TrendAI™ Research tracked a sustained malvertising campaign that abused Google Ads to deliver ClickFix social engineering attacks disguised as popular AI developer tools. The campaign impersonated at least six legitimate brand names, including ChatGPT Codex, Perplexity, Cursor IDE, JetBrains, Claude AI, and claude.ai, and simultaneously ran Mac utility scam lures.
By leveraging paid search ads targeting users actively seeking AI development tools, the attackers were able to target technically proficient users who are more likely to interact with command-line instructions without suspicion. This marks a sophisticated evolution of the ClickFix social engineering technique, where victims are tricked into manually executing malicious commands, typically by copying and pasting PowerShell or terminal commands under the guise of “fixing” a problem or completing a software installation.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Oregon residents health data stolen in TriZetto breach
January 31, 2026
Thousands more Oregonians will soon receive data breach letters in the continued fallout from the TriZetto data breach, in which someone hacked the insurance verification provider and gained access to its healthcare provider customers across multiple US states. The breach occurred back in November 2024, with intruders snooping through protected health information and other sensitive personal ...
- Informant told FBI that Jeffrey Epstein had a ‘personal hacker’
January 30, 2026
A confidential informant told the FBI in 2017 that Jeffrey Epstein had a “personal hacker,” according to a document released by the Department of Justice on Friday. The document, which was released as part of the Justice Department’s legally required effort to publish documents related to its investigation into the late sex offender, does not identify ...
- North Korean Labyrinth Chollima is morphing into three separate entities
January 30, 2026
One of the largest and most successful North Korean state-sponsored threat actors has split into three separate entities, each with their own tactics, malware tools, targets, and goals, experts have warned. In a recent in-depth analysis, researchers from CrowdStrike expalined the move is a strategic evolution to make Labyrinth Chollima cyberattacks more efficient, and that the ...
- Match, Hinge, OkCupid, and Panera Bread breached by ransomware group
January 30, 2026
The ShinyHunters ransomware group has claimed the theft of data containing 10 million records belonging to the Match Group and 14 million records from bakery-café chain Panera Bread. The Match Group, that runs multiple popular online dating services like Tinder, Match.com, Meetic, OkCupid, and Hinge has confirmed a cyber incident and is investigating the data breach. ...
- Marquis confirms data breach, point finger of blame at SonicWall firewall
January 30, 2026
Marquis, a US fintech company building software for banks and credit unions, has confirmed suffering a ransomware attack and losing sensitive customer data, but shifted the blame onto its firewall provider, SonicWall. In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unnamed threat actors brute-forced their way into the company’s MySonicWall ...
- Supply chain attack on eScan antivirus: detecting and remediating malicious updates
January 29, 2026
On January 20, a supply chain attack has occurred, with the infected software being the eScan antivirus developed by an Indian company MicroWorld Technologies. The previously unknown malware was distributed through the eScan update server. The same day, our security solutions detected and prevented cyberattacks involving this malware. On January 21, having been informed by Morphisec, ...