TL;DR: Storm-0249’s 2025 ClickFix campaigns combined phishing, fake Microsoft domains, curl-to-PowerShell execution, DLL sideloading, and TLS-hidden C2 to bypass detection and extend dwell time, according to Cybertrust Japan’s analysis of ReliaQuest reporting. The pattern shows that endpoint controls fail when attackers turn trusted tools and signed binaries into delivery and persistence channels.
At a glance
What this is: This is an analysis of Storm-0249’s evolving ClickFix campaigns, showing how phishing, signed-tool abuse, and DLL sideloading are being used to evade EDR and sustain command-and-control.
Why it matters: It matters because identity and access teams must treat trusted execution paths, admin tooling, and endpoint telemetry as governance issues, not just malware detection problems.
👉 Read Cybertrust Japan’s analysis of Storm-0249’s ClickFix attack evolution
Context
ClickFix is a social-engineering led intrusion pattern that lures users into running attacker-controlled code themselves. In this case, the control gap is not a single missed signature but the trust placed in signed binaries, common utilities, and user-driven execution on managed endpoints.
For IAM, PAM, and NHI programmes, the relevance is indirect but real: once attackers gain an execution foothold, they often pivot into credential theft, lateral movement, and privilege abuse. Storm-0249’s tradecraft is a reminder that endpoint compromise frequently becomes identity compromise next.
The article’s starting point is typical of current intrusion chains rather than exceptional. Attackers increasingly reuse legitimate tooling and signed components because that reduces friction and undermines controls built around obvious malware patterns.
Key questions
Q: What breaks when users can run trusted tools in a ClickFix attack?
A: The main failure is that defenders often trust the tool rather than the context. If curl, PowerShell, or a signed installer can execute without strong provenance checks, an attacker can convert normal administration into payload delivery. The control gap is process trust, so teams should baseline expected command chains and investigate deviations immediately.
Q: Why do ClickFix campaigns increase the risk of identity compromise later on?
A: Because endpoint compromise is often the staging point for credential theft and session abuse. Once an attacker controls a workstation, they can harvest tokens, reuse browser sessions, or pivot into SaaS and cloud accounts. That makes endpoint monitoring and identity monitoring inseparable for response and containment.
Q: How can security teams detect DLL sideloading before it becomes a long-dwell intrusion?
A: Watch for signed executables loading libraries from user-writable or unusual directories, especially when the library name matches a legitimate dependency. Pair that with allowlisting, hash validation, and endpoint telemetry that highlights unexpected module loads. The goal is to detect the mismatch between trusted binary and untrusted library.
Q: What should teams do when endpoint telemetry suggests EDR evasion is underway?
A: Isolate the endpoint, preserve process and network telemetry, and look for adjacent account use from the same host before assuming the event is limited to malware removal. If the attacker has already used the machine for credential or token access, the response must expand into identity containment, not just endpoint cleanup.
Technical breakdown
ClickFix phishing and user-assisted execution
ClickFix attacks rely on deception rather than exploit delivery. The victim is pushed to copy, paste, or run instructions that appear legitimate, often through a page designed to resemble a trusted Microsoft service. That turns the user into the execution path, bypassing many email and web filters that expect a direct malware payload. The key problem is that the code launch is initiated through normal user behaviour, so the resulting process tree looks acceptable unless defenders correlate it with the surrounding web and DNS activity.
Practical implication: lock down user-driven script execution and alert on suspicious browser-to-shell handoffs.
Curl-to-PowerShell chaining and signed-tool abuse
Storm-0249’s use of curl.exe piping output into PowerShell is a classic living-off-the-land pattern. curl fetches remote content, PowerShell executes it, and both are common administrative tools that can blend into normal activity. This is not about malware as a file, but malware as a sequence of legitimate commands. When defenders treat tool reputation as sufficient, they miss the real indicator: unexpected parent-child process relationships and outbound connections that do not fit the user’s role or workstation baseline.
Practical implication: instrument process lineage and restrict script execution for endpoints that do not need it.
DLL sideloading and EDR evasion
DLL sideloading works when a legitimate, signed application loads a malicious library from a location the attacker controls. The application remains trusted, while the malicious DLL runs under its cover and inherits that trust. In this campaign, the attackers used the technique to interfere with EDR visibility and keep their code resident inside ordinary-looking binaries. The broader lesson is that detection depends on validating both the executable and the libraries it loads, not just the main signed file.
Practical implication: monitor unsigned DLL placement in user-writable paths and enforce application allowlisting with library controls.
Threat narrative
Attacker objective: The objective is durable foothold and stealthy command-and-control on victim endpoints so the operator can avoid detection and retain operational access.
- Entry begins with phishing pages that imitate Microsoft services and persuade the user to download or execute a malicious package.
- Credential or access is not immediately the target; instead, attacker-controlled code is executed through curl-to-PowerShell chaining and later protected by DLL sideloading inside signed binaries.
- Escalation occurs as the adversary hides command-and-control traffic behind TLS and normal endpoint processes, extending persistence and reducing detection.
- Impact is sustained access to compromised endpoints, allowing the operator to continue campaign activity and prepare follow-on intrusion or monetisation.
NHI Mgmt Group analysis
EDR trust assumptions fail when attackers weaponise legitimate utilities. This campaign is not a contest between malware and antivirus in the traditional sense. It is an abuse of normal administrative tooling, signed binaries, and user-driven execution paths that many environments still treat as low-risk. That shifts the governance problem from detection alone to controlling which tools can execute, where, and under what context. Practitioners should treat trusted-tool abuse as an identity and endpoint governance issue, not a narrow malware problem.
ClickFix-style intrusion chains expose a process trust gap, not just a phishing gap. The real weakness is the assumption that a signed application or familiar command line is inherently safe. Once attackers can hide inside legitimate process trees, endpoint policies need to evaluate provenance, parent-child relationships, and network behaviour together. This is where defenders should connect endpoint controls to broader access governance, because the same weak trust model that lets malicious code run often also enables credential theft and privilege abuse.
Signed-binary abuse deserves a named control lens: process provenance drift. When a trusted binary loads attacker code, the environment loses the ability to distinguish approved behaviour from injected behaviour. That drift is especially dangerous in estate-wide admin tooling where allowlists are broad and exceptions are common. A useful practitioner conclusion is to baseline normal process chains, then investigate any deviation as a possible control failure rather than a benign variation.
Identity teams should care because endpoint compromise is often the first step toward account compromise. In campaigns like this, the immediate goal is not always data theft. The longer game is to obtain credentials, session material, or access paths that can be reused across systems, including cloud and SaaS environments. That is why PAM, secrets hygiene, and device trust must be considered alongside endpoint telemetry. The practitioner takeaway is to assume that endpoint abuse will eventually become identity abuse unless those layers are linked.
Storm-0249 shows how attackers are optimising for dwell time rather than volume. The movement from noisy mass phishing to precision EDR exploitation suggests a maturing tradecraft model focused on stealth, persistence, and reuse of trusted software. That trend matters because it erodes the value of static detections and increases the importance of behavioural controls. Practitioners should expect more campaigns that look like routine admin activity until the endpoint is already compromised.
What this signals
Process trust is becoming a governance problem. Storm-0249’s tactics show that endpoint defence now depends on understanding which tools are allowed to do what in which context. Security teams should align endpoint allowlisting, script control, and administrative privilege reviews so that trusted utilities do not become covert delivery channels.
For identity programmes, the important shift is that endpoint abuse and account abuse increasingly happen in sequence. If a workstation can launch malicious code, the next question is whether that code can reach browser sessions, tokens, or cloud consoles before containment. That is where device trust and identity trust must be correlated in the same operating model.
The broader lesson is that adversaries are optimising for stealth inside routine enterprise behaviour. Teams that still measure success only by malware blocking will miss the growing class of attacks that succeed by looking operationally normal until the compromise is already established.
For practitioners
- Restrict scriptable tool chains Block or tightly control curl.exe, PowerShell, and similar utilities on endpoints that do not require them for business operations. Where they are required, log command lines, parent processes, and destination domains so curl-to-PowerShell chains can be flagged quickly.
- Harden download-to-execution paths Treat browser-to-shell transitions as high-risk events and alert when a user downloads a file and immediately launches a script or installer from a temporary or user-writable path. Pair this with attachment and web filtering that looks for lookalike Microsoft domains and path manipulation.
- Control DLL loading behaviour Monitor signed applications that load libraries from user-writable folders, then deny or quarantine unsigned DLLs placed beside trusted executables. Application allowlisting should extend to library loading rules, not just the main process image.
- Correlate endpoint telemetry with identity signals When a workstation shows suspicious execution chains, immediately look for credential use, unusual SaaS logins, token reuse, and access from the same device. That correlation helps determine whether the intrusion has already crossed from endpoint compromise into account abuse.
Key takeaways
- Storm-0249’s ClickFix campaigns show that attackers can turn legitimate tools, signed binaries, and user actions into an effective EDR evasion path.
- The relevant control gap is process trust and execution provenance, not only malware detection or phishing filtering.
- Identity teams should assume that endpoint compromise can become credential abuse quickly, so device telemetry and identity signals need to be correlated.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0002 , Execution; TA0005 , Defense Evasion | The article centres on phishing-led execution and EDR evasion techniques. |
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is needed to spot abnormal tool chaining and sideloading. |
| NIST SP 800-53 Rev 5 | SI-4 | Security monitoring controls apply to endpoint compromise and C2 concealment. |
| CIS Controls v8 | CIS-10 , Malware Defenses | The attack depends on malware behaviours that can slip past weak allowlisting and monitoring. |
Apply CIS-10 with allowlisting, script control, and suspicious-process detection on managed endpoints.
Key terms
- ClickFix: ClickFix is a social-engineering pattern that persuades a user to run or paste attacker-controlled instructions, often under the guise of fixing a problem or verifying access. The technique shifts execution from the attacker to the victim's workstation, making the resulting activity look like ordinary user behaviour.
- DLL Sideloading: DLL sideloading is a technique where a legitimate application loads a malicious dynamic-link library from a location the attacker can influence. Because the host application is trusted, the malicious code can inherit that trust and run with reduced suspicion, especially where library provenance is not tightly enforced.
- Living Off The Land: Living off the land means using built-in or commonly approved tools already present on a system to carry out malicious activity. The attacker benefits from lower detection rates because the commands and binaries often resemble legitimate administrative work unless defenders inspect context and sequence.
What's in the full article
Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:
- The full incident timeline for Storm-0249’s 2025 campaigns, including how the group adapted its tradecraft over time.
- The specific phishing page patterns, file paths, and binary names used to stage the malicious payloads.
- The ReliaQuest-derived analysis of DLL sideloading and C2 concealment that underpins the detection discussion.
- The article’s mitigation notes on tool restriction, C2 monitoring, and endpoint hardening.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to the wider security stack.
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org