
Infostealer Infections Expose Cloud Credentials, Enabling Cyber Attacks on Global Companies

The evolution of cybercrime in 2024 and 2025 has created a dangerous, self-sustaining threat vector known as “ClickFix.” 

A new investigation by the Hudson Rock Threat Intelligence Team, backed by data from ClickFix Hunter, has revealed a startling cycle: legitimate business websites are being weaponized using stolen administrative credentials obtained through Infostealer malware.

The Rise of Human-Assisted Malware

Traditional web-based exploits have steadily declined as browsers like Chrome and operating systems such as Windows strengthened their defenses.

In response, cybercriminals have shifted to “human-assisted” malware delivery, tricking users into executing malicious commands.

In a typical ClickFix campaign, victims are redirected to compromised websites through malvertising or SEO poisoning.

These pages often display deceptive overlays resembling CAPTCHA challenges, Chrome update errors, or Windows alerts.

When users interact with them, embedded JavaScript copies a PowerShell command to the clipboard. The site then instructs the user to press Windows + R, paste the “verification code,” and press Enter, inadvertently executing the malicious script with full privileges.

This command downloads and executes Infostealer malware such as Lumma, Vidar, or Stealc, which silently collects passwords, tokens, and saved credentials from browsers and applications.
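For defenders, the Windows + R step described above leaves a trace: Windows records Run-dialog entries per user under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The following Python is an added example, not code from Hudson Rock or ClickFix Hunter; it triages exported RunMRU values, and the interpreter list, trait patterns and sample data are constructed assumptions.

```python
import re

# Programs a pasted Run-dialog command is commonly handed to (assumed list).
INTERPRETERS = re.compile(
    r"\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|curl|msiexec)(?:\.exe)?\b", re.I)

# Heuristic traits (assumptions for this example, tune to your environment).
TRAITS = {
    "remote_fetch": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"\s-(?:w|windowstyle)\s+hidden\b|\s-(?:enc|encodedcommand)\s", re.I),
    "lure_text": re.compile(r"captcha|not a robot|verif", re.I),
}

def parse_runmru(values):
    """Return Run-dialog commands newest first, following MRUList order."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue  # MRUList can reference a value that was deleted
        # Each stored command carries a trailing "\1" marker; strip it.
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def flag_clickfix(values):
    """Return (command, traits) for entries that pair an interpreter with a trait."""
    findings = []
    for cmd in parse_runmru(values):
        if not INTERPRETERS.search(cmd):
            continue
        hits = sorted(name for name, rx in TRAITS.items() if rx.search(cmd))
        if hits:
            findings.append((cmd, hits))
    return findings

# Constructed RunMRU export; the payload is a placeholder on a reserved domain.
SAMPLE = {
    "MRUList": "cba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden "<placeholder> https://example.invalid/v" '
         '# I am not a robot: verification ID 1234\\1',
}

if __name__ == "__main__":
    for cmd, hits in flag_clickfix(SAMPLE):
        print(hits, cmd)
```

A hit here is a triage lead rather than proof of infection; confirm it against process-creation and network logs for the same user and time window.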

Feedback Loop: From Victim to Vector

According to ClickFix Hunter’s data, more than 1,600 live domains have been observed serving ClickFix campaigns, with hundreds discovered in the past month alone.

Hudson Rock’s analysis uncovered a more profound connection among these compromised sites: approximately 13% overlap with domains whose administrative credentials had already been leaked via Infostealer infections.

Case studies of jrqsistemas.com and wo.cementah.com illustrate the feedback loop. In both cases, administrative logins stolen via Infostealer infections were later used by attackers to hijack the same websites and host new ClickFix payloads.


This creates a self-propagating chain where victims become unwilling participants in distributing further infections.

By combining ClickFix Hunter’s real-time monitoring with Hudson Rock’s Cavalier cybercrime intelligence, researchers demonstrated that many of these malicious campaigns are running on compromised cloud or hosting platforms rather than attacker-owned servers.

This decentralized infrastructure makes takedowns more difficult and allows the ecosystem to persist despite law enforcement disruptions.

Experts warn that as long as infostealer logs containing credentials for WordPress, cPanel, and cloud dashboards circulate in underground markets, attackers can continuously repurpose legitimate business assets.

Hudson Rock recommends using its free API tools to identify compromised domains, track infections, and prevent hijacked infrastructure from being reused in future attacks.

The findings underscore a critical truth in 2025: the most significant vulnerability is no longer in software code; it’s in human actions and exposed credentials that power the global web.


The post Infostealer Infections Expose Cloud Credentials, Enabling Cyber Attacks on Global Companies appeared first on Cyber Security News.
