ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

Published 05/06/2026 00:52 · Modified 05/06/2026 06:41

Essential information

Published: 05/06/2026 00:52
Modified: 05/06/2026 06:41
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: castleloader clickfix fileless execution lolbin phishing python rat social engineering typosquatting
Tags: 2026-06-04 castleloader clickfix fileless execution lolbin phishing python rat social engineering typosquatting
Related entities: 58 indicators, 58 observables, 18 techniques (mitre), 1 malware, 27 others

Description

A multi-stage campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers , a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based , combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.

External references