ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

MITRE Techniques

• [T1566.002 ] Spearphishing Link – Victims are lured through phishing URLs hosted on typosquatted domains impersonating LinkedIn and Indeed (‘phishing URLs hosted on typosquatted domains impersonating legitimate job and professional networking platforms’).
• [T1036 ] Masquerading – The infrastructure imitates trusted services and uses disguised file names and paths (‘impersonating legitimate job and professional networking platforms such as LinkedIn and Indeed’, ‘mimics a legitimate Python installation structure’).
• [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The payload invokes cmd.exe and executes obfuscated commands (‘%COMSPEC% /c …’, ‘invokes cmd.exe with a minimized window’).
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – Embedded JavaScript fetches, decodes, and injects the second-stage payload (‘Embedded JavaScript dynamically fetches remote content … applies ROT13’).
• [T1059.006 ] Command and Scripting Interpreter: Python – Python runtimes and scripts are used to decode, load, and execute later-stage payloads (‘portable Python runtimes to execute in-memory shellcode’, ‘pythonw.exe … .pyc’).
• [T1027 ] Obfuscated Files or Information – Multiple obfuscation layers are used, including caret obfuscation, ROT13, Cyrillic substitution, Base64, XOR, RC4, and ChaCha (‘applies ROT13’, ‘Cyrillic substitution operation’, ‘Base64 encoding, XOR decryption’).
• [T1055 ] Process Injection – Shellcode is executed directly in memory using Windows API calls and ctypes (‘execute payloads entirely in memory’, ‘uses the Windows ctypes interface to execute shellcode’).
• [T1106 ] Native API – The malware uses Windows API calls such as ctypes, ShellExecuteW, CoCreateInstance, WinHttpOpen, and WinHttpWebSocketCompleteUpgrade (‘direct Windows API calls via ctypes’, ‘Establishes secure WebSocket C2 communications using WinHTTP APIs’).
• [T1204.002 ] User Execution: Malicious File – The infection chain depends on the user interacting with the fake CAPTCHA and pressing Enter after clipboard abuse (‘When the user interacts with the fake CAPTCHA box’, ‘press ENTER’).
• [T1055.012 ] Process Hollowing – The campaign kills explorer.exe to disrupt the user environment and then relaunches activity through staged execution (‘taskkill /f /im explorer.exe’, ‘kills and restarts explorer.exe’).
• [T1105 ] Ingress Tool Transfer – Additional payloads, Python runtimes, ZIP archives, and shellcode are downloaded from remote infrastructure (‘download a legitimate Python runtime archive’, ‘retrieves the next-stage payload’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 and payload retrieval use HTTPS, POST requests, and WebSocket-over-HTTPS (‘transmitted in the body of an HTTP POST request’, ‘upgraded to a WebSocket channel’).
• [T1095 ] Non-Application Layer Protocol – The campaign leverages the legacy Finger protocol over port 79 for command resolution (‘abuses the Finger protocol’, ‘finger.exe relies on the Finger protocol over port 79’).
• [T1001 ] Data Obfuscation – C2 traffic is encrypted and encoded using multiple layers before transmission (‘all C2 communication is encrypted via the symmetric ChaCha algorithm’, ‘XOR-encrypts inbound and outbound C2 traffic’).
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The loader implements persistence and single-instance control with a mutex and watchdog relaunch behavior (‘Creates a mutex … to enforce single-instance execution’, ‘continuously relaunching a child copy’).
• [T1112 ] Modify Registry – The malware reads registry keys for host identification and OS profiling (‘Reads the Windows MachineGuid registry key’, ‘Reads Windows product name information from the registry’).
• [T1082 ] System Information Discovery – It enumerates OS, hostname, domain, architecture, AV products, and elevation state (‘collects host-level metadata’, ‘Enumerate installed AV products via WMI’).
• [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – Anti-VM logic checks for hypervisors before continuing (‘Run cpuid instruction to attempt to detect hypervisor’).
• [T1113 ] Screen Capture – CastleLoader can capture the desktop via GDI BitBlt (‘Capture the desktop on bootstrap via the GDI BitBlt pipeline’).
• [T1056.001 ] Input Capture: Keylogging – The RAT relays terminal input from the operator through stdin/stdout pipes (‘Receives operator keystrokes from the C2 and injects them into the stdin pipe’).