Lampion Stealer’s Deceptive Tactics: Unveiling the ClickFix Attack Targeting Banking Credentials
The Lampion banking trojan has resurfaced with a campaign aimed at customers of Portuguese financial institutions. Active since 2019, Lampion's operators have continually refined their methods and now rely on social engineering that sidesteps controls built to catch exploits and malicious links rather than actions the user performs themselves.
The Emergence of ClickFix Lures
A notable advancement in this campaign is the integration of ClickFix lures: a fabricated error message that instructs the victim to resolve a non-existent technical problem on their own, so that the user, not an exploit, launches the malicious payload. Because execution is initiated by the victim, the chain is less likely to be caught by controls that look for exploitation or for an attachment doing something on its own, which is what makes the method effective at getting the first stage onto a system unnoticed.
Phishing Emails as the Primary Vector
The attack begins with phishing emails that mimic legitimate bank transfer notifications. Because they are sent from compromised email accounts, the messages originate from legitimate mail infrastructure and typically pass sender authentication checks such as SPF, DKIM and DMARC, which lends them authenticity. Where earlier waves carried direct links, the current approach attaches a ZIP file, a shift observed since mid-September 2024 and intended to bypass controls that inspect, rewrite or reputation-check URLs.
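The gateway-side check this shift calls for is to open archive attachments and look for script or executable members rather than trusting the declared content type. The following is an added example written for this article, not code from Bitsight or from the campaign's analysis: it parses a constructed email with a nested ZIP attachment, recurses into inner archives, flags members with script or executable extensions (including double extensions such as `.pdf.vbs`), and treats password-protected members as unscannable. The sender addresses, filenames and attachment contents are all constructed placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run as code when a Windows user double-clicks them.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".bat", ".cmd", ".lnk", ".exe", ".scr", ".dll"}
MAX_DEPTH = 3  # stop recursing into ZIP-in-ZIP-in-ZIP to bound the scan


def risky_members(zip_bytes, depth=0):
    """Return member names inside a ZIP that a mail gateway should not pass.

    Nested archives are recursed into; nested paths are joined with '!'.
    Encrypted members cannot be inspected and are reported as such, since a
    password-protected archive is itself a common way to defeat scanning.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                lower = name.lower()
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
                    findings.append(name + " (encrypted, unscanned)")
                elif ext in SCRIPT_EXTENSIONS:
                    findings.append(name)
                elif ext == ".zip" and depth < MAX_DEPTH:
                    inner = zf.read(info)
                    findings.extend(f"{name}!{m}" for m in risky_members(inner, depth + 1))
    except zipfile.BadZipFile:
        findings.append("<not a valid ZIP>")
    return findings


def scan_message(raw):
    """Return [(attachment filename, [risky members])] for each ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Identify ZIPs by magic bytes, not by the sender-controlled MIME type.
        if payload[:2] == b"PK":
            hits = risky_members(payload)
            if hits:
                verdicts.append((fname, hits))
    return verdicts


def build_sample(include_script=True):
    """Construct a sample message (not a real lure) with a nested ZIP attachment."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        if include_script:
            # Double extension: shows as a PDF if extensions are hidden, runs as VBScript.
            zf.writestr("Comprovativo_Transferencia.pdf.vbs",
                        "' constructed placeholder, not a real stage\r\n")
        zf.writestr("comprovativo.pdf", b"%PDF-1.4 placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documentos.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "tesouraria@example.com"   # hypothetical compromised sender
    msg["To"] = "cliente@example.net"
    msg["Subject"] = "Comprovativo de transferencia"
    msg.set_content("Segue em anexo o comprovativo.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="comprovativo.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_message(build_sample()):
        print(attachment, "->", members)
```

Checking the magic bytes rather than the `Content-Type` header matters because the sender controls the header; flagging encrypted members rather than silently skipping them matters because an archive the gateway cannot open is exactly what an attacker who wants to get past the gateway will send.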
Evolution of the Campaign
Analysts from Bitsight have identified three distinct phases in the campaign's evolution, the most significant change coming in mid-December 2024 when ClickFix social engineering was incorporated into the attack chain. This progression shows the threat actors' adaptability and their commitment to refining their methods.
Infection Chain and Technical Sophistication
The infection process is multi-staged, with each stage built to evade detection. After opening the attachment, the victim is shown what appears to be a legitimate Windows error notification, complete with familiar user interface elements. The ClickFix lure then prompts the user to click through in order to "fix" the problem, and that click starts the malware delivery: the victim believes they are resolving an error while the infection proceeds in the background.
Persistence Mechanisms and Infrastructure
Technical analysis shows that the malware is delivered through a chain of obfuscated VBScript files, each stage unpacking the next and concealing the malicious intent until the final DLL payload, which contains the stealer functionality, is executed. Persistence mechanisms were introduced around June 2025, enabling the malware to survive system reboots and maintain access across sessions. Because each stage only decodes the next at run time, static signatures on the first-stage script are of limited value; the chain is more reliably caught where a script host launches a script from a user-writable location, where one script host spawns another, or where a DLL is loaded from a user-writable directory.
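To make the process-chain detection described above concrete for both the infection chain and the staged VBScript delivery, here is an added example written for this article, not Bitsight's tooling or any code from the campaign. It evaluates three behavioral rules over constructed Sysmon-style process-creation events (Event ID 1 with `Image`, `ParentImage`, `CommandLine` and `ProcessId` fields, an assumed schema): a script host running a script from a user-writable path, a script host spawned by another script host (stage chaining), and `rundll32.exe`/`regsvr32.exe` loading a DLL from a user-writable path. The user name, file paths and process IDs in the sample events are hypothetical; the rules are generic and are not tied to specific Lampion file names.

```python
import json
import ntpath
import re

# Directories a standard user can write to without elevation (assumed set).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def basename(path):
    return ntpath.basename(path).lower()


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect(log_text):
    """Return (rule, ProcessId, detail) alerts for JSON-lines process events."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        pid = ev.get("ProcessId")
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        args = tokens(ev.get("CommandLine", ""))[1:]          # drop argv[0]
        user_paths = [a for a in args if USER_WRITABLE.match(a)]
        if image in SCRIPT_HOSTS:
            scripts = [p for p in user_paths if p.lower().endswith(SCRIPT_EXT)]
            if scripts:
                alerts.append(("script_from_user_path", pid, scripts[0]))
            if parent in SCRIPT_HOSTS:                         # stage N launching stage N+1
                alerts.append(("script_host_chain", pid, parent))
        elif image in DLL_LOADERS:
            # rundll32 takes "path.dll,Export", so match on the substring, not the suffix.
            dlls = [p for p in user_paths if ".dll" in p.lower()]
            if dlls:
                alerts.append(("dll_from_user_path", pid, dlls[0]))
    return alerts


# Constructed sample events (not real telemetry): a three-stage chain plus two benign launches.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_comprovativo.zip\Comprovativo.pdf.vbs"'},
    {"EventID": 1, "ProcessId": 4180, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\ana\AppData\Roaming\stage2.vbs"'},
    {"EventID": 1, "ProcessId": 4210, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\ana\AppData\Roaming\Microsoft\payload.dll,Start"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'cscript.exe "C:\Program Files\Vendor\health.vbs"'},
    {"EventID": 1, "ProcessId": 5002, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rules deliberately ignore file names and hashes, which the automated sample generation discussed later makes disposable, and key instead on where the script or DLL lives and which process started it. The two benign events (a vendor script under `Program Files` and `shell32.dll` from `System32`) produce no alerts, which is the check to keep in place when tuning the user-writable path list for a given environment.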
The threat actors run a geographically distributed infrastructure across multiple cloud providers, compartmentalizing their operations. Their servers also filter by source IP: requests from addresses the operators associate with security vendors, sandboxes or other known analysis networks are refused later stages, which prevents researchers from retrieving the complete infection chain from those vantage points and gives the operators precise control over which victims receive which payload. In practice this means a stage fetched from a known research network may simply be denied; the full chain is more reliably recovered from an infected endpoint or from an egress address the server does not recognize.
Automated Sample Generation
Bitsight researchers observed hundreds of unique samples at each infection stage, which suggests automated generation. This indicates that the group can scale its operations efficiently while maintaining operational security throughout the attack cycle. It also means that file-hash indicators go stale almost immediately; defenders should rely on behavioral indicators such as the process chain and the delivery infrastructure rather than on sample hashes.
Implications and Recommendations
The resurgence of Lampion with tactics such as ClickFix lures shows how threats against financial institutions and their customers continue to adapt. Organizations should combine email filtering that opens archive attachments and blocks or detonates script files found inside them; user education that specifically covers fake error prompts asking the user to click or run something to "fix" a problem; restrictions on script hosts such as wscript.exe and cscript.exe on endpoints that do not need them, for example through AppLocker or Windows Defender Application Control; and detection of script hosts and DLL loaders started from user-writable directories.