Lampion Trojan Exploits ClickFix Tactics to Steal Login Credentials from Portuguese Banks

Lampion Stealer’s New ClickFix Tactic Silently Compromises Login Credentials

Cybersecurity researchers have recently identified a sophisticated campaign involving the Lampion banking trojan, a malware strain active since 2019, now exhibiting a renewed focus on Portuguese financial institutions. The threat actors behind these operations have significantly refined their tactics, introducing advanced social engineering techniques that make traditional detection methods increasingly ineffective.

A notable feature of this latest iteration is the incorporation of ClickFix lures—a deceptive strategy that convinces users they need to resolve technical issues, thereby facilitating the execution of malicious payloads.

Infection Vector and Evolution

The attack initiates with meticulously crafted phishing emails that mimic legitimate bank transfer notifications. To enhance authenticity, threat actors utilize compromised email accounts to distribute these messages, making them appear credible upon casual inspection. These emails contain ZIP file attachments instead of direct links, a tactical shift observed around mid-September 2024, demonstrating the group’s adaptive approach to circumventing security controls.

Analysts from Bitsight have traced the campaign’s evolution through three distinct phases, with a significant transformation occurring in mid-December 2024 when ClickFix social engineering tactics were integrated into the attack chain.

Infection Chain and ClickFix Lure

The infection chain reveals a multi-stage architecture designed to evade detection at each step. Upon downloading the deceptively labeled attachment, victims encounter what appears to be a legitimate Windows error notification, complete with familiar user interface elements. This ClickFix lure prompts users to click links that initiate the actual malware delivery, creating a false sense of security while the infection process unfolds covertly.

Technical Infrastructure and Persistence Mechanisms

The technical infrastructure supporting this campaign demonstrates considerable expertise in operational security. The infection chain progresses through obfuscated Visual Basic scripts, each stage further concealing the malicious intent until reaching the final DLL payload containing the stealer functionality.

Notably, persistence mechanisms were added to the first stage around June 2025, enabling the malware to survive system reboots and maintain access across sessions. The threat actors employ geographically distributed infrastructure spanning multiple cloud providers, effectively compartmentalizing their operations.

IP blacklisting capabilities within their infrastructure prevent security researchers from tracing the complete infection chain, while also enabling fine-grained control over which victims receive which payloads. Bitsight researchers noted that the hundreds of unique samples at each infection stage suggest automated generation, indicating the group possesses sufficient technical capability to scale their operations efficiently while maintaining operational security throughout the attack cycle.

Broader Implications and Recommendations

The integration of ClickFix lures into the Lampion stealer’s attack methodology underscores a broader trend in cyber threats: the increasing sophistication of social engineering tactics. By exploiting users’ trust and familiarity with routine technical procedures, attackers can bypass traditional security measures and achieve higher infection rates.

To mitigate the risks associated with such advanced phishing campaigns, individuals and organizations are advised to:

– Exercise Caution with Email Attachments: Be wary of unsolicited emails, especially those containing attachments or urging immediate action.

– Verify Sender Authenticity: Confirm the legitimacy of the sender through secondary channels before interacting with the content.

– Implement Advanced Email Filtering: Utilize email security solutions that can detect and quarantine suspicious messages.

– Educate Users: Conduct regular training sessions to raise awareness about emerging phishing tactics and social engineering techniques.

– Maintain Updated Security Software: Ensure that all systems are equipped with up-to-date antivirus and anti-malware solutions capable of detecting and mitigating such threats.
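To make the "advanced email filtering" recommendation concrete against the chain described above (a ZIP attachment that leads to obfuscated VBS stages), the following Python script is an added example written for this article, not code from Bitsight or from the malware. It parses a raw message, opens any ZIP attachment in memory, and flags script-type members for quarantine. The sender address, subject line, keyword list and archive member name are constructed for the demonstration and are not indicators from the report; the set of flagged extensions is an assumption covering common Windows script launchers beyond the .vbs the campaign uses.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script/launcher extensions that should not arrive inside a "transfer receipt" archive.
# The reported chain starts from a ZIP attachment and runs obfuscated VBS stages, so
# script-type archive members are the first thing an attachment filter should look for.
# (Assumed list: the article only names VBS.)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1"}

# Phrases typical of bank-transfer lures; constructed for this example, not IoCs from the report.
LURE_KEYWORDS = ("transferência", "transferencia", "comprovativo", "pagamento", "bank transfer")


def build_sample_message(attachment_bytes: bytes, filename: str) -> bytes:
    """Constructed phishing-style message used as sample input (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "tesouraria@example-compromised.invalid"   # constructed sender
    msg["To"] = "cliente@example.invalid"
    msg["Subject"] = "Comprovativo de transferência bancária"  # constructed subject
    msg.set_content("Segue em anexo o comprovativo da transferência.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


def build_sample_zip(member_names) -> bytes:
    """Constructed ZIP archive whose members are empty placeholders named like a lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "")
    return buf.getvalue()


def inspect_zip_members(data: bytes):
    """Return archive members whose extension is a script/launcher type or a nested archive."""
    suspicious = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                # Nested archives are a common second wrapper; flag them as well.
                if name.endswith(".zip") or any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    suspicious.append(info.filename)
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is itself grounds for a quarantine decision.
        suspicious.append("<unreadable archive>")
    return suspicious


def triage_message(raw: bytes):
    """Parse a raw RFC 822 message and return (verdict, reasons) for a quarantine decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    if any(k in subject for k in LURE_KEYWORDS):
        reasons.append(f"lure keyword in subject: {subject!r}")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too, so a renamed archive is not waved through.
        if filename.endswith(".zip") or payload[:2] == b"PK":
            members = inspect_zip_members(payload)
            if members:
                reasons.append(f"zip attachment {filename!r} contains script members: {members}")
    # A lure subject alone is only context; a script inside the archive drives the verdict.
    verdict = "quarantine" if any("script members" in r for r in reasons) else "deliver"
    return verdict, reasons


if __name__ == "__main__":
    zip_bytes = build_sample_zip(["Comprovativo_Transferencia.vbs"])  # constructed member name
    raw_mail = build_sample_message(zip_bytes, "Comprovativo.zip")
    print(triage_message(raw_mail))
```

The verdict is driven by archive contents rather than by the subject line, because the campaign reuses compromised, otherwise legitimate sender accounts and plausible wording; keyword hits are recorded only as supporting context for the analyst who reviews the quarantine.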

By adopting a proactive and informed approach to cybersecurity, individuals and organizations can better defend against the evolving landscape of cyber threats exemplified by the Lampion stealer’s latest campaign.