Datadog reports an ongoing campaign using fake GitHub repositories to trick users into installing infostealers via the ClickFix technique. The threat actor targets established software brands and has introduced a new variant called SHub Stealer v2.0, which includes advanced features like persistence and remote access.

A new ClickFix campaign targets the hospitality sector in Europe, using fake Windows BSOD screens to trick users into executing malware. Attackers send phishing emails impersonating Booking.com, leading victims to a convincing fake website that prompts them to run malicious commands. Once executed, the malware grants remote access and can spread within the network.

A cybersecurity researcher has introduced FileFix, a new variant of the ClickFix social engineering attack, which exploits the Windows File Explorer address bar to execute malicious PowerShell commands. This method tricks users into pasting commands by disguising them within what appears to be a legitimate file-sharing notification, making it a more user-friendly approach for attackers. FileFix highlights the adaptability of phishing techniques, as it presents a familiar interface to users while executing harmful commands.

iClicker's website was compromised in a ClickFix attack that used a fake CAPTCHA to trick users into executing a PowerShell script that potentially installed malware on their devices. The attack, targeting college students and instructors, aimed to steal sensitive data, but the malware's specific nature varied based on the visitor type. Users who interacted with the fake CAPTCHA between April 12 and April 16, 2025, are advised to change their passwords and run security checks on their devices.