{
  "name": "Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign",
  "slug": "deconstructing-a-cyber-deception-an-analysis-of-the-clickfix-hijackloader-phishing-campaign",
  "description": "This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It employs advanced anti-analysis methods, including anti-VM checks and registry manipulation. The final payload, typically an infostealer like NekoStealer or Lumma, is delivered via a multi-stage process involving packed .NET executables and protected DLLs. The loader's evolution and its role in the broader malware-as-a-service ecosystem underscore the need for organizations to focus on detecting initial access and intermediate stages rather than just final payloads.",
  "published": "2025-09-12T12:56:55+00:00",
  "created_at": "2025-09-12T12:56:55+00:00",
  "modified_at": "2025-09-15T16:49:02+00:00",
  "created_at_opencti": "2025-09-12T12:56:55+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-12",
    "anti-vm",
    "castlebot",
    "castleloader",
    "deerstealer",
    "hijackloader",
    "infostealer",
    "lumma",
    "multi-stage",
    "nekostealer",
    "obfuscation",
    "phishing",
    "powershell"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.212.166.51"
      },
      {
        "id": "",
        "name": "rs.mezi.bet"
      },
      {
        "id": "",
        "name": "1h.vuregyy1.ru"
      },
      {
        "id": "",
        "name": "cosi.com.ar"
      },
      {
        "id": "",
        "name": "e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82"
      },
      {
        "id": "",
        "name": "c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e"
      },
      {
        "id": "",
        "name": "d0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4"
      },
      {
        "id": "",
        "name": "921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184"
      },
      {
        "id": "",
        "name": "782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d"
      },
      {
        "id": "",
        "name": "52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd"
      },
      {
        "id": "",
        "name": "50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee"
      },
      {
        "id": "",
        "name": "3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df"
      },
      {
        "id": "",
        "name": "37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4"
      },
      {
        "id": "",
        "name": "1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57"
      }
    ],
    "malware": [
      {
        "id": "702f20aa-6dfd-460c-965a-ae42f9f392bb",
        "name": "NekoStealer",
        "slug": "nekostealer"
      },
      {
        "id": "65d12e2b-dc5a-47a0-93cd-232b6fc9e93c",
        "name": "CastleBot",
        "slug": "castlebot"
      },
      {
        "id": "e77c0ea5-60eb-4814-82ca-e2553343c1c9",
        "name": "CastleLoader",
        "slug": "castleloader"
      },
      {
        "id": "e4395143-7d7c-450d-8a13-7e17a713fdb6",
        "name": "DeerStealer",
        "slug": "deerstealer"
      },
      {
        "id": "5a707c14-0cb1-4113-a7f6-02c0c32699e3",
        "name": "HijackLoader",
        "slug": "hijackloader"
      },
      {
        "id": "40393205-bf5e-4be2-a843-8064b1c6c5de",
        "name": "Lumma",
        "slug": "lumma"
      }
    ],
    "attack_patterns": [
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/deconstructing-a-cyber-deception-an-analysis-of-the-clickfix-hijackloader-phishing-campaign/",
    "https://otx.alienvault.com/pulse/68c434b702367baa76c87ab9"
  ]
}