
Latest news with #WindowsRun

Your Passwords Are At Risk — New Windows XFiles Attack Confirmed

Forbes

10 hours ago


Windows passwords come under attack from XFiles threat.

Two things that are guaranteed to strike fear into the hearts of anyone concerned about cybersecurity attacks are Windows and passwords. Combine the two, and you have the basis of what can be something of a security nightmare. With Microsoft account password spraying attacks and warnings over opening specific Outlook files in the news as Windows email, passwords and 2FA codes come under attack, this is kind of understandable. Now, with confirmation of a password-stealing threat called XFiles, is there even more cause for concern? The truth, as they say, is out there.

A group of self-proclaimed elite threat hunters and cyber analysts has issued a warning that attackers deploying a malware payload called XFiles, also known as DeerStealer, are targeting Windows users in order to compromise passwords that can then be sold on dark web criminal marketplaces. A June 12 report published by the eSentire Threat Response Unit has revealed how, throughout May, threat actors have been using the XFiles payload in order to steal Windows passwords that can then be sold by a dark web user known only as LuciferXfiles.

The methods employed are sadly all too familiar, involving ClickFix attacks during the initial access process. These tech support scams combine seemingly genuine offers of help regarding security issues surrounding account activity with fake ID Captcha prompts that involve executing malicious commands using the Windows Run prompt. Should the victim get to this stage, they will then download something called HijackLoader, often obfuscated using an encrypted PNG image, that downloads the real payload, the XFiles infostealer malware, to compromise passwords, browser 2FA session cookies, instant messages and more. Read the full report for a detailed technical analysis of the entire attack chain.

When it comes to mitigation, however, the eSentire TRU advice is clear: I would have to add to this that opening the Windows Run prompt and pasting the clipboard's content, which is how ClickFix attacks work, is hardly conducive to good security practice or, frankly, common sense. I mean, how many Captcha or I Am Not A Robot tests have ever asked you to do that? The answer is zero. Protect your passwords by not being tricked into doing something that is so obviously out of the ordinary.

Hackers target popular student site iClicker to spread malware via ClickFix attacks — how to stay safe

Tom's Guide

12-05-2025


Digital classroom tool iClicker was compromised between April 12 and April 16th by a ClickFix attack, which uses a fake CAPTCHA to trick victims into installing malware. This particular hack attempted to fool students and instructors into pressing 'I'm not a robot' in order to verify themselves. However, instead of proving they were human, they actually copied a PowerShell script onto their Windows clipboard.

The convincing-looking CAPTCHA requests victims to open a Windows Run dialog (Win + R) and then use Ctrl + V to unknowingly paste the PowerShell script into it. The user then executes the malware by pressing Enter to 'verify' themselves. The PowerShell script varied depending on the type of visitor, so it was difficult to determine what type of malware was installed, though ClickFix attacks often install infostealers.

ClickFix attacks have recently become more common, and are social engineering attacks used in malware campaigns like the Cloudflare CAPTCHA attacks. They often spread infostealers onto victims' devices, which are designed to steal data like cookies, credentials, passwords, credit cards, and browsing history. An infostealer may also steal cryptocurrency wallets, private keys and text files that contain sensitive information. This data is returned to the attacker who either sells it on the dark web or uses this stolen info in future attacks.

The ClickFix attack is no longer running on iClicker's website, though the PowerShell payload can still be launched by running a command using

iClicker is owned by Macmillan, who has yet to comment on the breach. It is used by instructors to take attendance and track student engagement, and used by students to ask live questions or to take surveys. Colleges and universities across the United States use the software, including the University of Michigan and the University of Florida; over 5,000 instructors and 7 million students are currently using this tool.

According to the iClicker security bulletin, the company recommends that any faculty member or student who may have clicked on a false CAPTCHA during the April 12-16th time period should run a full scan using the best antivirus security software to make sure their devices remain protected. Users who accessed iClicker while the site was compromised and followed the fraudulent CAPTCHA instructions should also change their iClicker password and, especially if the command was executed, change all the other passwords stored on their computer to unique and strong ones. You can always use one of the best password managers to help with this.

It's worth keeping in mind that anyone who accessed iClicker using the mobile app or who did not encounter the fake CAPTCHA is not at risk. However, it's certainly still worth being aware of this scam and others like it, along with how to schedule scans with your antivirus software, which should absolutely be kept up to date too.
