Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

    Date: 09/18/2025

    Severity: High

    Summary

    The Clickfix HijackLoader phishing campaign highlights the growing role of malware loaders in modern cyberattacks. Since mid-2025, attackers have used Clickfix lures to trick victims into downloading malicious .msi installers, leading to the execution of HijackLoader, a sophisticated Malware-as-a-Service tool. Known for delivering stealers such as DeerStealer, HijackLoader employs advanced evasion techniques including process doppelgänging, DLL unhooking, and call-stack spoofing. Its rapid evolution, global distribution via fake installers and SEO poisoning, and integration into broader MaaS ecosystems such as TAG-150's CastleLoader underline its significance as a persistent threat requiring continuous monitoring and defense.

    Indicators of Compromise (IOC) List

    URL/Domains

    cosi.com.ar 

    https://rs.mezi.bet/samie_bower.mp3 

    http://77.91.101.66/ 

    https://1h.vuregyy1.ru/3g2bzgrevl.hta

    IP Addresses

    91.212.166.51 

    37.27.165.65

    SHA-256 Hashes:

    1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57 

    37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4 

    3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df 

    782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d 

    921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184 

    e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82 

    52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd 

    c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e 

    D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4 

    50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://1h.vuregyy1.ru/3g2bzgrevl.hta" or siteurl like "https://1h.vuregyy1.ru/3g2bzgrevl.hta" or url like "https://1h.vuregyy1.ru/3g2bzgrevl.hta" or domainname like "cosi.com.ar" or siteurl like "cosi.com.ar" or url like "cosi.com.ar" or domainname like "http://77.91.101.66/" or siteurl like "http://77.91.101.66/" or url like "http://77.91.101.66/" or domainname like "https://rs.mezi.bet/samie_bower.mp3" or siteurl like "https://rs.mezi.bet/samie_bower.mp3" or url like "https://rs.mezi.bet/samie_bower.mp3"

    Detection Query 2:

    dstipaddress IN ("91.212.166.51","37.27.165.65") or srcipaddress IN ("91.212.166.51","37.27.165.65")

    Detection Query 3:

    sha256hash IN ("1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57","c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e","37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4","3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df","782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d","921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184","e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82","52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd","D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4","50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee")
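    The three queries above are field-by-field IOC lookups, and the script below is an added example (not Gurucul's or Seqrite's code) that applies the same logic to log records so the matching behaviour can be checked offline. It uses the IOC values and the field names (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash) exactly as they appear in the queries; the log records are constructed. Two points are assumptions rather than documented query semantics: a "like" without wildcards is treated as an exact, case-insensitive comparison for full-URL IOCs, and a bare-domain IOC is matched against the record's hostname or any subdomain of it rather than as a raw substring (so "notcosi.com.ar" does not trigger). Hash comparison lowercases both sides because one digest in the list is printed with an uppercase first character, and an exact-case match would silently miss it.

```python
import ipaddress
from urllib.parse import urlsplit

# URL/domain IOCs from the page (Detection Query 1).
IOC_URLS = [
    "cosi.com.ar",
    "https://rs.mezi.bet/samie_bower.mp3",
    "http://77.91.101.66/",
    "https://1h.vuregyy1.ru/3g2bzgrevl.hta",
]
# IP IOCs from the page (Detection Query 2).
IOC_IPS = {"91.212.166.51", "37.27.165.65"}
# SHA-256 IOCs from the page (Detection Query 3), copied as printed.
IOC_SHA256 = [
    "1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57",
    "37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4",
    "3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df",
    "782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d",
    "921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184",
    "e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82",
    "52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd",
    "c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e",
    "D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4",
    "50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee",
]
# Hex digests are case-insensitive; normalise once so the mixed-case entry matches.
IOC_SHA256_NORM = {h.lower() for h in IOC_SHA256}

URL_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"


def host_of(value):
    """Lowercase hostname of a URL or bare domain; '' if nothing parseable."""
    text = value.strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit treat a bare domain as the netloc
    try:
        return (urlsplit(text).hostname or "").lower()
    except ValueError:
        return ""


def match_url(value, iocs=IOC_URLS):
    """Query 1 logic for one field value; returns the matching IOC or None.

    Assumption: full-URL IOCs compare exactly (case-insensitive); bare-domain
    IOCs match the record's host or any of its subdomains, never a substring."""
    host = host_of(value)
    for ioc in iocs:
        if "://" in ioc:
            if value.strip().lower() == ioc.lower():
                return ioc
        elif host == ioc.lower() or host.endswith("." + ioc.lower()):
            return ioc
    return None


def match_ip(value, iocs=IOC_IPS):
    """Query 2 logic: canonicalise the address before comparing."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if str(addr) in iocs else None


def match_hash(value, iocs=IOC_SHA256_NORM):
    """Query 3 logic: case-insensitive digest lookup."""
    digest = value.strip().lower()
    return digest if digest in iocs else None


def evaluate(record):
    """Apply all three queries to one record; returns [(query, field, ioc), ...]."""
    hits = []
    for field in URL_FIELDS:
        if field in record and (ioc := match_url(str(record[field]))):
            hits.append(("Query 1", field, ioc))
    for field in IP_FIELDS:
        if field in record and (ioc := match_ip(str(record[field]))):
            hits.append(("Query 2", field, ioc))
    if HASH_FIELD in record and (ioc := match_hash(str(record[HASH_FIELD]))):
        hits.append(("Query 3", HASH_FIELD, ioc))
    return hits


# Constructed log records (not from the page): two true positives, one
# mixed-case hash, one near-miss domain, one clean record.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://1h.vuregyy1.ru/3g2bzgrevl.hta", "srcipaddress": "10.0.0.5"},
    {"id": 2, "siteurl": "https://www.cosi.com.ar/login", "dstipaddress": "91.212.166.51"},
    {"id": 3, "sha256hash": "D0068B92ACED77B7A54BD8722AD0FD1037A28821D370CF7E67CBF6FD70A608C4"},
    {"id": 4, "domainname": "notcosi.com.ar", "dstipaddress": "8.8.8.8"},
    {"id": 5, "url": "https://example.com/", "sha256hash": "00" * 32},
]


def scan(records=SAMPLE_RECORDS):
    """Return {record id: hits} for every record that matched at least one query."""
    return {r["id"]: hits for r in records if (hits := evaluate(r))}


if __name__ == "__main__":
    for rid, hits in scan().items():
        for query, field, ioc in hits:
            print(f"record {rid}: {query} on {field} -> {ioc}")
```

    Running the script reports records 1, 2 and 3 only: record 4 is not flagged because "notcosi.com.ar" is neither the IOC domain nor a subdomain of it, which is the behaviour to confirm in the real query engine before relying on a wildcard-free "like" for domain matching.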

    Reference:

    https://www.seqrite.com/blog/deconstructing-a-cyber-deception-an-analysis-of-the-clickfix-hijackloader-phishing-campaign/


    Tags

    Malware, Phishing, HijackLoader, ClickFix, DeerStealer, Stealer
