Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign
Essential information
- Published: 12/09/2025 14:56
- Modified: 15/09/2025 18:49
- Tags: 2025-09-12, anti-vm, castlebot, castleloader, deerstealer, hijackloader, infostealer, lumma, multi-stage, nekostealer, obfuscation, phishing, powershell
- Related entities: 14 observables, 9 techniques (MITRE), 6 malware
Description
This analysis examines the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign begins with a CAPTCHA-themed phishing lure (the "ClickFix" pattern, in which the victim is tricked into running a command themselves) and progresses through multiple stages of obfuscated PowerShell scripts. It employs advanced anti-analysis methods, including anti-VM checks and registry manipulation. The final payload, typically an infostealer such as NekoStealer or Lumma, is delivered through a multi-stage process involving packed .NET executables and protected DLLs. The loader's evolution and its role in the broader malware-as-a-service ecosystem underscore the need for organizations to focus on detecting initial access and the intermediate stages rather than only the final payloads.