{
	"id": "8626db83-0f71-4ce0-a890-34134dcf881a",
	"created_at": "2026-04-06T01:31:32.450403Z",
	"updated_at": "2026-04-10T03:36:48.172111Z",
	"deleted_at": null,
	"sha1_hash": "8827d480dc9cfbe4eb7cf1da736ad9605c653d9b",
	"title": "The ClickFix Deception: How a Fake CAPTCHA Deploys an Evasive Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82707,
	"plain_text": "The ClickFix Deception: How a Fake CAPTCHA Deploys an Evasive\r\nInfostealer\r\nBy Louis Schürmann\r\nPublished: 2025-08-21 · Archived: 2026-04-06 00:22:28 UTC\r\nCybersecurity analyst Louis Schürmann from Swiss Post Cybersecurity investigated an incident that began with a seemingly\r\nharmless email and developed into a multi-stage attack. \r\nSwiss Post Cybersecurity detected and analyzed an infostealer campaign. The attackers use Clickfix for initial access and\r\nDonutLoader for shellcode delivery. In our blog article, we show you step by step how users are being deceived.\r\nThe modern threat landscape is defined by its complexity. Rather than relying on simple email attachments, attackers now\r\nuse complex infection chains that incorporate legitimate system tools to remain invisible. Cybersecurity analyst Louis\r\nSchürmann from Swiss Post Cybersecurity investigated an incident that began with a seemingly harmless email and\r\ndeveloped into a multi-stage attack. First, social engineering was employed, followed by a PowerShell dropper, and finally\r\nan in-memory infostealer payload was delivered.\r\nThis blog post provides a step-by-step deconstruction of this campaign. We will explore how the attackers deceive users, use\r\ndynamic code compilation to hide their tools, and leverage in-memory execution to avoid leaving a trace on disk. By\r\ndissecting these TTPs, we can better understand the current evasion strategies used by modern malware and identify key\r\nopportunities for detection and defence.\r\nThe Lure: Abusing User Trust with \"ClickFix\"\r\nThe initial point of entry is user-driven execution of a PowerShell command, delivered through a social engineering tactic\r\nknown as ClickFix. The user is directed to a malicious URL which presents a fake CAPTCHA. 
This CAPTCHA instructs\r\nthe user to execute a series of keyboard shortcuts (Win + R, Ctrl + V, Enter), which runs a PowerShell command previously\r\ncopied to the clipboard by the website.\r\nYears of legitimate CAPTCHA challenges and security prompts have conditioned the user to believe that they are\r\nperforming a necessary verification step. In reality, however, they are executing the initial payload of the attacker. This\r\nmethod effectively makes the user an unwitting accomplice in their own compromise. This 'human-in-the-loop' approach is a\r\npowerful evasion technique designed to bypass automated security measures. The attack is structured so that neither the\r\nemail delivering the link nor the URL itself contains any malware as traditionally defined. This renders many\r\nemail security tools and network filters ineffective, as there is no malicious file to scan or signature to match at the\r\nperimeter.\r\nThe command itself is short and inconspicuous. First, a hex string is decoded to extract a malicious URL. Next, a\r\nPowerShell script is retrieved from this URL via the Invoke-RestMethod command and executed directly within the current\r\nprocess. This marks the beginning of the first stage of the infection.\r\nStage 1: PowerShell Dropper with In-Memory Execution\r\nAfter initial access, the PowerShell command loads a script that acts as an in-memory dropper. The script hides its own\r\nconsole window using dynamically compiled C# code and Windows API calls. If this initial method fails, the script uses a\r\nfallback technique based on assigning a unique window title and hiding it by process lookup.\r\nhttps://www.swisspost-cybersecurity.ch/news/the-clickfix-deception\r\nPage 1 of 5\n\nStage 2 – Donut Loader: pivoting to memory\r\nThe PowerShell Stager injects a compact .NET loader (internally tagged believemesh) directly into its own powershell.exe\r\nprocess. 
The primary objective of this loader is to decrypt a Donut shell-code package, map it in place, and start it without\r\ndropping a file or spawning another process. From the first instruction onwards, all unpacking, mapping, and hand-off to the\r\nnative infostealer happen inside the original PowerShell runtime.\r\n2.1 From wrapper to Donut in four seamless steps\r\nWithin the recovered .NET project, the loader’s entry point is located in sytuczzzsgolfnefxrmr.cs. The Main() method is\r\nconcise, with each instruction carefully chosen to ensure seamless execution.\r\nFirst, the code checks the machine’s UI language and exits immediately if it detects a CIS locale, such as Russian (ru),\r\nBelarusian (by), or Kazakh (kz). The test is simple (CultureInfo.CurrentUICulture.TwoLetterISOLanguageName) but it\r\nprevents accidental infections within the threat actor’s home region.\r\nIf the locale is acceptable, the loader turns its attention to a 1.7 MB ASCII-hex string embedded just beneath the class\r\ndefinition.\r\nEight bytes near the start of the string serve double duty as an RC4 key. The loader decodes the text, applies RC4 with the\r\nextracted key, and then passes the result through an LZMA stream. Within less than a second, a 0x69300-byte buffer\r\ncontaining two concatenated binaries is held: a Donut 0.9.3 stub followed by the final native payload binary.\r\nNow that the package is resident in memory, the loader reserves a block of address space using a direct P/Invoke call to\r\nVirtualAlloc. The package is copied, marked as executable and launched in a new thread, all without touching high-level\r\nWin32 APIs. Instead, the loader uses raw syscalls supplied by a small framework that will be revisited in the next\r\nsubsection. 
Once the thread has begun executing at the start of the Donut blob, the original loader thread enters an infinite\r\nsleep loop so that powershell.exe never terminates.\r\n2.2 Making syscalls the long way round\r\nRelying on ordinary imports, such as NtWriteVirtualMemory, would make the loader vulnerable to user-mode hooks.\r\nTherefore, the authors developed their own indirection layer.\r\nThese user-mode hooks are techniques employed by EDRs (Endpoint Detection and Response) to intercept API calls in user\r\nspace before they reach the kernel. These hooks enable suspicious activity, such as memory manipulation or thread creation,\r\nto be monitored or blocked by injecting custom code into running processes. If malware uses standard Windows APIs, these\r\nhooks can detect it.\r\nTo avoid this, the loader uses a custom syscall implementation involving five source files:\r\nkzxuzlacbtgdylqcgzjz.cs queries RtlGetVersion and converts build numbers into tokens such as\r\nWINDOWS_10_22H2.\r\neiwfcumbsveijxmimpdp.cs looks up, for example, “NTWRITEVIRTUALMEMORY” in a nested dictionary keyed\r\nby the relevant build token, returning the correct syscall number for the current system.\r\nzhvzoykgdxolwkvykjfs.cs stores the classic eleven-byte x64 stub 4C 8B D1 B8 ?? 
00 00 00 0F 05 C3.\r\nbcfsizsukpmqlglwqnzc.cs replaces the “??” placeholder with the number obtained from the resolver and returns the\r\nready-to-run stub to the caller.\r\nptieowjalbutmbxcthhv.cs then flips the stub’s heap page to PAGE_EXECUTE_READWRITE, casts it to the\r\nappropriate delegate type, and calls it exactly as if it were managed code.\r\nThe file names were taken from the extracted .NET project.\r\nSince all high-risk operations, such as copying bytes, changing protection and starting a thread, run through these\r\nhandcrafted syscalls, the standard API calls that common user-land EDR hooks monitor are never observed.\r\n2.3 What really happens inside the Donut stub\r\nOnce control passes into the Donut code (verified byte-for-byte as Donut 0.9.3), the stub:\r\n1. Builds its own syscall thunk table, providing subsequent stages with the same hook-evasion privileges enjoyed by the\r\nwrapper.\r\n2. Decrypts and inflates the embedded binary using the same RC4 → LZMA routine.\r\n3. Manually reconstructs the binary in memory without invoking the Windows loader.\r\n4. Jumps to the entry point of the binary at RVA 0xB0F8 on a new thread.\r\n5. Calls Sleep(INFINITE). From this point onwards, the stub performs no additional work and leaves barely a footprint\r\nbeyond two executable memory regions.\r\nAs neither LoadLibrary nor CreateProcess is involved, the binary will never appear in a module list or ImageLoad ETW\r\nevents, and the intrusion will now live exclusively in volatile memory.\r\nStage 3: Infostealer Payload\r\nOnce Donut hands over execution, the mapped binary reveals itself as a bespoke infostealer that does not align with any\r\ncatalogued malware family. Static identifiers, hard-coded into multiple payloads, imply that the same toolkit has been used\r\nin more than one campaign; however, none of the usual signatures match. 
Functionally, its objectives are\r\nunmistakable.\r\nThe code focuses almost exclusively on browsers. In the case of Firefox, it accesses the active profile directly, pulling\r\ncookies.sqlite, cert9.db, key4.db, and places.sqlite. These four files alone provide session cookies, saved logins, certificate\r\nstores, and full browsing history. Immediately after grabbing these files, the stealer takes a one-shot screenshot of the\r\nforeground desktop and stores the PNG image in memory as Screenshot.png. This image is sent to the command-and-control\r\n(C2) channel without being stored locally.\r\nChromium-based browsers receive different treatment. Here, the malware opens a WebSocket to the browser’s debugging\r\nport and uses native Chrome DevTools commands, such as Network.getAllCookies.\r\nThe approach yields live, decrypted cookie objects, meaning there is no need to locate the on-disk cookies database or\r\nwrestle with DPAPI. The paths hard-coded in the binary, which reference BinanceBrowser\\Default, highlight a particular appetite\r\nfor cryptocurrency sessions.\r\nAll collected material is funnelled via a minimalist TCP service listening at 31.177.108.17:12345. The wire protocol begins\r\nwith plain-text control words (PING, PONG and ACK!), then switches to an XOR-obfuscated data block. Each transmission\r\nembeds two constant tags (em1 and a GUID such as 66f89dce-5240-4124-b3ff-54c731c55507), which allow the operator to\r\ntrack victims across multiple uploads. Filenames (user.txt, server_info.txt, browser paths) are sent in plain text, followed by\r\nthe encrypted payload of each file.\r\nNo persistence mechanism has been implemented, nor is any residue left on the disk. 
After the final ACK!, the process\r\nsleeps briefly, releases its working buffers and exits, leaving only the RX memory region created by Donut and a terminated\r\nthread in volatile memory.\r\nConclusion\r\nThis campaign serves as a stark reminder of how far modern malware operations have evolved. From fake CAPTCHAs\r\nthat trick users into executing malicious code, to a multi-stage loader that hides entirely in memory and bypasses virtually all\r\ntraditional defences, this attack showcases the cutting edge of stealth and sophistication.\r\nWhile attribution remains uncertain, the infrastructure, coding patterns, and reuse of modules across campaigns suggest that\r\nthis is the work of an experienced and well-resourced threat actor.\r\nAt Swiss Post Cybersecurity, we are continuing to monitor this threat and similar campaigns closely. The message is clear:\r\ndefenders must recognise that traditional IOCs and file-based scanning alone are no longer sufficient. Behavioural detection,\r\nmemory analysis, and user education are mandatory components of any effective security strategy.\r\nAs attackers raise the bar, so must we.\r\nYou can't defend. You can't prevent. 
The only thing you can do is detect and respond.\r\n– Bruce Schneier\r\nIOCs\r\nIOC | Type | Name | Context\r\nadmilzsolutions.co[.]ke | domain | | ClickFix subdomain\r\nrtjj[.]store | domain | | Payload delivery\r\nrtjj[.]store/f/h | url | | Stage 1 URL\r\nrtjj.store/amountatom/believemesh | url | | Stage 2 URL\r\n31.177.108[.]17 | ipv4-addr | | Stealer C2 server IP\r\n12345 | port | | Stealer C2 server port\r\n9d9d5bebe19a536491720424d69cbbc808e96f5dca9d18e0133ec45bdd39092e | SHA-256 | believemesh | DONUTLOADER\r\n1e52ed52921eedcd858cc0d0ed9164d70840c742ddbad7d3fd65666d24c40cda | SHA-256 | h(.ps1) | Stager\r\ne0038e6450f74f388e8952e1f7baa15de4631ed99568b0bddf99ab336d7d6343 | SHA-256 | | DONUTINJECTOR\r\n5a65621791cdcbce3cd1ee200454bec87f99a7e46d2aa0ffcb8e15870e378ecd | SHA-256 | | StealerExecutable\r\nReferences\r\nhttps://github.com/TheWover/donut\r\nhttps://github.com/volexity/donut-decryptor\r\nhttps://3xperience.substack.com/p/bite-sized-insights-diving-into-donut?utm_campaign=post\u0026utm_medium=web\r\nhttps://malware.tech/posts/unpacking-shellcode-loaders/#thewover-s-donut\r\nSource: https://www.swisspost-cybersecurity.ch/news/the-clickfix-deception",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.swisspost-cybersecurity.ch/news/the-clickfix-deception"
	],
	"report_names": [
		"the-clickfix-deception"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439092,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8827d480dc9cfbe4eb7cf1da736ad9605c653d9b.pdf",
		"text": "https://archive.orkl.eu/8827d480dc9cfbe4eb7cf1da736ad9605c653d9b.txt",
		"img": "https://archive.orkl.eu/8827d480dc9cfbe4eb7cf1da736ad9605c653d9b.jpg"
	}
}