How ClickFix Opens the Door to Stealthy StealC Information Stealer

This analysis details a multi-stage Windows attack that begins with a fake Cloudflare CAPTCHA (ClickFix) social-engineering prompt that tricks victims into executing malicious PowerShell. The PowerShell loads, entirely in memory, shellcode, a PE downloader, and ultimately the StealC information stealer. The StealC payload harvests browser credentials, crypto wallets, Steam and Outlook data, system fingerprints, and screenshots, exfiltrating the data over HTTP to RC4-encrypted C2 servers. #StealC #ClickFix

Keypoints

  • Initial vector is a ClickFix/fake CAPTCHA social-engineering trick delivered via a compromised site (madamelam.com) and malicious JavaScript that instructs users to paste and run PowerShell commands.
  • Execution is fileless and multi-stage: PowerShell loader → Donut position-independent shellcode (cptch.bin) → reflectively loaded 64-bit PE downloader → StealC stealer (cptchbuild.bin).
  • StealC is a builder-based (MaaS) 64-bit MSVC-compiled information stealer that supports modular theft of browser credentials, crypto wallets, Steam accounts, Outlook credentials, system data, screenshots, and file grabbing.
  • C2 communications use HTTP with Base64+RC4 encryption (Build ID as RC4 key), chunked JSON uploads (256 KB chunks), and distinctive network artifacts (User-Agent “Loader”).
  • Evasion techniques include fileless memory execution, reflective PE loading, API hashing, string obfuscation (RC4+Base64), process injection/hollowing into svchost.exe, and no persistence with optional self-delete.
  • Defensive recommendations emphasize monitoring PowerShell usage, detecting VirtualAlloc/CreateThread patterns, flagging suspicious User-Agent strings and large Base64-encoded POSTs, and training users against fake verification prompts.
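The network-side recommendations above (flag the "Loader" User-Agent, requests for the named payload files, and large Base64-only POST bodies) as a small triage script. This is an added example, not code from the original report; the log format, the 64 KB threshold and the records themselves are constructed here.

```python
import json
import re

# Artifacts taken from the report: downloader User-Agent "Loader", payload
# file names, and exfiltration as Base64 JSON uploaded in 256 KB chunks.
SUSPICIOUS_USER_AGENT = "Loader"
PAYLOAD_NAMES = ("cptch.bin", "cptchbuild.bin")
LARGE_POST_BYTES = 64 * 1024          # assumed tuning value, not from the report
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(sample: str) -> bool:
    """True when the body sample consists only of Base64 alphabet characters."""
    return bool(sample) and BASE64_RE.match(sample) is not None


def analyse_event(event: dict) -> list:
    """Return the reasons one HTTP event matches the report's network indicators."""
    reasons = []
    if event.get("user_agent", "").strip() == SUSPICIOUS_USER_AGENT:
        reasons.append("user-agent 'Loader' (StealC downloader)")
    if event.get("uri", "").rsplit("/", 1)[-1] in PAYLOAD_NAMES:
        reasons.append("request for known payload file name")
    if (event.get("method") == "POST"
            and event.get("body_bytes", 0) >= LARGE_POST_BYTES
            and looks_base64(event.get("body_sample", ""))):
        reasons.append("large Base64-only POST body (possible chunked exfiltration)")
    return reasons


def scan_log(lines: list) -> list:
    """Run analyse_event over JSON-lines proxy records; return (host, reasons) hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = analyse_event(event)
        if reasons:
            hits.append((event.get("host"), reasons))
    return hits


# Constructed sample records (not real captures); the first host is the Stage 2
# payload server listed in the report's IoCs, the rest are placeholders.
SAMPLE_LOG = [
    '{"method":"GET","host":"94.154.35.115","uri":"/cptchbuild.bin","user_agent":"Loader","body_bytes":0,"body_sample":""}',
    '{"method":"POST","host":"94.154.35.115","uri":"/","user_agent":"Mozilla/5.0","body_bytes":262144,"body_sample":"eyJod2lkIjoiQ09OU1RSVUNURUQifQ=="}',
    '{"method":"GET","host":"example.org","uri":"/index.html","user_agent":"Mozilla/5.0","body_bytes":0,"body_sample":""}',
    '{"method":"POST","host":"example.org","uri":"/api/upload","user_agent":"Mozilla/5.0","body_bytes":300000,"body_sample":"file=report.pdf&x=1"}',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the two constructed records for the payload server; the ordinary browsing and the non-Base64 upload pass.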

MITRE Techniques

  • [T1059.001] PowerShell – Used as the initial execution mechanism to retrieve and run the in-memory loader script (‘Press Windows Key + R to open the Run dialog … Press Ctrl + V to paste a pre-loaded command’).
  • [T1204] User Execution – Social-engineering via a fake CAPTCHA prompts victims to execute commands, exploiting user trust (‘The fake CAPTCHA page mimics a legitimate Cloudflare security check, then instructs victims to: Press Windows Key + R … Press Ctrl + V’).
  • [T1620] Reflective Code Loading – The Donut-generated position-independent shellcode reflectively loads embedded PE payloads entirely in memory (‘position-independent shellcode … Donut embeds the entire PE file within the shellcode payload’).
  • [T1055] Process Injection – The 64-bit downloader injects the StealC payload into svchost.exe by allocating memory in the target process, writing the payload, and creating a remote thread (‘allocates memory in the target process, writes the StealC payload to allocated memory, creates a remote thread’).
  • [T1027] Obfuscated Files or Information – String obfuscation and dual-layer encryption (RC4 + Base64) hide configuration, C2 URLs, and module names (‘Plaintext string → RC4 encryption (hardcoded key: rOIBXiPtf9) → Encrypted bytes → Base64 encoding’).
  • [T1555.003] Credentials from Web Browsers – StealC extracts and decrypts credentials from Chromium-based browsers by retrieving the encrypted key and using DPAPI/AES-GCM to decrypt stored passwords (‘reads the Local State file … calls CryptUnprotectData … uses the decrypted key with AES-GCM to decrypt the stored passwords’).
  • [T1552.002] Credentials from Registry – StealC extracts Outlook credentials stored in the Windows Registry and decrypts them using DPAPI (‘extracts the encrypted password from the registry … calls CryptUnprotectData to decrypt the password’).
  • [T1041] Exfiltration Over C2 Channel – Stolen data is packaged into Base64-encoded JSON and uploaded to C2 servers over HTTP with RC4 encryption (‘formats stolen data into structured JSON payloads … applies a multi-layer encryption scheme … transmits to the C2 server’).
  • [T1113] Screen Capture – The malware captures screenshots via GDI+ (BitBlt/GDI+ JPEG compression) and uploads them to C2 (‘the module named `take_screenshot` takes a screenshot … converts the captured bitmap to JPEG format … uploads the screenshot file to the C2 server’).
  • [T1082] System Information Discovery – StealC collects detailed system fingerprints (OS version, HWID, CPU, RAM, GPU, locale) for victim profiling (‘generates a comprehensive system fingerprint … includes OS details, hardware, timestamps, system language’).
  • [T1057] Process Discovery – The stealer enumerates running processes to aid targeting and injection decisions (‘The malware lists all running processes’).
  • [T1012] Query Registry – Registry enumeration is used to locate Steam paths and Outlook profiles and to extract stored credentials (‘locates Steam installations by querying the registry key HKCU\Software\Valve\Steam\SteamPath’; ‘queries specific Windows Registry locations including HKCU\Software\Microsoft\Office\Outlook\Profiles’).
  • [T1548] Abuse Elevation Control Mechanism – StealC can request UAC elevation and attempts privilege escalation (SeDebugPrivilege) when needed to access protected locations (‘The module … attempts SeDebugPrivilege string used for privilege escalation’ and ‘StealC can request UAC elevation’).
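The same RC4-then-Base64 scheme covers both the string obfuscation (hardcoded key `rOIBXiPtf9`, quoted in the T1027 entry) and the C2 traffic (Build ID as the RC4 key, per the Keypoints). The decoder below is an added example for analysts triaging a sample or a capture, not code from the report; the Build ID and both encoded blobs are constructed here, and only the string key comes from the page.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_stealc_blob(blob: str, key: str) -> bytes:
    """Reverse the report's scheme: Base64 text -> RC4 ciphertext -> plaintext."""
    return rc4(key.encode(), base64.b64decode(blob))


def encode_stealc_blob(plaintext: bytes, key: str) -> str:
    """Forward direction, used here only to build the labelled samples below."""
    return base64.b64encode(rc4(key.encode(), plaintext)).decode()


# Hardcoded string-obfuscation key quoted in the report.
STRING_KEY = "rOIBXiPtf9"
# Constructed sample: a module name obfuscated with the string key (not a real blob).
SAMPLE_STRING_BLOB = encode_stealc_blob(b"take_screenshot", STRING_KEY)
# Constructed Build ID and C2 body; the report states the Build ID keys the C2 RC4.
SAMPLE_BUILD_ID = "BUILD_ID_PLACEHOLDER"
SAMPLE_C2_BLOB = encode_stealc_blob(b'{"hwid":"CONSTRUCTED","os":"Windows 10"}', SAMPLE_BUILD_ID)

if __name__ == "__main__":
    print(decode_stealc_blob(SAMPLE_STRING_BLOB, STRING_KEY))
    print(decode_stealc_blob(SAMPLE_C2_BLOB, SAMPLE_BUILD_ID))
```

Decoding a C2 body with the string key (or a config string with the Build ID) yields garbage rather than an error, which is the practical test for which layer a blob belongs to.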

Indicators of Compromise

  • [IP Addresses] C2 and payload servers – 94.154.35.115 (Stage 2 payload delivery), 91.92.240.219 (PowerShell loader), and two other infrastructure IPs (178.16.53.70, 91.92.240.190).
  • [URLs / Domains] Malicious scripts and fake CAPTCHA hosts – hxxps://goveanrs.org/jsrepo (malicious JS), https://cptoptious.com (fake CAPTCHA), and compromised site madamelam.com used to deliver the initial script.
  • [File Names] Stage payloads and artifacts – cptch.bin (Donut shellcode), cptchbuild.bin (StealC payload), plus the temporary artifact screenshot.jpg created before exfiltration.
  • [File Hashes] Known payload hashes – cptch.bin SHA-256: 5ad34f3a900ec243355dea4ac0cd668ef69f95abc4a18f5fc67af2599d1893bd; cptchbuild.bin SHA-256: dc38f3f3c8d495da8c3b0aca8997498e9e4d19738e1e2a425af635d37d0e06b8.
  • [HTTP Headers] Malicious User-Agent – “Loader” used by the downloader when requesting cptchbuild.bin (indicative of the downloader component).
  • [Registry Keys / Paths] Targets for credential and wallet harvesting – HKCU\Software\Valve\Steam\SteamPath (Steam discovery), %LOCALAPPDATA%\Google\Chrome\User Data (Chromium extension and wallet storage paths), and HKCU\Software\Microsoft\Office\Outlook\Profiles (Outlook credentials).

Read more: https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer