From ClickFix to Command: A Full PowerShell Attack Chain

Description

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key characteristics include a full PowerShell-based delivery chain, obfuscated payloads, evidence of lateral movement, and potential overlap with MuddyWater campaigns. The attack begins with phishing emails, progresses through a spoofed Microsoft Teams page, and uses social engineering to execute malicious PowerShell commands. The payload retrieves additional data, deploys a RAT, and establishes communication with a command and control server. The campaign demonstrates the effectiveness of living-off-the-land techniques, layered evasion, and adaptive C2 communication.