{"id":8773,"date":"2025-08-05T12:00:00","date_gmt":"2025-08-05T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8773"},"modified":"2026-06-14T19:48:57","modified_gmt":"2026-06-14T16:48:57","slug":"threat-report-h1-2025-clickfix-infostealer-disruptions-and-ransomware-deathmatch","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2025\/08\/05\/threat-report-h1-2025-clickfix-infostealer-disruptions-and-ransomware-deathmatch\/","title":{"rendered":"Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch"},"content":{"rendered":"<p>\u201cIt\u2019s all fun and games until someone gets hurt\u201d could well be the title of the latest ESET Threat Report, as cybercriminals play new mind games with their victims, wage full-on deathmatches among themselves, and become the hunted game of law enforcement and private vendors.<\/p>\n<p>ESET Distinguished Researcher <a href=\"https:\/\/www.welivesecurity.com\/en\/our-experts\/aryeh-goretsky\/\">Aryeh Goretsky<\/a> and Security Awareness Specialist <a href=\"https:\/\/www.welivesecurity.com\/en\/our-experts\/ondrej-kubovic\/\">Ondrej Kubovi\u010d<\/a> open this installment of the ESET Research Podcast by breaking down the latest cry among threat actors: ClickFix. They explain how this technique went from non-existent a year ago to the second most prevalent threat today, and why it\u2019s so effective. They also examine a specific example of this social engineering tactic, FakeCaptcha, which abuses the well-known human verification mechanism and weaponizes it to trick victims into executing malicious commands.<\/p>\n<p>Moving from emerging threats to positive developments, the second segment highlights recent law enforcement disruptions of infostealers. 
Noteworthy cases from the last 12 months include the takedown of Redline\/Meta Stealer in late 2024 and recent operations against <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/eset-takes-part-global-operation-disrupt-lumma-stealer\/\">LummaStealer<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/danabot-analyzing-fallen-empire\/\">Danabot<\/a>. Aryeh and Ondrej discuss what made these infostealer-as-a-service ventures attractive to affiliates, the impact of the disruptions, and ESET research\u2019s specific contributions to these takedowns.<\/p>\n<p>The final section covers the recent \u201cdeathmatch\u201d-style infighting in the ransomware scene, featuring the minor player Dragonforce. Despite their lack of reputation and low victim count, Dragonforce\u2019s operators went on a brazen offensive, defacing the data leak sites (DLS) of several rival groups on the dark web \u2013 including Mamona and BlackLock \u2013 and ultimately also taking down the DLS of the then-leader, RansomHub.<\/p>\n<p>If ransomware, infostealers or new social engineering techniques are your thing, tune in and subscribe to the ESET Research Podcast. 
For a more detailed version, download the <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/eset-threat-report-h1-2025\/\">ESET Threat Report H1 2025<\/a> from the <a href=\"https:\/\/www.welivesecurity.com\/threat-reports\/index.html\">Threat Reports section<\/a> \u2013 no paywall or registration required.<\/p>\n<blockquote>\n<div><em>Discussed:<\/em><\/div>\n<ul>\n<li><em>ClickFix and FakeCaptcha 1:05<\/em><\/li>\n<li><em>Whack-a-hack, infostealer version 9:20<\/em><\/li>\n<li><em>Ransomware deathmatch 18:40<\/em><\/li>\n<\/ul>\n<\/blockquote>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/podcasts\/eset-threat-report-h1-2025-clickfix-infostealer-disruptions-ransomware-deathmatch\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are embracing ClickFix, ransomware gangs are turning on each other \u2013 toppling even the leaders \u2013 and law enforcement is disrupting one infostealer after 
another<\/p>\n","protected":false},"author":5,"featured_media":8774,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2914],"tags":[],"class_list":["post-8773","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-media"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8773"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8773\/revisions"}],"predecessor-version":[{"id":9466,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8773\/revisions\/9466"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8774"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}