Clickfix to PureHVNC Multi Stage Malware Delivery via Fake Booking Portal

    Date: 05/08/2026

    Severity: High

    Summary

    This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks. By combining user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection, the operators behind this activity achieve stealthy deployment of the PureHVNC RAT while minimizing forensic visibility. The campaign also highlights increasing abuse of legitimate Windows utilities and trusted binaries to evade conventional security controls. Organizations should prioritize behavioral detection strategies focused on suspicious PowerShell execution, persistence creation, DLL side-loading, and anomalous process injection activity rather than relying solely on static indicators.

    Indicators of Compromise (IOC) List

    Domain:

    https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7

    https://clubcampestrededurango.com/clubcampestrededurango.zip

    IP Address:

    94.26.90.216

    Hash:

    ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64

    526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3

    354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://clubcampestrededurango.com/clubcampestrededurango.zip" or url like "https://clubcampestrededurango.com/clubcampestrededurango.zip" or siteurl like "https://clubcampestrededurango.com/clubcampestrededurango.zip" or domainname like "https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7" or url like "https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7" or siteurl like "https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7"

    Detection Query 2 :

    dstipaddress IN ("94.26.90.216") or srcipaddress IN ("94.26.90.216") 

    Detection Query 3 :

    sha256hash IN ("526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3","354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1","ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64")
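    The three TDIR queries above are essentially IOC lookups over URL, IP and hash fields. The following is an added example (not Gurucul's code and not part of the original advisory) that applies the same three checks to log records represented as Python dicts, so an analyst can run the logic offline against exported telemetry. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash) are taken from the queries; it is an assumption that the `like` operator means a case-insensitive substring match, and the sample records at the bottom are constructed, not real telemetry.

```python
"""IOC matcher mirroring Detection Queries 1-3 over dict-shaped log records.

Added example, not Gurucul's own code. The IOC values come from the
advisory's IOC list; 'like' is assumed to be a case-insensitive
substring match, while IP and hash checks are exact (case-folded).
"""
from typing import Callable, Dict, List, Tuple

# IOCs copied from the advisory's IOC list.
IOC_URLS = {
    "https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7",
    "https://clubcampestrededurango.com/clubcampestrededurango.zip",
}
IOC_IPS = {"94.26.90.216"}
IOC_SHA256 = {
    "ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64",
    "526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3",
    "354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1",
}

# Field names as used in the TDIR queries.
URL_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("sha256hash",)

Record = Dict[str, str]


def _field(record: Record, name: str) -> str:
    """Fetch a field as a lower-cased string, empty when absent."""
    return str(record.get(name, "")).strip().lower()


def query1_url(record: Record) -> bool:
    """Detection Query 1: any URL-bearing field contains a known malicious URL."""
    for field in URL_FIELDS:
        value = _field(record, field)
        if value and any(ioc.lower() in value for ioc in IOC_URLS):
            return True
    return False


def query2_ip(record: Record) -> bool:
    """Detection Query 2: source or destination IP equals the C2 address."""
    return any(_field(record, f) in IOC_IPS for f in IP_FIELDS)


def query3_hash(record: Record) -> bool:
    """Detection Query 3: SHA-256 of the observed file is a known sample."""
    return any(_field(record, f) in IOC_SHA256 for f in HASH_FIELDS)


QUERIES: Dict[str, Callable[[Record], bool]] = {
    "query1_url": query1_url,
    "query2_ip": query2_ip,
    "query3_hash": query3_hash,
}


def match_records(records: List[Record]) -> List[Tuple[int, List[str]]]:
    """Return (record index, names of queries that fired) for every hit."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, rec in enumerate(records):
        fired = [name for name, fn in QUERIES.items() if fn(rec)]
        if fired:
            hits.append((idx, fired))
    return hits


# Constructed sample records (not real telemetry): a benign proxy entry,
# a download of the staged ZIP to the C2 IP, an upper-cased hash, and a
# connection from the C2 IP with an unrelated hash.
SAMPLE_RECORDS: List[Record] = [
    {"url": "https://example.invalid/booking", "dstipaddress": "203.0.113.5"},
    {"siteurl": "HTTPS://clubcampestrededurango.com/clubcampestrededurango.zip",
     "dstipaddress": "94.26.90.216"},
    {"sha256hash": "CA1DBBBD75B898B5DF5FF2A63B592ECDCD2777B0D370EB3848D9604E02627E64"},
    {"srcipaddress": "94.26.90.216",
     "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for idx, fired in match_records(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(fired)}")
```

    Running the block reports records 1, 2 and 3 as hits; record 0 produces no match. Because the IP and hash sets are looked up after case-folding, exports that upper-case hashes or scheme prefixes still match, which is the usual cause of missed IOC hits when queries are ported between tools.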

    Reference:

    https://gurucul.com/blog/clickfix-to-purehvnc-multi-stage-malware-delivery-via-fake-booking-portal/


    Tags

    Malware, Threat Actor, RAT, Social Engineering, PureHVNC, ClickFix, DLL Side-Loading


