Fake CAPTCHA pages now come with a free bonus: “Open Run… paste this PowerShell… trust me bro.” 🙃
And if that feels too “classic,” don’t worry—linked-device takeovers are having a moment too: attackers convince people to pair a new device and quietly siphon the account. 😬
So we built a Forecast Card on a simple question:
By Oct 21, 2026, will a top-tier intel source attribute COLDRIVER / Star Blizzard to either (A) a new custom malware family or (B) a materially new initial-access vector beyond what’s already documented?
Why this is worth betting on now (and not in your next post-incident retro):
ClickFix-style social engineering is spreading—fake CAPTCHAs are becoming a delivery “pattern,” not a one-off.
OAuth device-code phishing is surging because it lands on legitimate login flows (and SOCs love “legit” traffic).
If you had to choose: new malware… or a new “trusted” login flow as initial access? 👀
Read + subscribe: https://blog.alphahunt.io/clickfix-to-linked-device-takeovers-will-star-blizzard-introduce-a-new-initial-access-vector-by-oct-2026
#AlphaHunt #ThreatIntel #IdentitySecurity #Phishing #OAuth