{"id":63887,"date":"2026-02-06T11:20:15","date_gmt":"2026-02-06T10:20:15","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=63887"},"modified":"2026-02-06T14:42:29","modified_gmt":"2026-02-06T13:42:29","slug":"clickfix-and-infostealers-served-fresh-off-the-grill","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/clickfix-and-infostealers-served-fresh-off-the-grill\/","title":{"rendered":"Clickfix and Infostealers served fresh off the grill"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/clickfix-and-infostealers-served-fresh-off-the-grill\/#Indicators_of_Compromise\" >Indicators of Compromise<\/a><\/li><\/ul><\/nav><\/div>\n\n<p class=\"wp-block-paragraph\">The incident showcased in this article was detected by the SECUINFRA Cyber Detection &amp; Response Center (CDRC) as part of an MDR alert. The Falcon Team contributed relevant findings about the malware for handling and mitigation. This case serves as a good example of a complex &#8220;Clickfix&#8221;-style attack chain with steganographic elements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A website \/ shop specializing in barbeque guides and accessories that the user browsed to was identified as the initial infection vector. While we were only able to recover a low-resolution screenshot of the page (the Clickfix payload was pulled shortly after the initial detection, likely by the threat actor themselves), we can confirm that it was indeed a Clickfix prompt that delivered the first stage of the attack. 
The website was built on a WordPress content management system with an outdated WooCommerce plugin, which we suspect was the attacker's initial access vector. They were able to modify the website contents, inserting the Clickfix prompt as well as invisible links for SEO-related campaigns. Prior to the publication of this article we notified the owner and administrator of this website about the compromise and they were quick to restore it to a clean state.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"433\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-web.jpeg\" alt=\"\" class=\"wp-image-63888\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-web.jpeg 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-web-768x416.jpeg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 1: The compromised website with the Clickfix lure<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Below you can see the Powershell command line that was executed as part of the Clickfix scheme. 
A WScript payload is downloaded from a remote system, saved to disk and executed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1600\" height=\"325\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline-1600x325.png\" alt=\"\" class=\"wp-image-63890\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline-1600x325.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline-800x163.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline-768x156.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline-1536x312.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-commandline.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 2: Stage 1 &#8211; The Powershell command delivered via the Clickfix lure<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The downloaded script contains the second stage script, which is appended to a variable and lightly obfuscated through an inserted recurring string. The function &#8220;mysteriousProcess&#8221; (aptly named by the threat actor) is obviously &#8220;dead code&#8221; and not relevant to the payload decoding. In the portion of the script on the right the recurring string is stripped from the variable and the Powershell command in it is executed via a new process started via the Windows Management Instrumentation (WMI). 
Interestingly, the threat actor left a comment behind the ShowWindow property, which translates to &#8220;hidden window&#8221; from Portuguese.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1600\" height=\"490\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-1600x490.png\" alt=\"\" class=\"wp-image-63891\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-1600x490.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-800x245.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-768x235.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-1536x470.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-wscript-deobf-2048x627.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 3: Stage 2 &#8211; Contents of asd1.js (a.js written to disk)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The next Powershell stage is designed to retrieve an image from one of two Google Firebase links, carve out Base64 content from it to decode and reflectively load it via the System.Reflection.Assembly mechanism. 
The .NET loader then receives a reversed Github URL, likely containing an additional payload, more on that later.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"953\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-1600x953.png\" alt=\"\" class=\"wp-image-63892\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-1600x953.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-800x477.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-768x458.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-1536x915.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-powershell-2048x1220.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 4: Stage 3 &#8211; Decoded Powershell script<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Below you can see the image downloaded from Google Firebase on the left and its contents displayed in a Hex Editor on the right. As defined in the Powershell code above, we can search for the BASE64_START marker in the file. 
The trained eye will quickly recognize by the beginning of the Base64 encoded payload (&#8220;TVqQA\u2026&#8221;) that this is likely a Windows PE file, as expected.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"620\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-1600x620.png\" alt=\"\" class=\"wp-image-63893\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-1600x620.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-800x310.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-768x297.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-1536x595.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-stego-2048x793.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 5: image1.jpg with the steganographic payload (Base64 encoded PE file)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After extracting and decoding the payload from the image we can take a closer look to determine that it is a .NET executable, partially obfuscated with SmartAssembly, but the general functionality of the program is still easily traceable. This exact .NET loader has been spotted in other attack chains as well, e.g. 
via E-Mail as documented by <a  href=\"https:\/\/www.malware-traffic-analysis.net\/2026\/01\/09\/index.html\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Malware-Traffic-Analysis.net<\/a> in early January 2026.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"746\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-1600x746.png\" alt=\"\" class=\"wp-image-63894\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-1600x746.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-800x373.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-768x358.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-1536x716.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper1-2048x955.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 6: .NET-based Loader obfuscated with SmartAssembly<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In Figure 7 you can see the portion of the code to which the Powershell script passes the parameters along with the Github payload URL. After the payload is downloaded and decoded, it is executed via the &#8220;Inject&#8221; function, so it does not need to be saved to disk. 
Depending on the passed parameter, the loader is also able to establish basic persistence via the Start Menu Startup folder.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"531\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2-1600x531.png\" alt=\"\" class=\"wp-image-63895\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2-1600x531.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2-800x265.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2-768x255.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2-1536x510.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-dropper2.png 1688w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 7: .NET-based Loader executing the payload from Github<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Again, as expected from investigating the decoding logic earlier, we can see that the payload staged on Github is Base64 encoded and reversed. 
Decoding it yields the final payload, a Windows PE executable compiled with MinGW.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"209\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github-1600x209.png\" alt=\"\" class=\"wp-image-63896\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github-1600x209.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github-800x105.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github-768x100.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github-1536x201.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-github.png 1744w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 8: Payload hosted on Github (Base64 encoded and reversed)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For the purposes of this article we will not be analyzing the final payload in detail, as it is not obfuscated and most of its logic is easily recognizable as Infostealer malware, seemingly internally referred to as &#8220;Evelyn&#8221;. It was previously analyzed by fellow researchers at <a  href=\"https:\/\/www.trendmicro.com\/de_de\/research\/26\/a\/analysis-of-the-evelyn-stealer-campaign.html\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >TrendMicro<\/a>, when it was distributed via a malicious Visual Studio Code extension in the same general timeframe as this incident. We just wanted to highlight that this Stealer is capable of exfiltrating cryptocurrency information, Browser contents, Messenger sessions (e.g. Whatsapp, Telegram) and credentials for WiFi networks as well as VPN and FTP services. 
Data is exfiltrated via HTTP and SMTP, you can find the C2 servers below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"532\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-1600x532.png\" alt=\"\" class=\"wp-image-63897\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-1600x532.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-800x266.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-768x255.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-1536x511.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/stealer-strings-2048x681.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\">Figure 9: Significant strings from the Evelyn infostealer binary<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember191\"><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember192\">Network-based Indicators<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>185.113.8&#91;.]55\n5.181.157&#91;.]172\nwxqdcakvuv&#91;.]com<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember193\">Host-based Indicators<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>cb7180e324435e4c9126e573b3a1b3e3585af4325abbaa27c6445cdc24cc8388 - asd1.js\n573507ffbef1dcbc354c0ae29c71051c8790b4bbd06d71ee6d68078862cf0ab4 - image1.jpg\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - .NET Loader\nb0ff2921bbc16f5446c5bb808fc86f0097e98feee79ed175e01ec4a17c0158c0 - Evelyn Infostealer<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"ember194\">Thank you for reading our article to the very end. 
If you enjoy our analysis and would like to stay up to date with our publications, consider following us on LinkedIn! Stay safe \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The incident showcased in this article was detected by the SECUINFRA Cyber Detection &#038; Response Center (CDRC) as part of an MDR alert. The Falcon Team contributed relevant findings about the malware for handling and mitigation. This case serves as a good example of a complex &#8220;Clickfix&#8221;-style attack chain with steganographic elements.<\/p>\n","protected":false},"author":6,"featured_media":63889,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[86,81],"tags":[241,805,804,352,240],"dpc_coauthors":[],"class_list":["post-63887","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident-response","category-techtalk","tag-analysis","tag-clickfix","tag-infostealer","tag-it-security-en","tag-malware"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/63887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=63887"}],"version-history":[{"count":13,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/63887\/revisions"}],"predecessor-version":[{"id":63917,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/63887\/revisions\/63917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/6388
9"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=63887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=63887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=63887"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=63887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}