ctipilot.ch


Research: ClickFix matured into a productised malware-as-a-service supply chain

notable research discovered 2026-06-22 00:14 UTC

Entities: Operation Endgame ErrTraffic

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

A second cross-day research thread: the ClickFix technique — fake browser/update dialogues that trick users into pasting attacker PowerShell — has industrialised. Sekoia documented ErrTraffic, a ClickFix Malware-as-a-Service framework that resolves its C2 through the Polygon blockchain (Sekoia, 2026-06-17; daily 06-17), and Huntress detailed the Potemkin loader delivering RMMProject RAT through a ClickFix chain that also bypasses Chromium App-Bound Encryption (Huntress, 2026-06-17; daily 06-17). ErrTraffic also surfaced as one of the SocGholish-adjacent clusters still operating after the Operation Endgame takedown (§ 8). The pattern for defenders: ClickFix is now a delivery channel with multiple competing operators and resilient C2, so user-paste-to-PowerShell detection (clipboard-sourced powershell.exe/mshta.exe invocations, RunMRU artefacts) is worth promoting from awareness training to a standing hunt.
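To make the "standing hunt" concrete, the following is an added example (not code from ctipilot.ch, Sekoia or Huntress) that runs the two checks named above over constructed telemetry: process-creation records where powershell.exe or mshta.exe is spawned directly by explorer.exe (the parent a Win+R or Run-dialog paste produces) with the window-hiding or policy-bypass flags typical of pasted one-liners, and RunMRU registry values, which Windows stores as `command\1` with a `MRUList` value giving most-recent-first order. Every event, host name, user and command line below is a constructed sample; the command payloads are literal placeholders.

```python
"""Hunt for ClickFix-style user-paste execution in constructed telemetry.

Added example, not from the brief or the cited vendors. Two signals:
1. Process creation: powershell.exe / pwsh.exe / mshta.exe launched by explorer.exe
   (the parent of a Win+R paste) and/or carrying flags typical of pasted one-liners.
2. RunMRU values (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU)
   whose command starts with one of those binaries. Windows stores each entry as
   "<command>\\1" and orders them via the MRUList value, most recent first.
"""
from dataclasses import dataclass
import re

SUSPECT_STEMS = {"powershell", "pwsh", "mshta"}   # image names without .exe
SHELL_PARENTS = {"explorer"}                       # Run dialog launches come from explorer.exe
# Flags common in pasted one-liners: hidden window, bypassed execution policy, encoded command.
SUSPECT_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass|"
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


def stem(path: str) -> str:
    """'C:\\Windows\\explorer.exe' -> 'explorer'; 'powershell' -> 'powershell'."""
    name = path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_process(ev: ProcEvent) -> list:
    """Return the reasons an event looks like a ClickFix paste; empty list if benign."""
    reasons = []
    if stem(ev.image) not in SUSPECT_STEMS:
        return reasons
    if stem(ev.parent_image) in SHELL_PARENTS:
        reasons.append("shell-parent")      # explorer.exe -> powershell/mshta
    if SUSPECT_FLAGS.search(ev.cmdline):
        reasons.append("suspect-flags")     # hidden / bypass / encoded
    return reasons


def parse_runmru(values: dict) -> list:
    """values maps RunMRU value name -> data, e.g. {'MRUList': 'ba', 'a': 'notepad\\1'}.
    Returns [(position, command)] for entries invoking a suspect image, most recent first."""
    hits = []
    for pos, name in enumerate(values.get("MRUList", "")):
        data = values.get(name, "")
        cmd = data[:-2] if data.endswith("\\1") else data   # strip the trailing "\1"
        tokens = cmd.strip().split()
        if tokens and stem(tokens[0]) in SUSPECT_STEMS:
            hits.append((pos, cmd))
    return hits


def hunt(events: list, runmru_by_host: dict) -> list:
    """Combine both signals into a flat list of findings for a SIEM or notebook."""
    findings = []
    for ev in events:
        reasons = score_process(ev)
        if reasons:
            findings.append({"host": ev.host, "user": ev.user, "ts": ev.ts,
                             "image": stem(ev.image), "reasons": reasons})
    for host, values in runmru_by_host.items():
        for pos, cmd in parse_runmru(values):
            findings.append({"host": host, "runmru_position": pos, "command": cmd})
    return findings


# --- constructed samples (not real telemetry) ---
SAMPLE_EVENTS = [
    ProcEvent("2026-06-17T09:12:03Z", "WS-042", "j.doe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<constructed placeholder>"'),
    ProcEvent("2026-06-17T09:15:40Z", "WS-042", "j.doe", r"C:\Tools\Code.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoLogo"),                       # IDE terminal, benign
    ProcEvent("2026-06-17T10:02:11Z", "WS-077", "a.lee", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/page"),
]
SAMPLE_RUNMRU = {"WS-042": {"MRUList": "ba", "a": "notepad\\1",
                            "b": 'powershell -w hidden -c "<constructed placeholder>"\\1'}}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_RUNMRU):
        print(f)
```

The explorer.exe parent is the high-value part of the signal: legitimate automation rarely launches powershell.exe or mshta.exe from the interactive shell, so pairing it with the RunMRU entry on the same host gives a corroborated finding rather than a flag-only alert that IDEs and admin scripts would trip.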

phishing infostealer organized-crime global