Lampion is Back With ClickFix Lures

    Date: 05/07/2025

    Severity: Medium

    Summary

    A newly uncovered targeted campaign marks the return of the Lampion malware, this time aimed at Portuguese organizations in the government, finance and transportation sectors. Active since 2019, Lampion now uses ClickFix lures: a social engineering tactic in which the victim is shown a fake error or verification prompt and told to paste and run a command that supposedly fixes it, so the user launches the first stage themselves rather than opening an attachment. The lure domains listed below impersonate the Portuguese tax authority (autoridade-tributaria.com) and invoice notices (inde-faturas.com), and the rest of the chain keeps previously observed TTPs, including obfuscated Visual Basic scripts and familiar infrastructure. The final payload was not delivered in the observed intrusions, but the full infection chain up to that point was identified, indicating the operators' readiness for future attacks and underscoring the need to detect the script and network stages rather than only the final payload.

    Indicators of Compromise (IOC) List

    URL/Domain

    inde-faturas.com

    autoridade-tributaria.com

    http://18.116.63.61/ifeellike.php

    http://18.116.63.61/trogloditas.php

    http://3.135.249.199/prayfor.php

    http://18.217.122.187/proposito.php

    http://18.226.150.56/persistir.php

    http://3.142.40.36/grow.php

    http://18.216.78.94/aceitalo.php

    http://3.23.103.13/stick.php

    IP Address

    18.221.69.167

    18.222.97.143

    18.116.15.129

    18.220.96.58

    3.135.200.135

    18.191.192.110

    18.224.38.123

    18.118.163.100

    3.147.127.14

    3.138.32.196

    18.117.11.70

    18.117.173.119

    18.116.28.153

    3.16.76.203

    3.15.7.241

    3.15.155.141

    18.117.71.203

    3.133.160.140

    3.133.113.215

    3.143.24.42

    18.217.180.185

    3.23.105.171

    3.142.200.117

    3.128.34.187

    18.191.240.233

    3.147.86.100

    5.8.9.77

    83.242.96.159

    Hash (SHA-256)

    ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce

    4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35

    bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483

    29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b

    58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e

    334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d

    1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "http://18.216.78.94/aceitalo.php" or siteurl like "http://18.216.78.94/aceitalo.php" or url like "http://18.216.78.94/aceitalo.php" or
    domainname like "http://18.116.63.61/ifeellike.php" or siteurl like "http://18.116.63.61/ifeellike.php" or url like "http://18.116.63.61/ifeellike.php" or
    domainname like "http://18.226.150.56/persistir.php" or siteurl like "http://18.226.150.56/persistir.php" or url like "http://18.226.150.56/persistir.php" or
    domainname like "http://18.217.122.187/proposito.php" or siteurl like "http://18.217.122.187/proposito.php" or url like "http://18.217.122.187/proposito.php" or
    domainname like "http://18.116.63.61/trogloditas.php" or siteurl like "http://18.116.63.61/trogloditas.php" or url like "http://18.116.63.61/trogloditas.php" or
    domainname like "http://3.142.40.36/grow.php" or siteurl like "http://3.142.40.36/grow.php" or url like "http://3.142.40.36/grow.php" or
    domainname like "autoridade-tributaria.com" or siteurl like "autoridade-tributaria.com" or url like "autoridade-tributaria.com" or
    domainname like "inde-faturas.com" or siteurl like "inde-faturas.com" or url like "inde-faturas.com" or
    domainname like "http://3.135.249.199/prayfor.php" or siteurl like "http://3.135.249.199/prayfor.php" or url like "http://3.135.249.199/prayfor.php" or
    domainname like "http://3.23.103.13/stick.php" or siteurl like "http://3.23.103.13/stick.php" or url like "http://3.23.103.13/stick.php"

    Detection Query 2

    dstipaddress IN ("18.217.180.185","18.117.71.203","18.191.240.233","3.143.24.42",
                     "3.15.7.241","3.16.76.203","3.147.127.14","3.138.32.196",
                     "18.221.69.167","18.222.97.143","18.116.15.129","18.220.96.58",
                     "3.135.200.135","18.191.192.110","18.224.38.123","18.118.163.100",
                     "18.117.11.70","18.117.173.119","18.116.28.153","3.15.155.141",
                     "3.133.160.140","3.133.113.215","3.23.105.171","3.142.200.117",
                     "3.128.34.187","3.147.86.100","5.8.9.77","83.242.96.159")
    or srcipaddress IN ("18.217.180.185","18.117.71.203","18.191.240.233","3.143.24.42",
                     "3.15.7.241","3.16.76.203","3.147.127.14","3.138.32.196",
                     "18.221.69.167","18.222.97.143","18.116.15.129","18.220.96.58",
                     "3.135.200.135","18.191.192.110","18.224.38.123","18.118.163.100",
                     "18.117.11.70","18.117.173.119","18.116.28.153","3.15.155.141",
                     "3.133.160.140","3.133.113.215","3.23.105.171","3.142.200.117",
                     "3.128.34.187","3.147.86.100","5.8.9.77","83.242.96.159")

    Detection Query 3

    sha256hash IN ("ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce",
                   "58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e",
                   "4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35",
                   "bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483",
                   "29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b",
                   "334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d",
                   "1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3")
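    The three queries above are only as good as the fields they run against: a `like` clause with no wildcard matches only when the logged field carries exactly the indicator string, so `domainname like "http://…/aceitalo.php"` never fires on a bare hostname, and a logged URL with a query string or an https scheme slips past the URL clauses. The following Python is an added example, not Gurucul's or Unit 42's code, that applies the same indicator sets to constructed log records with that normalisation done: URLs are reduced to host and path, domains match including subdomains, and the hosts of the URL indicators (which do not appear in the IP list) are also treated as IP indicators so that a firewall record without URL logging still hits. Field names mirror the queries; the sample records are constructed, not real telemetry.

```python
"""IOC matcher for the Lampion / ClickFix indicators above (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list.
IOC_URLS = {
    "http://18.116.63.61/ifeellike.php", "http://18.116.63.61/trogloditas.php",
    "http://3.135.249.199/prayfor.php", "http://18.217.122.187/proposito.php",
    "http://18.226.150.56/persistir.php", "http://3.142.40.36/grow.php",
    "http://18.216.78.94/aceitalo.php", "http://3.23.103.13/stick.php",
}
IOC_DOMAINS = {"inde-faturas.com", "autoridade-tributaria.com"}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "18.221.69.167", "18.222.97.143", "18.116.15.129", "18.220.96.58",
    "3.135.200.135", "18.191.192.110", "18.224.38.123", "18.118.163.100",
    "3.147.127.14", "3.138.32.196", "18.117.11.70", "18.117.173.119",
    "18.116.28.153", "3.16.76.203", "3.15.7.241", "3.15.155.141",
    "18.117.71.203", "3.133.160.140", "3.133.113.215", "3.143.24.42",
    "18.217.180.185", "3.23.105.171", "3.142.200.117", "3.128.34.187",
    "18.191.240.233", "3.147.86.100", "5.8.9.77", "83.242.96.159",
)}
IOC_SHA256 = {
    "ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce",
    "4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35",
    "bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483",
    "29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b",
    "58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e",
    "334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d",
    "1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3",
}


def url_key(url):
    """Reduce a URL to (host, path) so that scheme, port, query string and
    letter case do not hide a match against the indicator URLs."""
    url = url.strip()
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.path or "/"


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
# The URL indicators are hosted on raw IPs that are absent from the IP list;
# treat those hosts as IP indicators too (derived from the advisory's own URLs).
IOC_IPS |= {ipaddress.ip_address(host) for host, _ in IOC_URL_KEYS}


def domain_matches(host):
    """True if host is an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(value):
    try:
        return ipaddress.ip_address(value.strip()) in IOC_IPS
    except ValueError:  # empty field, hostname or malformed address
        return False


def match_event(event):
    """Return the indicator hits for one record. Field names mirror the
    advisory's queries: url/siteurl, domainname, srcipaddress/dstipaddress,
    sha256hash."""
    hits = []
    for field in ("url", "siteurl"):
        if event.get(field):
            host, path = url_key(event[field])
            if (host, path) in IOC_URL_KEYS:
                hits.append("url:" + host + path)
            elif domain_matches(host):
                hits.append("domain:" + host)
    dn = event.get("domainname")
    if dn and domain_matches(dn):
        hits.append("domain:" + dn.lower().rstrip("."))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) and ip_matches(event[field]):
            hits.append("ip:" + event[field].strip())
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append("sha256:" + digest[:12])
    return hits


def scan(events):
    """Return (index, hits) for every record that matched an indicator."""
    out = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            out.append((i, hits))
    return out


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"url": "HTTP://18.116.63.61/ifeellike.php?x=1", "dstipaddress": "18.116.63.61"},
    {"domainname": "www.autoridade-tributaria.com."},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "3.15.7.241"},
    {"url": "https://example.com/login",
     "sha256hash": "EE4C8E4CCE55BD40AFA1FB0BC0EEE3D7C23D0EBE2DB48C2092E854F6CA1472CE"},
    {"url": "https://www.example.org/", "dstipaddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

    Two caveats carry over from the queries themselves. Most of the IP indicators sit in cloud-provider address space and can be reassigned after the campaign ends, so retire them on a schedule rather than leaving them in a blocklist indefinitely. And the domain clause matches only the two registered lure domains, which is the indicator most likely to be rotated; the ClickFix behaviour (a browser-spawned command interpreter launched from the Run dialog or similar) is the more durable detection, and this matcher does not replace it.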

    Reference:

    https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/


    Tags

    Malware, Lampion, Portugal, Government Services and Facilities, Financial Services, Transportation Systems, ClickFix, Social Engineering
