TL;DR: A ClickFix campaign used a spoofed licensing site, staged PowerShell, Donut shellcode, and in-memory .NET execution to deliver PureLogs stealer, targeting browser credentials, Windows Credential Manager, and cryptocurrency wallets, according to Gurucul. The case shows how fileless delivery blurs endpoint and identity boundaries, making credential exposure and runtime telemetry the real control points.
At a glance
What this is: This is a threat research post about a ClickFix-driven, fileless malware chain that uses staged PowerShell and in-memory execution to deploy PureLogs stealer and harvest credentials, browser data, and wallet artifacts.
Why it matters: It matters to IAM and NHI teams because the campaign targets secrets and session material rather than only endpoints, so identity controls, credential storage, and detection around PowerShell activity all become part of the defence surface.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
👉 Read Gurucul's full threat research on the Canndelta ClickFix PureLogs campaign
Context
ClickFix campaigns exploit user trust by turning a fake verification prompt into a command execution path. In this case, the primary keyword is fileless malware delivery, and the attacker used that pattern to move from social engineering to PowerShell execution, then to in-memory payload staging and credential theft.
For IAM, PAM, and NHI programmes, the issue is not only the malware family. The operational failure is that browser credentials, session tokens, password managers, and Windows Credential Manager artefacts can be harvested once a user is tricked into running attacker-controlled code, which means identity telemetry and endpoint telemetry now need to be correlated rather than treated as separate problems.
The starting position is typical of modern commodity stealers: lure the user, execute a script, hide the payload, and exfiltrate secrets. What makes it operationally useful for defenders is that the campaign exposes where detection and identity governance still assume a file-based or permission-based attack model.
Key questions
Q: How should security teams detect ClickFix-style PowerShell abuse in practice?
A: Teams should correlate user-initiated shell execution, hidden PowerShell windows, remote script retrieval, and memory-only payload staging in a single detection path. The goal is to identify the moment a browser-driven trust event becomes local code execution. That requires endpoint telemetry, process lineage, and network signals to be analysed together, not in separate dashboards.
Q: Why do fileless stealers create a bigger credential risk than ordinary malware?
A: Fileless stealers matter because they target reusable identity material such as browser cookies, session tokens, password manager data, and Windows Credential Manager contents. Once those artefacts are exposed, the attacker may not need the original host again. The compromise can spread into other systems, services, and sessions that trust the stolen material.
Q: What do teams get wrong about PowerShell-based malware campaigns?
A: Many teams still treat PowerShell abuse as an endpoint hygiene issue rather than an identity and access issue. In reality, the script often becomes the path to credential theft, session hijacking, and downstream service access. If the response does not include credential-store review and identity telemetry, the real blast radius stays hidden.
Q: How should organisations respond when browser credentials may have been harvested?
A: Contain the user session, invalidate exposed cookies and tokens, reset any reused credentials, and check whether the same secrets are used by service accounts or downstream integrations. Because browser stores can hold reusable identity material, the response should cover both human accounts and any linked non-human access.
Technical breakdown
ClickFix social engineering as the initial access path
ClickFix is a social engineering pattern that replaces a conventional download with a user-instructed execution step, often through Win+R and clipboard abuse. In this campaign, the spoofed licensing prompt induced the victim to run malicious PowerShell, which then retrieved the next stage from remote infrastructure. The key architectural point is that initial access is not a binary compromise event. It is a human-triggered execution bridge that bypasses browser protections and shifts trust from the website to the local shell.
Practical implication: monitor for user-initiated shell execution paths that originate from web browsing and treat them as identity-relevant events, not just endpoint noise.
Why staged PowerShell and RWX memory reduce detection
The malware chain uses multiple PowerShell stages, remote payload retrieval, and memory-only execution to avoid writing obvious binaries to disk. One stage allocates executable memory with VirtualAlloc and PAGE_EXECUTE_READWRITE, then starts execution with CreateThread. That pattern matters because endpoint tools that rely heavily on file reputation or on-disk artefacts will miss or downgrade the signal. Hidden windows, obfuscated variables, and Invoke-Expression further compress the defender’s response window by moving execution into the runtime rather than the filesystem.
Practical implication: alert on PowerShell with hidden windows, RWX memory allocation, and remote script retrieval as a combined detection pattern.
In-memory CLR loading turns the stealer into a fileless credential harvester
Donut shellcode bridges unmanaged execution into the .NET runtime, allowing the PureLogs assembly to be reconstructed and loaded entirely in memory. That gives the operator a portable delivery mechanism for a stealer that can enumerate browser profiles, credential stores, SSH-related files, and cryptocurrency wallet artefacts. The important technical detail is that the final payload is not merely downloaded. It is instantiated in memory, which makes it harder to map to a single executable file and easier to pair with runtime exfiltration over TCP.
Practical implication: correlate .NET runtime initialisation from non-standard parent processes with access to credential stores and browser profile directories.
Threat narrative
Attacker objective: The attacker’s objective is to steal reusable authentication material, wallet artefacts, and session data that can be monetised or repurposed for follow-on access.
- Entry occurs when a victim visits the spoofed canndelta[.]com site and is induced through ClickFix to run a malicious PowerShell command from the local shell.
- Escalation occurs as staged PowerShell loaders fetch additional payloads, allocate RWX memory, and transition execution into shellcode and in-memory CLR loading.
- Impact occurs when PureLogs enumerates browser credentials, Windows Credential Manager artefacts, wallet data, and session tokens, then exfiltrates the harvested material to attacker-controlled infrastructure.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential theft has become an identity workflow problem, not just a malware problem. PureLogs is valuable to defenders because it shows the attacker’s real target is stored authentication material, session tokens, and wallet artefacts, not the host in isolation. That means the security boundary is now the identity surface exposed by browser stores, password managers, and Windows Credential Manager. Practitioners should treat credential repositories as active attack infrastructure.
ClickFix works because user execution still short-circuits many identity assumptions. The campaign depends on a person being convinced to run code locally, which means the control gap sits between human behaviour and machine execution. Identity programmes that separate endpoint response from IAM telemetry miss that the same action can create both malware execution and credential compromise. Practitioners need a shared view of user-initiated code execution as an access event.
Fileless delivery creates a runtime visibility gap that traditional file-centric controls do not close. The use of staged PowerShell, RWX memory, and in-memory CLR execution means the payload never needs to become a durable artefact on disk. That undermines detection models built around hashes, file scanning, and post-write analysis. The practical conclusion is that runtime telemetry, command-line scrutiny, and memory events must sit inside the identity detection model.
Browser and credential-store abuse is the modern blast-radius multiplier. Once a stealer reaches Chromium profiles, Windows Credential Manager, or wallet extensions, the compromise can extend far beyond the original user session. This is why NHI governance matters even in a human-user attack: one compromised workstation can expose reusable secrets that authenticate machines, services, and downstream sessions. Practitioners should map where human sessions and non-human secrets intersect.
PureLogs is a reminder that the first control failure is often trust in execution timing. The operator only needs one successful, user-paced execution event to start a chain that rapidly shifts into machine-paced staging and exfiltration. That speed collapses the value of delayed review processes and isolated endpoint alerts. Practitioners should anchor response around the earliest execution cue, not the final theft event.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For the broader identity context, The 52 NHI breaches Report shows how exposed credentials and unmanaged access recur across real incidents.
What this signals
Runtime visibility is now a governance requirement. Campaigns like this compress the time between human execution and secret theft, which means your programme needs to detect user-driven shell activity before the stealer reaches browser stores or credential managers. One useful signal is the combination of script execution and RWX memory creation, especially where the host then touches identity-bearing data.
Credential repositories are part of your attack surface, even when the original incident begins on a workstation. If attackers can enumerate browser profiles, session tokens, SSH files, or password manager artefacts, the compromise is already moving across identity domains. That is why teams need to connect endpoint telemetry to IAM, PAM, and secrets governance, rather than treating them as separate control planes.
Identity blast radius: this campaign shows how a single successful execution event can expose reusable credentials that outlive the infected session. That is the point at which offboarding, rotation, and token revocation stop being administrative chores and become containment mechanics. Teams should expect more attacks that target the credential layer first and the device layer second.
For practitioners
- Correlate user-executed PowerShell with identity telemetry Tie Win+R initiated script execution, hidden PowerShell windows, and outbound connections into a single detection path so analysts can see when a browsing session becomes an execution event. Include browser profile access and credential-store reads in the same investigation queue.
- Harden access to browser credential stores and wallet artefacts Review which accounts and processes can read Chromium profile data, Windows Credential Manager paths, and browser session files. Use local least privilege to reduce the chance that a single user trick can expose high-value authentication material.
- Detect RWX memory allocation from script hosts Alert on VirtualAlloc with PAGE_EXECUTE_READWRITE followed by CreateThread when the parent process is PowerShell or another script host. Pair that signal with .NET runtime initialisation from unmanaged contexts to catch fileless loaders earlier.
- Instrument the credential exposure path, not just the endpoint Track accesses to credential repositories, browser stores, SSH files, and password manager directories as identity-relevant events. This helps distinguish normal user activity from a stealer enumerating reusable secrets for later abuse.
Key takeaways
- This campaign shows that social engineering, not just malware tooling, can be the entry point for identity compromise.
- The scale of the risk is defined by how many reusable secrets a stealer can harvest from browser stores, credential managers, and wallet artefacts.
- Teams should treat script execution, memory-only payloads, and credential access as one detection problem, not three separate ones.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 Initial Access; TA0006 Credential Access; TA0009 Collection; TA0010 Exfiltration | The article maps a full attack chain from social engineering to credential theft and exfiltration. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The campaign targets secrets and identity artefacts that OWASP NHI addresses directly. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control failures are central because stolen secrets enable downstream access. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential storage and management are directly implicated by the theft of reusable secrets. |
| NIST Zero Trust (SP 800-207) | The attack breaks trust at the endpoint and then exploits identity artefacts beyond the original session. |
Treat user endpoints as untrusted and require continuous verification before secrets or session access is reused.
Key terms
- ClickFix: A ClickFix campaign uses a deceptive prompt that persuades the victim to copy and execute a command locally, often through the operating system shell. The technique converts user trust into code execution and can bypass normal download and warning flows, making it effective for staged malware delivery.
- Fileless Malware: Fileless malware executes primarily in memory instead of leaving a traditional executable on disk. That makes it harder to detect with file-based controls, while allowing attackers to chain scripts, shellcode, and runtime loaders into a compact infection flow that is visible mainly through process and memory telemetry.
- Credential Store Abuse: Credential store abuse is the theft or enumeration of saved authentication material from browser profiles, password managers, or operating system credential repositories. In practice, this turns local secrets into reusable access tokens that can be repurposed for account takeover, session theft, or later movement into connected systems.
- RWX Memory Allocation: RWX memory allocation means memory is marked readable, writable, and executable at the same time. Attackers use it to place shellcode or loaders directly into memory and run them without writing a normal file, which reduces artefacts and complicates host-based detection.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The exact PowerShell execution chain used to retrieve and stage the payloads.
- The Donut shellcode and CLR-loading sequence that reconstructs PureLogs in memory.
- The indicators of compromise, including hashes, IPs, and command-and-control artefacts.
- The detection opportunities section with process, memory, and network correlations used for hunting.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org