Cybercriminals Exploit ClickFix Method to Spread Remote Access Trojans and Data-Siphoning Malware

Security researchers have recently uncovered a worrying surge in cyberattacks leveraging the “ClickFix” technique, a sophisticated social engineering method designed to trick users into unwittingly executing malicious code on their own devices.

According to the latest intelligence from Elastic Security Labs, cybercriminals are increasingly relying on this approach as the initial vector for multi-stage malware campaigns.

ClickFix has become highly prevalent, successfully delivering a range of threats, including the notorious GHOSTPULSE loader and infamous remote access trojans (RATs), such as ARECHCLIENT2 (also known as SectopRat).

At the heart of this attack is the exploitation of everyday user habits. Attackers craft fraudulent web pages that mimic familiar interfaces such as browser updates, system error messages, or CAPTCHA verifications, tricking users into copying and pasting seemingly innocuous PowerShell commands.

These commands, when executed, bypass traditional security defenses because the user initiates the process, often driven by “verification fatigue” or the mindless habit of clicking through online prompts.

In the wild, researchers observed campaigns where the malicious action started on fake Cloudflare anti-DDoS CAPTCHA verification pages.

Victims were directed to domains such as clients. dealeronlinemarketing[.]com or clients.contology[.]com, both of which resolved to the same compromised server (50.57.243[.]90).

Once users interacted with the fake CAPTCHA, obfuscated JavaScript code would run in the background, sending the victim’s IP address to attacker-controlled infrastructure before copying a base64-encoded PowerShell command to the clipboard.

This command, when executed, would fetch additional scripts from remote locations and ultimately deploy the malware.

Unraveling the Threat: How GHOSTPULSE and ARECHCLIENT2 Work Together

Once the user executes the copied PowerShell script, a ZIP file named ComponentStyle.zip is downloaded and extracted.

The extracted files include a legitimate-looking executable (such as Crysta_X64.exe) and a malicious DLL (DllXDownloadManager.dll), enabling DLL sideloading a technique where a legitimate program loads malicious code, evading detection.

The infection process leverages encrypted files like Shonomteak.bxi, which stores critical configuration and payload data for the GHOSTPULSE loader.

GHOSTPULSE decrypts its next stage using a DWORD addition operation, then injects the resultant code into a legitimate library (such as vssapi.dll), calling a function with a configuration structure that includes details for fetching the final payload.

Notably, the loader checks for specific running processes to avoid detection, delaying execution if certain software is present.

The final payload delivered is ARECHCLIENT2, a heavily obfuscated .NET Remote Access Trojan (RAT).

This malware undergoes several steps to ensure stealth and persistence: it patches anti-malware scanning interfaces (AMSI), decrypts its payload using a key located in the program’s .tls section, and loads the .NET Common Language Runtime (CLR) to inject ARECHCLIENT2 directly into memory.

This RAT is capable of stealing a wide array of sensitive data from cryptocurrency wallets and browser credentials to FTP, VPN, and chat app logins while also providing attackers with remote control over infected systems.

Infrastructure and Impact: The Road Ahead for Cybersecurity Teams

Analysis of the command-and-control (C2) infrastructure revealed a vast network of servers, most of which were running Canonical Linux, with reverse proxies disguising Windows-based C2 servers.

As of June 2025, over a dozen servers are actively serving as C2 endpoints for ARECHCLIENT2, with infrastructure rapidly changing to evade detection.

The malware is hardcoded to connect to C2s, such as 144.172.97[.]2 and 143.110.230[.]167, further complicating mitigation efforts.

This layered attack chain illustrates the increasing sophistication of cybercriminals, who blend social engineering with advanced evasion and payload delivery techniques.

Organizations and individuals are urged to remain vigilant against suspicious prompts and to educate users on the dangers of executing unfamiliar commands.

With the threat landscape constantly evolving, ongoing awareness and robust security practices are crucial for countering such threats in 2025 and beyond.