{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/clickfix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. 
This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter clicking a checkbox, the site instructs the victim to copy a command to their clipboard.\u003c/li\u003e\n\u003cli\u003eThe copied command executes \u003ccode\u003efinger.exe\u003c/code\u003e to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server.\u003c/li\u003e\n\u003cli\u003eThe batch script executes commands to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. 
The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of \u003ccode\u003efinger.exe\u003c/code\u003e to identify potential initial access attempts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["deepload","clickfix","credential-theft","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDeepLoad is a recently discovered malware family designed for credential theft, malicious browser extension installation, and potential 
cryptocurrency theft. First advertised on a dark web forum in early February 2026, DeepLoad is now being distributed in the wild via ClickFix campaigns. The malware is delivered through fake browser error messages that instruct victims to execute a PowerShell command, resulting in the persistent execution of a PowerShell loader. This loader dynamically generates a DLL component in the Temp directory to evade detection. DeepLoad also injects into the legitimate \u003ccode\u003eLockAppHost.exe\u003c/code\u003e process to further blend into trusted Windows activity and evade detection by security tools. The threat actor\u0026rsquo;s motivations appear to be financially driven, focusing on credential and cryptocurrency theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim encounters a fake browser error message.\u003c/li\u003e\n\u003cli\u003eThe victim is instructed to paste a command into Windows Run or a terminal.\u003c/li\u003e\n\u003cli\u003eThe command executes a PowerShell loader, which is designed for persistence.\u003c/li\u003e\n\u003cli\u003eThe PowerShell loader drops a DLL component in the Temp directory, compiled on every execution with a different filename.\u003c/li\u003e\n\u003cli\u003eThe loader disables PowerShell command history and calls Windows core functions directly to evade monitoring.\u003c/li\u003e\n\u003cli\u003eThe DLL is injected into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e using asynchronous procedure call (APC) injection.\u003c/li\u003e\n\u003cli\u003eDeepLoad steals credentials via a standalone credential stealer executed alongside the main loader.\u003c/li\u003e\n\u003cli\u003eA rogue browser extension is dropped to intercept user activity, including logins, open tabs, session tokens, and saved passwords. 
The malware also attempts to spread via USB drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DeepLoad infections can lead to significant credential theft, potentially compromising sensitive user accounts and data. The rogue browser extension can expose all user browser activity, including banking and cryptocurrency exchanges. The spread via USB drives allows the malware to propagate rapidly across an organization. The financial impact can be substantial if cryptocurrency wallets and other financial accounts are compromised. The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; Sigma rule to detect the initial PowerShell execution used to deliver the malware.\u003c/li\u003e\n\u003cli\u003eMonitor process injection into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e to identify potential DeepLoad infections (reference the Sigma rule \u0026ldquo;Detect Injection into LockAppHost.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and review for suspicious command line arguments indicative of the DeepLoad loader to enhance the effectiveness of the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement USB drive security policies to prevent the spread of malware via removable media.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of executing commands from untrusted sources to prevent initial infection via ClickFix techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-deepload-malware/","summary":"The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns 
using PowerShell loaders.","title":"DeepLoad Malware Distributed via ClickFix","url":"https://feed.craftedsignal.io/briefs/2026-04-deepload-malware/"}],"language":"en","title":"CraftedSignal Threat Feed — Clickfix","version":"https://jsonfeed.org/version/1.1"}