Blackpoint SOC Threat Pulse: Week of July 13, 2026
In this week’s Threat Pulse, the Blackpoint Security Operations Center (SOC) breaks down a ClickFix-style attack that tricked a user into running a malicious command, kicking off a chain that would have deployed HijackLoader and the SnappyClient RAT. The Adversary Pursuit Group (APG) also flags the resurgence of the NodeSnake RAT, a tool tied to the Interlock Ransomware operation, now reappearing via the same ClickFix playbook after a lengthy gap.
Executive Summary
- Featured Incident: The Blackpoint SOC responded to a ClickFix-style (Win+R) attack in which a user was tricked into running a malicious PowerShell command.
- The script pulled a disguised MSI installer from cloud storage while wiping MOTW metadata and Run history to cover its tracks; the Blackpoint SOC isolated the device to prevent further malicious activity.
- Further analysis identified a successful attack would have resulted in the deployment of HijackLoader and SnappyClient RAT.
- Snapshot: More than 101 on-premises incidents observed over the last week, with 84% disrupted before payload delivery and 4% attributed to likely pre-ransomware activity.
- Threat Intel: Fake CAPTCHA/ClickFix attacks are escalating and accounted for 43% of incidents over the last week; continues to be the most frequently observed campaign type observed by the Blackpoint SOC.
- Resurgence Alert: The Blackpoint APG has identified the NodeSnake RAT being redeployed via ClickFix-style attacks tied to the Interlock Ransomware operation and the KongTuke initial access broker, with 5+ incidents in the last 14 days and 100% thwarted prior to ransomware deployment.
Featured Incident: Win Some, R Some
What we’re seeing
- The Blackpoint SOC received alerts for suspicious powershell.exe usage by a user who fell for a ClickFix-style (Win+R) attack.
- The script was designed to pull an MSI installer from a cloud storage and wipe MOTW metadata and MRU Run Reg History Key in an attempt to cover the attacker’s tracks.
- The MSI installer masquerading as a licensing utility and would have deployed HijackLoader (IDAT Loader), a loader designed to allow flexibility and deploy additional payloads.
- Further analysis identified that this install was meant to deploy SnappyClient (Silab RAT), a RAT designed to provide persistent access to compromised environments.
What the Blackpoint SOC did
- The Blackpoint SOC isolated the device at the first signs of a ClickFix-style attack, cutting off attacker’s access and preventing additional malicious activity.
- Conducted additional analysis to provide context, identify potential impact, and appropriate mitigations.
Why this matters
- ClickFix-style attackers are designed to trick users, not software and are often not detected by traditional security software. The Blackpoint SOC understands these attack styles and successfully cuts off access before threat actors can complete their objective.
BROC Weekly Snapshot
What changed. What didn’t. What matters.
| Incidents Observed >105↑ | Pre-Payload Disruptions 84%‒ | Pre-Ransom Interruptions 4%↑ |
Campaign Statuses
| Fake CAPTCHA/ClickFix | ↑ | Escalating | 43% |
| Rogue RMM | ↓ | Ongoing | 19% |
| SSL VPN Compromise | ↓ | Ongoing | 6% |
| Trojanized Installers | ↑ | Ongoing | 2% |
Quick Take
Between January and April 2025, the Blackpoint APG tracked a campaign deploying the NodeSnake RAT, a remote access trojan previously tied to the Interlock Ransomware operation. Beginning in early July 2026, the Blackpoint APG has identified the NodeSnake RAT being deployed again, with more than 5 incidents in the previous 14 days.
Similar to previous Interlock Ransomware campaigns, this malware was delivered via ClickFix-style attacks, with infrastructure being publicly linked to the KongTuke initial access broker. The Interlock Ransomware group has relied on ClickFix-style initial access for at least the last 12 months and will likely continue to due to the attack’s overall success. The Blackpoint SOC has responded to hundreds of ClickFix-style attacks in 2026, and has thwarted 100% of the NodeSnake RAT-related incidents prior to the deployment of additional tools or ransomware payloads.
Analysis of the variant being deployed revealed that the developers appear to have added a new module to collect screenshots. Additionally, the C2 data includes a “vendor id”, likely used to identify the specific affiliate using it. These factors indicate a developer that is actively improving and evolving the malware payload.
DATE PUBLISHEDJuly 14, 2026
AUTHORBlackpoint Cyber
SHARE ON
Blackpoint AI: A Decade in the Making
Webinar - July 22
Automated attacks need automated defense. Learn how Blackpoint AI protects your clients from identity threats by containing threats in as little as 21 seconds.*
*Under two minutes on average