From ClickFix deception to information stealer deployment
June 18, 2025, 1 p.m.
Description
The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology, bypasses traditional defenses, and has seen increased activity in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.
Tags
Date
- Created: June 18, 2025, 12:27 p.m.
- Published: June 18, 2025, 12:27 p.m.
- Modified: June 18, 2025, 1 p.m.
Indicators
- a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90
- f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55
- 4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9
- 2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a
- 91.199.163.74
- 91.184.242.37
- 85.158.110.179
- 82.117.255.225
- 84.200.17.129
- 82.117.242.178
- 67.220.72.124
- 79.124.62.10
- 66.63.187.22
- 62.60.247.154
- 45.94.47.164
- 45.77.154.115
- 45.141.87.7
- 45.141.86.82
- 45.141.86.149
- 45.118.248.29
- 195.82.147.132
- 194.87.29.62
- 194.26.27.10
- 193.149.176.31
- 192.124.178.244
- 185.156.72.71
- 185.156.72.63
- 185.125.50.140
- 176.126.163.56
- 172.86.72.81
- 172.235.190.176
- 172.105.148.233
- 144.172.97.2
- 144.172.94.120
- 144.172.101.228
- 143.110.230.167
- 107.189.24.67
- 107.189.18.56
- 45.141.87.212
- 45.141.86.159
- 185.156.72.80
- 45.141.87.249
- https://shorter.me/XOWyT'
- https://koonenmagaziner.click/counter/<IP_address
- https://clients.contology.com/captcha/
- koonenmagaziner.click
- contology.com