We encountered a unique variant of the ClickFix malware technique. The catch? The user is social engineered into running a PowerShell script which downloads no files, makes no web requests, and embeds no payload.
Regardless, it's still able to install a malicious loader to maintain a foothold on the infected system. Check out my latest blog post to find out more:
https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
Marcus Hutchins :verified:
npub1uu…hgs7t
2025-10-08 16:41:45 UTC
Author Public Key
npub1uu7gddsfwccptfz3wgqqgxz0wuwx302e07k3u475he6qzasfkz4q0hgs7tSeen on
wss://relay.momostr.pinkPublished at
2025-10-08 16:41:45 UTCEvent JSON
{
"id": "18c15eaf63e640e6643014d4bf8bf25044ca59ef943e30fbf5a4fcf3c0f95ec9",
"pubkey": "e73c86b609763015a451720004184f771c68bd597fad1e57d4be74017609b0aa",
"created_at": 1759941705,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@malwaretech/115339539629115390",
"web"
],
[
"proxy",
"https://infosec.exchange/users/malwaretech/statuses/115339539629115390",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/malwaretech/statuses/115339539629115390",
"pink.momostr"
],
[
"-"
]
],
"content": "We encountered a unique variant of the ClickFix malware technique. The catch? The user is social engineered into running a PowerShell script which downloads no files, makes no web requests, and embeds no payload.\n\nRegardless, it's still able to install a malicious loader to maintain a foothold on the infected system. Check out my latest blog post to find out more: \n\nhttps://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",
"sig": "2d161aadb7e820d8ef6a3d9fe4eef64105cc0f374d5486de1d0b1dae762b1f25e6029af5ecf117c173e174056f576c0d40a0924382014a4bc406ade5cfff8cd8"
}