ClickFix Attacks Hit Crypto Users While Zero-Days Target Government Infrastructure
I’ve been tracking some concerning attack patterns this week that show how creative threat actors are getting with their delivery methods. The most interesting case involves attackers using Pastebin comments to distribute what researchers are calling “ClickFix” attacks specifically targeting cryptocurrency users.
The Pastebin Problem Gets Worse
Here’s how the ClickFix attack works: threat actors are posting malicious JavaScript in Pastebin comments, disguised as helpful fixes for common crypto wallet issues. When users copy and paste this code into their browser console (thinking they’re fixing a legitimate problem), they’re actually executing malware that hijacks Bitcoin swap transactions and redirects funds to attacker-controlled wallets.
What makes this particularly nasty is the social engineering angle. These aren’t random spam comments – they’re crafted responses to real user questions about wallet connectivity issues or transaction problems. The attackers are essentially weaponizing the helpful nature of the crypto community against itself.
We’ve seen ClickFix techniques before, but using Pastebin as a distribution mechanism is clever because it bypasses many traditional security controls. Most organizations don’t block Pastebin entirely since developers use it legitimately for code sharing and troubleshooting.
Government Infrastructure Under Fire
While crypto users deal with social engineering attacks, government agencies are facing more direct threats through zero-day exploits. European government agencies including the European Commission and agencies in Finland and the Netherlands have been breached through zero-day attacks targeting Ivanti systems.
This isn’t the first time we’ve seen Ivanti products in the crosshairs – they’ve had a rough year with multiple critical vulnerabilities. What’s concerning here is the coordinated nature of these attacks across multiple European governments. The timing and targets suggest this isn’t opportunistic scanning but rather targeted intelligence gathering.
For those of us managing government or critical infrastructure networks, this reinforces why we need to treat VPN appliances and similar edge devices as high-risk assets. These systems often have privileged network access but can be harder to patch quickly than traditional servers.
Old School Botnets Making a Comeback
Speaking of infrastructure attacks, researchers have identified a new botnet called SSHStalker that’s using some surprisingly old-school techniques. The botnet relies on IRC for command and control – which feels like a throwback to the early 2000s – and targets Linux systems using legacy kernel exploits.
What’s interesting about SSHStalker is how it blends old and new techniques. While the IRC C2 and kernel exploits are vintage approaches, the operators are using modern log cleaning tools and rootkit-style persistence mechanisms. They’re also maintaining what researchers describe as a “large back-catalog” of legacy Linux exploits, suggesting they’re specifically targeting older, unpatched systems.
This highlights a persistent problem in our industry: legacy systems that can’t be easily updated but remain connected to networks. The attackers know these systems exist and are building specialized toolkits to exploit them.
The Operational Technology Threat
The legacy system problem becomes even more critical when we look at operational technology environments. A recent analysis of OT attack techniques describes how attackers are developing “living-off-the-plant” approaches – essentially using legitimate OT tools and protocols to carry out malicious activities.
The scary part is that security through obscurity has been one of our main defenses in OT environments. Many industrial control systems use proprietary protocols and aren’t well-documented online, which has historically made them harder targets. But as researchers and attackers develop better understanding of these systems, that protection is eroding.
We’re seeing attackers who understand industrial processes well enough to cause physical damage while making their activities look like normal operations or equipment failures. That’s a level of sophistication that should worry anyone responsible for critical infrastructure security.
AI-Powered Security Tools Enter the Scene
On a more positive note, we’re seeing continued investment in AI-powered security tools. Zast.AI just raised $6 million for their approach to code security, which uses AI agents to identify and validate software vulnerabilities before reporting them.
The validation step is crucial here – we’ve all dealt with static analysis tools that generate more false positives than actionable findings. If AI can help reduce the noise while catching real vulnerabilities, that could significantly improve how development teams approach security.
What This Means for Our Defense Strategies
These attacks show us that threat actors are diversifying their approaches across the entire technology stack. We’re dealing with social engineering through legitimate platforms, zero-days against critical infrastructure, legacy exploit kits, and sophisticated OT attacks all at the same time.
The common thread is that attackers are finding creative ways to work around our existing security controls. Whether it’s using Pastebin comments to distribute malware or IRC for C2 communications, they’re betting that we’re not monitoring these channels as closely as more obvious attack vectors.
For our defensive strategies, this means we need to think beyond traditional perimeter security and signature-based detection. We need better visibility into how users interact with external platforms, more comprehensive monitoring of legacy systems, and deeper understanding of our OT environments.
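As an added illustration of the monitoring gap described above (this is example code written for this post, not a tool from any of the cited reports), the following Python snippet runs two simple detection rules over constructed connection-log lines: outbound IRC-style traffic from any host, and paste-site fetches from hosts that should never browse. The log format, host names, IP addresses and nicknames are all made up for the example; the ports are the commonly used IRC plaintext (6667) and TLS (6697) ports.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from any real environment). Field order:
# timestamp src_host src_ip dst_ip dst_port proto first_bytes_or_request
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 10.0.1.10 203.0.113.7 6667 tcp NICK svc_4412
2024-05-01T10:00:05Z web01 10.0.1.10 198.51.100.20 443 tcp GET /raw/Ab12Cd34 host=pastebin.com
2024-05-01T10:01:00Z dev-laptop 10.0.2.55 198.51.100.20 443 tcp GET /raw/Xy99 host=pastebin.com
2024-05-01T10:02:00Z db02 10.0.1.20 203.0.113.9 8443 tcp JOIN #ctrl
2024-05-01T10:03:00Z web01 10.0.1.10 10.0.1.20 5432 tcp <postgres handshake>
"""

IRC_PORTS = {6667, 6697}                       # common IRC plaintext / TLS ports
IRC_COMMANDS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b")  # IRC handshake verbs
SERVER_HOSTS = {"web01", "db02"}               # assumed: servers never browse paste sites
PASTE_SITES = ("host=pastebin.com",)


@dataclass
class Alert:
    host: str
    reason: str
    line: str


def detect(log_text: str) -> list:
    """Return one Alert per rule hit; a line can trigger more than one rule."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 7:
            continue                           # skip malformed lines
        _ts, host, _src, _dst, port, _proto, payload = parts
        # Rule 1: IRC on a known port, or IRC verbs on any port (port-agnostic C2)
        if int(port) in IRC_PORTS or IRC_COMMANDS.match(payload):
            alerts.append(Alert(host, "outbound IRC-style traffic (possible C2)", line))
        # Rule 2: a server pulling raw content from a paste site
        if host in SERVER_HOSTS and any(p in payload for p in PASTE_SITES):
            alerts.append(Alert(host, "server fetching from paste site", line))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.host}: {a.reason}\n    {a.line}")
```

The developer laptop's Pastebin fetch is deliberately not flagged, since the point is to catch the unusual actor (a server) rather than to block a site developers legitimately use.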
Sources
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
- Zast.AI Raises $6 Million for AI-Powered Code Security
- SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits
- European Governments Breached in Zero-Day Attacks Targeting Ivanti
- OT Attacks Get Scary With ‘Living-off-the-Plant’ Techniques