By NHI Mgmt Group Editorial TeamPublished 2026-05-07Domain: Governance & RiskSource: Gurucul

TL;DR: A fake Booking-themed portal used ClickFix social engineering to push malicious PowerShell, stage ZIP payloads, establish persistence, and deploy PureHVNC for remote control, according to Gurucul. The chain shows that user-assisted execution, trusted binaries, and in-memory delivery can defeat controls built around static detection and file-based inspection.


At a glance

What this is: This threat research explains a ClickFix social-engineering campaign that uses fake booking verification, PowerShell abuse, persistence, and DLL side-loading to deliver PureHVNC RAT.

Why it matters: It matters because identity and endpoint teams need to treat user-executed code, trusted-binary abuse, and staged payload delivery as governance problems, not just malware problems.

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
  • Only 5.7% of organisations have full visibility into their service accounts.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.

👉 Read Gurucul's analysis of the ClickFix-to-PureHVNC malware chain


Context

ClickFix-style campaigns turn user interaction into the initial execution path. Instead of exploiting a software vulnerability first, the attacker depends on a person to run a command that starts the malware chain, which makes identity, endpoint, and user behaviour controls part of the same defence surface.

In this case, the fake Booking-themed portal is only the delivery mechanism. The wider issue is that legitimate Windows utilities, staged payloads, and signed binary abuse can all be combined to defeat controls that assume malicious code will look obviously malicious at the point of first execution.


Key questions

Q: What breaks when users are allowed to execute PowerShell from untrusted prompts?

A: What breaks is the assumption that initial execution will be caught by malware signatures or exploit controls. If a user can be persuaded to run a hidden PowerShell command, the attacker inherits a legitimate execution context and can stage follow-on activity before traditional controls see a clearly malicious file. Behavioural monitoring becomes the only dependable early warning.

Q: Why do trusted binaries and DLL side-loading increase malware risk in Windows environments?

A: Trusted binaries increase risk because defenders often trust the parent process more than the code it loads. If an attacker can place a malicious DLL beside a legitimate binary, the code runs under the appearance of normal software execution. That weakens allow-listing, especially when the parent process is signed and commonly seen on endpoints.

Q: How do security teams know whether persistence has moved from a foothold to an active compromise?

A: Persistence becomes active compromise when a foothold can survive logon, restart, or user cleanup and then reconnect to command-and-control infrastructure. Registry Run keys, scheduled tasks, and repeated beaconing together show that the attacker can re-enter the endpoint and continue operating. Teams should look for those linked behaviours, not just single persistence events.

Q: What should teams do before an in-memory injection chain completes?

A: Teams should isolate the host, preserve volatile telemetry, and block outbound command-and-control paths before the attacker can finish process injection and payload staging. Once the payload is mapped into a legitimate process, the forensic trail becomes thinner and containment costs rise quickly. Rapid correlation across endpoint and network telemetry is essential.


Technical breakdown

User-assisted PowerShell execution as the entry point

The entry path is social engineering, not exploit code. The victim is persuaded to open the Windows Run dialog and execute a PowerShell command that hides the window, bypasses execution policy, and pulls code directly into memory with iex(irm ...). That pattern matters because the command is executed by the user context, which gives the attacker a legitimate starting point and reduces the chance that traditional exploit-based controls will trigger. Once PowerShell is running, the campaign can stage additional activity without dropping an obvious executable first.

Practical implication: monitor for hidden PowerShell, execution-policy bypasses, and Run-dialog initiated command chains.

Staged ZIP payloads, trusted binary abuse, and DLL side-loading

The second stage uses remote ZIP delivery, temporary directories, and cleanup to minimise artifacts. The payload is then unpacked beside psl.exe so the legitimate binary loads a malicious DLL through DLL search order hijacking. This is a classic trust-abuse pattern: the attacker does not need to replace the binary, only shape the file layout so a trusted process loads attacker-controlled code. In practice, DLL side-loading is especially effective when the signed parent binary and the malicious DLL path both look routine enough to evade simple allow-lists.

Practical implication: detect signed-binary proxy execution and unusual DLL loads from user-writable paths.

In-memory process injection and persistence mechanics

After staging, the malware moves to persistence and stealth. Registry Run keys and scheduled tasks ensure re-entry at logon, while process injection into AddInProcess32.exe and in-memory PE loading reduce forensic visibility. The result is a multi-stage chain that survives reboots, blends into normal process trees, and keeps the payload largely off disk. This is why defenders need telemetry that correlates process creation, registry writes, section mapping, and outbound beaconing instead of looking at each event in isolation.

Practical implication: correlate persistence creation, process injection, and beaconing into one detection timeline.


Threat narrative

Attacker objective: The attacker wants durable remote access to the victim endpoint while keeping execution fileless, blended into trusted processes, and hard to forensically reconstruct.

  1. Entry: The campaign begins when a victim visits a fake Booking-themed verification portal and is instructed to execute a malicious PowerShell command from the Windows Run dialog.
  2. Escalation: The attacker uses PowerShell to download staged content, perform system profiling, exfiltrate host details, and prepare a ZIP-based second stage that sets up persistence and DLL side-loading.
  3. Impact: The chain culminates in PureHVNC RAT deployment with process injection, giving the attacker persistent remote access and covert control of the compromised endpoint.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Social engineering has become an identity control bypass, not just a malware lure. This campaign succeeds because the user is turned into the initial execution mechanism, which means the access decision happens outside the normal security workflow. That shifts the problem from endpoint hygiene alone to governance over user-assisted code execution, especially where trusted utilities like PowerShell are allowed to bootstrap later stages.

Trusted-binary abuse creates an identity confusion problem for defenders. When psl.exe loads a malicious DLL, the execution path inherits trust from a legitimate binary while the payload remains attacker-controlled. That undermines detection models that assume signed or familiar processes are safe by default, and it reinforces why defenders need to treat file placement and parent-child execution relationships as part of identity-aware monitoring.

Persistence is the real control gap in multi-stage malware chains. Registry Run keys and scheduled tasks convert a one-time compromise into repeated execution, which is the point where containment becomes materially harder. In this campaign, the attacker does not need fast exploitation if re-entry is already established, so the operational question is whether the environment can spot and remove durable footholds before they become routine.

Identity blast radius in endpoint malware is governed by the first trusted boundary that falls. Once the attacker can combine user context, PowerShell, and signed-binary proxy execution, every later stage inherits more legitimate-looking access. The practical implication is that defenders must understand which trusted execution paths can be chained together, because that chain determines how far the compromise can spread.

Behavioural correlation is the only reliable way to see the full attack story. No single event in this chain is enough on its own: reconnaissance, staging, persistence, side-loading, and injection each look ordinary in isolation. The field should treat multi-stage malware as a sequence of identity and execution decisions, not as separate alerts, because the attack only becomes obvious when those events are joined together.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • That gap reinforces why NHI Lifecycle Management Guide is the right next stop for teams closing offboard and rotation exposure.

What this signals

ClickFix-style intrusion chains widen the boundary of identity governance. The issue is not only whether the malware lands, but whether a user can be coerced into acting as an execution principal for the attacker. Teams should treat user-driven code execution as a governance event and align controls with the behaviour of the actor, not just the tool name.

PowerShell abuse and signed-binary proxy execution make endpoint trust less binary. Once a trusted utility is used as the loader, the old distinction between legitimate process and malicious process becomes less useful. Security programmes that still depend on static allow-lists need to absorb behaviour-based correlation, or they will keep missing the chain in progress.

With only 5.7% of organisations having full visibility into service accounts, the broader lesson is that identity programmes already struggle to see non-human activity clearly. That same visibility gap shows up here as an endpoint governance problem, where trusted execution paths are exploited faster than teams can classify them.


For practitioners

  • Detect user-assisted command execution Alert on PowerShell launched from the Run dialog, hidden windows, execution-policy bypasses, and iex(irm ...) usage together. Those patterns are the earliest reliable indicators that a user has become the execution path for the attacker.
  • Hunt for DLL side-loading conditions Review signed binaries that load DLLs from user-writable or temporary paths, especially where the DLL name resembles a legitimate component. File layout is part of the attack surface when a trusted binary becomes a loader.
  • Correlate persistence with post-execution activity Join registry Run key changes, scheduled task creation, process injection, and outbound beaconing into one investigative view. The campaign only becomes operationally dangerous once persistence and remote access are both established.
  • Prioritise behavioural detections over static indicators Treat hashes, domains, and URLs as supporting intelligence, not the primary detection layer. This campaign uses fileless execution, temporary files, and trusted processes specifically to outpace signature-only controls.

Key takeaways

  • This campaign shows that social engineering can serve as the first execution control, which turns user behaviour into part of the attack surface.
  • The scale of the risk is not limited to the initial lure, because persistence, side-loading, and process injection give the attacker durable access and a much thinner forensic trail.
  • The control that matters most is behavioural correlation across execution, persistence, and network activity, because each stage looks normal until the full chain is assembled.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers credential and execution abuse that extends attack dwell time.
NIST CSF 2.0DE.CM-1Behavioural correlation across endpoint events supports continuous monitoring.
NIST Zero Trust (SP 800-207)PR.AC-4Trusted process abuse shows why access assumptions need continuous verification.

Apply PR.AC-4 by restricting privileged execution paths and verifying anomalous code-loading behaviour.


Key terms

  • ClickFix: ClickFix is a social-engineering pattern that tricks users into executing attacker-supplied commands, often by presenting them as verification or troubleshooting steps. It is effective because the malicious action is performed by the victim's own trusted context, which reduces the value of purely exploit-based detection.
  • DLL side-loading: DLL side-loading is a code-loading abuse technique where a legitimate program loads a malicious library placed in a location the program searches first. The binary appears trusted, but the attacker controls the loaded code, which makes signed-process monitoring and file path hygiene critical.
  • Process injection: Process injection is the act of placing malicious code into a running legitimate process so the payload inherits that process's appearance and sometimes its permissions. In endpoint defence, it matters because the malicious activity is harder to spot once execution is blended into a normal process tree.
  • Persistence mechanism: A persistence mechanism is any method that lets malware survive logoff, restart, or cleanup and re-establish execution later. Registry Run keys, scheduled tasks, and similar startup hooks are common examples, and they matter because they turn a temporary compromise into an ongoing access problem.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • Command-level examples of the malicious PowerShell used for ClickFix delivery and how it was chained with hidden execution.
  • File, path, and process details for the ZIP stage, DLL side-loading setup, and PureHVNC payload staging.
  • Indicators of compromise, including hashes, domains, URLs, and IP:port values for hunt enrichment.
  • Detection and mitigation recommendations mapped to suspicious PowerShell, persistence, side-loading, and injection telemetry.

👉 Gurucul's full blog covers the fake booking portal, persistence methods, and IOC set in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org