3 min Security

Sandworm uses ClickFix against Ukrainian organizations

Sandworm uses ClickFix against Ukrainian organizations

The Russian state-sponsored hacking group Sandworm is now using the ClickFix attack technique to infect organizations in Ukraine with malware. This marks a shift, as a method that was previously popular mainly among financially motivated cybercriminals has now entered the arsenal of one of the most sophisticated state-sponsored attackers.

The Ukrainian National Computer Emergency Response Team (CERT-UA) reports that the campaign has been active since the spring. According to Ars Technica, at least ten compromised websites were used to present visitors with a fake CAPTCHA. Victims were instructed to copy and run a PowerShell command to prove they were not robots. In reality, by doing so, they themselves triggered the infection chain.

Over the past year, ClickFix has become a widely used social engineering technique. Instead of exploiting a software vulnerability, the attack tricks users into executing a malicious script themselves. As a result, many traditional security measures are bypassed because the user consciously executes the command.

It is notable that Sandworm is now also using this technique. The hacking group, which is linked to the Russian military intelligence service GRU, is known for sophisticated cyberattacks against Ukraine and other strategic targets.

According to CERT-UA, the campaign has already led to the compromise of at least one organization. On an infected system, researchers found FreakyPoll, a Python backdoor developed by Sandworm.

The infection occurs in several steps. After a victim executes the PowerShell command, a reconnaissance script is first launched to gather information about the system. This includes data on the computer’s configuration, installed software, files, and browser data. Only if a target proves sufficiently interesting does a second phase follow, during which additional malware is installed to gain persistent access to the system.

Proprietary malware and hidden infrastructure

According to CERT-UA, in addition to FreakyPoll, Sandworm also deploys other malware, including GHETTOVIBE, SCOUTCURL, FluidLeech, and LoadLoop. SCOUTCURL performs the initial assessment of a system, while FluidLeech masquerades as antivirus software to arouse less suspicion.

Researchers also discovered that the attackers have further advanced their infrastructure. In addition to the well-known Cloaking.House service, they use their own software, SMARTAXE, to dynamically modify the content of compromised websites. For example, depending on the visitor, a fake CAPTCHA may be displayed, while the location of the malicious content is retrieved via a blockchain smart contract. This makes it more difficult to identify and block the infrastructure behind the attack.

Android devices also targeted

CERT-UA also describes an Android campaign being tracked under the nameCowardDuck. In this campaign, victims are tricked into installing a malicious app. The malware then collects files from the device and sends them to the attackers’ servers.

Sandworm previously used other distribution methods, such as infected versions of illegal software offered via torrent sites. There are also known campaigns in which victims were persuaded, after prolonged contact via Signal, to install software that masqueraded as a security program.

ClickFix continues to evolve

Sandworm’s use of ClickFix underscores that the technique is evolving from an attack method primarily used by cybercriminals into a tool for state-sponsored cyber operations. For organizations, this means that not only technical security but also employee awareness is becoming increasingly important.

CERT-UA therefore advises administrators to regularly check websites for webshells, unauthorized extensions, and other signs of compromise. In addition, it remains important to remind users that legitimate websites never ask them to execute PowerShell, Terminal, or other command-line commands as part of a CAPTCHA or verification procedure.