ClickFix Removes Your Background but Leaves the Malware
Essential information
- Published
- 30/04/2026 16:41
- Modified
- 04/05/2026 11:59
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- castleloader clickfix netsupport rat reflective loader social engineering
- Tags
- 2026-04-30 castleloader clickfix netsupport rat reflective loader social engineering
- Related entities
- 23 indicators, 23 observables, 1 intrusion sets (apt), 18 techniques (mitre), 3 malware, 14 others
Description
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.