TL;DR: Storm-0249’s 2025 ClickFix campaigns combined phishing, fake Microsoft domains, curl-to-PowerShell execution, DLL sideloading, and TLS-hidden C2 to bypass detection and extend dwell time, according to Cybertrust Japan’s analysis of ReliaQuest reporting. The pattern shows that endpoint controls fail when attackers turn trusted tools and signed binaries into delivery and persistence channels.
NHIMG editorial — based on content published by Cybertrust Japan: Storm-0249’s ClickFix attack analysis and evolving threat behavior
Questions worth separating out
Q: What breaks when users can run trusted tools in a ClickFix attack?
A: The main failure is that defenders often trust the tool rather than the context.
Q: Why do ClickFix campaigns increase the risk of identity compromise later on?
A: Because endpoint compromise is often the staging point for credential theft and session abuse.
Q: How can security teams detect DLL sideloading before it becomes a long-dwell intrusion?
A: Watch for signed executables loading libraries from user-writable or unusual directories, especially when the library name matches a legitimate dependency.
Practitioner guidance
- Restrict scriptable tool chains Block or tightly control curl.exe, PowerShell, and similar utilities on endpoints that do not require them for business operations.
- Harden download-to-execution paths Treat browser-to-shell transitions as high-risk events and alert when a user downloads a file and immediately launches a script or installer from a temporary or user-writable path.
- Control DLL loading behaviour Monitor signed applications that load libraries from user-writable folders, then deny or quarantine unsigned DLLs placed beside trusted executables.
What's in the full article
Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:
- The full incident timeline for Storm-0249’s 2025 campaigns, including how the group adapted its tradecraft over time.
- The specific phishing page patterns, file paths, and binary names used to stage the malicious payloads.
- The ReliaQuest-derived analysis of DLL sideloading and C2 concealment that underpins the detection discussion.
- The article’s mitigation notes on tool restriction, C2 monitoring, and endpoint hardening.
👉 Read Cybertrust Japan’s analysis of Storm-0249’s ClickFix attack evolution →
Storm-0249 ClickFix campaigns: what EDR teams need to rethink?
Explore further
EDR trust assumptions fail when attackers weaponise legitimate utilities. This campaign is not a contest between malware and antivirus in the traditional sense. It is an abuse of normal administrative tooling, signed binaries, and user-driven execution paths that many environments still treat as low-risk. That shifts the governance problem from detection alone to controlling which tools can execute, where, and under what context. Practitioners should treat trusted-tool abuse as an identity and endpoint governance issue, not a narrow malware problem.
A question worth separating out:
Q: What should teams do when endpoint telemetry suggests EDR evasion is underway?
A: Isolate the endpoint, preserve process and network telemetry, and look for adjacent account use from the same host before assuming the event is limited to malware removal. If the attacker has already used the machine for credential or token access, the response must expand into identity containment, not just endpoint cleanup.
👉 Read our full editorial: Storm-0249’s ClickFix tradecraft shows why EDR trust breaks