How an Infostealer Infection Led to a Sophisticated ClickFix Campaign at Artlist

How an Infostealer Infection Led to a Sophisticated ClickFix Campaign at Artlist
Researchers uncovered a ClickFix campaign on Artlist’s compromised subdomain new-blog.artlist[.]io, where attackers used a fake CAPTCHA to deliver a RAT through EtherHiding and a multi-stage malware chain. The intrusion began with an August 2023 infostealer infection on a freelance WordPress developer’s machine, which exposed privileged Artlist credentials that were later abused to inject malicious code.
#Artlist #new-blog.artlist.io #auth-code-check.info #EtherHiding #ClickFix #HudsonRock #Vidar #StealC

Keypoints

  • Attackers compromised Artlist’s new-blog.artlist[.]io subdomain to host a ClickFix lure.
  • A fake CAPTCHA tricked visitors into pasting a hidden PowerShell command.
  • The campaign used EtherHiding with Polygon blockchain smart contracts to hide payload delivery.
  • The root cause was an infostealer infection from a pirated Adobe Acrobat PRO DC torrent.
  • The final RAT used DLL sideloading, Tor fallback, and advanced persistence and control features.

Read More: https://www.infostealers.com/article/how-an-infostealer-infection-led-to-a-sophisticated-clickfix-campaign-at-artlist/