Evasive ClickFix Injection Delivers a RAT Hidden in Image Files

    Date: 06/08/2026

    Severity: High

    Summary

    A multi-step ClickFix attack was detected using brand squatting, clipboard decoys, and multi-stage payloads disguised as logs or images. The threat actor registered lirunex[.]tech, mimicking the legitimate payment platform lirunex.com, and launched an evasive attack. The multi-stage payloads ultimately delivered a cross-platform RAT disguised as image files. When victims paste what they believe is an SSL certificate path, the attacker silently replaces it via the clipboard, executing the first stage with conhost --headless; this acts as a two-stage dropper for the RAT. The site cloaks itself from non-targets by showing a Swagger UI clone of the legitimate Lirunex API, controlled server-side.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://95.179.240.32:9999/build" or url like "http://95.179.240.32:9999/build" or siteurl like "http://95.179.240.32:9999/build"
    or domainname like "http://104.207.131.216:16443" or url like "http://104.207.131.216:16443" or siteurl like "http://104.207.131.216:16443"
    or domainname like "http://188.166.20.222:8000" or url like "http://188.166.20.222:8000" or siteurl like "http://188.166.20.222:8000"
    or domainname like "aromi-fr.com" or url like "aromi-fr.com" or siteurl like "aromi-fr.com"
    or domainname like "https://colafunfacts.net/log" or url like "https://colafunfacts.net/log" or siteurl like "https://colafunfacts.net/log"
    or domainname like "https://colafunfacts.net/firefox.zip" or url like "https://colafunfacts.net/firefox.zip" or siteurl like "https://colafunfacts.net/firefox.zip"
    or domainname like "lirunex.tech" or url like "lirunex.tech" or siteurl like "lirunex.tech"
    or domainname like "convmasters.com" or url like "convmasters.com" or siteurl like "convmasters.com"
    or domainname like "aromi-fr.shop" or url like "aromi-fr.shop" or siteurl like "aromi-fr.shop"

    Detection Query 2 :

    sha256hash In ("0bd04e6b054a45d642adb9338862f8253e94b83365a81f95e6a4fc740bac9c0c","b18d6a77ed2693485dabb2d86fc28cb7946b5e3ecbd89f7656365de8474ad012","b1cd7e6f87ba5b6532df928277f0ecfed2b4345667835d64be27fd434cbbfc63","01b33a2b65bff3c4f3ea686dd545ea4d4214605a7db27b11c5c931058b6f6fbe")
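    The two queries above match raw indicator strings field by field. The following is an added example (not Gurucul or Unit 42 code) that applies the same indicators to constructed log events, but normalises URLs to their host so that a different path or port on a listed host still matches, and additionally flags the conhost --headless process launch described in the Summary. It assumes event fields named domainname, url, siteurl and sha256hash as in the queries, plus an assumed commandline field for process-creation events.

```python
import re

# Indicators taken from the advisory above; lirunex[.]tech is defanged as published.
IOC_HOSTS = {"aromi-fr.shop", "aromi-fr.com", "convmasters.com", "lirunex[.]tech",
             "95.179.240.32", "104.207.131.216", "188.166.20.222", "colafunfacts.net"}
IOC_SHA256 = {
    "0bd04e6b054a45d642adb9338862f8253e94b83365a81f95e6a4fc740bac9c0c",
    "b18d6a77ed2693485dabb2d86fc28cb7946b5e3ecbd89f7656365de8474ad012",
    "b1cd7e6f87ba5b6532df928277f0ecfed2b4345667835d64be27fd434cbbfc63",
    "01b33a2b65bff3c4f3ea686dd545ea4d4214605a7db27b11c5c931058b6f6fbe",
}

def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

HOSTS = {refang(h) for h in IOC_HOSTS}
# Optional scheme, then host or IP, then optional port; the path is ignored.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+)(?::\d+)?", re.IGNORECASE)
# First-stage launch pattern from the Summary: conhost run with --headless.
CONHOST_RE = re.compile(r"\bconhost(?:\.exe)?\s+--headless\b", re.IGNORECASE)

def host_of(value: str) -> str:
    m = HOST_RE.match(value.strip())
    return m.group(1).lower() if m else ""

def classify(event: dict) -> list[str]:
    """Return sorted, de-duplicated detection labels for one event."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):
        host = host_of(event.get(field, ""))
        if host in HOSTS:
            hits.add(f"ioc-host:{host}")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.add("ioc-hash")
    if CONHOST_RE.search(event.get("commandline", "")):
        hits.add("conhost-headless")
    return sorted(hits)

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and labels of every event that triggered at least one detection."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample events for illustration; they are not from the advisory.
SAMPLE_EVENTS = [
    {"url": "http://95.179.240.32:9999/build"},                     # listed stage URL
    {"siteurl": "https://colafunfacts.net/other.png"},              # listed host, new path
    {"sha256hash": "0BD04E6B054A45D642ADB9338862F8253E94B83365A81F95E6A4FC740BAC9C0C"},
    {"commandline": "conhost.exe --headless <constructed-stage1-command>"},
    {"url": "https://example.com/swagger"},                         # benign
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```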

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-05-%20Evasive-ClickFix-Injection-Delivers-RAT.txt

    Tags

    Malware, Threat Actor, RAT, ClickFix, Mimic, Financial Services
