A Qilin ransom note
A deceptive social engineering tactic known as “ClickFix” has evolved into a gateway for major ransomware attacks, with researchers uncovering a direct link between these fake verification prompts and the notorious Qilin ransomware group. A new report from the Counter Threat Unit (CTU) research team details how a simple browsing error spiraled into a full-scale network compromise involving multiple malware families and stolen VPN credentials.
The “ClickFix” tactic exploits a user’s conditioning to click through security checks. As the report explains, the technique “essentially relies on a victim following a series of instructions that masquerade as a human verification request”.
The investigation began with a user visiting a legitimate but compromised website, aquafestonline[.]com. Hidden within the site was a malicious script that fetched a heavily obfuscated JavaScript file from an external source.
This script was designed to be selective. It “fingerprints the user’s operating system and browser type” and even creates a unique tracking string to “limit attacks on the system to one per 24-hour period”.
When triggered, the script generated a fake “ClickFix” verification page. Victims who followed the prompts to “verify” themselves were not proving their humanity—they were unknowingly downloading a batch file that installed NetSupport Manager, a legitimate remote administration tool often abused by attackers.

Once the NetSupport Remote Access Trojan (RAT) was established, the attackers pivoted. The RAT connected to a command-and-control server and downloaded a ZIP archive containing a legitimate Microsoft executable (mfpmp.exe). This executable was used to sideload a malicious DLL, triggering an infection with StealC V2, a potent information stealer released in March 2025.
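The two host-side stages described above, the ClickFix batch file and the mfpmp.exe DLL sideload, both leave process-creation and image-load telemetry. The following detector is an added example, not code from the CTU report or from this article: it scans constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) and flags a browser or explorer.exe spawning a command interpreter that runs a .bat from a user-writable directory, and a copy of mfpmp.exe executing outside the Windows system directories while loading a DLL from its own folder. The browser and interpreter names, the user-writable path pattern, the assumption that the genuine mfpmp.exe lives under System32, and all sample events are assumptions made for the example.

```python
"""Added example: heuristic detection of the ClickFix batch stage and the
mfpmp.exe DLL-sideload stage over constructed Sysmon-style events.
Field names follow Sysmon (EventID, Image, ParentImage, CommandLine,
ImageLoaded); everything else is an assumption for illustration."""
import ntpath
import re

# Assumed parent processes for a user-driven "verification" step.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}
# Assumed locations of the genuine mfpmp.exe; a copy elsewhere is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
BAT_PATH = re.compile(r'"?([a-z]:\\[^"\s]+\.bat)"?', re.I)


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def clickfix_stage(ev):
    """Event 1: browser/explorer -> cmd/powershell running a .bat from a
    user-writable directory. Returns an alert string or None."""
    if ev.get("EventID") != 1:
        return None
    if base(ev["Image"]) not in INTERPRETERS:
        return None
    if base(ev["ParentImage"]) not in BROWSERS:
        return None
    m = BAT_PATH.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE.match(m.group(1)):
        return (f"clickfix-batch: {base(ev['ParentImage'])} -> "
                f"{base(ev['Image'])} ran {m.group(1)}")
    return None


def sideload_stage(ev):
    """Event 7: mfpmp.exe running outside the system directories loads a
    DLL from the same directory it was launched from (sideload pattern)."""
    if ev.get("EventID") != 7:
        return None
    if base(ev["Image"]) != "mfpmp.exe" or in_system_dir(ev["Image"]):
        return None
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if exe_dir == dll_dir:
        return f"dll-sideload: {ev['Image']} loaded {ev['ImageLoaded']}"
    return None


def scan(events):
    """Run every rule over every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in (clickfix_stage, sideload_stage):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\verify.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mfpmp.exe",
     "ImageLoaded": r"C:\Windows\System32\mf.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Update\mfpmp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\loader.dll"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The two rules are deliberately narrow: the batch rule keys on a user-driven parent plus a script in a user-writable path rather than on any cmd.exe launch, and the sideload rule fires only when a renamed-location mfpmp.exe loads a DLL from its own directory, which is what the legitimate System32 copy never does. Both are starting points to tune against your own baseline, not a complete signature set.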
“The updated version offered significant upgrades in terms of stealth and versatility,” the researchers noted regarding StealC V2.
The final blow came approximately one month later. Using credentials likely harvested by StealC, threat actors accessed the victim’s network via a Fortinet VPN account. Shortly after, Qilin ransom notes (README-RECOVER-ID) appeared across the network.
“Analysis revealed that the threat actor used stolen credentials to access the network via a privileged account on a Fortinet VPN device,” the report states.
The involvement of Qilin (operated by the GOLD FEATHER threat group) highlights the severity of the campaign. Qilin has been identified as the “most prevalent ransomware-as-a-service (RaaS) operation between January 2024 and December 17, 2025,” claiming 1,168 victims in that period alone.
The group employs a “double-extortion model,” stealing sensitive data to use as leverage while simultaneously encrypting the victim’s systems.
The CTU team recommends organizations focus on “patching vulnerable internet-facing devices” and ensuring that services like RDP are not exposed without a critical business need.
Most importantly, the path from a stolen credential to a ransomware deployment can be blocked by identity security. The report advises “robustly implementing phishing-resistant multi-factor authentication (MFA) across the network” to prevent initial access brokers from selling a way in.