Lampion Banking Malware Uses ClickFix Lures to Steal Banking Credentials
According to Unit 42 researchers at Palo Alto Networks, a highly targeted malicious campaign orchestrated by the threat actors behind the Lampion banking malware has been uncovered.
Active since at least 2019, Lampion is an infostealer notorious for extracting sensitive banking information.
This latest operation, active between late 2024 and early 2025, has zeroed in on dozens of Portuguese organizations across government, finance, and transportation sectors.

What sets this campaign apart is the adoption of ClickFix lures, a social engineering tactic that is gaining traction across malware families.
ClickFix tricks victims into copying and executing malicious commands under the pretense of resolving computer issues, a technique also seen in strains like Lumma Stealer and NetSupport RAT.
Complex Infection Chain and Obfuscation Tactics
The Lampion campaign initiates with a phishing email containing a malicious ZIP file, which includes an HTML file redirecting victims to a fake Portuguese tax authority website, autoridade-tributaria[.]com.

Users are prompted to copy a malicious PowerShell command into the Run dialog, disguised with a Portuguese comment translating to “Enable File Preview.”
According to the report, this command downloads an obfuscated Visual Basic Script (VBS), kicking off a multi-stage infection chain designed to evade detection.
The chain involves several non-consecutive processes, including heavily obfuscated VBS scripts ranging from 30 MB to 50 MB in size, bloated with junk variables and indirect ASCII conversions.
These scripts perform reconnaissance, check for security software using Windows Management Instrumentation (WMI), and detect virtual machines or sandboxes.
The third stage communicates with a cloud-hosted command-and-control (C2) server, sending encoded victim data, while a fourth-stage DLL loader, over 700 MB in size, hinders analysis by exceeding upload limits on threat intelligence platforms.
Notably, the final Lampion payload was commented out in this instance, possibly indicating a testing phase or an upcoming wave of attacks.
The attack’s dispersed execution, involving hidden scheduled tasks and startup folder commands, further complicates detection, as individual events may appear benign in isolation.
Shared infrastructure and tactics, techniques, and procedures (TTPs) with past Lampion campaigns confirm the threat actors’ consistent modus operandi.
This campaign underscores the growing danger of ClickFix lures, exacerbated by low user awareness.
Security practitioners are urged to educate personnel on recognizing such social engineering ploys and to monitor PowerShell scripting and clipboard activity for suspicious behavior.
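The dispersed execution described above is the detection problem: a Run-dialog PowerShell launch, an oversized VBS handed to the script host, and a scheduled task or Startup-folder entry each look unremarkable on their own, but together on one host they describe this chain. The following detector is an added example written for this article, not Unit 42 code or part of the report; it runs three heuristics drawn from the behaviours the article lists over constructed process-creation records (the `ProcEvent` fields, the file-size lookup, the host names, paths and the `<stage download placeholder>` command are all assumptions) and then correlates per host so that several medium-confidence hits escalate to a single high-severity finding.

```python
"""Heuristic detection of a ClickFix-style infection chain over process-creation
records, with per-host correlation. Added example for this article; event fields
are assumptions loosely modelled on EDR/Sysmon process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint name (constructed)
    parent: str    # parent process image name
    image: str     # newly created process image name
    cmdline: str   # full command line


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# A PowerShell line comment at the very end of the command line: ClickFix lures
# append one so the pasted text reads like a harmless instruction to the victim.
TRAILING_COMMENT_RE = re.compile(r"\s#[^\n]*$")
# Quoted or unquoted Windows path ending in .vbs (assumes no spaces in the path).
VBS_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.vbs)"?', re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Legitimate VBS files are kilobytes; the campaign's stages were 30-50 MB.
OVERSIZED_SCRIPT_BYTES = 10 * 1024 * 1024


def rule_run_dialog_clickfix(ev: ProcEvent) -> bool:
    """explorer.exe (the Run dialog) spawning PowerShell with a trailing '#' comment."""
    return (ev.parent.lower() == "explorer.exe"
            and ev.image.lower() in SCRIPT_HOSTS
            and TRAILING_COMMENT_RE.search(ev.cmdline) is not None)


def rule_oversized_vbs(ev: ProcEvent, file_sizes: dict) -> bool:
    """Windows Script Host executing a .vbs far larger than any sane script."""
    if ev.image.lower() not in WSH_HOSTS:
        return False
    m = VBS_PATH_RE.search(ev.cmdline)
    return m is not None and file_sizes.get(m.group(1).lower(), 0) >= OVERSIZED_SCRIPT_BYTES


def rule_script_persistence(ev: ProcEvent) -> bool:
    """schtasks creating a task that runs a script host, or any command line
    that references the per-user Startup folder."""
    cl = ev.cmdline.lower()
    if (ev.image.lower() == "schtasks.exe" and "/create" in cl
            and any(h in cl for h in WSH_HOSTS | SCRIPT_HOSTS)):
        return True
    return STARTUP_DIR_RE.search(ev.cmdline) is not None


def evaluate(events, file_sizes: dict) -> dict:
    """Apply every rule to every event and correlate hits per host. Two or more
    distinct rules firing on one host is treated as high severity, because that
    is the pattern of a dispersed chain whose individual steps look benign."""
    per_host: dict = {}
    for ev in events:
        hits = []
        if rule_run_dialog_clickfix(ev):
            hits.append("run_dialog_clickfix")
        if rule_oversized_vbs(ev, file_sizes):
            hits.append("oversized_vbs")
        if rule_script_persistence(ev):
            hits.append("script_persistence")
        for h in hits:
            per_host.setdefault(ev.host, set()).add(h)
    return {host: {"rules": sorted(rules),
                   "severity": "high" if len(rules) >= 2 else "medium"}
            for host, rules in per_host.items()}


# Constructed file-inventory lookup (path -> size in bytes), as an EDR would supply.
FILE_SIZES = {
    r"c:\users\ana\appdata\local\temp\stage1.vbs": 41 * 1024 * 1024,
    r"c:\scripts\inventory.vbs": 12 * 1024,
}

# Constructed sample telemetry; the command payload is a placeholder, not a real lure.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -c "<stage download placeholder>" # Enable File Preview'),
    ProcEvent("ws01", "powershell.exe", "wscript.exe",
              r'wscript.exe //B "C:\Users\ana\AppData\Local\Temp\stage1.vbs"'),
    ProcEvent("ws01", "wscript.exe", "schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "wscript.exe C:\Users\ana\AppData\Local\Temp\stage1.vbs"'),
    ProcEvent("ws02", "cmd.exe", "cscript.exe", r"cscript.exe C:\scripts\inventory.vbs"),  # benign admin script
    ProcEvent("ws03", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile"),  # benign Run-dialog use
    ProcEvent("ws04", "cmd.exe", "cmd.exe",
              r'cmd.exe /c copy C:\tmp\a.vbs "C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\preview.vbs"'),
]

if __name__ == "__main__":
    for host, finding in evaluate(SAMPLE_EVENTS, FILE_SIZES).items():
        print(host, finding["severity"], ", ".join(finding["rules"]))
```

Run stand-alone, it reports ws01 as high (all three rules) and ws04 as medium (Startup-folder write only), while the benign admin script on ws02 and the plain Run-dialog PowerShell on ws03 produce nothing. The correlation step is the part worth keeping: any one of these rules alone will generate noise in a large fleet, but the combination on a single host within a short window is the signal the article says individual events hide.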
Palo Alto Networks customers are safeguarded through solutions like Cortex XDR and XSIAM, which detect and prevent malicious VBS scripts, while Advanced URL Filtering and DNS Security flag associated malicious domains.
For urgent concerns, the Unit 42 Incident Response team offers global support. As cyber threats evolve, proactive defense and awareness remain critical to countering sophisticated attacks like Lampion.
Indicators of Compromise (IoC)
| Type | Indicator |
|---|---|
| Phishing email SHA256 | ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce |
| Stage 1 VBS SHA256 | 4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35 |
| Stage 3 VBS SHA256 | 58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e |
| Domains | autoridade-tributaria[.]com, inde-faturas[.]com |
| C2 IPs | 5.8.9[.]77, 83.242.96[.]159 |