NCSA Webboard

    Cyber Threat Intelligence 07 August 2025

    Cyber Security News
      NCSA_THAICERT

      Vulnerabilities

      • Microsoft Releases Guidance On High-Severity Vulnerability (CVE-2025-53786) In Hybrid Exchange Deployments
        "CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service. While Microsoft has stated there is no observed exploitation as of the time of this alert’s publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise."
        https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
      • Trend Micro Warns Of Apex One Zero-Day Exploited In Attacks
        "Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform. Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities. This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software."
        https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-endpoint-protection-zero-day-exploited-in-attacks/
        https://success.trendmicro.com/en-US/solution/KA-0020652
        https://thehackernews.com/2025/08/trend-micro-confirms-active.html
        https://www.darkreading.com/vulnerabilities-threats/attackers-exploit-trend-micro-apex-one-zero-day-flaw
        https://www.infosecurity-magazine.com/news/attackers-critical-apex-one/
        https://www.securityweek.com/trend-micro-patches-apex-one-vulnerabilities-exploited-in-wild/
        https://securityaffairs.com/180856/hacking/trend-micro-fixes-two-actively-exploited-apex-one-rce-flaws.html
        https://www.helpnetsecurity.com/2025/08/06/trend-micro-apex-one-flaws-exploted-in-the-wild-cve-2025-54948-cve-2025-54987/
      • CISA Releases Malware Analysis Report Associated With Microsoft SharePoint Vulnerabilities
        "CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:
        CVE-2025-49704 [CWE-94: Code Injection],
        CVE-2025-49706 [CWE-287: Improper Authentication],
        CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and
        CVE-2025-53771 [CWE-287: Improper Authentication]"
        https://www.cisa.gov/news-events/alerts/2025/08/06/cisa-releases-malware-analysis-report-associated-microsoft-sharepoint-vulnerabilities
      • Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults
        "Researchers have unearthed nine zero-day security vulnerabilities in HashiCorp Vault and five in CyberArk Conjur, password vaults used by thousands of companies. Secret management platforms like these are the most sensitive systems you can find at any enterprise. It's why they're also referred to as "vaults" — they're the big, iron doors that protect all of an enterprise's passwords, certificates, encryption keys, application programming interface (API) keys, etc."
        https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs-cyberark-hashicorp-password-vaults
        https://www.securityweek.com/enterprise-secrets-exposed-by-cyberark-conjur-vulnerabilities/
      • WWBN, MedDream, Eclipse Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/wwbn-meddream-eclipse-vulnerabilities/
      • Google Gemini AI Bot Hijacks Smart Homes, Turns Off The Lights
        "In a real-life demonstration, three security researchers illustrated how they could hijack Google's artificial intelligence bot, Gemini, and use it to take over smart home functions. The attack began with a poisoned Google Calendar invitation, in which the researchers included an invisible, indirect prompt injection telling the LLM to carry out malicious actions when called upon. The malicious prompts were hidden within the titles of the calendar invites in English, not requiring any technical knowledge, according to the researchers, meaning that they can be developed by virtually anyone."
        https://www.darkreading.com/cyberattacks-data-breaches/google-gemini-ai-bot-hijacks-smart-homes
      • #BHUSA: Security Researchers Uncover Critical Flaws In Axis CCTV Software
        "Thousands of organizations could be vulnerable to attack after researchers discovered four critical vulnerabilities in the products of Axis Communications, a leading manufacturer of CCTV cameras and surveillance equipment. OT security firm Claroty and its research branch, Team82, shared findings at Black Hat USA, in Las Vegas, on August 6."
        https://www.infosecurity-magazine.com/news/bhusa-critical-flaws-axis-cctv/
      • ECScape: Understanding IAM Privilege Boundaries In Amazon ECS
        "This post is Part 2 of our educational series on Amazon ECS security. In Part 1 – Under the Hood of Amazon ECS on EC2, we explored how the ECS agent, IAM roles and the ECS control plane provide credentials to tasks. Here we’ll demonstrate how those mechanisms can lead to a known risk when tasks with different privilege levels share the same EC2 host. This cross-task credential exposure highlights the inherent risks of relying on per-task IAM scoping and task execution boundaries when workloads share the same EC2 instance, and it underscores why Fargate (where each task runs in its own micro‑VM) offers stronger isolation. Our goal is to help you understand the IAM privilege boundaries in Amazon ECS and how to configure your services securely."
        https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
        https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
      • When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts In Active Directory
        "BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue. By analyzing the core mechanics of this technique and offering practical detection strategies, we help security professionals and system administrators understand dMSAs and how attackers can misuse them to elevate privileges. We also provide advice on how to implement effective detection and mitigation strategies."
        https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/

      Malware

      • Makop Ransomware Identified In Attacks In South Korea
        "AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. The Makop ransomware has been distributed to South Korean users by disguising as resumes or emails related to copyrights for several years. Recently, it has been reported that the ransomware is exploiting RDP for attacks."
        https://asec.ahnlab.com/en/89397/
      • GRITREP: Observed Malicious Driver Use Associated With Akira SonicWall Campaign
        "Bottom-Line Up Front (BLUF): We have observed Akira affiliates exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting. In this report, we detail the observed drivers and provide a YARA rule based on associated strings, conditions, and imports. We advise defenders to hunt for the presence of these drivers, which date back to at least July 15, 2025."
        https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/
        https://www.bleepingcomputer.com/news/security/akira-ransomware-abuses-cpu-tuning-tool-to-disable-microsoft-defender/
        https://hackread.com/akira-ransomware-sonicwall-vpns-drivers-bypass-security/
      • Ghost Calls: Abusing Web Conferencing For Covert Command & Control (Part 2 Of 2)
        "In part one, we discussed the architecture of web conferencing applications, with a specific focus on Zoom’s architecture to support web conferencing at a massive global scale. Part two will discuss the approach we developed to support tunneling traffic through Zoom and Microsoft Teams using the TURN protocol. Let’s start with a quick recap of what we discussed in part one and then move into the options we considered for tunneling traffic through web conferencing infrastructure."
        https://www.praetorian.com/blog/ghost-calls-abusing-web-conferencing-for-covert-command-control-part-2-of-2/
        https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuses-zoom-and-microsoft-teams-for-c2-operations/
      • VexTrio Cybercrime Outfit Run By Legit Ad Tech Firms
        "For years, security researchers and threat analysts believed that much of the malicious traffic distribution system (TDS) activity on the Internet stemmed from your average cybercriminals. But new research reveals the culprits are a network of seemingly legitimate corporations in the digital advertising industry. At Black Hat USA in Las Vegas today, researchers with network security vendor Infoblox discussed their findings in a session titled "No Hoodies Here: Organized Crime in AdTech." The research focuses on VexTrio, an extensive cybercrime operation that was first detailed by Infoblox last year."
        https://www.darkreading.com/threat-intelligence/vextrio-cybercrime-outfit-legit-ad-tech
        https://thehackernews.com/2025/08/fake-vpn-and-spam-blocker-apps-tied-to.html
        https://www.infosecurity-magazine.com/news/bhusa-cybercrime-network-vextrio/
      • Phishers Abuse Microsoft 365 To Spoof Internal Users
        "Cybercriminals appear to have found a troubling new way to bypass Microsoft 365's email security defenses and deliver convincing phishing emails to targeted users. The tactic exploits a legitimate Microsoft 365 feature, Direct Send, to make malicious emails appear as if they are coming from internal users. It allows attackers to evade key email authentication protocols, such as SPF, DKIM, and DMARC, that help verify whether a message is genuinely from the domain it claims to be."
        https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users
        https://www.strongestlayer.com/blog/direct-send-deception-microsoft-365-exploit-credential-theft
      • The Anatomy Of a Deepfake Voice Phishing Attack: How AI-Generated Voices Are Powering The Next Wave Of Scams
        "Deepfake vishing – fraudulent phone calls that leverage AI‑generated voice clones – has rapidly evolved into one of today’s most sophisticated social‑engineering threats. This research dissects the full attack chain, from harvesting target audio on social media to crafting hyper‑realistic calls that bypass traditional caller‑ID and voice‑biometric checks. Drawing on Group-IB’s experience in real‑world incidents and threat‑intelligence telemetry, this research highlights the sectors most at risk: finance, executive services, and remote‑work help desks. Through detection techniques such as acoustic fingerprinting and multimodal authentication, this research aims to provide cybersecurity professionals with a layered defense strategy that blends AI‑powered anomaly analysis with robust employee awareness training."
        https://www.group-ib.com/blog/voice-deepfake-scams/
      • Driver Of Destruction: How a Legitimate Driver Is Being Used To Take Down AV Processes
        "In a recent incident response case in Brazil, we spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October 2024. This malicious artifact abuses the ThrottleStop.sys driver, delivered together with the malware, to terminate numerous antivirus processes and lower the system’s defenses as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver). AV killers that rely on various vulnerable drivers are a known problem. We have recently seen an uptick in cyberattacks involving this type of malware."
        https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
      • Malware Brief: Something Old, Something New …
        "Today we’ll round up a few of the latest malware trends, including threats to Entra ID data and AI-company spoofing. Plus, we’ll reach into the way-back file and check in on a classic ransomware variant that’s still doing plenty of harm nearly 10 years after its first appearance on the scene."
        https://blog.barracuda.com/2025/08/06/malware-brief-something-old-something-new
      • CERT-UA Warns Of HTA-Delivered C# Malware Attacks Using Court Summons Lures
        "The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE."
        https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
        https://therecord.media/hackers-using-fake-summonses-ukraine
      • Muddled Libra: Why Are We So Obsessed With You?
        "Many articles and presentations have covered the tactics, techniques and procedures of the group that Unit 42 tracks as Muddled Libra. Known for social engineering tactics, the group recently attacked organizations in industries including government, retail, insurance and aviation. There's an undeniable impact for the group’s victims, but I’ve also been pondering why this group seems to receive more media attention than other groups that also partner with Ransomware-as-a-Service (RaaS) programs."
        https://unit42.paloaltonetworks.com/why-the-focus-on-muddled-libra/

      Breaches/Hacks/Leaks

      • Google Suffers Data Breach In Ongoing Salesforce Data Theft Attacks
        "Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group. In June, Google warned that a threat actor they classify as 'UNC6040' is targeting companies' employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked. In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen."
        https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/
        https://databreaches.net/2025/08/06/google-reveals-it-became-one-of-the-salesforce-attack-victims-in-june/
        https://www.securityweek.com/google-discloses-salesforce-hack/
        https://www.theregister.com/2025/08/06/google_salesforce_attacks/
      • National Bank Of Canada Online Systems Down Due To 'technical Issue'
        "National Bank of Canada (Banque Nationale du Canada), the sixth largest commercial bank of Canada is currently experiencing a widespread service outage affecting its online banking and mobile app platforms. Social media reports suggest that the issues began earlier this morning, with customers encountering a "maintenance" message when attempting to access their accounts via online banking on web and mobile app. Headquartered in Montreal, NBC (BNC) serves more than 2.4 million personal banking clients and employs over 30,000 staff across Canada."
        https://www.bleepingcomputer.com/news/technology/national-bank-of-canada-online-systems-down-due-to-technical-issue/
      • Data Hygiene And Enhancement Service Exposed PII In Data Breach
        "Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 38 GB of CSV and PDF files. Collectively, the exposed spreadsheets displayed hundreds of thousands of names, physical addresses, phone numbers, email addresses, and other potentially sensitive information."
        https://www.websiteplanet.com/news/imdatacenter-breach-report/
        https://hackread.com/hacker-accesses-imdatacenter-records-exposed-aws-bucket/
      • KLM Confirms Customer Data Breach Linked To Third-Party System
        "KLM Airlines (aka KLM Royal Dutch Airlines), a French-Dutch multinational airline, has notified customers about a recent data breach that exposed certain personal details after a third-party system the company relies on was accessed by an unauthorised party. The breach did not affect core systems or more sensitive data, but it still involves information that could be misused in targeted scams. In the email sent to affected users, including frequent flyers, KLM stated that the breach involved a limited set of personal data from previous interactions with their customer service team."
        https://hackread.com/klm-customer-data-breach-linked-third-party-system/
      • Clinical Data Stolen In Cyber-Attack On Kidney Dialysis Provider DaVita
        "US-based kidney dialysis provider DaVita has confirmed that sensitive personal and clinical data was stolen from its systems, impacting over 900,000 customers. The incident, which is reportedly ransomware-related, began on March 24, 2025, and continued until the threat actor was blocked from DaVita servers on April 12. An investigation revealed that the attacker accessed and removed data from the company’s dialysis labs database."
        https://www.infosecurity-magazine.com/news/clinical-data-stolen-kidney/
        https://www.securityweek.com/over-1-million-impacted-by-davita-data-breach/

      General News

      • Navigating 2025’s Midyear Threats: Insights From Flashpoint’s Global Intelligence Index
        "The first half of 2025 witnessed extreme volatility and escalating risk across the threat landscape. Organizations are navigating a complex environment that is marked by the rapid expansion of information-stealing malware and the relentless pervasiveness of ransomware, vulnerabilities, and data breaches. To effectively defend against them, security teams need timely and actionable threat intelligence."
        https://flashpoint.io/blog/flashpoint-2025-global-threat-intelligence-index-midyear/
        https://www.bankinfosecurity.com/on-rise-ransomware-victims-breaches-infostealers-a-29137
      • A Region-Wise Breakdown Of Cyber Threats: What H1 2025 Data Reveals
        "The global threat landscape in the first half of 2025 has not only intensified but also splintered across regions with clear intent and growing precision. According to Cyble’s Global Threat Landscape: H1 2025 report, while ransomware attacks and zero-day exploits rose across the board, the distribution of these incidents varied significantly by geography. Regional targeting is no longer incidental—it is deliberate, adaptive, and often aligned with sectoral weaknesses and geopolitical fault lines."
        https://cyble.com/blog/global-threat-landscape-h1-2025-report/
      • The Role Of Security Policies In Shaping Organisational Culture And Risk Awareness
        "Organisational culture, as we know it, isn’t built overnight. It takes shape over time through decisions, habits and values that gradually define how people work together. One of the most overlooked influences on culture is the presence or absence of clear and effective security policies. For executives and managers, these aren’t just operational tools; they’re signals that show what the business takes seriously, how it protects its people and assets, and how it expects staff to behave. When developed properly, security policies help create a culture that is aware, responsive and able to adapt as threats evolve. Their effect goes far beyond compliance, shaping how people see their roles and what they expect from each other."
        https://hackread.com/security-policies-role-organisational-culture-risk-awareness/
      • Cybersecurity And The Development Of Software-Defined Vehicles
        "In many automotive companies, the same systems-engineering teams are responsible for both safety and security. As a result, cybersecurity is treated as a subset of safety, undergirded by an implicit assumption: “If it’s safe, it must be secure.” But that’s not necessarily always the case. As so many chief information and product security officers across the industry have seen, a vehicle deemed functionally safe under ISO 26262 can be highly vulnerable to cyber threats, especially as connected vehicles, software-defined architectures and over-the-air updates grow standard for the industry."
        https://www.helpnetsecurity.com/2025/08/06/cybersecurity-and-the-development-of-software-defined-vehicles/
      • CISOs Say They’re Prepared, Their Data Says Otherwise
        "Most security teams believe they can act quickly when a threat emerges. But many don’t trust the very data they rely on to do so, and that’s holding them back. A new Axonius report, based on a survey of 500 U.S.-based IT and security leaders, shows a disconnect between perceived readiness and actual performance in vulnerability and exposure management. While 90% of respondents said their organization is prepared to act when a threat is found, only 25% said they trust the data in their security tools."
        https://www.helpnetsecurity.com/2025/08/06/ciso-vulnerability-management-data-trust/
      • Why 90% Of Cyber Leaders Are Feeling The Heat
        "90% of cyber leaders find managing cyber risks harder today than five years ago, mainly due to the explosion of AI and expanding attack surfaces, according to BitSight. These threats are also fueling high rates of burnout, with 47% of cybersecurity and cyber risk professionals reporting exhaustion. Another key factor in the burnout crisis is the lack of threat visibility. Those who work at organizations with the tools to regularly map threats across their environments and contextualize them with multiple risk factors for full visibility, a capability that just 17% have, experience a significantly lower burnout rate of 44%. Those who don’t have a burnout rate of 63%."
        https://www.helpnetsecurity.com/2025/08/06/managing-cyber-risk-practices/
      • #BHUSA: Exploring The Top Cyber Threats Facing Agentic AI Systems
        "The emerging adoption of AI agents, programs involving large language models (LLMs) and conduct automated or semi-automated tasks, brings its own set of new cybersecurity risks. Sean Morgan, Chief Architect at Protect AI, a firm recently acquired by Palo Alto Networks, highlighted agentic AI’s main risks during the AI Summit at Black Hat, in Las Vegas, on August 5."
        https://www.infosecurity-magazine.com/news/top-cyber-threats-facing-agentic/
      • #BHUSA: Malware Complexity Jumps 127% In Six Months
        "The toolsets used by threat actors to attack their targets are rapidly evolving, with a 127% spike in malware complexity over the past six months, according to OPSWAT, a cybersecurity company focusing on critical infrastructure. In its inaugural Threat Landscape Report, published on August 6 during Black Hat USA, the firm estimated that this significant increase is primarily driven by three major factors combined"
        https://www.infosecurity-magazine.com/news/malware-complexity-jumps-127/
      • New WhatsApp Tools And Tips To Beat Messaging Scams
        "Every day criminal scammers attempt to play on people’s economic anxiety to trick people with too-good-to-be-true offers and pyramid schemes to earn quick money. As part of our ongoing efforts to protect people from scams, we’re sharing updates on disrupting attempts by criminal scam centers to target people on our apps, the latest insights into how these scams work, new anti-scam tools on WhatsApp and key safety tips."
        https://about.fb.com/news/2025/08/new-whatsapp-tools-tips-beat-messaging-scams/
        https://www.securityweek.com/whatsapp-takes-down-6-8-million-accounts-linked-to-criminal-scam-centers-meta-says/
        https://securityaffairs.com/180864/cyber-crime/whatsapp-cracks-down-on-6-8m-scam-accounts-in-global-takedown.html
      • Major Enterprise AI Assistants Can Be Abused For Data Theft, Manipulation
        "Researchers at AI security startup Zenity demonstrated how several widely used enterprise AI assistants can be abused by threat actors to steal or manipulate data. The Zenity researchers showcased their findings on Wednesday at the Black Hat conference. They shared several examples of how AI assistants can be leveraged — in some cases without any user interaction — to do the attacker’s bidding. Enterprise tools are increasingly integrated with generative AI to boost productivity, but this also opens cybersecurity holes that could be highly valuable to threat actors."
        https://www.securityweek.com/major-enterprise-ai-assistants-abused-for-data-theft-manipulation/
      • AI Slashes Workloads For vCISOs By 68% As SMBs Demand More – New Report Reveals
        "As the volume and sophistication of cyber threats and risks grow, cybersecurity has become mission-critical for businesses of all sizes. To address this shift, SMBs have been urgently turning to vCISO services to keep up with escalating threats and compliance demands. A recent report by Cynomi has found that a full 79% of MSPs and MSSPs see high demand for vCISO services among SMBs. How are service providers scaling to meet this demand? Which business upside can they expect to see? And where does AI fit in?"
        https://thehackernews.com/2025/08/ai-slashes-workloads-for-vcisos-by-68.html
        https://cynomi.com/state-of-the-vciso-2025/
      • British Intelligence Warns Cyber Threat To Critical Infrastructure Is Increasing
        "The threat posed by hackers to critical infrastructure in Britain is increasing, leaving a “widening gap” between the potential for harm and the collective ability to defend against it, the country’s cybersecurity agency warned on Wednesday. In its latest attempt to sound the alarm about that threat, the National Cyber Security Centre (NCSC) again stressed that Britain was underestimating the severity of the risk from cyberattacks and provided updated guidance to infrastructure operators to protect themselves. Despite these repeated warnings, there are continuing delays from both the government and the private sector in taking action to drive forward even basic levels of security. As the agency’s chief complained earlier this year, many organizations still fail to follow the NCSC’s cybersecurity guidance and advice."
        https://therecord.media/british-intel-cyber-threat-infrastructure
      • ESET Threat Report H1 2025: ClickFix, Infostealer Disruptions, And Ransomware Deathmatch
        "“It’s all fun and games until someone gets hurt” could well be the title of the latest ESET Threat Report, as cybercriminals play new mind games with their victims, wage full-on deathmatches among themselves, and become the hunted game of law enforcement and private vendors. ESET Distinguished Researcher Aryeh Goretsky and Security Awareness Specialist Ondrej Kubovič open this installment of the ESET Research Podcast by breaking down the latest cry among threat actors: ClickFix. They explain how this technique went from non-existent a year ago to the second most prevalent threat today, and why it’s so effective. They also examine a specific example of this social engineering tactic FakeCaptcha, abusing the well-known human verification mechanism and weaponizing it to trick victims into executing malicious commands."
        https://www.welivesecurity.com/en/podcasts/eset-threat-report-h1-2025-clickfix-infostealer-disruptions-ransomware-deathmatch/

      Reference
      Electronic Transactions Development Agency (ETDA)
