Researchers uncovered a ClickFix campaign on Artlist’s compromised subdomain new-blog.artlist[.]io, where attackers used a fake CAPTCHA to deliver a RAT through EtherHiding and a multi-stage malware chain. The intrusion began with an August 2023 infostealer infection on a freelance WordPress developer’s machine, which exposed privileged Artlist credentials that were later abused to inject malicious code.
#Artlist #new-blog.artlist.io #auth-code-check.info #EtherHiding #ClickFix #HudsonRock #Vidar #StealC
#Artlist #new-blog.artlist.io #auth-code-check.info #EtherHiding #ClickFix #HudsonRock #Vidar #StealC
Keypoints
- Attackers compromised Artlist’s new-blog.artlist[.]io subdomain to host a ClickFix lure.
- A fake CAPTCHA tricked visitors into pasting a hidden PowerShell command.
- The campaign used EtherHiding with Polygon blockchain smart contracts to hide payload delivery.
- The root cause was an infostealer infection from a pirated Adobe Acrobat PRO DC torrent.
- The final RAT used DLL sideloading, Tor fallback, and advanced persistence and control features.