• About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal
The Cyber Express
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    weekly round

    The Cyber Express Weekly Roundup: TikTok Age Verification Probe, Healthcare Data Breach, Qantas Ruling, and Major Cyberattacks

    ClickFix Attacks

    ClickFix Attacks Drive UAC-0145 Cyber Campaigns, CERT-UA Warns

    Chinese money laundering

    US Charges Two Over $43M Chinese Money Laundering Operation

    Notepad++ vulnerabilities

    Critical Notepad++ Bugs Could Lead to Code Execution, Patch Available

    TikTok age verification

    TikTok Age Verification Under Investigation as UK Tightens Child Safety Rules

    CVE-2026-53412

    Zoom Patches Critical Windows Flaw Enabling Account Takeover

    Partnered Health cyberattack

    Partnered Health Cyberattack Exposes Patient Data Across Australia

    Chrome Beta

    Google Rolls Out Chrome 151 Beta and Early Stable Updates

    Qantas, Qantas Data Breach, Data Breach, Cyber aattack, Socail Engineering, OAIC, OAIC Report, Privacy Commissioner

    Qantas Did Everything “Right” — And Got Breached Anyway. Regulators Say That’s the Point.

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    global crypto investment scam

    Dutch Police Arrest Key Suspect in €100M Global Crypto Investment Scam

    Australia-India PACTS

    Australia-India PACTS to Deepen Cybersecurity and Tech Collaboration

    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Australia-India PACTS

    Australia-India PACTS to Deepen Cybersecurity and Tech Collaboration

    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    weekly round

    The Cyber Express Weekly Roundup: TikTok Age Verification Probe, Healthcare Data Breach, Qantas Ruling, and Major Cyberattacks

    ClickFix Attacks

    ClickFix Attacks Drive UAC-0145 Cyber Campaigns, CERT-UA Warns

    Chinese money laundering

    US Charges Two Over $43M Chinese Money Laundering Operation

    Notepad++ vulnerabilities

    Critical Notepad++ Bugs Could Lead to Code Execution, Patch Available

    TikTok age verification

    TikTok Age Verification Under Investigation as UK Tightens Child Safety Rules

    CVE-2026-53412

    Zoom Patches Critical Windows Flaw Enabling Account Takeover

    Partnered Health cyberattack

    Partnered Health Cyberattack Exposes Patient Data Across Australia

    Chrome Beta

    Google Rolls Out Chrome 151 Beta and Early Stable Updates

    Qantas, Qantas Data Breach, Data Breach, Cyber aattack, Socail Engineering, OAIC, OAIC Report, Privacy Commissioner

    Qantas Did Everything “Right” — And Got Breached Anyway. Regulators Say That’s the Point.

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    global crypto investment scam

    Dutch Police Arrest Key Suspect in €100M Global Crypto Investment Scam

    Australia-India PACTS

    Australia-India PACTS to Deepen Cybersecurity and Tech Collaboration

    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Australia-India PACTS

    Australia-India PACTS to Deepen Cybersecurity and Tech Collaboration

    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
The Cyber Express
No Result
View All Result
Home Cyber News

ClickFix Attacks Drive UAC-0145 Cyber Campaigns, CERT-UA Warns

Samiksha Jain by Samiksha Jain
July 17, 2026
in Cyber News, Firewall Daily, Malware News
0
ClickFix Attacks
585
SHARES
3.2k
VIEWS
Share on LinkedInShare on Twitter

The ClickFix attacks technique has become a key initial access method for the UAC-0145 cyber threat cluster, according to a new report from Ukraine’s Computer Emergency Response Team (CERT-UA). The agency said the threat group, also tracked as Sandworm, APT44, Seashell Blizzard, and a subcluster of UAC-0002, has shifted its tactics during 2026, increasingly relying on fake CAPTCHA prompts and social engineering to compromise systems.

CERT-UA said it has worked with Ukrainian cybersecurity agencies for several years to investigate the activities of UAC-0145. While the group previously relied on infected software installers distributed through torrent websites, recent campaigns have increasingly used ClickFix to trick users into executing malicious PowerShell commands.

ClickFix Attacks Emerging as Primary Initial Access Vector

According to CERT-UA, infections recorded during the spring and summer of 2026 frequently began when victims visited compromised websites displaying fake CAPTCHA pages. Users were instructed to copy and execute PowerShell commands in their terminal, a phishing technique commonly referred to as ClickFix.

The downloaded commands were designed to retrieve malicious files such as GHETTOVIBE, a Visual Basic Script (VBS) that establishes persistence by placing itself in the Windows Startup directory.

Once executed, attackers could deploy SCOUTCURL, a PowerShell reconnaissance tool capable of collecting information about the compromised system, including device specifications, installed software, browser data, and local files before exfiltrating the information.

CERT-UA also observed malware loaders including FLUIDLEECH, disguised as antivirus software, and LOADLOOP being used during these campaigns.

Backdoors and Data Theft Tools Widely Deployed

The report noted that attackers continue using malware families such as KALAMBUR, SUMBUR, and TAMBUR after gaining access to victim systems.

To maintain remote access, the group relied on legitimate utilities including OpenSSH and Tor, forwarding local network ports such as 445, 3389, and 22 to attacker-controlled infrastructure.

CERT-UA also found malware designed to steal messaging data from Signal and WhatsApp, with stolen information reportedly exfiltrated using RSYNC.

On infected systems examined during cyber defense operations, investigators additionally identified FREAKYPOLL, a Python-based backdoor distributed as compiled bytecode (.pyc), providing attackers with persistent unauthorized access.

Compromised Websites Used to Deliver Fake CAPTCHA Pages

During June and July 2026, CERT-UA analyzed more than ten compromised websites involved in ClickFix attacks.

Investigators found attackers using both the Cloaking.House service and custom malware called SMARTAXE to dynamically modify legitimate webpages. SMARTAXE retrieves remote domains from blockchain smart contracts through Ethereum’s eth_call function before displaying fake CAPTCHA pages or redirecting visitors to malicious content.

CERT-UA warned that any website used in these attacks should be considered compromised, potentially through vulnerable content management systems (CMS), stolen credentials, web shells, malicious plugins, modified website scripts, or server-side backdoors.

The agency urged website administrators and hosting providers to strengthen website security and respond quickly to incident reports.

Android Malware Also Part of UAC-0145 Operations

The report also highlighted growing use of Android malware distributed through messaging applications.

Attackers were observed sharing APK files disguised as security or antivirus tools. One such malware family, tracked as COWARDDUCK, functions as a full-featured Android backdoor capable of collecting device information, contacts, files, and real-time geolocation.

The malware targets files from directories including DCIM, Documents, Downloads, Pictures, and Alarms while searching for formats such as DOCX, XLSX, PPTX, ZIP, RAR, JSON, and OVPN files.

According to CERT-UA, COWARDDUCK uploads stolen files through the Dropbox API while receiving commands from legitimate services including Steam Community and StockMemory domains through proxy infrastructure.

Microsoft Sees Global Rise in ClickFix Campaigns

Microsoft Threat Intelligence and Microsoft Defender Experts also reported that ClickFix campaigns have increased significantly since early 2024, targeting thousands of enterprise and consumer devices globally each day.

Microsoft said the technique commonly delivers malware such as Lumma Stealer by persuading users to copy and execute commands through Windows Run, Windows Terminal, or Windows PowerShell. The campaigns are often combined with phishing, malvertising, and drive-by compromise techniques that imitate trusted brands.

Because ClickFix attacks rely on user interaction rather than exploiting software vulnerabilities directly, Microsoft recommends organizations strengthen user awareness and apply security policies that restrict unnecessary use of command execution tools.

Share this:

  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Reddit (Opens in new window) Reddit
  • Share on X (Opens in new window) X
  • Share on Facebook (Opens in new window) Facebook
  • More
  • Email a link to a friend (Opens in new window) Email
  • Share on WhatsApp (Opens in new window) WhatsApp

Related

Tags: Android MalwareAPT44CERT-UAClickFix attacksData Theft Toolsfake CAPTCHA promptsUAC-0002UAC-0145UAC-0145 Operations
Previous Post

US Charges Two Over $43M Chinese Money Laundering Operation

Next Post

The Cyber Express Weekly Roundup: TikTok Age Verification Probe, Healthcare Data Breach, Qantas Ruling, and Major Cyberattacks

Next Post
weekly round

The Cyber Express Weekly Roundup: TikTok Age Verification Probe, Healthcare Data Breach, Qantas Ruling, and Major Cyberattacks

Q1 2026 Threat Reports

❮ ❯
Cyble-Vision


Follow Us On Google News

Latest Cyber News

weekly round
Firewall Daily

The Cyber Express Weekly Roundup: TikTok Age Verification Probe, Healthcare Data Breach, Qantas Ruling, and Major Cyberattacks

July 17, 2026
ClickFix Attacks
Cyber News

ClickFix Attacks Drive UAC-0145 Cyber Campaigns, CERT-UA Warns

July 17, 2026
Chinese money laundering
Firewall Daily

US Charges Two Over $43M Chinese Money Laundering Operation

July 17, 2026
Notepad++ vulnerabilities
Firewall Daily

Critical Notepad++ Bugs Could Lead to Code Execution, Patch Available

July 17, 2026

Categories

Web Stories

Do This on Telegram, Your Bank Account Will Become Zero
Do This on Telegram, Your Bank Account Will Become Zero
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
Cricket World Cup Ticketing Systems Under Cybersecurity
Cricket World Cup Ticketing Systems Under Cybersecurity
Cyber Threats and Online Ticket Scams During the NBA Finals
Cyber Threats and Online Ticket Scams During the NBA Finals
Biometric Data Security: Protecting Sensitive Information
Biometric Data Security: Protecting Sensitive Information

About

The Cyber Express

#1 Trending Cybersecurity News and Magazine

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

 

Contact

For editorial queries: [email protected]

For marketing and Sales: [email protected]

 

Quick Links

  • About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal

Our Address

We’re remote friendly, with office locations around the world:

San Francisco, Atlanta, Rome,
Dubai, Mumbai, Bangalore, Hyderabad,  Singapore, Jakarta, Sydney, and Melbourne

 

Headquarters:

The Cyber Express LLC
10080 North Wolfe Road, Suite SW3-200, Cupertino, CA, US 95014

 

India Office:

Cyber Express Media Network
HD-021, 4th Floor, C Wing, Building No.4. Nesco IT Park, WE Highway, Goregaon East, Mumbai, Maharashtra, India – 4000063

  • Privacy Statement
  • Terms of Use
  • Write For Us

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Magazine
  • Firewall Daily
  • Essentials
    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
-
00:00
00:00

Queue

Update Required Flash plugin
-
00:00
00:00
Do This on Telegram, Your Bank Account Will Become Zero If You Install the iOS 18 Beta, Your iPhone Could Be Hacked Cricket World Cup Ticketing Systems Under Cybersecurity Cyber Threats and Online Ticket Scams During the NBA Finals Biometric Data Security: Protecting Sensitive Information