Search results for run-powershell-as-administrator | Breaking Cybersecurity News | The Hacker News

Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater), UNK_RemoteRogue, and TA422 (aka APT28). ClickFix has been an initial access technique primarily affiliated with cybercrime groups, although the effectiveness of the approach has led to it also being adopted by nation-state groups. "The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains," enterprise security firm Proofpoint said in a report published today. ClickFix , in a nutshell, refers to a sneaky technique that tricks users int...

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," the Microsoft Threat Intelligence team said in a series of posts shared on X. To read the purported PDF document, victims are persuaded to click a URL containing a list of steps to register their Windows system. The registration link urges them to launch PowerShell as an administrator and copy/paste the displayed code snippet into the terminal, and execute it. Should the victim follow through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN from a rem...

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites. "Site visitors get injected content that was drive-by malware like fake Cloudflare verification," Sucuri researcher Puja Srivastava said in an analysis published last week. The website security company said it began an investigation after one of its customer's WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file ("functions.php"). The code inserted into "functions.php" incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain "brazilc[.]com," which, in turn, responds with a dynamic payload that includes two component...

Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL. "GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said . "This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner." It all starts with an executable file ("Tiworker.exe"), which is used to run a PowerShell script that retrieves an obfuscated Power...

Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync . "Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands," Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey said . It's currently not known if the campaigns are the work of the same threat actor. The use of ClickFix lures to distribute the malware was also flagged by Jamf Threat Labs in December 2025. The details of the three campaigns are as follows - November 2025: A campaign that used OpenAI's ChatGPT Atlas web browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button that, whe...

Great news for hackers. Now you can download and install Kali Linux directly from the Microsoft App Store on Windows 10 just like any other application. I know it sounds crazy, but it's true! Kali Linux, a very popular, free, and open-source Linux-based operating system widely used for hacking and penetration testing, is now natively available on Windows 10, without requiring dual boot or virtualization. Kali Linux is the latest Linux distribution to be made available on the Windows App Store for one-click installation, joining the list of other popular distribution such as Ubuntu , OpenSUSE and SUSE Enterprise Linux . In Windows 10, Microsoft has provided a feature called " Windows Subsystem for Linux " (WSL) that allows users to run Linux applications directly on Windows. "For the past few weeks, we've been working with the Microsoft WSL team to get Kali Linux introduced into the Microsoft App Store as an official WSL distribution, and today we...

The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024. "Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code," Kaspersky researcher Oleg Kupreev said in an analysis published this week. More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower. Then exactly a year later, Russian cy...

Source: Securonix Cybersecurity researchers have disclosed details of a new campaign dubbed PHALT#BLYX that has leveraged ClickFix -style lures to display fixes for fake blue screen of death ( BSoD ) errors in attacks targeting the European hospitality sector. The end goal of the multi-stage campaign is to deliver a remote access trojan known as DCRat , according to cybersecurity company Securonix. The activity was detected in late December 2025. "For initial access, the threat actors utilize a fake Booking.com reservation cancellation lure to trick victims into executing malicious PowerShell commands, which silently fetch and execute remote code," researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said . The starting point of the attack chain is a phishing email impersonating Booking.com that contains a link to a fake website (e.g., "low-house[.]com"). The messages warn recipients of unexpected reservation cancellations, urging them to click the ...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...

A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details," Elastic Security Labs researcher Jia Yu Chan said in an analysis. The attack chains begin with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to "prove you are not [a] robot" by following a three-step process, a prevalent tactic called ClickFix . This involves instructing the potential victim to open the Windows Run dialog prompt, paste an already copied command into the "verification window"...

Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. At a high level, the attack chain involves the use of FileFix to entice users into launching an initial payload that then proceeds to download seemingly innocuous images containing the malicious components from a Bitbucket repository. This allows the attackers to abuse the trust associated with a legitimate source code hosting platform to bypass detection. FileFix, first documented by security researcher mrd0x as a proof-of-concept (PoC) in June 2025, is a little different from ClickFix in that it eschews the need for us...

Cybersecurity researchers have disclosed details of a previously undocumented threat group called  Unfading Sea Haze  that's believed to have been active since 2018. The intrusion singled out high-level organizations in South China Sea countries, particularly military and government targets, Bitdefender said in a report shared with The Hacker News. "The investigation revealed a troubling trend beyond the historical context," Martin Zugec, technical solutions director at Bitdefender,  said , adding it identified a total of eight victims to date. "Notably, the attackers repeatedly regained access to compromised systems. This exploitation highlights a critical vulnerability: poor credential hygiene and inadequate patching practices on exposed devices and web services." There are some indications that the threat actor behind the attacks is operating with goals that are aligned with Chinese interests despite the fact that the attack signatures do not overlap wit...

Power doesn’t just disappear in one big breach. It slips away in the small stuff—a patch that’s missed, a setting that’s wrong, a system no one is watching. Security usually doesn’t fail all at once; it breaks slowly, then suddenly. Staying safe isn’t about knowing everything—it’s about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk. Here are this week’s signals—each one pointing to where action matters most. ⚡ Threat of the Week Ghost Tap NFC-Based Mobile Fraud Takes Off — A new Android trojan called PhantomCard has become the latest malware to abuse near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. In these attacks, users who end up installing the malicious apps are instructed to place their credit/debit card on the back of the phone to begin the verification process, only for the card data to be sent to an attacker-controlled NFC relay...