 -1.12% EUR/USD 1.1782 +0.14% DJIA 44,210.31 +0.42% S&P 500 6,204.88 +0.31% NASDAQ 20,398.05 -0.18% RUSSELL 2000 2,271.14 +0.55% FTSE 100 8,786.20 -0.09% DAX 24,120.40 +0.26% NIKKEI 225 39,986.30 +1.02% HANG SENG 24,072.30 -0.44% US 10-YR 4.281% -0.03 CRUDE OIL $67.41 +0.68% GOLD $3,342.10 +0.21% BTC $61,845 -1.12% EUR/USD 1.1782 +0.14%
Now, even Russia's most elite hackers are using Clickfix to infect devices

Now, even Russia's most elite hackers are using Clickfix to infect devices

The social-engineering technique has primarily been a tool of financially motivated criminals.

One of the Russian government’s most elite hacking groups has adopted an attack, known as Clickfix, to compromise devices belonging to sensitive organizations in Ukraine, the latter country’s CERT center is warning.

Clickfix has emerged as an effective attack technique that attackers, primarily financially motivated criminals, began using in the last year or so. Websites under the control of the attackers display a CAPTCHA that requires the visitor to copy a jumble of text and paste it into the terminal. The text contains scripts that, once entered, perform malicious actions, typically by installing malware or exfiltrating sensitive data. Ukraine’s CERT said Wednesday that Sandworm, an advanced hacking unit inside the GRU, Russia’s military intelligence arm, is now using the technique.

"GhettoVibe," "ScoutCurl," and many more

The Clickfix attacks began in the spring and have continued through the summer. The campaign has resulted in the network compromise of at least one organization when a connected device was found to be infected by FreakyPoll, the name of one of Sandworm’s custom malware packages. Ukrainian authorities discovered 10 compromised websites that displayed a PowerShell command as part of a fake CAPTCHA that said it had to be passed to ensure a real human was behind the visiting device’s keyboard.

Read full article

Comments