From ClickFix deception to information stealer deployment
Essential information
- Published: 18/06/2025 12:27
- Modified: 18/06/2025 13:00
- Tags: 2025-06-18, arechclient2, clickfix, eddiestealer, ghostpulse, infostealer, lumma, multi-stage attack, remote access trojan, social engineering
- Related entities: 47 observables, 11 techniques (MITRE), 4 malware
Description
The article describes a surge in ClickFix campaigns that use GHOSTPULSE to deploy remote access trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys the GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology to get victims to run the initial command themselves, which lets it bypass traditional defenses, and its activity has increased in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.