One of Russia's most elite hacking groups has adopted an attack known as Clickfix, targeting sensitive organizations in Ukraine. This technique involves websites displaying a CAPTCHA that requires visitors to copy a jumble of text and paste it into their terminal. The text contains scripts that install malware or exfiltrate data once entered.
The campaign began in the spring and has continued through the summer. Ukrainian authorities have discovered 10 compromised websites, with one network compromise resulting from an infection by FreakyPoll, a custom malware package developed by Sandworm, an advanced hacking unit inside the GRU, Russia's military intelligence arm.
Once users enter the script, it can install malicious Visual Basic scripts and other malware. Typically, the first program to run is a reconnaissance tool that gathers information from the infected device. Systems deemed important then receive follow-on malware that backdoors the system, allowing continued access.
The technique has emerged as an effective attack strategy for financially motivated criminals in recent years. As even Russia's elite hackers are using it, this could indicate a shift towards simpler yet more widespread methods of cyberattack, challenging the resilience of cybersecurity measures.







