I am not a robot: ClickFix used to deploy StealC and Qilin

ClickFix social-engineering pages on compromised websites led victims to download and run a batch file that installed NetSupport Manager (NetSupport RAT), which connected to a C2 and delivered a sideloaded StealC V2 infostealer. Stolen credentials harvested by StealC appear to have been used to access a Fortinet VPN and enable a subsequent Qilin ransomware deployment. #StealC_V2 #Qilin

Keypoints

  • Attackers used a compromised legitimate site (aquafestonline[.]com) hosting an obfuscated script that created an invisible iframe to present a ClickFix verification page.
  • After completing the fake verification, victims downloaded and executed a batch file (C:\ProgramData\jh.bat) that installed NetSupport Manager (client32.exe) and established persistence via a registry Run key.
  • NetSupport RAT connected to a C2 at 94[.]158[.]245[.]13 and downloaded a ZIP (mir2.zip) containing a legitimate mfpmp.exe that sideloaded a malicious DLL (rtworkq.dll) to run StealC V2.
  • StealC V2 (an upgraded infostealer released March 2025) was used to harvest credentials that were later used to access a network via a privileged Fortinet VPN account.
  • Approximately one month after initial compromise, Qilin ransomware notes appeared on the network, indicating the stolen credentials enabled follow-on ransomware operations.
  • CTU assesses with moderate confidence that credentials were sold by an initial access broker or purchased from a marketplace and used by a Qilin affiliate; mitigation includes patching, limiting exposed services, phishing-resistant MFA, and EDR.

MITRE Techniques

  • [T1189] Drive-by Compromise – Compromised legitimate website served malicious JavaScript and an iframe to deliver the ClickFix page and payload (‘the victim visited a website (aquafestonline[.]com) that contained an embedded malicious script. This script fetched a heavily obfuscated external JavaScript file (d.js) from islonline[.]org’)
  • [T1204] User Execution – The campaign relied on user interaction to complete a fake verification that triggered the download and execution of the payload (‘After the victim completes the fake verification process, a batch file containing NetSupport Manager Client files is downloaded’)
  • [T1105] Ingress Tool Transfer – Attackers delivered tools and archives by downloading them from remote hosts and the C2 to the victim system (‘a batch file containing NetSupport Manager Client files is downloaded from hxxps://2beinflow[.]com/head.php’ and ‘A ZIP archive was subsequently downloaded from this C2 server to the victim’s system (c://users/public/mir2.zip).’)
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence was established by creating a registry Run key to launch NetSupport on startup (‘establishes persistence by creating a registry Run key.’)
  • [T1574.001] DLL Search Order Hijacking / DLL Side-Loading – A legitimate executable (mfpmp.exe) was used to sideload a malicious DLL (rtworkq.dll) to execute StealC V2 (‘contained a copy of the legitimate Microsoft Media Foundation Protected Pipeline executable (mfpmp.exe), which sideloaded a malicious DLL file (rtworkq.dll)’)
  • [T1071.001] Application Layer Protocol: Web Protocols – NetSupport RAT connected to a remote C2 server over common ports to receive additional payloads (‘NetSupport RAT connecting to a command and control (C2) server at 94[.]158[.]245[.]13. As of this publication, this IP address … exposes ports 3389 (RDP), 443 (HTTPS), and 5986 (WinRM)’)
  • [T1078] Valid Accounts – Stolen credentials harvested by the infostealer were used to access a Fortinet VPN via a privileged account, enabling network access for the ransomware affiliate (‘the threat actor used stolen credentials to access the network via a privileged account on a Fortinet VPN device.’)

Indicators of Compromise

  • [Domains] Hosting and delivery sites – aquafestonline[.]com, islonline[.]org, and 2 more domains (yungask[.]com, 2beinflow[.]com)
  • [IP address] NetSupport RAT C2 – 94[.]158[.]245[.]13 (C2 server exposing ports 3389, 443, 5986)
  • [File paths] Download and installation locations – C:\ProgramData\jh.bat, c://users/public/mir2.zip, and 1 more path (C:\ProgramData\loy.zip)
  • [File names] Malicious and abused executables/libraries – client32.exe (NetSupport RAT), rtworkq.dll (sideloaded malicious DLL), and other items such as mfpmp.exe and mir2.zip
  • [Hashes] Sample artifact hashes for detection – 0c71102046bea598d2369d2fca664472 (MD5 of Loy.zip), 13fe3c1072ce308192994f2d7b329f7c8cbb192d49bdb538872383192d133ebb (SHA256 of rtworkq.dll), and 8 other hashes

Read more: https://news.sophos.com/en-us/2025/12/18/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin/