ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer

hello@craftedsignal.io — Thu, 30 Apr 2026 13:00:00 +0000

The BackgroundFix campaign is a social engineering scheme using fake “remove your photo background” services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.

Attack Chain

Victim searches for an online background removal tool and lands on a malicious BackgroundFix site.
The victim uploads an image to the fake website.
After clicking a checkbox, the site instructs the victim to copy a command to their clipboard.
The copied command executes finger.exe to query cheeshomireciple[.]com
finger.exe retrieves a batch script from the C2 server.
The batch script executes commands to download and execute further payloads.
CastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.
NetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.

Impact

Successful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.

Recommendation

Monitor process creation events for the execution of finger.exe with command-line arguments pointing to external domains (IOC: cheeshomireciple[.]com).
Deploy the Sigma rule to detect the execution of finger.exe to identify potential initial access attempts.
Block the C2 domain cheeshomireciple[.]com at the DNS resolver to prevent initial payload delivery.
Monitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: poronto[.]com:688, giovettiadv[.]com:688).

Registry Persistence via AppInit DLL Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The AppInit DLLs mechanism allows dynamic-link libraries (DLLs) to be loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. This mechanism is intended for customization of the user interface and behavior of Windows-based applications. However, attackers can abuse this by adding malicious DLLs to the registry locations associated with AppInit DLLs. This enables them to execute code with elevated privileges, similar to process injection, and maintain a persistent presence on the compromised machine. This technique is often used to maintain access after initial compromise. Detection focuses on registry modifications to the relevant keys, excluding known legitimate processes to minimize false positives. The referenced Elastic rule was last updated on 2026/05/04.

Attack Chain

An attacker gains initial access to the system through a vulnerability, phishing, or other means.
The attacker identifies the AppInit DLLs registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.
The attacker modifies the AppInit_DLLs registry value to include the path to their malicious DLL.
The attacker’s DLL is placed on the filesystem, typically in a location where it will persist across reboots.
Any new process that loads user32.dll will automatically load the attacker’s malicious DLL.
The malicious DLL executes arbitrary code within the context of the newly created process.
The attacker can use this code execution to perform further actions, such as installing backdoors or escalating privileges.
The attacker maintains persistent access to the system through the malicious DLL loaded into every user interface process.

Impact

Successful exploitation allows attackers to execute arbitrary code within the context of any process that loads user32.dll. This provides a persistent mechanism for maintaining access to the compromised system. The attacker gains code execution with elevated privileges, similar to process injection. This can lead to data theft, system compromise, or further lateral movement within the network. While no specific victim counts are mentioned, the widespread use of Windows makes this a potentially high-impact vulnerability.

Recommendation

Monitor registry modifications to the AppInit_DLLs value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows using the “Registry Persistence via AppInit DLL Modification” Sigma rule.
Enable Sysmon registry event logging to provide the data required for the Sigma rule to function correctly.
Deploy the “Registry Persistence via AppInit DLL Modification” Sigma rule to your SIEM and tune the filter to exclude known-good DLL paths in your environment.
Investigate any alerts triggered by the Sigma rule, focusing on the parent process and the DLL being loaded.

Microsoft Windows — CraftedSignal Threat Feed

ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer

Attack Chain

Impact

Recommendation

Registry Persistence via AppInit DLL Modification

Attack Chain

Impact

Recommendation