Threat Analysis: Fake Helpdesk Vishing Campaign and ClickFix RAT Delivery, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for the 5th of June 2026.

Two campaigns dominate today’s intelligence picture. Neither involves a zero-day. Neither requires your systems to be unpatched. Both are working right now against organisations that look exactly like the businesses in our readership. I want to cover them in some detail, because the threat model they represent is one the NCSC has been warning about for years, and organisations are still not taking it seriously enough.


Campaign One: Pink and the Fake IT Helpdesk

A newly tracked extortion group designated Pink, cluster CL-CRI-1147 in threat intelligence taxonomy, is running a vishing operation that should concern anyone responsible for a UK business with cloud storage.

The attack chain is straightforward, which is precisely why it works. Operators call employees directly, impersonating IT helpdesk staff. The social engineering is reportedly competent: callers present as internal IT support, reference plausible technical issues, and guide victims through credential handover or MFA approval. Once inside, they move to cloud storage, specifically SharePoint and OneDrive, and exfiltrate data. The ransom demand follows within hours, with a 72-hour window before the group threatens to publish what they have taken.

This is not a new technique. Vishing campaigns built on helpdesk impersonation have been documented since at least 2022, and the NCSC published specific guidance on social engineering attacks against organisations’ IT support functions in 2023. The fact we are still covering it as an active threat in 2026 tells you exactly how seriously most organisations have taken that guidance.

What Pink represents is the professionalisation of a technique that used to be associated with less organised criminal actors. The 72-hour ransom clock, the targeting of cloud storage rather than local files, the use of legitimate platforms for both exfiltration and leverage: this is operationally disciplined. It is also a direct evolution of the tactics used by groups like Scattered Spider, which targeted major organisations in 2023 and 2024 using identical helpdesk impersonation methods.

What the reporting does not say: The Register’s coverage confirms the campaign is active and the TTPs are documented, but it does not specify which sectors Pink is prioritising. Based on the broader pattern of groups using this methodology, professional services, legal, and accountancy firms are historically high-value targets: they hold sensitive client data, they tend to have small IT teams, and their staff are conditioned to respond quickly to IT requests. If your business fits that profile, treat the threat level as elevated.

What to do about it

  • Tell your staff, today, that IT support will never call them and ask them to approve an MFA prompt or read out a one-time code. This is the single most effective control available. It costs nothing. Write it in an email, say it in a team meeting, put it on a poster by the kettle if you have to.
  • Implement a callback verification policy. If someone calls claiming to be IT support, staff should hang up and call back on a number they look up themselves, not one provided by the caller.
  • Review who has access to SharePoint and OneDrive. Least-privilege access means a compromised account can only reach what that person actually needs. Most SMBs have not done this audit.
  • Check your MFA configuration. Number-matching MFA, where the user must enter the number shown on the sign-in screen into their authenticator app rather than simply pressing approve, significantly reduces the effectiveness of MFA fatigue attacks. If you are still on basic push notifications, change it.

Campaign Two: ClickFix Evolves Into Job Platform Impersonation

The second campaign worth your attention today comes from SpiderLabs at LevelBlue, and it represents the latest evolution of ClickFix, a social engineering technique that has been running in various forms since 2024.

ClickFix works by presenting victims with a fake CAPTCHA or error page that instructs them to run a command to fix a problem. The command, which the victim copies and pastes into their own system, installs malware. It is ingenious in a deeply frustrating way: the victim is the attack vector, and the malware arrives via legitimate system utilities, which means endpoint detection tools frequently miss it.

The new variant documented by SpiderLabs is targeting job-seekers via typosquatted domains impersonating LinkedIn and Indeed. The fake pages are being served through Google Ads, meaning they appear at the top of search results, carrying the implicit legitimacy that paid placement confers in most users’ minds. Victims who interact with the fake CAPTCHA trigger a chain that downloads a portable Python runtime using the Windows Finger protocol (a legacy utility that is almost never used legitimately and rarely blocked), then installs a Python-based remote access trojan called CastleRAT.

A separate but related cluster documented by LevelBlue also shows ClickFix chains leading through Deno, a JavaScript runtime, as an intermediate stage, further obscuring the infection chain from automated detection.

What this means for UK SMBs: Recruitment is active. UK unemployment data from early 2026 shows continued churn in professional services and hospitality sectors. Staff who are job-hunting on work devices, or who handle recruitment on behalf of the business, are the most exposed. The use of Google Ads as a delivery mechanism is particularly concerning because it bypasses the instinct to avoid obviously suspicious sites: the malicious page appears at the top of a legitimate search.

Check Point Research has separately documented a related infrastructure pattern: a large-scale impersonation ecosystem targeting downloads of legitimate open-source tools, which uses Traffic Distribution Systems (TDS) to gate delivery so that only genuine targets receive the malicious payload. This level of operational sophistication means automated defences alone will not catch it.

What to do about it

  • Block the Finger protocol (TCP port 79) at your network boundary. There is no legitimate business reason for it to be open. If your IT provider has not done this, ask them why.
  • Restrict the PowerShell execution policy on endpoints that IT does not already manage centrally. ClickFix chains rely heavily on PowerShell for staging. An ExecutionPolicy of RemoteSigned or AllSigned will not stop everything (it is a safety feature rather than a security boundary), but it raises the barrier.
  • Apply DNS filtering. Services like Cisco Umbrella, Cloudflare Gateway, or even the NCSC’s free Protective DNS service for eligible organisations will block known malicious domains before a connection is made.
  • Remind staff that copying and pasting commands from a website is not a normal troubleshooting step. Ever. If a website tells them to open a terminal and paste something, that is an attack. Full stop.
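The chain described above (a pasted shell one-liner, a finger.exe fetch, a portable Python or Deno runtime running from a user-writable folder) leaves a recognisable trail in process-creation telemetry. The following is an added example of detection logic over constructed Sysmon-style events; it is not code from the original post or from SpiderLabs, and the rule names, field names and sample paths are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. Index 0 is benign; 1-3 mirror the chain described above:
# shell pasted via the Run dialog -> finger.exe fetch -> Python stage from Temp.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c <pasted payload>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\finger.exe", "cmd": "finger.exe <user>@<host>"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe",
     "cmd": "python.exe stage.py"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
LAUNCHERS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-enc(odedcommand)?\b)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules this event trips (empty list if clean)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmd"]
    # finger.exe has no routine business use (rarely used, rarely blocked)
    if image == "finger.exe":
        hits.append("finger_exe_execution")
    # a shell started from the desktop or a browser with hidden/bypass/encoded
    # flags is the hallmark of a pasted ClickFix one-liner
    if image in SHELLS and parent in LAUNCHERS and SUSPICIOUS_FLAGS.search(cmd):
        hits.append("user_pasted_shell")
    # portable Python or Deno runtime executing out of a user-writable directory
    if image in ("python.exe", "pythonw.exe", "deno.exe") and USER_WRITABLE.search(event["image"]):
        hits.append("portable_runtime_user_path")
    return hits


def scan(events):
    """Map event index -> tripped rules, skipping clean events."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

Any one rule on its own will produce noise in a large estate; the value is in correlating the three within a short window on the same host.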

A Note on the York Council Data Breach

I will not spend much time on this because it does not involve a sophisticated threat actor, but it is worth a sentence or two.

City of York Council sent an email to hundreds of Blue Badge holders, people with disabilities, using CC instead of BCC. Every recipient could see every other recipient’s email address, and by extension their disability status. The ICO has been notified.

I mention it not to pile on a council that has clearly had an embarrassing day, but because this type of incident is still the most common cause of personal data breaches in UK organisations. Not ransomware. Not nation-state attacks. A staff member not checking which address field they were using. The NCSC published guidance on preventing accidental data disclosure three years ago. Most organisations have not implemented the technical controls (email DLP, recipient confirmation prompts, sensitive data classification) that would prevent it.

If your organisation sends bulk email to clients, service users, or customers, audit your process. This week.
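The recipient-exposure check that would have caught the York mistake is small enough to sit in an outbound mail gateway or a pre-send hook. The following is an added example, not the council's process or any product's DLP rule; the sample message, the internal domain list and the one-visible-external-address policy are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed outbound message, not the council's actual email: three service
# users placed in Cc, which is exactly the mistake described above.
SAMPLE_MESSAGE = """\
From: bluebadge@council.example
To: bluebadge@council.example
Cc: a.user@mail.example, b.user@mail.example, c.user@mail.example
Subject: Blue Badge renewal

Your badge is due for renewal.
"""

INTERNAL_DOMAINS = {"council.example"}  # assumption: the sender's own domains
VISIBLE_EXTERNAL_LIMIT = 1              # policy: at most one external address may be visible


def visible_external_recipients(msg):
    """External addresses that every recipient of this message would see."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def check_outbound(raw):
    """Return (allowed, reason); block bulk sends that expose the recipient list."""
    exposed = visible_external_recipients(message_from_string(raw))
    if len(exposed) > VISIBLE_EXTERNAL_LIMIT:
        return False, f"{len(exposed)} external recipients visible in To/Cc; use Bcc"
    return True, "ok"


def move_external_to_bcc(raw):
    """Rewrite the message so external recipients are hidden in Bcc."""
    msg = message_from_string(raw)
    exposed = visible_external_recipients(msg)
    for header in ("To", "Cc"):
        internal = [a for _, a in getaddresses(msg.get_all(header, [])) if a not in exposed]
        del msg[header]                      # removes every instance of the header
        if internal:
            msg[header] = ", ".join(internal)
    if not msg["To"]:
        msg["To"] = msg["From"]              # sender addresses itself; real recipients stay hidden
    existing = [a for _, a in getaddresses(msg.get_all("Bcc", []))]
    msg["Bcc"] = ", ".join(existing + exposed)
    return msg.as_string()
```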


Summary

Today’s threat picture is dominated by human-layer attacks, not technical ones. The Pink vishing campaign bypasses MFA through conversation. ClickFix bypasses endpoint security through user instruction-following. The York incident bypasses data protection policy through distraction.

In each case, the technical controls that would mitigate the risk exist. The problem is implementation and awareness. If you take one action today, make it telling your staff, clearly, specifically, and in plain language, what a real IT support call looks like and what to do when they receive one that does not match that description.


Sources

Source | Publication | Link
The Register | Pink is the latest goon squad to use fake helpdesk calls to steal creds | https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434
LevelBlue / SpiderLabs | ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery | https://www.levelblue.com/blogs/spiderlabs-blog/clickfix-is-now-hiring-from-job-platform-impersonation-to-python-based-rat-delivery
The Register | Council in UK’s City of York outs hundreds of disabled residents with a single email blunder | https://www.theregister.com/security/2026/06/05/council-in-uks-city-of-york-outs-hundreds-of-disabled-residents-with-a-single-email-blunder/5251214
Cisco Talos | CloudZ and Pheno infostealer | https://blog.talosintelligence.com/cloudz-pheno-infostealer/
Check Point Research | Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem | https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/

Filed under

  • social-engineering
  • credential-theft
  • smb-security
  • uk-business
  • msp-security
  • incident-response
  • cloud-security