{ "name": "ClickFix tactic: The Phantom Meet", "slug": "clickfix-tactic-the-phantom-meet", "description": "This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and macOS systems, spreading infostealers like Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain, infrastructure, and provides insights into the broader malware distribution ecosystem associated with these threat actors.", "published": "2024-10-18T13:56:45+00:00", "created_at": "2024-10-18T13:56:45+00:00", "modified_at": "2024-10-18T14:26:46+00:00", "created_at_opencti": "2024-10-18T13:56:45+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-10-18", "amos stealer", "clickfix", "cryptocurrency", "google meet", "infostealer", "phishing", "rhadamanthys", "social engineering", "stealc", "web3" ], "related_entities": { "observables": [ { "id": "", "name": "95.182.97.58" }, { "id": "", "name": "85.209.11.155" }, { "id": "", "name": "77.221.157.170" }, { "id": "", "name": "https://webapizmland.com/api/cmdruned" }, { "id": "", "name": "https://us18web-zoom.us/stealc.exe" }, { "id": "", "name": "https://us18web-zoom.us/ram.exe" }, { "id": "", "name": "https://meet.google.webjoining.com/exw-jfaj-hpa" }, { "id": "", "name": "https://meet.google.us07host.com/coc-btru-ays" }, { "id": "", "name": "https://meet.google.us-join.com/ywk-batf-sfh" }, { "id": "", "name": "https://meet.google.com-join.us/wmq-qcdn-orj" }, { "id": "", "name": "https://googIedrivers.com/fix-error" }, { "id": "", "name": "https://carolinejuskus.com/kusaka.php?call=launcher" }, { "id": "", "name": "https://carolinejuskus.com/f9dfbcf6a999/7cc2f5dc3c76/load.51f8527e20dcb05ffd8586b853937a8a.php?call=launcher" }, { "id": "", "name": "http://95.182.97.58/84b7b6f977dd1c65.php" }, { "id": "", "name": "http://85.209.11.155/joinsystem" }, { "id": "", "name": "http://77.221.157.170:3004/server.js" }, { "id": "", "name": "meet.google.webjoining.com" }, { "id": "", "name": "meet.google.web-join.com" }, { "id": "", "name": "meet.google.us07host.com" }, { "id": "", "name": "meet.google.us-join.com" }, { "id": "", "name": "meet.google.com-join.us" }, { "id": "", "name": "meet.google.cdm-join.us" }, { "id": "", "name": "meet.googie.com-join.us" }, { "id": "", "name": "worldcozy.com" }, { "id": "", "name": "webroom-zoom.us" }, { "id": "", "name": "webapizmland.com" }, { "id": "", "name": "webjoining.com" }, { "id": "", "name": "web3dev.buzz" }, { "id": "", "name": "web05-zoom.us" }, { "id": "", "name": "veriscroll.com" }, { "id": "", "name": "verdascript.com" }, { "id": "", "name": "utv4fun.com" }, { "id": "", "name": "us95web-zoom.us" }, { "id": "", "name": "us85web-zoom.us" }, { "id": "", "name": "us80web-zoom.us" }, { "id": "", "name": "us77web-zoom.us" }, { "id": "", "name": "us6web-zoom.us" }, { "id": "", "name": "us70web-zoom.us" }, { "id": "", "name": "us60web-zoom.us" }, { "id": "", "name": "us5web-zoom.us" }, { "id": "", "name": "us55web.us" }, { "id": "", "name": "us555web-zoom.us" }, { "id": "", "name": "us50web.us" }, { "id": "", "name": "us50web-zoom.us" }, { "id": "", "name": "us505web-zoom.us" }, { "id": "", "name": "us500web-zoom.us" }, { "id": "", "name": "us4web-zoom.us" }, { "id": "", "name": "us45web-zoom.us" }, { "id": "", "name": "us40web.us" }, { "id": "", "name": "us40web-zoom.us" }, { "id": "", "name": "us30web-zoom.us" }, { "id": "", "name": "us18web-zoom.us" }, { "id": "", "name": "us20web.us" }, { "id": "", "name": "us15web.us" }, { "id": "", "name": "us12web.us" }, { "id": "", "name": "us10web-zoom.us" }, { "id": "", "name": "us09web.us" }, { "id": "", "name": "us08web.us" }, { "id": "", "name": "us09web-zoom.us" }, { "id": "", "name": "us08web-zoom.us" }, { "id": "", "name": "us07web-zoom.us" }, { "id": "", "name": "us055web-zoom.us" }, { "id": "", "name": "us050web-zoom.us" }, { "id": "", "name": "us03web.us" }, { "id": "", "name": "us03web-zoom.us" }, { "id": "", "name": "us01web.us" }, { "id": "", "name": "us01web-zoom.us" }, { "id": "", "name": "us008web-zoom.us" }, { "id": "", "name": "us007web-zoom.us" }, { "id": "", "name": "us006web-zoom.us" }, { "id": "", "name": "us005web-zoom.us" }, { "id": "", "name": "us004web-zoom.us" }, { "id": "", "name": "us003webzoom.us" }, { "id": "", "name": "us002webzoom.us" }, { "id": "", "name": "ultimateplay.xyz" }, { "id": "", "name": "ultimategame.xyz" }, { "id": "", "name": "tooldream.live" }, { "id": "", "name": "thewatch.com" }, { "id": "", "name": "thecalipsoproject.com" }, { "id": "", "name": "stonance.com" }, { "id": "", "name": "sleipnirbrowser.xyz" }, { "id": "", "name": "sleipnirbrowser.org" }, { "id": "", "name": "projectcalipso.com" }, { "id": "", "name": "playultimate.xyz" }, { "id": "", "name": "playbattleforge.xyz" }, { "id": "", "name": "playbattleforge.org" }, { "id": "", "name": "phperl.com" }, { "id": "", "name": "patrickcateman.com" }, { "id": "", "name": "pakoyayinlari.com" }, { "id": "", "name": "nortexmessenger.us" }, { "id": "", "name": "nortexmessenger.pro" }, { "id": "", "name": "nortexmessenger.blog" }, { "id": "", "name": "nortexapp.xyz" }, { "id": "", "name": "nortexapp.pro" }, { "id": "", "name": "nortexapp.me" }, { "id": "", "name": "nortexapp.io" }, { "id": "", "name": "nortexapp.com" }, { "id": "", "name": "nortex.uk" }, { "id": "", "name": "nortex.lol" }, { "id": "", "name": "nortex.life" }, { "id": "", "name": "nortex.blog" }, { "id": "", "name": "nortex-app.xyz" }, { "id": "", "name": "nortex-app.us" }, { "id": "", "name": "nortex-app.pro" }, { "id": "", "name": "nort-ex.world" }, { "id": "", "name": "nort-ex.lol" }, { "id": "", "name": "nort-ex.eu" }, { "id": "", "name": "nor-tex.xyz" }, { "id": "", "name": "nor-tex.world" }, { "id": "", "name": "nor-tex.pro" }, { "id": "", "name": "nor-tex.eu" }, { "id": "", "name": "nightstudioweb.xyz" }, { "id": "", "name": "nightstudio.io" }, { "id": "", "name": "night-support.xyz" }, { "id": "", "name": "ngtverse.org" }, { "id": "", "name": "ngtstudio.online" }, { "id": "", "name": "ngtstudio.io" }, { "id": "", "name": "ngtproject.com" }, { "id": "", "name": "ngtmetaweb.com" }, { "id": "", "name": "ngtmetaland.io" }, { "id": "", "name": "ngtmeta.io" }, { "id": "", "name": "myultimate.xyz" }, { "id": "", "name": "mybattleforge.xyz" }, { "id": "", "name": "mordex.homes" }, { "id": "", "name": "mordex.blog" }, { "id": "", "name": "mor-dex.world" }, { "id": "", "name": "modoodeul.com" }, { "id": "", "name": "missingfrontier.com" }, { "id": "", "name": "mishapagerealty.com" }, { "id": "", "name": "mensadvancega.com" }, { "id": "", "name": "mdalies.com" }, { "id": "", "name": "lunacy4.com" }, { "id": "", "name": "lunacy3.com" }, { "id": "", "name": "lirelasuisse.com" }, { "id": "", "name": "lastnuggets.com" }, { "id": "", "name": "kansaskollection.com" }, { "id": "", "name": "iloanshop.com" }, { "id": "", "name": "googiedrivers.com" }, { "id": "", "name": "gamascript.com" }, { "id": "", "name": "fatoreader.net" }, { "id": "", "name": "fatoreader.com" }, { "id": "", "name": "doculuma.com" }, { "id": "", "name": "dekhke.com" }, { "id": "", "name": "darkblow.com" }, { "id": "", "name": "cphoops.com" }, { "id": "", "name": "cozyworld.io" }, { "id": "", "name": "cozyweb3.com" }, { "id": "", "name": "cozymeta.fun" }, { "id": "", "name": "cozymeta.xyz" }, { "id": "", "name": "cozymeta.com" }, { "id": "", "name": "cautrucanhtuan.com" }, { "id": "", "name": "cozyland.xyz" }, { "id": "", "name": "carolinejuskus.com" }, { "id": "", "name": "bowerchalke.com" }, { "id": "", "name": "calipsoproject.com" }, { "id": "", "name": "battleultimate.xyz" }, { "id": "", "name": "argongame.com" }, { "id": "", "name": "battleforge.cc" }, { "id": "", "name": "apunanwu.com" }, { "id": "", "name": "alienmanfc6.com" }, { "id": "", "name": "riotrevelry.com" }, { "id": "", "name": "nightpredators.com" }, { "id": "", "name": "nortexmessenger.digital" }, { "id": "", "name": "nortexapp.digital" }, { "id": "", "name": "nortex.limited" }, { "id": "", "name": "nortex.digital" }, { "id": "", "name": "mordex.digital" }, { "id": "", "name": "a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c" }, { "id": "", "name": "2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe" }, { "id": "", "name": "94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5" }, { "id": "", "name": "92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138" } ], "malware": [ { "id": "legacy:malware:44ab3a032ad46f5d", "name": "AMOS Stealer", "slug": "amos-stealer" }, { "id": "legacy:malware:bd5e900cb57b2f39", "name": "StealC", "slug": "stealc" }, { "id": "legacy:malware:96d5163803bd1444", "name": "Rhadamanthys", "slug": "rhadamanthys" } ], "intrusion_sets": [ { "id": "de93cc91-2b73-4730-99b8-ba7ba84d6e86", "name": "Slavic Nation Empire", "slug": "slavic-nation-empire" } ], "attack_patterns": [ { "id": "21fd9920-9bc7-4ba5-8cdd-3022c0ef4e9d", "name": "T1584.001" }, { "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd", "name": "T1588.001" }, { "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c", "name": "T1583.001" }, { "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd", "name": "T1059.005" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" } ], "others": [ { "id": "", "name": "Poland" } ] }, "external_refs": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/", "https://otx.alienvault.com/pulse/6712853de72c457312a3336b" ] }