Surfers and swimmers paid tribute to Sunday’s shooting victims at Bondi beach on Friday morning.
They paddled out past the wave breaks to create a ring shape and held a memorial on shore.
Bondi beach has become a vigil site for the 15 killed and dozens wounded in last weekend’s attack.
Flower bouquets are bundled in a heap next to the park where the shooting occurred, where mourners have been listening to community speakers in the days since.
ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT).
Counter Threat Unit™ (CTU) researchers investigated Qilin ransomware deployment linked to a ClickFix campaign. The infection chain began when a user visited a legitimate but compromised domain and then followed prompts to inadvertently install NetSupport Manager. This victim’s account was later observed in malicious activity associated with Qilin deployment.
In this incident, the victim visited a website (aquafestonline[.]com) that contained an embedded malicious script. This script fetched a heavily obfuscated external JavaScript file (d.js) from islonline[.]org (see Figure 1).
Figure 1: Malicious JavaScript embedded into the compromised web page
This malicious script fingerprints the user’s operating system and browser type and creates a unique eight-character alphanumeric string. This string is used for tracking purposes and to limit attacks on the system to one per 24-hour period. The script also creates an invisible full-screen iframe overlay that loads a PHP file from hxxps://yungask[.]com/work/index.php?xxxxxxxx (see Figure 2).
Figure 2: Portion of the malicious d.js script that creates the iframe and loads a PHP file
The index.php file dynamically generates malicious content that displays the ClickFix page to the user (see Figure 3).
Figure 3: ClickFix verification page displayed to user
After the victim completes the fake verification process, a batch file containing NetSupport Manager Client files is downloaded from hxxps://2beinflow[.]com/head.php to the victim’s system (C:\ProgramData\jh.bat), where it is executed. The batch file retrieves a ZIP archive, saves it as C:\ProgramData\loy.zip, and then writes the extracted files into C:\ProgramData\Disy. The batch file then launches the NetSupport Manager Client application (client32.exe) and establishes persistence by creating a registry Run key. Although NetSupport Manager is a legitimate remote access tool, it is often referred to as NetSupport RAT due to its popularity with threat actors. CTU™ researchers observed the NetSupport RAT connecting to a command and control (C2) server at 94[.]158[.]245[.]13. As of this publication, this IP address is associated with a Windows Server 2012 operating system and exposes ports 3389 (RDP), 443 (HTTPS), and 5986 (WinRM) (see Figure 4).
Figure 4: NetSupport RAT C2 server with exposed ports 443, 3389, and 5986 (Source: shodan.io)
A ZIP archive was subsequently downloaded from this C2 server to the victim’s system (c://users/public/mir2.zip). This archive contained a copy of the legitimate Microsoft Media Foundation Protected Pipeline executable (mfpmp.exe), which sideloaded a malicious DLL file (rtworkq.dll) and resulted in a StealC V2 infostealer infection. The first version of StealC was launched in 2023 and sold on underground marketplaces until StealC V2 was released in March 2025. The updated version offered significant upgrades in terms of stealth and versatility.
Approximately one month after the StealC infection, Qilin ransom notes (README-RECOVER-ID-
CTU researchers assess with moderate confidence that an initial access broker obtained the credentials via StealC and sold them to a Qilin affiliate, or that a Qilin affiliate purchased the credentials from a marketplace such as Russian Market. Figure 5 shows the full infection chain for this campaign.
Figure 5: Full infection chain resulting in Qilin ransomware deployment
Qilin has been the most prevalent ransomware-as-a-service (RaaS) operation between January 2024 and December 17, 2025, listing 1,168 victims on its data leak site during that period. Operated by the financially motivated GOLD FEATHER threat group, the scheme uses the name-and-shame or double-extortion model, meaning that affiliates steal data to extort ransom in addition to encrypting files and systems.
CTU researchers recommend that organizations implement good cybersecurity hygiene to mitigate the threat from ransomware. These practices include patching vulnerable internet-facing devices and services in a timely manner, only exposing potentially vulnerable services such as RDP to the internet if there is a business need, and robustly implementing phishing-resistant multi-factor authentication (MFA) across the network. Endpoint detection and response (EDR) solutions are also essential for identifying and mitigating precursor ransomware activity.
SophosLabs has developed the following detections for this threat:
The threat indicators in Table 1 can be used to detect activity related to this threat.
| Indicator | Type | Context |
|---|---|---|
| c://users/public/mir2.zip | File path | Location of StealC V2 package downloaded via NetSupport RAT |
| 0c71102046bea598d2369d2fca664472 | MD5 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC |
| b5a445a18258f37edc5c8ee57bc77d4b75d9b7dd | SHA1 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC |
| 2e0ea138be2d206305a6583730a20754786de71a18e64e8e24c4f771d2438855 | SHA256 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC |
| ee75b57b9300aab96530503bfae8a2f2 | MD5 hash | NetSupport RAT (client32.exe) used to download StealC |
| 98dd757e1c1fa8b5605bda892aa0b82ebefa1f07 | SHA1 hash | NetSupport RAT (client32.exe) used to download StealC |
| 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | SHA256 hash | NetSupport RAT (client32.exe) used to download StealC |
| e02a63b8b70a83a0639c7b18f6b3742c | MD5 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT |
| d098222025c2e4ffa04bd1045a1e4ac081a616dd | SHA1 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT |
| 369c18819a35e965c83cdeab07f92eecf69a401030dd8021cb118c9c76176f31 | SHA256 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT |
| 13fe3c1072ce308192994f2d7b329f7c8cbb192d49bdb538872383192d133ebb | SHA256 hash | Malicious DLL (rtworkq.dll) sideloaded to run StealC |
Table 1: Indicators for this threat
Tiffanie Turnbulland
Tabby Wilson,Sydney
When bullets began flying at Sydney’s Bondi Beach on Sunday, strangers Wayne and Jessica found themselves in the same nightmare scenario. They couldn’t find their three-year-olds.
In the chaos, separately, they desperately scanned the green. People who’d gathered to celebrate the first day of Hanukkah screamed and ducked. Others ran. Some didn’t make it far.
The 10-odd minutes that followed were the longest of their lives.
Wayne’s body was acting as a human shield for his eldest daughter, but his mind was elsewhere: with his missing daughter Gigi.
“We had to wait all that time for the gunshots to stop. It felt like eternity,” he tells the BBC.
Unbeknown to him, Jessica’s gaze had caught on a little girl in a rainbow skirt, confused, scared and alone – calling out for her mummy and daddy.
In that moment, the pregnant mother couldn’t protect her own child, so she’d protect this one, she decided. She smothered Gigi’s body with her own, and uttered “I’ve got you”, over and over again. They could feel the moment a woman about a metre away was shot and killed.
By the time the air finally fell silent, Wayne had become all but convinced Gigi was dead.
“I was looking amongst the blood and the bodies,” he says, growing emotional.
“What I saw – no human should ever see that.”
Eventually, he caught a glimpse of a familiar colourful skirt and found his daughter, stained in red – but okay, still shrouded under Jessica. Her son too would soon be found, unharmed.
“She said she’s just a mother and she acted with mother instincts,” Wayne says.
“[But] she’s a superhero. We’ll be indebted to her for the rest of our lives.”
It is one of the incredible accounts of selflessness and courage that have emerged from one of Australia’s darkest days.
Declared a terror attack by police, it is the deadliest in Australian history. Dozens were injured and 15 people – including a 10-year-old girl – were killed by the two gunmen, who police say were inspired by the jihadist group Islamic State (IS).
More people undoubtedly would have been harmed if it weren’t for Ahmed al Ahmed.
A Syrian-Australian shop owner, he’d been having coffee nearby when the shooting began. His father told BBC Arabic Ahmed “saw the victims, the blood, women and children lying on the street, and then acted”.
Footage of the moment he sprung out from behind a car and wrestled a gun off one of the attackers immediately went viral. He was shot multiple times, and may lose his arm.
Another man, Reuven Morrison, was also seen on the video hurling objects at the same attacker in the moments after Ahmed disarmed him.
Sheina Gutnik easily recognised her dad in the footage.
“He is not one to lie down. He is one to run towards danger,” Ms Gutnick told BBC partner CBS News.
He had jumped up the second the shooting started, she said, and was throwing bricks at one of the gunmen before he was fatally shot.
“He went down fighting, protecting the people he loved most.”
The first two victims of the assault, Boris and Sofia Gurman, were also captured on dashcam footage grappling with one of the men for his weapon. When they succeeded, he got another gun from the car he’d just climbed out of and killed them.
“Even in the final moments of their lives, they showed the depth of who they were by facing those moments with courage, selflessness and love,” read a message from their proud son Alex, which was read out at the couple’s funeral on Friday.
“In doing so, they reminded us that they were not only devoted parents, but, in every sense of the word, heroes.”
The list goes on.
Chaya, only 14 years old, was shot in the leg while shielding two young children from gunfire.
Jack Hibbert – a beat cop just four months into the job – was hit in both the head and the shoulder but continued to help festival attendees until he physically couldn’t, his family said. The 22-year-old will survive, but with life-changing injuries.
Lifeguard Jackson Doolan was photographed sprinting over from a neighbouring beach during the attack, armed with critical medical supplies. He didn’t even pause to put on shoes.
Alexandra Ching/InstagramOthers at Bondi rushed from the beach into the fire, their red-and-yellow lifesaving boards working overtime as stretchers. One lifeguard even dived back into the surf to save swimmers who’d been sent into a panic by the shooting.
Student Levi Xu, 31, told the BBC he felt he could not shout for help, as he didn’t want to draw attention to himself or risk any potential saviours being targeted.
But lifeguard Rory Davey saw him and his friend struggling, and dragged them back to shore.
“We stood up and wanted to thank him, but he had already gone back into the sea to rescue other people,” says Mr Xu.
Thousands of Australians flocked to donate blood, dwarfing the previous record.
Authorities say many off-duty first responders travelled to Bondi on Sunday – from as far as two hours away – simply because they knew there was a need. Likewise, healthcare workers rushed to hospitals when they heard of the attack, shift or no shift, confronting unspeakable trauma to save lives.
“[They were] just coming into the station and saying ‘I’m ready to go’. Coming to the scene and saying ‘I’m ready… put me in’,” New South Wales Health Minister Ryan Park told the BBC.
“Normally on a Sunday night, there is staff available to run one operating theatre [at St Vincent’s Hospital]. There were eight operating at once,” Prime Minister Anthony Albanese said.
State premier Chris Minns, too, has been quick to praise the heroics of ordinary, everyday Australians.
“This is a terrible, wanton act of destructive violence. But there are still amazing people that we have in Australia, and they showed their true colours last night,” he said, the day after the attack.
Wayne says he shudders to think what would have happened without people like Jessica and Ahmed.
When he speaks to the BBC, he’s just attended a funeral for the gunmen’s youngest victim, 10-year-old Matilda.
“I was sitting at this funeral and I was just thinking, tears pouring out of my eyes… I could have been in the front… It could have been my little girl.”
“There could have been so much more devastation without the bravery of [these] people… someone who could run just comes in. Someone who could worry about their own child looks after another child.
“That’s what the world needs more of.”
Additional reporting by Fan Wang.
