https://alertoverload.com/categories/etherhiding/ Recent content in EtherHiding on Alert Overload Hugo en-us Mon, 23 Mar 2026 00:00:00 +0000 https://alertoverload.com/posts/2026/03/clickfix---rockfest/ Mon, 23 Mar 2026 00:00:00 +0000 https://alertoverload.com/posts/2026/03/clickfix---rockfest/ <h1 id="clickfix-rockfest">ClickFix RockFest</h1> <p>Shout out to RedTeamRonin from DC612 for sending me this sample!</p> <h2 id="incident-overview">Incident Overview</h2> <p>Rock Fest is the largest rock and camping event in the United States. They use a WordPress domain that contains several potentially vulnerable plugins. This includes plugins vulnerable to multiple types of cross site scripting attacks. It is likely that the domain was compromised through a vulnerable plugin or exposed admin credentials.</p> <p>The ClickFix page utilizes the Windows Terminal variant lure. Instead of asking users to use the Windows Run menu (Win+R), this lure variant asks users to open PowerShell or the Terminal with Win+X, select an Admin shell, and paste &amp; submit the copied command.</p>