Hello and welcome to the Friday, November 14th,

2025 edition of the Sands Inundit Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

Purple Team Operations. And today we do have two diaries I should talk about. First one is from

Brad Duncan and he writes about the latest regarding the SmartApe SG campaign. This is a campaign that usually advertised itself via fake browser updates,

but lately has jumped on the ClickFix bandwagon,

and that has overall been sort of a huge thing,

where we see more and more of these fake catchers

that are tricking victims into installing malicious software on their system.

In this particular case, it starts out with a compromised webpage.

Inside that webpage, the attacker will add some JavaScript to then redirect the user to the clickfix exploit, which is in this case,

as you see sort of a Cloudflare lookalike, capture that then tricks the victim into installing

or basically running a malicious power shell command, and that PowerShe shell command will install additional malicious software.

As usual, Pratt provides plenty of indicators of compromise here with his diary, including

packet captures, to see how the attack really unfolded and hopefully helps you detect

some of these attacks in your own network.

The second diary comes from Xavier, and Xavier gives us an update of the formbook of Malware.

Formbook, another very popular piece of Malware that we haven't really talked much about lately.

This particular example arrived the form of an email attachment as a zip file.

The user was then tricked into extracting the zip file and executing the Visual Basic

script that was included with the zip file.

...