From ClickFix deception to information stealer deployment
The article describes a surge in ClickFix campaigns that use GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys the GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology, bypasses traditional defenses, and has seen increased activity in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.
AI Analysis
Technical Summary
The threat described involves a sophisticated multi-stage malware campaign that leverages social engineering and an advanced malware loader to deploy a potent Remote Access Trojan (RAT) and information stealer. The attack begins with a deceptive social engineering tactic known as ClickFix, which manipulates users into executing malicious payloads themselves. This initial deception is critical because it bypasses traditional security defenses by exploiting user psychology rather than relying solely on technical vulnerabilities.

Once the user has been tricked, the GHOSTPULSE loader is deployed. GHOSTPULSE acts as a delivery mechanism that loads the subsequent malicious components onto the victim's system. The final payload is ARECHCLIENT2, a powerful RAT and infostealer that targets a broad spectrum of sensitive data, including cryptocurrency wallets, browser-stored credentials and data, and detailed system information. The campaign's multi-stage nature lets it evade detection by segmenting the attack into smaller, less suspicious steps, which complicates incident response and forensic analysis.

The technical details highlight the use of tactics and techniques mapped to MITRE ATT&CK, such as T1539 (stealing application access tokens), T1566.002 (spearphishing link), T1082 (system information discovery), T1140 (deobfuscate/decode files or information), T1059 (command and scripting interpreter), T1204 (user execution), T1057 (process discovery), T1059.001 (PowerShell), T1574.002 (DLL side-loading), T1105 (ingress tool transfer), and T1204.001 (malicious file execution). These techniques indicate a highly versatile and evasive campaign that combines social engineering with technical exploitation to achieve persistence, data exfiltration, and remote control. The campaign has seen increased activity in 2025, signaling an evolving threat landscape.
The associated infrastructure and malware components are actively analyzed by security researchers, with references such as Elastic Security Labs providing in-depth technical insights.
Potential Impact
For European organizations, the impact of this threat can be significant due to the sensitive nature of the data targeted and the stealthy infection chain. The theft of cryptocurrency wallets can lead to direct financial losses, while the exfiltration of browser data and system information can facilitate further attacks, including identity theft, corporate espionage, and unauthorized access to critical systems. The deployment of a RAT like ARECHCLIENT2 enables persistent remote access, allowing attackers to move laterally within networks, escalate privileges, and potentially disrupt operations. Given the campaign's reliance on social engineering, employees across various sectors are at risk, especially those with access to sensitive financial or personal data. The multi-stage attack complicates detection and mitigation, increasing the likelihood of prolonged undetected presence within networks. This can lead to regulatory compliance issues under GDPR due to data breaches, reputational damage, and financial penalties. Additionally, the targeting of cryptocurrency wallets is particularly relevant in Europe, where digital asset adoption is growing. The campaign's ability to bypass traditional defenses means that organizations relying solely on signature-based detection or basic endpoint protection may be insufficiently protected.
Mitigation Recommendations
To effectively mitigate this threat, European organizations should implement a layered defense strategy that addresses both the social engineering vector and the technical malware components. Specific recommendations include:
1) Conduct targeted security awareness training on ClickFix social engineering tactics, emphasizing skepticism of unsolicited requests and verification procedures before executing any links or attachments.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting the anomalous behaviors associated with GHOSTPULSE loader activity and ARECHCLIENT2 RAT operations, such as unusual PowerShell usage, DLL side-loading, and unauthorized ingress tool transfers.
3) Implement strict application control policies to prevent execution of unauthorized scripts and binaries, including PowerShell constrained language mode and script block logging to detect obfuscated or malicious scripts.
4) Use network segmentation to limit lateral movement opportunities for attackers who gain initial access.
5) Monitor network traffic for indicators of compromise related to the known infrastructure of this campaign, leveraging threat intelligence feeds and indicators from sources such as AlienVault and Elastic Security Labs.
6) Enforce multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft.
7) Regularly back up critical data and verify the integrity and restorability of backups to mitigate the risk of data loss or ransomware follow-on attacks.
8) Conduct regular vulnerability assessments and penetration testing to identify and remediate weaknesses that could be exploited in conjunction with social engineering attacks.
9) Establish incident response plans that include procedures for detecting and responding to multi-stage malware infections, ensuring rapid containment and eradication.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland, Belgium, Italy
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.elastic.co/security-labs/a-wretch-client
- Adversary: not specified
- Pulse Id: 6852b0afd8614200f6174cd4
- Threat Score: not specified
Threat ID: 6852b258a8c921274388513e
Added to database: 6/18/2025, 12:34:32 PM
Last enriched: 6/18/2025, 12:49:37 PM
Last updated: 8/15/2025, 12:35:29 PM