
Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

Medium
Published: Fri Sep 12 2025 (09/12/2025, 14:56:55 UTC)
Source: AlienVault OTX General

Description

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It employs advanced anti-analysis methods, including anti-VM checks and registry manipulation. The final payload, typically an infostealer like NekoStealer or Lumma, is delivered via a multi-stage process involving packed .NET executables and protected DLLs. The loader's evolution and its role in the broader malware-as-a-service ecosystem underscore the need for organizations to focus on detecting initial access and intermediate stages rather than just final payloads.

AI-Powered Analysis

Last updated: 09/12/2025, 19:32:45 UTC

Technical Analysis

The Clickfix HijackLoader phishing campaign is a sophisticated malware distribution operation that has been active since 2023. It begins with a CAPTCHA-based phishing attack designed to bypass automated detection and lure victims into executing malicious content. The campaign employs multiple stages of obfuscated PowerShell scripts, which complicate detection and analysis efforts. These scripts incorporate advanced anti-analysis techniques such as anti-virtual machine (anti-VM) checks and registry manipulation to evade sandbox environments and forensic tools. The multi-stage infection chain culminates in the delivery of infostealer malware, primarily variants like NekoStealer or Lumma, which are known for harvesting sensitive information such as credentials, cookies, and system details. The payload delivery involves packed .NET executables and protected DLLs, adding layers of complexity to reverse engineering and detection. This campaign exemplifies the malware-as-a-service model, where loaders like HijackLoader facilitate the distribution of various payloads for different threat actors. The campaign’s sophistication and modularity highlight the importance of detecting early-stage indicators such as phishing attempts and intermediate script execution, rather than focusing solely on the final payload. Indicators of compromise include numerous file hashes, suspicious domains, and an IP address linked to the campaign infrastructure. The campaign leverages multiple MITRE ATT&CK techniques, including T1566.002 (phishing), T1497.001 (virtualization/sandbox evasion), T1059.001 (PowerShell), and T1071.001 (application layer protocol), among others, underscoring its complexity and evasive capabilities.

Potential Impact

For European organizations, the Clickfix HijackLoader campaign poses a significant risk to confidentiality and operational security. The infostealer payloads can exfiltrate sensitive corporate data, including user credentials, personally identifiable information (PII), and intellectual property, potentially leading to identity theft, financial fraud, and corporate espionage. The multi-stage and obfuscated nature of the attack complicates detection, increasing the likelihood of a prolonged undetected presence within networks. This can result in lateral movement, privilege escalation, and further compromise of critical systems. The campaign’s use of phishing as an initial vector exploits human vulnerabilities, which remain a persistent challenge despite technical controls. Given the campaign’s malware-as-a-service nature, it can rapidly adapt and target various sectors, including finance, healthcare, government, and critical infrastructure, all of which are prominent in Europe. The campaign’s evasion techniques may also hinder incident response and forensic investigations, delaying remediation efforts and increasing potential damage. Additionally, the presence of protected DLLs and packed executables complicates signature-based detection, necessitating more advanced behavioral and heuristic analysis methods.

Mitigation Recommendations

European organizations should implement a layered defense strategy focusing on early detection and prevention of initial access and intermediate stages. Specific recommendations include:

1) Enhance phishing defenses by deploying advanced email filtering solutions that incorporate machine learning to detect CAPTCHA-based and obfuscated phishing attempts.
2) Conduct regular user awareness training emphasizing the risks of phishing and the importance of verifying unexpected CAPTCHA challenges or links.
3) Deploy endpoint detection and response (EDR) solutions capable of monitoring and analyzing PowerShell script execution, particularly obfuscated or multi-stage scripts.
4) Implement application whitelisting and restrict execution of unauthorized .NET executables and DLLs.
5) Monitor registry changes and unusual system behaviors indicative of anti-VM or anti-analysis techniques.
6) Utilize network traffic analysis tools to detect anomalous outbound connections, especially to known malicious domains and IPs associated with the campaign.
7) Maintain up-to-date threat intelligence feeds and integrate indicators of compromise (IOCs) such as file hashes, domains, and IP addresses into security monitoring systems.
8) Conduct regular incident response drills simulating multi-stage malware infections to improve detection and containment capabilities.
9) Employ sandbox environments with enhanced evasion detection to analyze suspicious files and scripts.
10) Enforce the principle of least privilege to limit the impact of credential theft and lateral movement.


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/deconstructing-a-cyber-deception-an-analysis-of-the-clickfix-hijackloader-phishing-campaign/
Adversary: null
Pulse Id: 68c434b702367baa76c87ab9
Threat Score: null

Indicators of Compromise

Hash

86b32049a679b945a803b32e58ba9462
cd0c6cb4807f5266df4c34846e5a3250
b9df6e383de60d6c91d4953face7ba335af78481
d94a15b3585336943154dae4ae5f2b78975b4a74
1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57
3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df
37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4
50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee
52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd
782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d
921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184
c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e
d0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4
e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82

Ip

91.212.166.51

Domain

cosi.com.ar
1h.vuregyy1.ru
rs.mezi.bet
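Recommendation 7 above asks for the published IOCs to be integrated into monitoring. The following is an added example, not code from the report or from Seqrite, showing one way to do that: it parses the indicator list exactly as published on this page (hash algorithm is inferred from hex length, which the page does not state), then sweeps a set of constructed sample log lines for hash, IP and domain matches. Domain matching deliberately accepts subdomains of a listed domain but rejects hosts that merely start with one, which is a common mistake in quick IOC sweeps.

```python
import re
from collections import defaultdict

# Indicators transcribed from this report's IoC section. Descriptions were
# empty on the page, so only type and value are kept.
IOC_TEXT = """
hash 86b32049a679b945a803b32e58ba9462
hash cd0c6cb4807f5266df4c34846e5a3250
hash b9df6e383de60d6c91d4953face7ba335af78481
hash d94a15b3585336943154dae4ae5f2b78975b4a74
hash 1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57
hash 3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df
hash 37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4
hash 50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee
hash 52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd
hash 782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d
hash 921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184
hash c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e
hash d0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4
hash e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82
ip 91.212.166.51
domain cosi.com.ar
domain 1h.vuregyy1.ru
domain rs.mezi.bet
"""

# Assumption: the page does not name hash algorithms, so infer them from length.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_iocs(text):
    """Parse 'type value' lines into {'md5'|'sha1'|'sha256'|'ip'|'domain': set(values)}."""
    iocs = defaultdict(set)
    for line in text.strip().splitlines():
        kind, value = line.split(maxsplit=1)
        value = value.strip().lower()
        if kind == "hash":
            algo = HASH_ALGO_BY_LEN.get(len(value))
            if algo is None or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"unrecognised hash value: {value}")
            iocs[algo].add(value)
        elif kind in ("ip", "domain"):
            iocs[kind].add(value)
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return iocs


# Token extractors for free-form log text.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_matches(host, bad_domains):
    """True if host equals a listed domain or is a subdomain of one.

    'www.cosi.com.ar' matches 'cosi.com.ar'; 'cosi.com.ar.evil.example' does not.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan_log(lines, iocs):
    """Return [(line_number, indicator_type, matched_value), ...] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HEX_RE.findall(line):
            algo = HASH_ALGO_BY_LEN[len(h)]
            if h.lower() in iocs[algo]:
                hits.append((n, algo, h.lower()))
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if domain_matches(host, iocs["domain"]):
                hits.append((n, "domain", host.lower()))
    return hits


# Constructed sample log lines (DNS, proxy and EDR records), not real telemetry.
SAMPLE_LOG = [
    "2025-09-12T14:56:55Z dns client=10.0.0.5 query=1h.vuregyy1.ru type=A",
    "2025-09-12T14:57:02Z proxy user=alice dst=91.212.166.51:443 method=CONNECT",
    "2025-09-12T14:57:10Z edr host=WS01 process=powershell.exe "
    "sha256=1B272EB601BD48D296995D73F2CDDA54AE5F9FA534EFC5A6F1DAB3E879014B57",
    "2025-09-12T14:58:00Z dns client=10.0.0.7 query=www.cosi.com.ar type=A",
    "2025-09-12T14:58:30Z dns client=10.0.0.9 query=cosi.com.ar.evil.example type=A",
    "2025-09-12T14:59:00Z dns client=10.0.0.5 query=example.com type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print("IOC hit: line %d %s %s" % hit)
```

The sweep reports four hits (the DNS lookup of 1h.vuregyy1.ru, the proxy connection to 91.212.166.51, the uppercase SHA-256 on the EDR record, and the www subdomain of cosi.com.ar) and correctly ignores the look-alike host that only begins with a listed domain. In production the same functions would be fed from a SIEM export rather than the inline list.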

Threat ID: 68c4749156cc6d7fb97f0b39

Added to database: 9/12/2025, 7:29:21 PM

Last enriched: 9/12/2025, 7:32:45 PM

Last updated: 9/12/2025, 11:14:01 PM

