From ClickFix deception to information stealer deployment

Medium
Published: Wed Jun 18 2025 (06/18/2025, 12:27:27 UTC)
Source: AlienVault OTX General

Description

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology, bypasses traditional defenses, and has seen increased activity in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.

AI-Powered Analysis

Last updated: 06/18/2025, 12:49:37 UTC

Technical Analysis

The threat described involves a sophisticated multi-stage malware campaign that leverages social engineering and advanced malware loaders to deploy a potent Remote Access Trojan (RAT) and information stealer. The attack begins with a deceptive social engineering tactic known as ClickFix, which manipulates users into executing malicious payloads. This initial deception is critical as it bypasses traditional security defenses by exploiting user psychology rather than relying solely on technical vulnerabilities.

Once the user is compromised, the GHOSTPULSE loader is deployed. GHOSTPULSE acts as a sophisticated delivery mechanism that loads subsequent malicious components onto the victim's system. The final payload is ARECHCLIENT2, a powerful RAT and infostealer that targets a broad spectrum of sensitive data, including cryptocurrency wallets, browser-stored credentials and data, and detailed system information. The campaign's multi-stage nature allows it to evade detection by segmenting the attack into smaller, less suspicious steps, complicating incident response and forensic analysis.

The technical details highlight the use of various tactics and techniques mapped to MITRE ATT&CK, such as T1539 (stealing application access tokens), T1566.002 (spearphishing link), T1082 (system information discovery), T1140 (deobfuscate/decode files or information), T1059 (command and scripting interpreter), T1204 (user execution), T1057 (process discovery), T1059.001 (PowerShell), T1574.002 (DLL side-loading), T1105 (ingress tool transfer), and T1204.001 (malicious file execution). These techniques indicate a highly versatile and evasive malware campaign that leverages both social engineering and technical exploitation to achieve persistence, data exfiltration, and remote control. The campaign has seen increased activity in 2025, signaling an evolving threat landscape.

The associated infrastructure and malware components are actively analyzed by security researchers, with references such as Elastic Security Labs providing in-depth technical insights.

Potential Impact

For European organizations, the impact of this threat can be significant due to the sensitive nature of the data targeted and the stealthy infection chain. The theft of cryptocurrency wallets can lead to direct financial losses, while the exfiltration of browser data and system information can facilitate further attacks, including identity theft, corporate espionage, and unauthorized access to critical systems. The deployment of a RAT like ARECHCLIENT2 enables persistent remote access, allowing attackers to move laterally within networks, escalate privileges, and potentially disrupt operations. Given the campaign's reliance on social engineering, employees across various sectors are at risk, especially those with access to sensitive financial or personal data. The multi-stage attack complicates detection and mitigation, increasing the likelihood of prolonged undetected presence within networks. This can lead to regulatory compliance issues under GDPR due to data breaches, reputational damage, and financial penalties. Additionally, the targeting of cryptocurrency wallets is particularly relevant in Europe, where digital asset adoption is growing. The campaign's ability to bypass traditional defenses means that organizations relying solely on signature-based detection or basic endpoint protection may be insufficiently protected.

Mitigation Recommendations

To effectively mitigate this threat, European organizations should implement a layered defense strategy that addresses both the social engineering vector and the technical malware components. Specific recommendations include:

1) Conduct targeted security awareness training focusing on the ClickFix social engineering tactics, emphasizing skepticism of unsolicited requests and verification procedures before executing any links or attachments.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting anomalous behaviors associated with GHOSTPULSE loader activities and ARECHCLIENT2 RAT operations, such as unusual PowerShell usage, DLL side-loading, and unauthorized ingress tool transfers.
3) Implement strict application control policies to prevent execution of unauthorized scripts and binaries, including PowerShell constrained language mode and script block logging to detect obfuscated or malicious scripts.
4) Utilize network segmentation to limit lateral movement opportunities for attackers who gain initial access.
5) Monitor network traffic for indicators of compromise related to known infrastructure associated with this campaign, leveraging threat intelligence feeds and indicators from sources like AlienVault and Elastic Security Labs.
6) Enforce multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft.
7) Regularly back up critical data and verify the integrity and restorability of backups to mitigate the risk of data loss or ransomware follow-on attacks.
8) Conduct regular vulnerability assessments and penetration testing to identify and remediate potential weaknesses that could be exploited in conjunction with social engineering attacks.
9) Establish incident response plans that include procedures for detecting and responding to multi-stage malware infections, ensuring rapid containment and eradication.
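Recommendation 5 above is the one most easily turned into a concrete check: sweep existing proxy, DNS and EDR logs for the indicators this pulse lists. The script below is an added example written for this page, not code from AlienVault, Elastic Security Labs or the pulse itself. It embeds the IP, domain, URL and hash indicators exactly as listed in the Indicators of Compromise section, and matches them against a handful of constructed key=value log lines (the log format and the sample records are invented for the example; adapt the parser to your own export). Domain matching is suffix-based so that hosts under a listed domain, such as clients.contology.com, are caught as well, while URL matching is prefix-based against the listed paths.

```python
"""Sweep key=value log lines for the IoCs listed in this pulse.

Added example (not from the pulse or from Elastic Security Labs).
The indicator sets are copied from the pulse's IoC tables; the log
format and sample lines are constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# IP indicators copied from the pulse.
IOC_IPS = {
    "45.141.87.249", "185.156.72.80", "45.141.86.159", "45.141.87.212",
    "107.189.18.56", "107.189.24.67", "143.110.230.167", "144.172.101.228",
    "144.172.94.120", "144.172.97.2", "172.105.148.233", "172.235.190.176",
    "172.86.72.81", "176.126.163.56", "185.125.50.140", "185.156.72.63",
    "185.156.72.71", "192.124.178.244", "193.149.176.31", "194.26.27.10",
    "194.87.29.62", "195.82.147.132", "45.118.248.29", "45.141.86.149",
    "45.141.86.82", "45.141.87.7", "45.77.154.115", "45.94.47.164",
    "62.60.247.154", "66.63.187.22", "67.220.72.124", "79.124.62.10",
    "82.117.242.178", "82.117.255.225", "84.200.17.129", "85.158.110.179",
    "91.184.242.37", "91.199.163.74",
}
# Domain and URL indicators copied from the pulse (URL prefixes only;
# the pulse's third URL is a shortener link and is matched by prefix too).
IOC_DOMAINS = {"contology.com", "koonenmagaziner.click"}
IOC_URL_PREFIXES = {
    "https://clients.contology.com/captcha/",
    "https://koonenmagaziner.click/counter/",
    "https://shorter.me/XOWyT",
}
# MD5, SHA1 and SHA256 file hashes copied from the pulse, lower-cased.
IOC_HASHES = {
    "2d4fdba00b7f7b02408a8ea6c199037e", "82cddf3a9bff315d8fc708e5f5f85f20",
    "deb5bd989c9fdd5fe7f78f00a1216eb0",
    "515af087591021580b0c6131cfbc21e2a98153e2",
    "88cbe81096581d6ec1a060853a250c9a08d710b4",
    "2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a",
    "4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9",
    "a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90",
    "f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55",
}

Hit = Tuple[str, str]  # (indicator type, matched indicator value)
KV = re.compile(r"(\w+)=(\S+)")  # constructed key=value record format


def parse_line(line: str) -> dict:
    """Split a constructed 'k=v k=v ...' record into a dict."""
    return dict(KV.findall(line))


def domain_hit(host: str) -> Optional[str]:
    """Return the listed domain that equals host or is a parent of it."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def url_hit(url: str) -> Optional[str]:
    """Return the listed URL prefix that the request URL starts with."""
    for prefix in IOC_URL_PREFIXES:
        if url.startswith(prefix):
            return prefix
    return None


def scan_line(line: str) -> List[Hit]:
    """Return every IoC match found in one log line, in a fixed order."""
    fields = parse_line(line)
    hits: List[Hit] = []
    dst = fields.get("dst")
    if dst in IOC_IPS:
        hits.append(("ip", dst))
    host = fields.get("host")
    if host and (d := domain_hit(host)):
        hits.append(("domain", d))
    url = fields.get("url")
    if url and (p := url_hit(url)):
        hits.append(("url", p))
    for key in ("md5", "sha1", "sha256"):  # hash fields an EDR export might carry
        val = fields.get(key, "").lower()
        if val in IOC_HASHES:
            hits.append(("hash", val))
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[Hit]]]:
    """Return (1-based line number, hits) for each line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


# Constructed sample records: one benign proxy line (203.0.113.10 is a
# documentation address), two proxy lines touching listed infrastructure,
# and one EDR-style file event carrying a listed MD5.
SAMPLE_LOG = [
    "2025-06-18T12:00:01Z src=10.0.0.5 dst=203.0.113.10 host=example.com url=https://example.com/ action=allow",
    "2025-06-18T12:00:02Z src=10.0.0.5 dst=45.141.87.249 host=clients.contology.com url=https://clients.contology.com/captcha/ action=allow",
    "2025-06-18T12:00:03Z src=10.0.0.7 dst=185.156.72.80 host=cdn.koonenmagaziner.click url=https://cdn.koonenmagaziner.click/counter/1 action=allow",
    "2025-06-18T12:00:04Z src=10.0.0.7 dst=10.0.0.9 host=fileserver.local md5=2D4FDBA00B7F7B02408A8EA6C199037E action=write",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + ", ".join(f"{t}={v}" for t, v in hits))
```

Note the third sample line: the host is a subdomain of a listed domain, so it is flagged on the IP and domain indicators even though the URL does not start with the listed prefix. That is the behaviour a practitioner usually wants when sweeping retrospectively; tighten to exact-host matching only if the suffix rule produces too many false positives in your environment.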


Technical Details

Author: AlienVault
TLP: white
References: https://www.elastic.co/security-labs/a-wretch-client
Adversary: null
Pulse Id: 6852b0afd8614200f6174cd4
Threat Score: null

Indicators of Compromise

IP

45.141.87.249
185.156.72.80
45.141.86.159
45.141.87.212
107.189.18.56
107.189.24.67
143.110.230.167
144.172.101.228
144.172.94.120
144.172.97.2
172.105.148.233
172.235.190.176
172.86.72.81
176.126.163.56
185.125.50.140
185.156.72.63
185.156.72.71
192.124.178.244
193.149.176.31
194.26.27.10
194.87.29.62
195.82.147.132
45.118.248.29
45.141.86.149
45.141.86.82
45.141.87.7
45.77.154.115
45.94.47.164
62.60.247.154
66.63.187.22
67.220.72.124
79.124.62.10
82.117.242.178
82.117.255.225
84.200.17.129
85.158.110.179
91.184.242.37
91.199.163.74

Hash

2d4fdba00b7f7b02408a8ea6c199037e
82cddf3a9bff315d8fc708e5f5f85f20
deb5bd989c9fdd5fe7f78f00a1216eb0
515af087591021580b0c6131cfbc21e2a98153e2
88cbe81096581d6ec1a060853a250c9a08d710b4
2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a
4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9
a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90
f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55

URL

https://clients.contology.com/captcha/
https://koonenmagaziner.click/counter/<IP_address
https://shorter.me/XOWyT'

Domain

contology.com
koonenmagaziner.click

Threat ID: 6852b258a8c921274388513e

Added to database: 6/18/2025, 12:34:32 PM

Last enriched: 6/18/2025, 12:49:37 PM

Last updated: 8/15/2025, 12:35:29 PM
