TrendAI™ Research tracked a sustained malvertising campaign that abused Google Ads to deliver ClickFix social engineering attacks disguised as popular AI developer tools. The campaign impersonated at least six legitimate brand names, including ChatGPT Codex, Perplexity, Cursor IDE, JetBrains, Claude AI, and claude.ai, and simultaneously ran Mac utility scam lures.
By leveraging paid search ads targeting users actively seeking AI development tools, the attackers were able to target technically proficient users who are more likely to interact with command-line instructions without suspicion. This marks a sophisticated evolution of the ClickFix social engineering technique, where victims are tricked into manually executing malicious commands, typically by copying and pasting PowerShell or terminal commands under the guise of “fixing” a problem or completing a software installation.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Data breach at govtech giant Conduent balloons, affecting millions more Americans
February 5, 2026
A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to dozens of millions of people across the United States. The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million ...
- Paris prosecutor’s cybercrime unit searches X office
February 3, 2026
French police raided the offices of Elon Musk’s social media network X on Tuesday and prosecutors ordered the tech billionaire to face questions in April in a widening investigation, amid growing scrutiny of the platform by authorities across Europe. France’s raid and the summoning of Musk — which could further increase tensions between Europe and the ...
- Polish authorities arrest 20-year-old man on suspicion of carrying out DDoS attacks
February 3, 2026
Polish authorities have cuffed a 20-year-old man on suspicion of carrying out DDoS attacks. The Central Bureau for Combating Cybercrime (CBZC) claims the unnamed individual was responsible for attacks on “numerous popular websites,” including those of strategic importance. Given the context, it can be reasonably assumed that strategically important websites likely refers to those providing essential ...
- Russian ransomware hackers allegedly hit Tulsa airport in cyberattack, dump private files online as proof
February 2, 2026
Russian ransomware operators Qilin have claimed to have broken into the Tulsa International Airport and stolen an unspecified amount of sensitive company data. A report from Cybernews says the group recently added the airport to their data leak site, and included 18 samples as proof of their claims. The researchers analyzed the samples, finding it included ...
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
February 2, 2026
Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. Rapid7 investigation ...
- Russia-linked APT28 attackers already abusing new Microsoft Office zero-day
February 2, 2026
Russia-linked attackers are already exploiting Microsoft’s latest Office zero-day, with Ukraine’s national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU. In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as “APT28” or “Fancy ...