Deconstructing a cyber deception: an analysis of the Clickfix HijackLoader phishing campaign

Intel Name: Deconstructing a cyber deception: an analysis of the Clickfix HijackLoader phishing campaign

Date of Scan: September 18, 2025

Impact: High

Summary:
The Clickfix HijackLoader phishing campaign highlights the growing threat of attack loaders in modern cyberattacks. Since mid-2025, attackers have used Clickfix to trick victims into downloading malicious .msi installers, leading to the execution of HijackLoader, a sophisticated Malware-as-a-Service tool. Known for delivering stealers like DeerStealer, HijackLoader employs advanced evasion techniques such as process doppelgänging, DLL unhooking, and call-stack spoofing. Its rapid evolution, global distribution via fake installers and SEO poisoning, and integration into broader MaaS ecosystems like TAG-150’s CastleLoader underline its significance as a persistent threat requiring continuous monitoring and defense.
