Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances.
The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows –
CVE-2025-57788 (CVSS score: 6.9) – A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials
CVE-2025-57789 (CVSS score: 5.3) – A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control
CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution
CVE-2025-57791 (CVSS score: 6.9) – A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role
watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. Commvault SaaS solution is not affected.
In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: One that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790.
It’s worth noting that the second pre-auth remote code execution chain becomes successful only if the built-in admin password hasn’t been changed since installation.
The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations.
A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.
Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.
“The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today.
The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads –
UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT
The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.
The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3.
Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.
“CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.”
Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.
Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.
Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine.
“To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said. “Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”
USB Infection Drops XMRig Miner
The disclosure comes as the threat intelligence firm detailed an ongoing campaign that employs USB drives to infect other hosts and deploy cryptocurrency miners since September 2024.
“This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said. “The low cost and ability to bypass network security make this technique a compelling option for attackers.”
The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection –
DIRTYBULK, a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL
CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-libraries like OpenSSL, libcurl, and WinPthreadGC
HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and download XMRig
XMRig, an an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin
“PUMPBENCH spreads by infecting USB drives,” Mandiant said. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”
Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that’s being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024.
IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable.
“The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL,” security researcher Raymond Joseph Alfonso said. “This DLL, in turn, loads, decrypts, and injects the final payload into its target process.”
This is achieved by using process hollowing to inject the malware into one of the three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico.
The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.
The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT.
“The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.”
New Phishing Trends
The development comes as threat actors are using new QR code phishing (aka quishing) tactics like splitting malicious QR codes into two parts or embedding them within legitimate ones in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution.
“Malicious QR codes are popular with attackers for several reasons,” Barracuda researcher Rohit Suresh Kanase said. “They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners.”
“Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.”
The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to acquire credentials and two-factor authentication (2FA) codes from individuals and organizations to gain access to victims’ accounts and use them to send emails for carrying out cryptocurrency scams.
“The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals’ credentials,” NVISO Labs said. “PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit.”
A noteworthy aspect of the kit is the use of a technique known as precision-validated phishing in which the attacker validates an email address in real-time in the background, while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.
As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts.
With the first half of 2025 behind us, compromised valid accounts remain the most underprevented attack vector, highlighting the urgent need for a proactive approach focused on the threats that are evading organizations’ defenses.
A Wake-Up Call: The Alarming Rise in Password Cracking Success
The Picus Blue Report is an annual research publication that analyzes how well organizations are preventing and detecting real-world cyber threats. Unlike traditional reports that focus solely on threat trends or survey data, the Blue Report is based on empirical findings from over 160 million attack simulations conducted within organizations’ networks around the world, using the Picus Security Validation Platform.
In the Blue Report 2025, Picus Labs found that password cracking attempts succeeded in 46% of tested environments, nearly doubling the success rate from last year. This sharp increase highlights a fundamental weakness in how organizations are managing – or mismanaging – their password policies. Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable to attackers using brute-force or rainbow table attacks to crack passwords and gain unauthorized access.
Given that password cracking is one of the oldest and most reliably effective attack methods, this finding points to a serious issue: in their race to combat the latest, most sophisticated new breed of threats, many organizations are failing to enforce strong basic password hygiene policies while failing to adopt and integrate modern authentication practices into their defenses.
Why Organizations Are Failing to Prevent Password Cracking Attacks
So, why are organizations still failing to prevent password cracking attacks? The root cause lies in the continued use of weak passwords and outdated credential storage methods. Many organizations still rely on easily guessable passwords and weak hashing algorithms, often without using proper salting techniques or multi-factor authentication (MFA).
In fact, our survey results showed that 46% of environments had at least one password hash cracked and converted to cleartext, highlighting the inadequacy of many password policies, particularly for internal accounts, where controls are often more lax than they are for their external counterparts.
To combat this, organizations must enforce stronger password policies, implement multi-factor authentication (MFA) for all users, and regularly validate their credential defenses. Without these improvements, attackers will continue to compromise valid accounts, obtaining easy access to critical systems.
Credential-Based Attacks: A Silent but Devastating Threat
The threat of credential abuse is both pervasive and dangerous, yet as the Blue Report 2025 highlights, organizations are still underprepared for this form of attack. And once attackers obtain valid credentials, they can easily move laterally, escalate privileges, and compromise critical systems.
Infostealers and ransomware groups frequently rely on stolen credentials to spread across networks, burrowing deeper and deeper, often without triggering detection. This stealthy movement within the network allows attackers to maintain long dwell times, undetected, while they exfiltrate data at will.
Despite this ongoing and well-known issue, organizations continue to prioritize perimeter defenses, often leaving identity and credential protection overlooked and under-funded as a result. This year’s Blue Report clearly shows that valid account abuse is at the core of modern cyberattacks, reinforcing the urgent need for a stronger focus on identity security and credential validation.
Valid Accounts (T1078): The Most Exploited Path to Compromise
One of the key findings in the Blue Report 2025 is that Valid Accounts (MITRE ATT&CK T1078) remains the most exploited attack technique, with a truly concerning 98% success rate. This means that once attackers gain access to valid credentials, whether through password cracking or initial access brokers, they can swiftly move through an organization’s network, often bypassing traditional defenses.
The use of compromised credentials is particularly effective because it allows attackers to operate under the radar, making it harder for security teams to detect malicious activity. Once inside, they can access sensitive data, deploy malware, or create new attack paths, all while seamlessly blending in with legitimate user activity.
How to Strengthen Your Defenses Against Credential Abuse and Password Cracking
To protect against increasingly effective attacks, organizations should implement stronger password policies and enforce complexity requirements, while eliminating outdated hashing algorithms in favor of more secure alternatives. It is also essential to adopt multi-factor authentication (MFA) for all sensitive accounts, ensuring that even if credentials do become compromised, attackers can’t just use them to access the network without an additional verification step.
Regularly validating credential defenses through simulated attacks is crucial to identifying vulnerabilities and ensuring that your controls are performing as expected. Organizations also need to enhance their behavioral detection capabilities to catch anomalous activities tied to credential abuse and lateral movement.
Additionally, monitoring and inspecting outbound traffic for signs of data exfiltration and ensuring that data loss prevention (DLP) measures are both in place and operating effectively are critical to protecting your sensitive information.
Closing the Gaps in Credential and Password Management
The findings in the Blue Report 2025 show that, unfortunately, many organizations are still vulnerable to the silent threat of password cracking and compromised accounts. And while strengthening perimeter defenses continues to be a priority, it’s also clear that core weaknesses lie in credential management and internal controls. The report also highlighted the fact that infostealers and ransomware groups are leveraging these gaps effectively.
If you’re ready to take proactive steps to harden your security posture, reduce your exposure, and prioritize your critical vulnerabilities, the Blue Report 2025 offers invaluable insights to show you where to focus. And at Picus Security, we’re always happy to talk about helping your organization meet its specific security needs..
Don’t forget to get your copy of The Blue Report 2025 and take proactive steps today to improve your security posture.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts.
Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX.
In addition, 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust.
Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims, per the U.S. Department of Justice (DoJ).
Prosecutors said Urban and his co-conspirators engaged in SIM swapping attacks to hijack victims’ cryptocurrency accounts and plunder the digital assets.
Later that November, the DoJ unsealed criminal charges against Urban and four other members of Scattered Spider for using social engineering techniques to target employees of companies across the U.S. and to break into corporate networks and steal proprietary data and to siphon millions of dollars in cryptocurrency.
Tyler Robert Buchanan, who is among those indicted, was extradited from Spain to the U.S. in April following his arrest in the European nation last June.
The development comes as Scattered Spider has joined forces with other threat groups ShinyHunters and LAPSUS$ to form a new cybercrime alliance. The group, associated with a broader English-speaking cybercriminal collective called The Com, has a history of conducting social engineering, credential theft, and SIM swapping, initial access, ransomware deployment, data theft, and extortion attacks.
“Scattered Spider has historically leaned on tactics that generate urgency, drive media and industry attention, create fear of exposure, and help force victims to payout quicker,” Adam Darrah, vice president of intelligence at ZeroFox, told The Hacker News in a statement.
“Timed leaks, countdown threats, and taunts directed at security firms are all part of their playbook. They have ties to a wider network of like-minded actors, which has given them access to more tools, data, and infrastructure, multiplying their effectiveness. We regularly see groups team up when there is an increase in external pressures, like law enforcement crackdowns. To survive, these groups need to consolidate. And the result is often a more versatile and potentially dangerous combined operation.”
Cybersecurity firm Flashpoint, which published a profile of Scattered Spider last week, said the financially-motivated hacking group adopts a wave-like approach by choosing a specific sector and attacking as many organizations within that vertical over a short span of time.
“The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities,” it said. “Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.”
Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild.
The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in an advisory.
The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The following versions address the security defect –
iOS 18.6.2 and iPadOS 18.6.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
iPadOS 17.7.10 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
It’s currently not known who is behind the attacks and who may have been targeted, but it’s likely that the vulnerability has been weaponised as part of highly targeted attacks.
Last month, the company also issued patches for a Safari vulnerability residing in an open-source component (CVE-2025-6558) that Google reported as having been exploited as a zero-day in the Chrome web browser.
A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their “strategic interest” to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.
The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.
It’s worth noting that the security defect has also been likely weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.
Static Tundra, per Talos, is assessed to be linked to the Federal Security Service’s (FSB) Center 16 unit and operational for over a decade, with a focus on long-term intelligence gathering operations. It’s believed to be a sub-cluster of another group that’s tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.
The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”
In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.
The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.
“SYNful Knock is a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” the threat intelligence firm said at the time. “It is customizable and modular in nature and thus can be updated once implanted.”
Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying TACACS+ configuration on infected appliances to interfere with remote logging functions.
“Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest,” Talos researchers Sara McBroom and Brandon White said. “One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective.”
This is accomplished by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been spotted collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.
Static Tundra’s activities are primarily focused on unpatched, and often end-of-life, network devices with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and hack into additional network devices for long-term access and information gathering.
To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or disable Smart Install if patching is not an option.
“The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” Talos said. “This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”
Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions.
The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month.
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” Tóth said. “The new technique is general and can be applied to other types of extensions.”
Clickjacking, also called UI redressing, refers to a type of attack in which users are tricked into performing a series of actions on a website that appear ostensibly harmless, such as clicking on buttons, when, in reality, they are inadvertently carrying out the attacker’s bidding.
The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM — for example, auto-fill prompts, by making them invisible by setting their opacity to zero.
The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users.
To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.
“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
Following responsible disclosure, six of the vendors have yet to release fixes for the defect –
1Password Password Manager 8.11.4.27
Apple iCloud Passwords 3.1.25
Bitwarden Password Manager 2025.7.0
Enpass 6.11.6
LastPass 4.146.3
LogMeOnce 7.12.4
Software supply chain security firm Socket, which independently reviewed the research, said Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass marked them as informative. It has also reached out to US-CERT to assign CVE identifiers for the identified issues.
Until fixes are available, it’s advised that users disable the auto-fill function in their password managers and only use copy/paste.
“For Chromium-based browser users, it is recommended to configure site access to ‘on click’ in extension settings,” Tóth said. “This configuration allows users to manually control auto-fill functionality.”
Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page.
Described by Guardio Labs an “AI-era take on the ClickFix scam,” the attack technique demonstrates how AI-driven browsers, such as Perplexity’s Comet, that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user’s knowledge or intervention.
“With PromptFix, the approach is different: We don’t try to glitch the model into obedience,” Guardio said. “Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core design goal: to help its human quickly, completely, and without hesitation.”
This leads to a new reality that the company calls Scamlexity, a portmanteau of the terms “scam” and “complexity,” where agentic AI – systems that can autonomously pursue goals, make decisions, and take actions with minimal human supervision – takes scams to a whole new level.
With AI-powered coding assistants like Lovable proven to be susceptible to techniques like VibeScamming, an attacker can effectively trick the AI model into handing over sensitive information or carrying out purchases on lookalike websites masquerading as Walmart.
All of this can be accomplished by issuing an instruction as simple as “Buy me an Apple Watch” after the human lands on the bogus website in question through one of the several methods, like social media ads, spam messages, or search engine optimization (SEO) poisoning.
Scamlexity is “a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage,” Guardio said.
The cybersecurity company said it ran the test several times on Comet, with the browser only stopping occasionally and asking the human user to complete the checkout process manually. But in several instances, the browser went all in, adding the product to the cart and auto-filling the user’s saved address and credit card details without asking for their confirmation on a fake shopping site.
In a similar vein, it has been found that asking Comet to check their email messages for any action items is enough to parse spam emails purporting to be from their bank, automatically click on an embedded link in the message, and enter the login credentials on the phony login page.
“The result: a perfect trust chain gone rogue. By handling the entire interaction from email to website, Comet effectively vouched for the phishing page,” Guardio said. “The human never saw the suspicious sender address, never hovered over the link, and never had the chance to question the domain.”
That’s not all. As prompt injections continue to plague AI systems in ways direct and indirect, AI Browsers will also have to deal with hidden prompts concealed within a web page that’s invisible to the human user, but can be parsed by the AI model to trigger unintended actions.
This so-called PromptFix attack is designed to convince the AI model to click on invisible buttons in a web page to bypass CAPTCHA checks and download malicious payloads without any involvement on the part of the human user, resulting in a drive-by download attack.
“PromptFix works only on Comet (which truly functions as an AI Agent) and, for that matter, also on ChatGPT’s Agent Mode, where we successfully got it to click the button or carry out actions as instructed,” Guardio told The Hacker News. “The difference is that in ChatGPT’s case, the downloaded file lands inside its virtual environment, not directly on your computer, since everything still runs in a sandboxed setup.”
The findings show the need for AI systems to go beyond reactive defenses to anticipate, detect, and neutralize these attacks by building robust guardrails for phishing detection, URL reputation checks, domain spoofing, and malicious files.
The development also comes as adversaries are increasingly leaning on GenAI platforms like website builders and writing assistants to craft realistic phishing content, clone trusted brands, and automate large-scale deployment using services like low-code site builders, per Palo Alto Networks Unit 42.
What’s more, AI coding assistants can inadvertently expose proprietary code or sensitive intellectual property, creating potential entry points for targeted attacks, the company added.
Enterprise security firm Proofpoint said it has observed “numerous campaigns leveraging Lovable services to distribute multi-factor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information.”
The counterfeit websites created using Lovable lead to CAPTCHA checks that, when solved, redirect to a Microsoft-branded credential phishing page. Other websites have been found to impersonate shipping and logistics services like UPS to dupe victims into entering their personal and financial information, or lead them to pages that download remote access trojans like zgRAT.
Lovable URLs have also been abused for investment scams and banking credential phishing, significantly lowering the barrier to entry for cybercrime. Lovable has since taken down the sites and implemented AI-driven security protections to prevent the creation of malicious websites.
Other campaigns have capitalized on deceptive deepfaked content distributed on YouTube and social media platforms to redirect users to fraudulent investment sites. These AI trading scams also rely on fake blogs and review sites, often hosted on platforms like Medium, Blogger, and Pinterest, to create a false sense of legitimacy.
“GenAI enhances threat actors’ operations rather than replacing existing attack methodologies,” CrowdStrike said in its Threat Hunting Report for 2025. “Threat actors of all motivations and skill levels will almost certainly increase their use of GenAI tools for social engineering in the near-to mid-term, particularly as these tools become more available, user-friendly, and sophisticated.”
Do you know how many AI agents are running inside your business right now?
If the answer is “not sure,” you’re not alone—and that’s exactly the concern.
Across industries, AI agents are being set up every day. Sometimes by IT, but often by business units moving fast to get results. That means agents are running quietly in the background—without proper IDs, without owners, and without logs of what they’re doing. In short: they’re invisible.
Shadow agents aren’t harmless helpers. Once compromised, they can move through systems, grab sensitive data, or escalate privileges at machine speed. Unlike humans, they don’t pause to think—they just execute 24/7.
The truth is, most security programs weren’t built for this. They manage people, not autonomous software agents. And as adoption grows, these shadow agents multiply—scaling risk just as fast as innovation.
This session isn’t theory—it’s about what’s happening now. You’ll learn:
How shadow AI agents appear in real environments
The kinds of attacks already being used against them
Practical steps to bring them under control
Our expert guest, Steve Toole, Principal Solutions Consultant at SailPoint, has seen firsthand how enterprises are grappling with AI-driven identities. Steve will share proven strategies to give AI agents proper identities, assign accountability, and enforce the right guardrails—so innovation remains safe instead of risky.
Shadow AI agents aren’t going away. They’re already active inside organizations today. The real choice is whether they’ll become trusted assets—or dangerous liabilities. That decision depends on the steps you take right now.
Reserve your spot today for Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier and learn how to take back control before attackers exploit the gap.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
