Critical Alerts Covering ClickFix Evolves, AI Supply Chain Attacks, and Enterprise Zero-Days
- SISA Weekly Threat Watch -
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. The “ClickFix” Epidemic Evolves Across Platforms
Attackers are shifting away from traditional exploit kits, relying instead on manipulating users into executing malicious commands (often via the Run dialog or Terminal) under the guise of fixing software or passing CAPTCHAs.
DNS-Based Delivery via nslookup — A newly observed ClickFix campaign tricks users into running a command that performs a custom DNS lookup to an attacker-controlled server. The malicious PowerShell payload is hidden inside the DNS “NAME:” response, bypassing traditional web filters to deploy the ModeloRAT.
Matryoshka macOS Variant — Mac users landing on typosquatted software review sites are instructed to paste a command into Terminal. This triggers a nested, in-memory obfuscation chain (the “Matryoshka” doll effect) that deploys an AppleScript stealer to hijack hardware cryptocurrency wallets (Trezor, Ledger) and harvest credentials.
MIMICRAT via Fake Verification — Attackers compromised legitimate sites (like a Bank Identification Number validator) to show fake Cloudflare verification pages. The resulting ClickFix command deploys MIMICRAT via a fileless Lua loader, explicitly tampering with Windows ETW and AMSI to blind defenders.
AMOS via AI Platform Abuse — The Atomic macOS Stealer (AMOS) is being distributed via fake AI tool installers and malicious instructions embedded in publicly shared ChatGPT and Grok conversations, weaponizing the inherent trust users place in AI platforms.
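A detection sketch for the nslookup delivery item above, added here as an example and not taken from the advisory or any vendor rule set: it flags nslookup launched from a command interpreter with an explicit DNS server outside an approved list. Field names follow Sysmon process-creation events; the resolver allowlist, hostnames and sample events are constructed assumptions.

```python
import ntpath
import shlex

# Interpreters a pasted ClickFix command normally runs under.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Resolvers the organisation sanctions (assumed values; replace with your own).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed process-creation events (documentation IP ranges and example domains).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -q=txt check.example.net 203.0.113.77"},
    {"Computer": "WS-022", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup intranet.example.com"},
    {"Computer": "WS-031", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup mail.example.com 10.0.0.53"},
    {"Computer": "SRV-DNS1", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Program Files\Monitor\agent.exe",
     "CommandLine": "nslookup example.org 198.51.100.5"},
]

def explicit_server(command_line):
    """Return the server in 'nslookup [-opt ...] name [server]', or None if absent."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = command_line.split()
    # Options start with '-'; a lone '-' is the interactive-mode name placeholder.
    positional = [t.strip('"') for t in tokens[1:] if not (t.startswith("-") and len(t) > 1)]
    return positional[1] if len(positional) >= 2 else None

def flag_events(events):
    """Return [(computer, server)] for interpreter-spawned nslookup using an unapproved server."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if image != "nslookup.exe" or parent not in INTERPRETERS:
            continue
        server = explicit_server(ev["CommandLine"])
        if server and server.lower() not in APPROVED_RESOLVERS:
            hits.append((ev["Computer"], server))
    return hits

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))
```

Requiring both the interpreter parent and an unapproved explicit server keeps routine administrator lookups against internal resolvers out of the alert queue.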
2. AI Systems: The New Attack Surface and Adversary Toolkit
AI is no longer just a buzzword; it is an active component of the cyber kill chain, serving as both a target for data theft and a tool for malware automation.
PromptSpy Android Malware — PromptSpy is the first known Android malware to use generative AI (Google Gemini) at runtime. It sends XML dumps of the infected device’s screen to Gemini, which returns dynamic instructions on how the malware should use Accessibility Services to “lock” itself in the Recent Apps list, ensuring persistence regardless of the device manufacturer’s unique UI.
Copilot & Grok as Covert C2 Proxies — Researchers demonstrated that malware can use the web-browsing capabilities of AI assistants like Microsoft Copilot and Grok to tunnel command-and-control traffic. By embedding reconnaissance data in URLs and asking the AI to summarize the attacker’s page, the malware establishes a stealthy, bidirectional C2 channel that blends perfectly into legitimate enterprise web traffic.
OpenClaw AI Agent Identity Theft — Infostealers are explicitly hunting for configuration files (openclaw.json, device.json) of local AI agents. Stealing these files gives attackers access to API tokens, cryptographic keys, and the agent’s long-term memory, enabling identity impersonation.
SmartLoader Poisons AI Supply Chain — Threat actors cloned the legitimate Oura Model Context Protocol (MCP) server, faked GitHub contributor activity, and submitted the trojanized package to AI registries. Once installed by developers, it deploys a LuaJIT-based loader to drop the StealC infostealer.
3. Critical Zero-Days and Enterprise Appliance Exploitation
Core infrastructure appliances and enterprise software remain highly targeted, with multiple zero-days and critical pre-authentication flaws actively exploited in the wild.
Dell RecoverPoint for VMs Zero-Day (CVE-2026-22769) — A suspected China-linked group (UNC6201) has been exploiting hard-coded credentials in Dell RecoverPoint since mid-2024 to gain unauthenticated root access. The attackers utilize advanced stealth tactics, including creating “Ghost NICs” (temporary virtual network interfaces) for lateral movement and manipulating iptables to tunnel C2 traffic over port 443.
BeyondTrust Pre-Auth RCE (CVE-2026-1731) — An actively exploited OS command injection vulnerability in BeyondTrust Remote Support is allowing attackers to deploy web shells and remote access tools without authentication. Attackers have exfiltrated entire PostgreSQL databases, leading CISA to mandate emergency patching due to ransomware involvement.
Google Chrome Zero-Day (CVE-2026-2441) — Google released an emergency patch for an actively exploited use-after-free vulnerability within Chrome’s CSS font feature processing (CSSFontFeatureValuesMap), which can lead to memory corruption and arbitrary code execution.
Rapid7 InsightVM (CVE-2026-1568) & SAP CRM (CVE-2026-0488) — Critical flaws plague enterprise management tools. Rapid7 InsightVM suffers from a pre-auth SAML signature verification bypass (CVSS 9.6) leading to account takeover. Meanwhile, SAP CRM and S/4HANA contain a critical code injection flaw (CVSS 9.9) in the Scripting Editor that permits arbitrary SQL execution and full database compromise.
4. Developer Supply Chain and Post-Compromise Frameworks
Threat actors are targeting the software development lifecycle, attacking both the tools developers use and the infrastructure that updates them.
VSCode Extensions Expose Dev Environments — Critical vulnerabilities were found in immensely popular VSCode extensions (e.g., Live Server, Code Runner, Markdown Preview Enhanced). Because these extensions run with local privileges, exploitation via malicious links or crafted Markdown files allows attackers to steal source code, .env files, and execute arbitrary code on developer machines.
Notepad++ Update Mechanism Overhaul — Following the discovery of a targeted supply chain attack by a Chinese APT (Lotus Panda), Notepad++ released v8.9.2. The update introduces a “double lock” verification system to prevent hosting-provider-level traffic hijacking from delivering backdoors like Chrysalis.
UAT-9921’s VoidLink Framework — A sophisticated Linux-focused threat actor is deploying “VoidLink,” a multi-language (Zig, C, Go) post-compromise framework. It uses compile-on-demand plugins and kernel-level rootkits to maintain stealthy, long-term persistence in cloud environments.
Dell DUP Privilege Escalation (CVE-2026-23857) — A high-severity local privilege escalation flaw in the Dell Update Package (DUP) framework allows low-privileged local attackers to gain elevated system privileges.
Password Manager Architecture Weaknesses — A rigorous study revealed that popular cloud-based password vaults (Bitwarden, LastPass, Dashlane) have structural weaknesses in recovery mechanisms and item-level encryption that could allow a compromised or malicious server to decrypt or manipulate vault data.
Proactive Steps for the Week
Emergency Patching: Immediately deploy updates for Google Chrome (v145.x), BeyondTrust (v25.3.2+), Dell RecoverPoint (v6.0.3.1 HF1), Rapid7 InsightVM (v8.34.0+), and SAP CRM.
Audit Developer Tooling: Review installed VSCode and AI IDE extensions across developer fleets. Remove unneeded local server extensions and never paste untrusted configurations into settings.json. Update Notepad++ to v8.9.2 to ensure update integrity.
Defend Against ClickFix: Educate users—especially macOS users and developers—that legitimate updates or CAPTCHAs never require copying and pasting commands into Terminal or PowerShell. Block the execution of nslookup initiating from command interpreters to kill the DNS-based payload delivery.
Secure AI Environments: Treat AI configurations (like openclaw.json) as highly sensitive credential stores. Implement strict egress filtering to prevent internal endpoints from using consumer LLM web interfaces (Copilot, Grok) as covert C2 proxies.
Monitor for “Ghost NICs”: In virtualized environments, monitor hypervisor and appliance logs for the unauthorized creation and rapid deletion of virtual network interfaces, a key indicator of UNC6201’s lateral movement tradecraft.
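One way to implement the “Ghost NIC” monitoring step, added here as an example and not taken from the advisory or any vendor tooling: pair each interface add with its removal and report interfaces that lived for less than a threshold. The log layout, action names (nic_add, nic_remove), host names and the 15-minute threshold are assumptions; adapt the parser to your hypervisor's or appliance's real event format.

```python
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(minutes=15)  # assumed threshold; tune to your change windows

# Constructed sample lines in a hypothetical "timestamp action vm=... nic=..." layout.
SAMPLE_LOG = """\
2026-02-10T01:00:00Z nic_add vm=appliance-01 nic=eth0
2026-02-10T02:14:05Z nic_add vm=appliance-01 nic=eth5
2026-02-10T02:19:40Z nic_remove vm=appliance-01 nic=eth5
2026-02-10T03:00:00Z nic_add vm=build-07 nic=eth1
2026-02-11T09:30:00Z nic_remove vm=build-07 nic=eth1
2026-02-11T10:00:00Z nic_remove vm=db-02 nic=eth3
"""

def parse(line):
    """Split one log line into (timestamp, action, (vm, nic))."""
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, action, (kv["vm"], kv["nic"])

def short_lived_nics(log_text, max_lifetime=MAX_LIFETIME):
    """Return [(vm, nic, seconds_alive)] for NICs added and removed within max_lifetime."""
    created, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, action, key = parse(line)
        if action == "nic_add":
            created[key] = when  # remember when this interface appeared
        elif action == "nic_remove" and key in created:
            lifetime = when - created.pop(key)
            if lifetime <= max_lifetime:
                findings.append((key[0], key[1], int(lifetime.total_seconds())))
        # a removal with no recorded add (log gap) is ignored here, not flagged
    return findings

if __name__ == "__main__":
    for vm, nic, seconds in short_lived_nics(SAMPLE_LOG):
        print(f"short-lived NIC {nic} on {vm}: alive {seconds}s")
```

Findings still need to be checked against change records, since legitimate maintenance can also add and remove interfaces quickly.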

