{
	"id": "02241093-5564-4d47-bc77-58717b3c76e3",
	"created_at": "2026-04-06T01:31:17.80862Z",
	"updated_at": "2026-04-10T03:37:08.873705Z",
	"deleted_at": null,
	"sha1_hash": "44c741bbf1dd50026a125a1cfdcc946571d36f01",
	"title": "How ClickFix Opens the Door to Stealthy StealC Information Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3642817,
	"plain_text": "How ClickFix Opens the Door to Stealthy StealC Information\r\nStealer\r\nBy Rodel Mendrez\r\nPublished: 2026-02-12 · Archived: 2026-04-06 00:36:00 UTC\r\nFebruary 12, 2026 10 Minute Read by Rodel Mendrez\r\nThis analysis examines a complete attack chain targeting Windows systems through social engineering using fake\r\nCAPTCHA verification pages to trick users into executing PowerShell commands.\r\nJust a quick recap.\r\nThe attack chain downloads and executes position-independent shellcode that reflectively loads a 64-bit PE\r\ndownloader, which finally injects the StealC information stealer into legitimate Windows processes. StealC\r\nexfiltrates browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, system information,\r\nand screenshots to a command-and-control (C2) server using RC4-encrypted HTTP traffic. All IOCs and\r\ndecryption tools are provided.\r\nHow the Campaign Starts\r\nThe campaign begins with a fraudulent Cloudflare verification prompt to execute malicious PowerShell\r\ncommands. 
What follows is a carefully orchestrated multi-stage infection process that deploys the StealC\r\ninformation stealer, a commodity malware designed to harvest sensitive data from compromised systems.\r\nKey Findings:\r\nInitial Vector: ClickFix social engineering campaign disguised as CAPTCHA verification\r\nMalware Family: StealC information stealer (C/C++, MSVC compiled)\r\nInfection Stages: Multiple stages (PowerShell → Shellcode → PE Downloader → StealC)\r\nPrimary Capabilities: Supports various data theft modules targeting credentials, wallets, and system data\r\nC2 Communication: HTTP with Base64+RC4 encryption\r\nEvasion: Fileless execution, string obfuscation, memory-only operation, process injection\r\nThe attack uses techniques including reflective PE loading, API hashing, string encryption, and process hollowing\r\nto evade detection while maintaining persistence-free operation.\r\nThe Attack Chain: A Multi-stage Infection\r\nAttack Chain Overview\r\nhttps://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer\r\nPage 1 of 23\n\nFigure 1. Multi-stage infection chain from initial PowerShell command to StealC deployment, showing four\r\ndistinct stages of payload delivery and execution.\r\nStage 0: Initial PowerShell Attack Vector\r\nThe attack begins when users visit what appears to be a legitimate website. In this case, the victim visited\r\nmadamelam.com, a Vietnamese restaurant's website that had been compromised by threat actors. The\r\ncompromised site loads a malicious JavaScript payload from goveanrs.org/jsrepo, which in turn delivers a fake\r\nCAPTCHA verification page hosted on cptoptious.com.\r\nThe Infection Chain:\r\n1. User visits compromised website: madamelam.com\r\n2. 
Compromised site loads malicious script: hxxps[:]//goveanrs.org/jsrepo?rnd=\u003cRANDOM\u003e\r\n3. Malicious script injects fake CAPTCHA from: hxxps[:]//cptoptious.com\r\nFigure 2. The compromised website loads a malicious script.\r\nFigure 3. Malicious JavaScript code loads a ClickFix/Fake CAPTCHA.\r\nThe fake CAPTCHA page mimics a legitimate Cloudflare security check, then instructs victims to:\r\n1. Press Windows Key + R to open the Run dialog\r\n2. Press Ctrl + V to paste a pre-loaded command from their clipboard\r\n3. Press Enter to execute\r\nFigure 4. Fake CAPTCHA page.\r\nThe malicious commands waiting in the clipboard are deceptively simple, with attackers frequently rotating\r\nbetween different PowerShell execution techniques:\r\nFigure 5. The malicious commands in the clipboard.\r\nThis command downloads and executes a PowerShell script directly in memory, leaving no files on disk.\r\nThe ClickFix technique exploits user trust. Users believe they're completing a legitimate verification step and do\r\nnot realize they are executing malware. The use of keyboard shortcuts (Win+R, Ctrl+V) makes the process feel\r\ntechnical and legitimate, while the clipboard hijacking ensures the user unknowingly pastes malicious code.\r\nFigure 6. Obfuscated JavaScript in CAPTCHA. The HTML contains the initial PowerShell command that\r\ndownloads and executes the malicious loader script.\r\nStage 1: PowerShell Loader Script\r\nOnce executed, the PowerShell command connects to 91.92.240.219 and retrieves a loader PowerShell script. 
This\r\nscript performs in-memory shellcode injection through the following steps:\r\n1. Shellcode Download\r\nThe script first retrieves the shellcode payload from a remote server using PowerShell's built-in web request\r\ncapabilities.\r\n2. Memory Allocation\r\nThe script allocates executable memory using Windows API calls:\r\n3. Shellcode Execution\r\nThe downloaded shellcode is copied to the allocated memory and executed in a new thread:\r\nThis loader uses several evasion techniques, including fileless execution without writing any malware to disk,\r\ndirect memory manipulation that bypasses many security tools, dynamic API resolution via .NET reflection to call\r\nWindows APIs, and thread-based execution within an isolated execution context.\r\nStage 2: Position-Independent Shellcode Loader\r\nThe downloaded file cptch.bin (SHA-256:\r\n5ad34f3a900ec243355dea4ac0cd668ef69f95abc4a18f5fc67af2599d1893bd) is a 32-bit position-independent\r\nshellcode generated using Donut, a well-known shellcode generation framework.\r\nFigure 7. Detect It Easy analysis revealing cptch.bin as position-independent shellcode (Donut loader) with\r\nembedded payload.\r\nWhat is Donut?\r\nDonut is a shellcode generation framework that converts .NET executables and native Windows PE files into\r\nposition-independent shellcode. Being position-independent means the code can execute from any memory\r\naddress without requiring relocation, making it ideal for fileless malware attacks. 
Donut embeds the entire PE file\r\nwithin the shellcode payload, allowing attackers to execute legitimate or malicious binaries directly in memory\r\nwhile evading traditional disk-based detection.\r\nHow Reflective PE Loading Works\r\nReflective PE loading is a technique that allows executables to be loaded and executed entirely in memory without\r\nusing Windows' native loader.\r\nThe process begins by parsing the PE headers to extract DOS and NT headers and understand the executable\r\nstructure. Next, it allocates virtual memory space equal to the PE's total image size to hold the loaded executable.\r\nThe process then maps each section (.text, .data, .rdata) to its designated virtual addresses within the allocated\r\nmemory. Since the PE may not load at its preferred base address, all hardcoded memory addresses must be\r\nadjusted based on the actual load address through relocation processing. The loader then dynamically loads\r\nrequired DLLs and resolves imported function addresses to restore the executable's dependencies. Memory\r\nprotections are subsequently applied to each section with appropriate permissions (execute, read, write) to match\r\nthe original PE specifications. If present, Thread Local Storage initialization routines are executed before the main\r\nentry point. Finally, control is transferred to the PE's main entry point to begin normal execution.\r\nFigure 8. Shellcode setup routine establishing context array and calculating callback function addresses for\r\npayload execution.\r\nFigure 9. 
Memory dump showing embedded strings including payload URL and \"SeDebugPrivilege\" string used\r\nfor privilege escalation.\r\nStage 3: The PE Downloader/Injector\r\nThe reflectively loaded Stage 3 payload is a 64-bit Windows PE executable compiled with Microsoft Visual C++.\r\nIts sole purpose is to download the final payload and inject it into a legitimate Windows process.\r\nBelow is a high-level attack flow of the process injector and downloader.\r\nFigure 10. Process injector and downloader attack chain.\r\nNetwork Configuration:\r\nThe downloader connects to “http://94.154.35.115/user_profiles_photo/cptchbuild.bin” using a GET request with\r\nthe User-Agent string \"Loader\" and a 30-second timeout.\r\nFigure 11. The downloader connects to an IP address using a GET request.\r\nThe User-Agent \"Loader\" is a strong indicator of malicious activity. Legitimate software uses descriptive User-Agent strings that identify the application and version.\r\nInjection Process:\r\nAfter downloading cptchbuild.bin (the StealC payload), the downloader identifies a target process\r\n(`svchost.exe`), allocates memory in the target process, writes the StealC payload to the allocated memory, creates a\r\nremote thread to execute the injected code, and terminates itself to remove evidence. 
This process injection\r\ntechnique allows StealC to run under the identity of a legitimate Windows service, making detection significantly\r\nmore difficult.\r\nStage 4: StealC Information Stealer - Deep Dive\r\nMalware Profile\r\nMalware Family: StealC\r\nArchitecture: x64 (64-bit)\r\nCompiler: Microsoft Visual C++\r\nPDB Path: C:\\builder_v2\\stealc\\x64\\Release\\stealc.pdb\r\nBuild System: builder_v2 (MaaS framework)\r\nConfig ID: ca0de16dff5e468f\r\nC2 Server: http://91.92.240.190/fbfde0da45a9450b.php\r\nThe PDB path reveals this is a builder-based malware-as-a-service operation, where different threat actors can\r\npurchase customized builds of the stealer.\r\nString Obfuscation: Base64+RC4 Encryption\r\nStealC uses a two-layer scheme (RC4 encryption followed by Base64 encoding) to protect its strings from static analysis:\r\nEncryption Process:\r\n1. Plaintext string → RC4 encryption (hardcoded key: rOIBXiPtf9)\r\n2. Encrypted bytes → Base64 encoding\r\n3. Store in binary\r\nDecryption Implementation:\r\nThis obfuscation hides critical strings including C2 server URLs, targeted file paths, database queries, module\r\nnames, and registry keys.\r\nThe StealC Data Stealing Capabilities\r\nStealC implements a modular architecture with distinct stealing capabilities:\r\n1. Browser Credential Theft\r\nChromium-Based Browsers:\r\nChrome, Edge, Brave, Opera, Opera GX, Vivaldi\r\nTarget Databases:\r\nStealC targets the Login Data database for passwords, the Cookies database for session cookies, the Web Data\r\ndatabase for credit cards and autofill information, and the History database for browsing history.\r\nDecryption Chain:\r\nChromium passwords are protected with multiple layers of encryption. 
The malware first reads the Local State file\r\nin JSON format, then extracts the Base64-encoded os_crypt.encrypted_key value. After decoding the Base64 to\r\nretrieve the encrypted key, it calls the Windows DPAPI CryptUnprotectData function to decrypt the key, and,\r\nfinally, uses the decrypted key with AES-GCM to decrypt the stored passwords.\r\nFirefox-Based Browsers:\r\nFirefox, Waterfox, Pale Moon\r\nTarget Files:\r\nFor Firefox-based browsers, StealC targets the logins.json file for encrypted credentials, cookies.sqlite for session\r\ncookies, formhistory.sqlite for form data, places.sqlite for history and bookmarks, and profiles.ini for profile\r\nlocations.\r\nNSS3 Decryption:\r\nFirefox uses Mozilla's NSS library for credential protection. The malware loads the NSS3.dll library, initializes it\r\nwith the Firefox profile path using NSS_Init, and then decrypts the stored usernames and passwords using the\r\nPK11SDR_Decrypt function.\r\nOutput Format:\r\nThe extracted browser credentials are formatted as structured data, including the browser name (such as Chrome),\r\nprofile name (like Default), target URL, username/login, and the decrypted password.\r\n2. 
Cryptocurrency Wallet Theft\r\nBrowser Extensions:\r\nStealC targets 50+ cryptocurrency wallet extensions by accessing their storage:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\\r\nTargeted Extensions:\r\nThe malware specifically targets popular cryptocurrency wallet extensions, including MetaMask, Phantom,\r\nCoinbase Wallet, Trust Wallet, Exodus, Atomic Wallet, and many other widely used browser-based wallet\r\nsolutions.\r\nDesktop Wallets:\r\nThe malware also hunts for desktop wallet applications, targeting Electrum installations in the\r\n%APPDATA%\\Electrum directory, Exodus Desktop, Bitcoin Core in %APPDATA%\\Bitcoin, Ethereum Wallet,\r\nand Monero GUI applications.\r\nStolen Data:\r\nFrom these cryptocurrency wallets, StealC extracts private keys, seed phrases (recovery phrases), wallet\r\npasswords, configuration files, and transaction history data that can provide attackers with complete access to\r\nvictims' digital assets.\r\n3. Gaming Platform Credentials\r\nSteam Account Theft:\r\nStealC first locates Steam installations by querying the registry key HKCU\\Software\\Valve\\Steam\\SteamPath to\r\nidentify the Steam directory path.\r\nTarget Files:\r\nThe malware then targets critical Steam configuration and authentication files, including ssfn* files, which contain\r\nSteam Guard bypass tokens, config.vdf for general configuration settings, loginusers.vdf for saved login\r\ncredentials, libraryfolders.vdf for game library paths, DialogConfig.vdf for overlay settings, and\r\nDialogConfigOverlay*.vdf files for additional overlay configurations.\r\n4. Email Credential Extraction\r\nStealC extracts Outlook credentials stored in the Windows Registry. 
The malware accesses Outlook credentials by\r\nquerying specific Windows Registry locations, including HKCU\\Software\\Microsoft\\Office\\\u003cversion\u003e\\Outlook\\Profiles\\ for Office-specific profiles and\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\ for messaging system configurations.\r\nDecryption:\r\nOutlook passwords are protected by Windows DPAPI (Data Protection Application Programming Interface). The\r\nmalware first extracts the encrypted password from the registry using RegQueryValueExA, then constructs a\r\nDATA_BLOB structure containing the encrypted data, and finally calls CryptUnprotectData to decrypt the\r\npassword using the current user's credentials:\r\nExtracted Output:\r\nThe extracted Outlook credentials are formatted as structured records containing the email address, mail server\r\nhostname, username (typically the same as the email address), and the decrypted password, providing attackers with complete\r\nemail account access.\r\n5. 
System Fingerprinting\r\nStealC collects extensive system information for victim profiling:\r\nNetwork Information:\r\nFor network reconnaissance, StealC collects the victim's public IP address through IP geolocation services,\r\ndetermines their country and geographic location, and gathers network configuration details to profile the target's\r\ninternet connectivity and location.\r\nSystem Summary:\r\nThe malware generates a comprehensive system fingerprint that includes a unique hardware identifier (HWID)\r\ncreated from a SHA256 hash of hardware components, complete operating system details such as Windows 10 Pro\r\n22H2 Build 19045, system architecture (x64), current username and computer name, both local and UTC\r\ntimestamps, system language and installed keyboard layouts, laptop detection status, and the current execution\r\npath where the malware is running.\r\nHardware Details:\r\nFor hardware profiling, StealC enumerates detailed system specifications, including CPU model and clock speed\r\n(such as Intel Core i7-9700K at 3.60GHz), processor core and thread counts, total system RAM in megabytes,\r\ndisplay resolution and color depth configuration, and graphics card information (like NVIDIA GeForce RTX\r\n2070) to create a unique hardware signature for victim identification and targeting.\r\nProcess Enumeration:\r\nThe malware lists all running processes:\r\nInstalled Software:\r\nRegistry enumeration:\r\n6. Screenshot Capture\r\nThe module named `take_screenshot` takes a screenshot by obtaining the desktop window handle and device\r\ncontext, then queries the screen resolution using `GetSystemMetrics` to determine the capture dimensions. 
Next, it\r\ncreates a compatible bitmap buffer to store the screen data, copies all screen pixels using the `BitBlt` function for\r\nefficient memory transfer, converts the captured bitmap to JPEG format using GDI+ compression, saves the\r\ncompressed image as `screenshot.jpg` locally, and finally uploads the screenshot file to the C2 server for\r\nexfiltration.\r\nThe GDI+ implementation looks something like the following pseudocode:\r\n7. File Grabber Module\r\nThe file grabber searches for specific file types based on configuration:\r\nConfiguration Parameters:\r\nTargeted File Types:\r\nDocuments: .doc, .docx, .pdf, .txt\r\nWallet files: .wallet, .dat, .key\r\nDatabase files: .db, .sql, .sqlite\r\nArchives: .zip, .rar, .7z\r\nConfiguration: .ini, .conf, .cfg\r\nSearch Algorithm:\r\nThe file search algorithm recursively traverses directories using the Windows FindFirst/FindNext APIs, checking each\r\ndiscovered file against configured file masks and size limits before copying matching files to the staging area for\r\nexfiltration.\r\nData Staging and Folder Organization\r\nAll stolen data is organized in a structured directory under C:\\ProgramData\\:\r\nThis organization allows for efficient bulk exfiltration and automated processing on the attacker's side.\r\nCommand and Control Communication\r\nC2 Server Configuration:\r\nEncryption Key:\r\nUnlike the string obfuscation key (rOIBXiPtf9), C2 traffic uses the Build ID as the RC4 key:\r\nThis allows the C2 server to decrypt traffic from specific builds, enabling campaign tracking and victim\r\nattribution.\r\nJSON 
Communication Protocol\r\nUpload Request Example:\r\nStealC formats stolen data into structured JSON payloads containing operation codes, victim identification, build\r\ninformation, and Base64-encoded file contents for transmission to the C2 server.\r\nEncryption Process:\r\nBefore transmission, StealC applies a multi-layer encryption scheme to protect the JSON payload from network\r\ndetection and analysis.\r\nChunked Upload:\r\nFor large files that exceed size thresholds, StealC implements a chunked upload mechanism to avoid network\r\ntimeouts and detection by breaking files into smaller, manageable segments.\r\nEach chunk is limited to 256 KB to avoid detection by network monitoring tools.\r\nOperational Features\r\n1. No Persistence\r\nStealC does not establish persistence mechanisms. It executes once, exfiltrates data, and terminates. This reduces\r\nthe forensic footprint.\r\n2. Self-Deletion\r\nThe “self-delete” capability removes the malware after successful exfiltration:\r\n3. Admin Elevation Attempt\r\nIf needed, StealC can request UAC elevation:\r\nThis allows access to protected locations such as C:\\Program Files\\ or system-wide credential stores.\r\nConclusion\r\nThis StealC campaign reveals multi-stage attack techniques. The use of social engineering (ClickFix), fileless\r\nexecution, reflective loading, and encrypted C2 communication creates a formidable threat that evades traditional\r\nsecurity controls.\r\nKey Takeaways:\r\n1. Social Engineering Remains the Weakest Link\r\nDespite advanced technical controls, the attack succeeds because it exploits user trust. Security awareness training\r\nmust address fake CAPTCHA and verification prompts.\r\n2. 
Fileless Malware is the New Normal\r\nAll stages except the final payload operate in memory, defeating disk-based scanning and leaving minimal\r\nforensic artifacts.\r\n3. Commodity Malware Rivals Custom Tools\r\nStealC's builder-based model (Malware-as-a-Service) democratizes access to sophisticated capabilities previously\r\nreserved for advanced threat actors.\r\n4. Encrypted C2 Traffic Requires Deep Inspection\r\nWhile HTTP traffic is cleartext at the network level, the Base64+RC4 encryption means traditional signature-based detection is ineffective. Behavioral analysis and traffic anomaly detection are essential.\r\n5. Process Injection Enables Stealth\r\nBy injecting into legitimate processes like svchost.exe, StealC operates under the trust of a Windows service,\r\nevading application whitelisting and behavioral analysis.\r\nDetection Strategies\r\nNetwork Level:\r\nMonitor for suspicious User-Agent strings (such as “Loader”)\r\nFlag HTTP POST requests with Base64-encoded JSON bodies\r\nDetect connections to known malicious IPs (see IOCs below)\r\nAlert on large data uploads to recently registered domains\r\nHost Level:\r\nMonitor PowerShell execution with -EncodedCommand or iex(irm ...)\r\nDetect process creation from Office applications or browsers\r\nFlag VirtualAlloc + CreateThread patterns (shellcode injection indicators)\r\nMonitor access to browser credential databases while the browser is running\r\nAlert on DPAPI calls from unusual processes\r\nBehavioral:\r\nDetect mass file access across multiple user profiles\r\nFlag rapid enumeration of browser extension directories\r\nMonitor for screenshot capture followed by network activity\r\nAlert on access to Steam ssfn* files outside the Steam process\r\nIndicators of Compromise (IOCs)\r\nNetwork 
Indicators\r\nCommand \u0026 Control Infrastructure:\r\nIP Addresses:\r\n94.154.35.115 - Stage 2 payload delivery\r\n91.92.240.219 - PowerShell loader\r\n178.16.53.70 - PowerShell loader\r\n91.92.240.190 - StealC C2 server\r\nURLs:\r\nhxxp[:]//94.154.35.115/user_profiles_photo/cptch.bin\r\nhxxp[:]//94.154.35.115/user_profiles_photo/cptchbuild.bin\r\nhxxp[:]//91.92.240.219/\r\nhxxp[:]//91.92.240.190/fbfde0da45a9450b.php\r\nhxxps[:]//goveanrs.org/jsrepo\r\nhxxps[:]//madamelam.com\r\nNetwork Signatures:\r\nUser-Agent: Loader\r\nURI Pattern: /user_profiles_photo/*.bin\r\nURI Pattern: /\u003c16_hex_chars\u003e.php\r\nContent-Type: application/json (with Base64 payloads)\r\nFile Indicators\r\nSHA-256 Hashes:\r\ncptch.bin (Stage 2 Shellcode):\r\n5ad34f3a900ec243355dea4ac0cd668ef69f95abc4a18f5fc67af2599d1893bd\r\ncptchbuild.bin (StealC Payload):\r\ndc38f3f3c8d495da8c3b0aca8997498e9e4d19738e1e2a425af635d37d0e06b8\r\nPDB Path:\r\nC:\\builder_v2\\stealc\\x64\\Release\\stealc.pdb\r\nAppendix: StealC C2 Traffic Decryption Tool\r\nA Python script for decrypting StealC C2 traffic is provided below. This tool can:\r\nDecrypt individual Base64+RC4 encrypted payloads\r\nExtract and decrypt traffic from PCAP files\r\nSupport both RC4 keys (string obfuscation and C2)\r\nTool available from this GitHub repo: https://github.com/drole/StealC-C2-Traffic-Decryption-Tool\r\nSource: https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer"
	],
	"report_names": [
		"how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44c741bbf1dd50026a125a1cfdcc946571d36f01.pdf",
		"text": "https://archive.orkl.eu/44c741bbf1dd50026a125a1cfdcc946571d36f01.txt",
		"img": "https://archive.orkl.eu/44c741bbf1dd50026a125a1cfdcc946571d36f01.jpg"
	}
}