"Fix It" Social-Engineering Campaign

Incident Report for Rapid Response Status Page

Resolved

Dear customers,

Following our latest update, we continued with the threat-focused hunting efforts, looking for indicators of compromise.

Relevant hits that require your attention will be mentioned in the AXON report.

Sincerely,
Team AXON
Posted Dec 25, 2024 - 09:01 UTC

Investigating

Dear customers,

Team AXON is aware of an ongoing social-engineering campaign known as "Fix It".
This campaign manipulates end users into manually executing malicious code. The infection process begins when a user visits a website designed to mimic legitimate sites for products or services such as Notepad++ or Microsoft Teams.

Upon clicking the download button, the user is redirected to a new page that appears to be from Cloudflare, prompting a verification to confirm they are human. Instead of displaying a standard CAPTCHA, the page presents a message instructing the user to press the Windows and ‘R’ keys to open the Run command dialog and paste malicious code into it, deceiving the user into executing the harmful code on their device.

Threat-focused hunting related to this campaign is now ongoing. In case of any significant finding that requires your attention, we’ll of course reach out.

An AXON report will be available for all of our AXON customers as soon as the Rapid Response efforts are concluded.
Please don’t hesitate to contact us in case of any questions.

Sincerely,
Team AXON.
Posted Dec 23, 2024 - 18:02 UTC
This incident affected: Rapid Response.
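
A triage heuristic for the Run-dialog step described above, added here as an example and not Team AXON's own hunting logic. It assumes each user's RunMRU registry values have already been exported into a dictionary; the interpreter list, trait patterns, length threshold and sample entries are constructed assumptions.

```python
import re

# Windows records what is entered in the Win+R dialog per user under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each lettered value ends with the marker "\1"; MRUList orders them newest first.

# Assumption: script hosts and transfer tools a pasted one-liner tends to invoke.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|"
    r"curl|certutil|bitsadmin|msiexec)(\.exe)?\b", re.IGNORECASE)
# Assumption: traits of pasted code rather than a typed program name.
TRAITS = {
    "url": re.compile(r"https?://", re.IGNORECASE),
    "encoded_or_hidden": re.compile(
        r"\s-(e|enc|encodedcommand|w|windowstyle)\b", re.IGNORECASE),
}
LONG_ENTRY = 100  # characters; hand-typed Run entries are usually much shorter

def ordered_entries(values):
    """Return Run-dialog commands, newest first, from exported RunMRU values."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def score(command):
    """List the reasons an entry looks like pasted code."""
    reasons = ["interpreter"] if INTERPRETERS.search(command) else []
    reasons += [name for name, rx in TRAITS.items() if rx.search(command)]
    if len(command) >= LONG_ENTRY:
        reasons.append("long")
    return reasons

def hunt(values):
    """Flag entries that call an interpreter and show at least one more trait."""
    scored = [(cmd, score(cmd)) for cmd in ordered_entries(values)]
    return [(c, r) for c, r in scored if "interpreter" in r and len(r) >= 2]

# Constructed sample export; the host name and arguments are placeholders.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "mshta https://example.invalid/placeholder\\1",
    "d": "powershell -w hidden -enc PLACEHOLDER\\1",
}
```

Hits are leads for review rather than verdicts: administrators legitimately run interpreters from the Run dialog, so correlate with browser history and process-creation telemetry for the same user and time window.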