
    I am not a robot: ClickFix used to deploy StealC and Qilin


    ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT).

    Counter Threat Unit™ (CTU) researchers investigated Qilin ransomware deployment linked to a ClickFix campaign. The infection chain began when a user visited a legitimate but compromised domain and then followed prompts to inadvertently install NetSupport Manager. This victim’s account was later observed in malicious activity associated with Qilin deployment.

    Attack chain

    In this incident, the victim visited a website (aquafestonline[.]com) that contained an embedded malicious script. This script fetched a heavily obfuscated external JavaScript file (d.js) from islonline[.]org (see Figure 1).

    Figure 1: Malicious JavaScript embedded into the compromised web page

    This malicious script fingerprints the user’s operating system and browser type and creates a unique eight-character alphanumeric string. This string is used for tracking purposes and to limit attacks on the system to one per 24-hour period. The script also creates an invisible full-screen iframe overlay that loads a PHP file from hxxps://yungask[.]com/work/index.php?xxxxxxxx (see Figure 2).

    Figure 2: Portion of the malicious d.js script that creates the iframe and loads a PHP file

    The index.php file dynamically generates malicious content that displays the ClickFix page to the user (see Figure 3).

    Figure 3: ClickFix verification page displayed to user

    After the victim completes the fake verification process, a batch file that installs the NetSupport Manager Client is downloaded from hxxps://2beinflow[.]com/head.php to the victim’s system (C:\ProgramData\jh.bat), where it is executed. The batch file retrieves a ZIP archive, saves it as C:\ProgramData\loy.zip, and then writes the extracted files into C:\ProgramData\Disy. The batch file then launches the NetSupport Manager Client application (client32.exe) and establishes persistence by creating a registry Run key. Although NetSupport Manager is a legitimate remote access tool, it is often referred to as NetSupport RAT due to its popularity with threat actors. CTU™ researchers observed the NetSupport RAT connecting to a command and control (C2) server at 94[.]158[.]245[.]13. As of this publication, this IP address is associated with a Windows Server 2012 operating system and exposes ports 3389 (RDP), 443 (HTTPS), and 5986 (WinRM) (see Figure 4).

    Figure 4: NetSupport RAT C2 server with exposed ports 443, 3389, and 5986 (Source: shodan.io)

    A ZIP archive was subsequently downloaded from this C2 server to the victim’s system (c://users/public/mir2.zip). This archive contained a copy of the legitimate Microsoft Media Foundation Protected Pipeline executable (mfpmp.exe), which sideloaded a malicious DLL file (rtworkq.dll) and resulted in a StealC V2 infostealer infection. The first version of StealC was launched in 2023 and sold on underground marketplaces until StealC V2 was released in March 2025. The updated version offered significant upgrades in terms of stealth and versatility.

    Approximately one month after the StealC infection, Qilin ransom notes (README-RECOVER-ID-.txt) were dropped on the network. Analysis revealed that the threat actor used stolen credentials to access the network via a privileged account on a Fortinet VPN device. Two other user accounts from the attacker’s origin also established VPN tunnels. One of these accounts was associated with the victim of the initial ClickFix compromise.

    CTU researchers assess with moderate confidence that an initial access broker obtained the credentials via StealC and sold them to a Qilin affiliate, or that a Qilin affiliate purchased the credentials from a marketplace such as Russian Market. Figure 5 shows the full infection chain for this campaign.

    Figure 5: Full infection chain resulting in Qilin ransomware deployment

    Recommendations

    Qilin has been the most prevalent ransomware-as-a-service (RaaS) operation between January 2024 and December 17, 2025, listing 1,168 victims on its data leak site during that period. Operated by the financially motivated GOLD FEATHER threat group, the scheme uses the name-and-shame or double-extortion model, meaning that affiliates steal data to extort ransom in addition to encrypting files and systems.

    CTU researchers recommend that organizations implement good cybersecurity hygiene to mitigate the threat from ransomware. These practices include patching vulnerable internet-facing devices and services in a timely manner, only exposing potentially vulnerable services such as RDP to the internet if there is a business need, and robustly implementing phishing-resistant multi-factor authentication (MFA) across the network. Endpoint detection and response (EDR) solutions are also essential for identifying and mitigating precursor ransomware activity.

    Detections and threat indicators

    SophosLabs has developed the following detections for this threat:

    • ATK/Shanya-B
    • Mal/NetSupRat-A

    The threat indicators in Table 1 can be used to detect activity related to this threat.

    Indicator | Type | Context
    --- | --- | ---
    c://users/public/mir2.zip | File path | Location of StealC V2 package downloaded via NetSupport RAT
    0c71102046bea598d2369d2fca664472 | MD5 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    b5a445a18258f37edc5c8ee57bc77d4b75d9b7dd | SHA1 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    2e0ea138be2d206305a6583730a20754786de71a18e64e8e24c4f771d2438855 | SHA256 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    ee75b57b9300aab96530503bfae8a2f2 | MD5 hash | NetSupport RAT (client32.exe) used to download StealC
    98dd757e1c1fa8b5605bda892aa0b82ebefa1f07 | SHA1 hash | NetSupport RAT (client32.exe) used to download StealC
    06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | SHA256 hash | NetSupport RAT (client32.exe) used to download StealC
    e02a63b8b70a83a0639c7b18f6b3742c | MD5 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    d098222025c2e4ffa04bd1045a1e4ac081a616dd | SHA1 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    369c18819a35e965c83cdeab07f92eecf69a401030dd8021cb118c9c76176f31 | SHA256 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    13fe3c1072ce308192994f2d7b329f7c8cbb192d49bdb538872383192d133ebb | SHA256 hash | Malicious DLL (rtworkq.dll) sideloaded to run StealC

    Table 1: Indicators for this threat
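    The drop locations, Run-key persistence, mfpmp.exe sideload and C2 address from the attack chain, together with the Table 1 hashes, expressed as a small detection pass over Sysmon-style events. This is an added example, not CTU or SophosLabs code; the event field names, the mir2.zip extraction directory and the Run key value name are assumptions, and the events are constructed.

```python
"""Added example, not CTU or SophosLabs code: flag telemetry matching the
ClickFix -> NetSupport RAT -> StealC chain. Field names and sample events are
constructed assumptions; hashes, paths and the IP come from the write-up."""
import re

IOC_HASHES = {  # Table 1: Loy.zip SHA256, rtworkq.dll SHA256, Loy.zip MD5
    "2e0ea138be2d206305a6583730a20754786de71a18e64e8e24c4f771d2438855",
    "13fe3c1072ce308192994f2d7b329f7c8cbb192d49bdb538872383192d133ebb",
    "0c71102046bea598d2369d2fca664472",
}
IOC_C2 = {"94.158.245.13"}  # NetSupport RAT C2 named in the write-up
IOC_PATHS = re.compile(r"\\ProgramData\\(jh\.bat|loy\.zip|Disy\\client32\.exe)$"
                       r"|\\Users\\Public\\mir2\.zip$", re.I)  # drop locations

def classify(event: dict) -> list:
    """Return the names of the rules that fire for one event ([] = clean)."""
    hits = []
    path = event.get("image", "") or event.get("target", "")
    if IOC_PATHS.search(path):
        hits.append("ioc_path")
    if event.get("hash", "").lower() in IOC_HASHES:
        hits.append("ioc_hash")
    if event.get("dest_ip") in IOC_C2:
        hits.append("ioc_c2")
    loaded = event.get("loaded", "").lower()
    # Sideload heuristic: mfpmp.exe loading rtworkq.dll from outside System32.
    if (event.get("type") == "image_load" and path.lower().endswith("mfpmp.exe")
            and loaded.endswith("rtworkq.dll") and "\\windows\\system32\\" not in loaded):
        hits.append("dll_sideload")
    # Persistence heuristic: a Run key value pointing into the ProgramData drop folder.
    if (event.get("type") == "registry_set" and "\\currentversion\\run\\" in path.lower()
            and "\\programdata\\" in event.get("details", "").lower()):
        hits.append("run_key_persistence")
    return hits

def scan(events):  # (type, hits) for every event that fires at least one rule
    return [(e["type"], h) for e in events if (h := classify(e))]

# Constructed sample telemetry (not incident data); mir2 extraction dir is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ProgramData\jh.bat"},
    {"type": "image_load", "image": r"C:\Users\Public\mir2\mfpmp.exe",
     "loaded": r"C:\Users\Public\mir2\rtworkq.dll"},
    {"type": "registry_set", "details": r"C:\ProgramData\Disy\client32.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Disy"},
    {"type": "network", "image": r"C:\ProgramData\Disy\client32.exe", "dest_ip": "94.158.245.13"},
    {"type": "image_load", "image": r"C:\Windows\System32\mfpmp.exe",
     "loaded": r"C:\Windows\System32\rtworkq.dll"},  # benign: both in System32
]
```

    Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the legitimate System32 load alone; the hash rule accepts upper- or lower-case hex.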




    The incredible acts of bravery as horror unfolded


    Tiffanie Turnbull and Tabby Wilson, Sydney

    ‘An absolute superhero’: father describes how Jess saved his daughter

    When bullets began flying at Sydney’s Bondi Beach on Sunday, strangers Wayne and Jessica found themselves in the same nightmare scenario. They couldn’t find their three-year-olds.

    In the chaos, separately, they desperately scanned the green. People who’d gathered to celebrate the first day of Hanukkah screamed and ducked. Others ran. Some didn’t make it far.

    The 10-odd minutes that followed were the longest of their lives.

    Wayne’s body was acting as a human shield for his eldest daughter, but his mind was elsewhere: with his missing daughter Gigi.

    “We had to wait all that time for the gunshots to stop. It felt like eternity,” he tells the BBC.

    Unbeknown to him, Jessica’s gaze had caught on a little girl in a rainbow skirt, confused, scared and alone – calling out for her mummy and daddy.

    In that moment, the pregnant mother couldn’t protect her own child, so she’d protect this one, she decided. She smothered Gigi’s body with her own, and uttered “I’ve got you”, over and over again. They could feel the moment a woman about a metre away was shot and killed.

    By the time the air finally fell silent, Wayne had become all but convinced Gigi was dead.

    “I was looking amongst the blood and the bodies,” he says, growing emotional.

    “What I saw – no human should ever see that.”

    Eventually, he caught a glimpse of a familiar colourful skirt and found his daughter, stained in red – but okay, still shrouded under Jessica. Her son too would soon be found, unharmed.

    “She said she’s just a mother and she acted with mother instincts,” Wayne says.

    “[But] she’s a superhero. We’ll be indebted to her for the rest of our lives.”

    It is one of the incredible accounts of selflessness and courage that have emerged from one of Australia’s darkest days.

    Declared a terror attack by police, it is the deadliest in Australian history. Dozens were injured and 15 people – including a 10-year-old girl – were killed by the two gunmen, who police say were inspired by the jihadist group Islamic State (IS).


    More people undoubtedly would have been harmed if it weren’t for Ahmed al Ahmed.

    A Syrian-Australian shop owner, he’d been having coffee nearby when the shooting began. His father told BBC Arabic Ahmed “saw the victims, the blood, women and children lying on the street, and then acted”.

    Footage of the moment he sprung out from behind a car and wrestled a gun off one of the attackers immediately went viral. He was shot multiple times, and may lose his arm.

    Another man, Reuven Morrison, was also seen on the video hurling objects at the same attacker in the moments after Ahmed disarmed him.

    Sheina Gutnik easily recognised her dad in the footage.

    “He is not one to lie down. He is one to run towards danger,” Ms Gutnick told BBC partner CBS News.

    He had jumped up the second the shooting started, she said, and was throwing bricks at one of the gunmen before he was fatally shot.

    “He went down fighting, protecting the people he loved most.”

    The first two victims of the assault, Boris and Sofia Gurman, were also captured on dashcam footage grappling with one of the men for his weapon. When they succeeded, he got another gun from the car he’d just climbed out of and killed them.


    “Even in the final moments of their lives, they showed the depth of who they were by facing those moments with courage, selflessness and love,” read a message from their proud son Alex, which was read out at the couple’s funeral on Friday.

    “In doing so, they reminded us that they were not only devoted parents, but, in every sense of the word, heroes.”

    The list goes on.

    Chaya, only 14 years old, was shot in the leg while shielding two young children from gunfire.

    Jack Hibbert – a beat cop just four months into the job – was hit in both the head and the shoulder but continued to help festival attendees until he physically couldn’t, his family said. The 22-year-old will survive, but with life-changing injuries.

    Lifeguard Jackson Doolan was photographed sprinting over from a neighbouring beach during the attack, armed with critical medical supplies. He didn’t even pause to put on shoes.

    [Image: A man wearing a blue lifeguard shirt runs barefoot down a hill towards Bondi Beach, carrying a red bag of medical supplies. Source: Alexandra Ching/Instagram]

    Jackson Doolan heard gunshots and took off running towards them

    Others at Bondi rushed from the beach into the fire, their red-and-yellow lifesaving boards working overtime as stretchers. One lifeguard even dived back into the surf to save swimmers who’d been sent into a panic by the shooting.

    Student Levi Xu, 31, told the BBC he felt he could not shout for help, as he didn’t want to draw attention to himself or risk any potential saviours being targeted.

    But lifeguard Rory Davey saw him and his friend struggling, and dragged them back to shore.

    “We stood up and wanted to thank him, but he had already gone back into the sea to rescue other people,” says Mr Xu.

    Thousands of Australians flocked to donate blood, dwarfing the previous record.

    Authorities say many off-duty first responders travelled to Bondi on Sunday – from as far as two hours away – simply because they knew there was a need. Likewise, healthcare workers rushed to hospitals when they heard of the attack, shift or no shift, confronting unspeakable trauma to save lives.

    “[They were] just coming into the station and saying ‘I’m ready to go’. Coming to the scene and saying ‘I’m ready… put me in’,” New South Wales Health Minister Ryan Park told the BBC.

    “Normally on a Sunday night, there is staff available to run one operating theatre [at St Vincent’s Hospital]. There were eight operating at once,” Prime Minister Anthony Albanese said.

    State premier Chris Minns, too, has been quick to praise the heroics of ordinary, everyday Australians.

    “This is a terrible, wanton act of destructive violence. But there are still amazing people that we have in Australia, and they showed their true colours last night,” he said, the day after the attack.

    Wayne says he shudders to think what would have happened without people like Jessica and Ahmed.

    When he speaks to the BBC, he’s just attended a funeral for the gunmen’s youngest victim, 10-year-old Matilda.

    “I was sitting at this funeral and I was just thinking, tears pouring out of my eyes… I could have been in the front… It could have been my little girl.”

    “There could have been so much more devastation without the bravery of [these] people… someone who could run just comes in. Someone who could worry about their own child looks after another child.

    “That’s what the world needs more of.”

    Additional reporting by Fan Wang.




    EU leaders to loan €90bn to Ukraine


    European Union leaders have struck a deal to give Ukraine a €90bn (£79bn; $105bn) loan after failing to agree on using frozen Russian assets.

    The agreement, which leaders said would meet Ukraine’s military and economic needs for the next two years, came after more than a day of talks at a summit in Brussels.

    “We committed, we delivered,” EU chief Antonio Costa wrote on X as he announced the deal to provide a loan backed by the bloc’s common budget.

    Ukrainian President Volodymyr Zelensky had urged leaders to use €200 billion of frozen Russian assets but Belgium, where the vast bulk of the cash is held, demanded guarantees on sharing liability that proved too much for other countries.

    In another development, French President Emmanuel Macron said he believed it would be “useful” for Europe to re-engage with Russian President Vladimir Putin.

    “I believe that it’s in our interest as Europeans and Ukrainians to find the right framework to re-engage this discussion,” he said, adding that Europeans should find the means to do so “in coming weeks”.

    EU leaders avoided “chaos and division” with their decision to provide Ukraine with a loan through borrowing cash rather than use frozen Russian assets, Belgian Prime Minister Bart De Wever said early on Friday.

    “We remained united,” De Wever added.

    Ukraine is months from running out of cash and Zelensky said without an injection by spring Ukraine would “have to reduce production of drones”.

    The EU estimates Ukraine needs an extra €135 billion to stay afloat over the next two years, with the cash crunch set to start in April.

    German Chancellor Friedrich Merz, who had pushed for the asset plan, said the final decision on the loan “sends a clear signal” to Putin.

    Russia had warned EU leaders not to use its money, but Polish Prime Minister Donald Tusk said they had to “rise to this occasion”.

    The agreement offers Kyiv a desperately needed lifeline amid a flurry of diplomacy as US President Donald Trump pushes for a quick deal to end Russia’s war.

    US and Russian officials are due to meet in Miami this weekend for further talks on a peace plan, a White House official has told AFP news agency. It is thought Kremlin envoy Kirill Dmitriev will talk to Trump envoys Steve Witkoff and Jared Kushner in Miami.

    Meanwhile, Zelensky announced Ukrainian and US delegations would hold new talks on Friday and Saturday in the United States.

    He said he wanted Washington to give more details on the guarantees it could offer to protect Ukraine from another invasion.


