Security and Cloud, 9 September 2025

From RATs to AI: How New Malware Blends Old Tricks with Next-Gen Threats

It’s a classic tale of new tricks and old dogs. Recent reports from cybersecurity researchers are shining a light on how cybercriminals are blending advanced, highly technical exploits with simple, deceptive social engineering. The result? Sophisticated new threats like MostereRAT and novel takes on the ClickFix scam, both designed to steal your data and bypass security. These campaigns highlight a growing trend where attackers use every tool at their disposal—from obscure programming languages to sneaky AI manipulation—to get past your defenses.

Unpacking MostereRAT: A Master of Disguise

Cybersecurity firm Fortinet FortiGuard Labs recently uncovered a phishing campaign delivering a dangerous piece of malware known as MostereRAT. Initially a banking trojan, this malware has evolved into a full-fledged remote access tool that gives attackers complete control over a compromised system.

Here’s what makes this threat so unique:

  • Linguistic Lures: The campaign primarily targets users in Japan with emails that look like legitimate business inquiries, a clever social engineering tactic.
  • Obscure Code: MostereRAT is built using an uncommon visual programming language called Easy Programming Language (EPL), which is used mainly by non-English speakers. This makes the malware harder for many researchers to analyze and reverse-engineer, since the unfamiliar language itself acts as a form of obfuscation.
  • Security Evasion: The malware disables a wide range of security tools by blocking their network traffic. It even copies the approach of EDRSilencer, a known “red team” tool, to prevent security products from sending alerts or telemetry back to their servers.
  • High-Privilege Access: MostereRAT can run as a TrustedInstaller, a highly privileged Windows account. This lets it make deep system changes, like modifying the registry, deleting files, and adding a hidden admin user.

This evolution from a simple banking trojan to a multi-functional RAT shows how cybercriminals are getting more resourceful, moving beyond just stealing credentials to setting up long-term access for data theft and surveillance.
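The evasion and privilege behaviours above leave telemetry a defender can watch for. The script below is an added example, not code from Fortinet, the article or the malware itself: it runs two detection rules over constructed, simplified log records, one for Windows Filtering Platform (WFP) filter changes that block a security product's network traffic (the technique EDRSilencer uses) and one for processes running under the TrustedInstaller identity or spawned by TrustedInstaller.exe outside normal Windows servicing. The record field names, the security-tool list and the sample events are assumptions.

```python
"""Detection sketch for two MostereRAT behaviours described above: Windows
Filtering Platform (WFP) filters that block a security tool's outbound traffic
(the EDRSilencer technique) and processes running with the TrustedInstaller
identity. Added example, not Fortinet's code or the malware's. Records are
constructed and simplified: the field names are assumptions, not the exact
schema of Windows Security event 5447 (WFP filter changed) or Sysmon event 1."""
import ntpath

# Illustrative security-tool binaries; extend with the products in your estate
SECURITY_TOOL_IMAGES = {
    "msmpeng.exe",          # Microsoft Defender Antivirus engine
    "mssense.exe",          # Microsoft Defender for Endpoint sensor
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "sentinelagent.exe",    # SentinelOne agent
}
TRUSTED_INSTALLER_ACCOUNT = r"nt service\trustedinstaller"
# Images that legitimately run with that identity on a stock system (assumption)
EXPECTED_TI_IMAGES = {"trustedinstaller.exe", "tiworker.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path; works on any host OS."""
    return ntpath.basename(path or "").lower()


def check_wfp_filter(event):
    """A WFP filter that blocks traffic for a security-tool process."""
    if event.get("source") != "wfp" or event.get("action") != "block":
        return None
    image = image_name(event.get("app_path"))
    if image in SECURITY_TOOL_IMAGES:
        return {"rule": "wfp_block_security_tool", "image": image,
                "filter_name": event.get("filter_name")}
    return None


def check_trusted_installer(event):
    """A process created under the TrustedInstaller account, or an unexpected
    child of TrustedInstaller.exe, that is not part of Windows servicing."""
    if event.get("source") != "process_create":
        return None
    image = image_name(event.get("image"))
    parent = image_name(event.get("parent_image"))
    user = (event.get("user") or "").lower()
    if image in EXPECTED_TI_IMAGES:
        return None
    if user == TRUSTED_INSTALLER_ACCOUNT:
        return {"rule": "process_as_trustedinstaller", "image": image, "parent": parent}
    if parent == "trustedinstaller.exe":
        return {"rule": "unexpected_trustedinstaller_child", "image": image, "parent": parent}
    return None


def analyze(events):
    """Runs every check over every record and returns the findings in log order."""
    findings = []
    for event in events:
        for check in (check_wfp_filter, check_trusted_installer):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry; paths and names are placeholders, not IoCs
SAMPLE_EVENTS = [
    {"source": "wfp", "action": "block", "filter_name": "Custom Outbound Filter",
     "app_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\X.Y\MsMpEng.exe"},
    {"source": "wfp", "action": "permit", "filter_name": "Allow DNS",
     "app_path": r"C:\Windows\System32\svchost.exe"},
    {"source": "process_create", "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "user": r"NT SERVICE\TrustedInstaller"},
    {"source": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\update.exe", "user": r"NT SERVICE\TrustedInstaller"},
    {"source": "process_create", "image": r"C:\Windows\WinSxS\placeholder\TiWorker.exe",
     "parent_image": r"C:\Windows\servicing\TrustedInstaller.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the sample records only the Defender block filter and the cmd.exe running as TrustedInstaller are reported; TrustedInstaller.exe and TiWorker.exe, the normal servicing processes, are allow-listed so routine Windows updates do not fire the rule.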

ClickFix: A New Twist on an Old Scam

As if MostereRAT wasn’t enough, researchers at Huntress have also detailed a new spin on the ClickFix social engineering scam. This trick convinces users they need to “fix” a broken process by manually clicking through a series of steps.

Here’s the breakdown:

  • Fake Verification: The attack starts with a fake Cloudflare Turnstile page that asks the user to check a box to prove they’re not a bot.
  • Deceptive Pop-ups: When the user clicks, a pop-up appears, telling them to open their Windows File Explorer.
  • URI Protocol Exploitation: Behind the scenes, hidden PHP code uses the search-ms: URI protocol to open File Explorer at a specific, attacker-controlled location. Explorer then displays what looks like a PDF file but is actually a malicious LNK file (a Windows shortcut).

When the user clicks the “PDF,” it triggers a chain of events that downloads and installs an information stealer called MetaStealer. The entire process relies on the user’s willingness to follow instructions to fix a seemingly broken page. The cleverness of this attack lies in how it bypasses automated security measures, which typically look for direct downloads or executable files rather than human interaction with a benign-looking pop-up.

The Alarming Role of AI in These Scams

A particularly troubling development, detailed by CloudSEK, shows how the ClickFix technique is being weaponized with artificial intelligence. Attackers are using a new method called “prompt overdose” to manipulate AI summarization tools.

Here’s how it works:

  • Invisible Payload: Attackers embed a malicious ClickFix payload within HTML content, using CSS to make it invisible to the user.
  • AI Manipulation: They then overwhelm an AI model’s context window with this hidden text. When the AI is asked to summarize the content, its attention is drawn repeatedly to the hidden instructions.
  • Malicious Summary: The AI-generated summary then subtly includes the malicious ClickFix instructions, guiding the user to unwittingly initiate an attack.

This is a game-changer. It means that attackers can now use the AI tools we trust—like those in email clients or browser extensions—as a delivery mechanism for their attacks, bypassing traditional security filters.

What Can You Do to Stay Safe?

These new threats prove that hackers are always innovating. To protect yourself, it’s not enough to rely on automated security alone.

  • Be a Smart Clicker: Be extremely cautious with links and attachments in emails, especially if they’re from unknown senders. No legitimate company will ask you to “fix” a process by opening your file explorer or downloading an obscure file.
  • Patch and Update: Keep your operating system, browsers, and security software up to date. This is your first line of defense.
  • Educate Yourself: Understand the signs of a phishing attempt. Look for unusual sender addresses, strange language, or demands for immediate action.

The future of cybersecurity is a race between innovative attackers and proactive defenders. These recent campaigns highlight how crucial it is to stay ahead of the curve. How do you stay on top of the latest cybersecurity threats?

Intelligence source: Inventrium Research