{
  "name": "From ClickFix to Command: A Full PowerShell Attack Chain",
  "slug": "from-clickfix-to-command-a-full-powershell-attack-chain",
  "description": "A targeted intrusion campaign impacting Israeli organizations has been identified. It leverages compromised internal email infrastructure to distribute phishing messages, so the lures arrive from legitimate, trusted internal senders and are unlikely to be stopped by sender-reputation or domain-authentication controls alone. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key characteristics include a fully PowerShell-based delivery chain, obfuscated payloads, evidence of lateral movement, and potential (unconfirmed) overlap with MuddyWater campaigns. The attack begins with phishing emails and progresses to a spoofed Microsoft Teams page that applies ClickFix-style social engineering: the victim is induced to run attacker-supplied PowerShell commands themselves, so initial execution is user-initiated (T1204) rather than the result of an exploit. The payload retrieves additional content from attacker infrastructure (ingress tool transfer), deploys the RAT, and establishes communication with a command-and-control (C2) server; the mapped techniques indicate both web-protocol and non-application-layer C2 channels, including over non-standard ports, so network detections should not assume HTTP(S) alone. The campaign demonstrates the effectiveness of living-off-the-land techniques, layered evasion (obfuscation, encoding/decoding, and masquerading), and adaptive C2 communication; PowerShell script block logging and monitoring of user-launched PowerShell sessions are the primary host-side detection surfaces.",
  "published": "2025-08-11T13:29:28+00:00",
  "created_at": "2025-08-11T13:29:28+00:00",
  "modified_at": "2025-08-11T14:12:04+00:00",
  "created_at_opencti": "2025-08-11T13:29:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-11",
    "c2 communication",
    "israeli targets",
    "lateral movement",
    "obfuscation",
    "phishing",
    "powershell",
    "powershell rat",
    "rat",
    "social engineering"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:7704bc3b4ffb2192",
        "name": "PowerShell RAT",
        "slug": "powershell-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "98b7af71-8465-4bc4-9526-3bd1a8ac5f59",
        "name": "MuddyWater",
        "slug": "muddywater"
      }
    ],
    "attack_patterns": [
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Israel"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": []
}