The merchandise website of FBI director Kash Patel (basedapparel[.]com) was taken offline on Friday after reports that it had been compromised by hackers using it to spread malware. The malware was discovered on Thursday by “big time nerd” user known as “debbie.”
Visitors were instructed to copy a code from the website and paste it into their computer’s terminal, a social engineering method known as a ClickFix attack. Once executed, the Mac-specific code would download and install malware on the device.
A ClickFix attack is a social engineering technique that manipulates users into running malicious commands themselves, typically by posing as a fix for a problem or verification step, ultimately leading to malware installation or system compromise.
“A website that sells merchandise related to FBI Director Kash Patel went offline Friday after a hack apparently tricked visitors into downloading malware.” reports the website Straight Arrow News. “Visitors were then prompted to copy a code from the website and paste it into the terminal on their computers, a social engineering technique known as a ClickFix attack. When entered, the code, designed specifically for Mac computers, would download and install malware onto the user’s devices.”
At this time, the site is still offline.
The researcher who goes online with the X handler WifiRumHam analyzed the compromised website. The e-store was using WordPress plug-in WooCommerce running a multi-part malware attack. A malicious plugin running on the site both steals payment data and targets macOS users with a fake Cloudflare CAPTCHA (“ClickFix”) that tricks them into running hidden malicious commands.
If executed, the commands download a script-based macOS stealer that avoids normal security protections and can steal browser data, passwords, and cryptocurrency wallet information. It also targets many popular browsers and wallet apps, collects the data, compresses it, and sends it to a remote server before deleting itself.
The campaign appears to be widespread, with similar infections seen across many websites.
— WifiRumHam (@WifiRumHam) May 22, 2026CORRECTION + FULL ANALYSIS VT UPLOAD: Live dual-payload campaign on compromised WooCommerce site
Credit @dm4uz31/ Correction first — earlier thread had the wrong C2 domain. It's monterushy[.]com, not monterusei[.]com. Apologies for the bad IOC.
2/ Compromised site:…
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, FBI director)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。