216.73.217.19

How ClickFix Opens the Door to Stealthy StealC Information Stealer

· Published 17/02/2026 17:58 · Modified 17/02/2026 18:38

Export JSON

Essential information

Published
17/02/2026 17:58
Modified
17/02/2026 18:38
Tags
2026-02-17 clickfix credential-theft fileless execution information stealer multi-stage infection process injection social engineering stealc
Related entities
9 observables, 16 techniques (mitre), 1 malware, 2 others

Description

This analysis examines a sophisticated attack chain targeting Windows systems through . It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The process ultimately deploys the , a commodity malware designed to harvest sensitive data. The attack chain includes PowerShell scripts, position-independent shellcode, and a PE downloader, utilizing techniques like reflective PE loading, API hashing, and to evade detection. 's capabilities include stealing browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, and system information. The malware uses encrypted C2 communication and operates without persistence, making it particularly stealthy.

External references