ClickFix Removes Your Background but Leaves the Malware
BackgroundFix is a malicious campaign masquerading as a free image-editing tool that uses social engineering to trick users into executing commands that download and install malware. The infection chain delivers CastleLoader, which installs NetSupport RAT and a custom .NET stealer called CastleStealer. CastleStealer targets browser credentials, cryptocurrency wallets, and Telegram sessions using DPAPI decryption and Restart Manager APIs. The loader employs advanced techniques such as reflective PE injection, API hashing, and encrypted command-and-control communications. An implementation error in the malware causes silent failures in one launch method, but the campaign remains active. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
BackgroundFix is a social engineering lure disguised as an image background removal tool that prompts users to verify they are human by copying malicious commands to their clipboard. These commands invoke finger.exe to download additional payloads, leading to the deployment of CastleLoader. CastleLoader uses reflective PE injection, API hashing, and ChaCha20 encryption for C2 communications to deliver NetSupport RAT and CastleStealer. CastleStealer steals browser credentials, cryptocurrency wallet extensions, and Telegram session data by leveraging DPAPI decryption and Restart Manager APIs. The campaign uses Bring Your Own Interpreter (BYOI) tactics with embedded Python interpreters and multiple shellcode stages. A notable flaw in the malware references regsrv32.exe instead of regsvr32.exe, causing silent launch failures. There is no indication of known exploits in the wild or vendor advisories providing patches.
Potential Impact
The malware enables attackers to steal sensitive user data including browser credentials, cryptocurrency wallet information, and Telegram session data. It establishes persistent remote access via NetSupport RAT, allowing ongoing control of infected systems. The use of encrypted communications and advanced injection techniques complicates detection and analysis. The social engineering aspect increases the likelihood of user infection. The implementation flaw causing silent failures may reduce some infection success but does not eliminate the threat.
Mitigation Recommendations
No official patch or remediation guidance is currently available for this threat. Defenders should focus on user education to recognize and avoid social engineering lures like BackgroundFix. Blocking known malicious domains and URLs associated with this campaign can help reduce exposure. Endpoint detection and response solutions should be tuned to detect behaviors related to reflective PE injection, API hashing, and the presence of NetSupport RAT and CastleStealer components. Monitor for suspicious clipboard activity and execution of finger.exe or similar unusual processes. Since this is not a vulnerability but a malware campaign, traditional patching does not apply.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
- Adversary: ClickFix
- Pulse Id: 69f36a0940fe2fa665ebe32e
- Threat Score: null
Threat ID: 69f884b6cbff5d86101065e1
Added to database: 5/4/2026, 11:36:22 AM
Last enriched: 5/4/2026, 11:51:41 AM
Last updated: 5/4/2026, 3:09:45 PM