Research /var/log/messages

Threat actors constantly look for ways to circumvent traditional security measures to deliver malware to unsuspecting users. One of the most effective delivery methods to emerge in 2024 and one that remains highly popular amongst threat actors today are ClickFix-style attacks. In these attacks, a victim is prompted to copy and paste or manually type a seemingly benign command on their machine, which triggers a malicious chain of activity, typically resulting in the deployment of information-stealing malware on the victim’s endpoint.

In February 2026, WithSecure’s MDR (Managed Detection and Response) team investigated an incident involving the execution of a ClickFix-type command on a corporate endpoint that led to the deployment of Vidar information stealer malware.

Upon a closer look by WithSecure STINGR (Strategic Threat Intelligence and Research) group, it was discovered that these specific ClickFix commands were being promoted through hundreds (and potentially thousands) of video content such as reels and shorts published across major social media platforms such as Instagram, Facebook, and Tiktok. Masquerading as topics such as tech tips, some of these videos have garnered hundreds of thousands of views, with total views reaching into the millions when combined.

Shortly after the publication of a Proof-of-Concept exploit for two critical RCE vulnerabilities in Ivanti Endpoint Manager Mobile by the end of January 2026, mass exploitation started. While some threat actors performed these in a highly opportunistic way, others knew very well what they were after. On a compromised host investigated by our Incident Response team, we confirmed the successful exfiltration of sensitive EPMM data through a fully automated and carefully prepared attack. This post explains the observed attack chain and highlights some lesser-known technical aspects, including the connection to an open-source offensive framework.

Cybercrime-as-a-Service has evolved into a complex, scalable economy with modular roles, faster attack chains, and increasing use of AI, requiring defenders to adapt their strategies accordingly.

In 2025, WithSecure discovered two cyberattacks that we attributed to the Andariel group, a state-sponsored cyber group linked to the RGB 3^rd bureau of Democratic People’s Republic of Korea (DPRK). During our investigation, we also discovered a staging server used by Andariel. We were able to pull artifacts from it during its uptime.

Throughout our research, we identified several new implants, tools, and techniques that shape a part of Andariel’s latest arsenal. These include new remote access trojans (RATs) such as JelusRAT, StarshellRAT, and GopherRAT, as well as tools and techniques such as a custom port scanner, a PetitPotato sample, and abusing a vulnerable driver to target AV/EDR products.

WithSecure's STINGR Group is releasing a detailed technical analysis of TangleCrypt, a previously undocumented packer for Windows malware. The packer was found on two executables of the STONESTOP EDR killer used in a recent ransomware attack. The blogpost describes how TangleCrypt unpacks and launches the payload, which anti-analysis techniques it uses, and the implementation flaws we identified.

WithSecure’s STINGR has been investigating a malware campaign, tracked as WEBJACK, which compromises Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites. The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).