Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ClickFix fileless malware: what IAM and NHI teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: A ClickFix campaign used a spoofed licensing site, staged PowerShell, Donut shellcode, and in-memory .NET execution to deliver PureLogs stealer, targeting browser credentials, Windows Credential Manager, and cryptocurrency wallets, according to Gurucul. The case shows how fileless delivery blurs endpoint and identity boundaries, making credential exposure and runtime telemetry the real control points.

NHIMG editorial — based on content published by Gurucul: LLMjacking: How Attackers Hijack AI Using Compromised NHIs

By the numbers:

Questions worth separating out

Q: How should security teams detect ClickFix-style PowerShell abuse in practice?

A: Teams should correlate user-initiated shell execution, hidden PowerShell windows, remote script retrieval, and memory-only payload staging in a single detection path.

Q: Why do fileless stealers create a bigger credential risk than ordinary malware?

A: Fileless stealers matter because they target reusable identity material such as browser cookies, session tokens, password manager data, and Windows Credential Manager contents.

Q: What do teams get wrong about PowerShell-based malware campaigns?

A: Many teams still treat PowerShell abuse as an endpoint hygiene issue rather than an identity and access issue.

Practitioner guidance

  • Correlate user-executed PowerShell with identity telemetry Tie Win+R initiated script execution, hidden PowerShell windows, and outbound connections into a single detection path so analysts can see when a browsing session becomes an execution event.
  • Harden access to browser credential stores and wallet artefacts Review which accounts and processes can read Chromium profile data, Windows Credential Manager paths, and browser session files.
  • Detect RWX memory allocation from script hosts Alert on VirtualAlloc with PAGE_EXECUTE_READWRITE followed by CreateThread when the parent process is PowerShell or another script host.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact PowerShell execution chain used to retrieve and stage the payloads.
  • The Donut shellcode and CLR-loading sequence that reconstructs PureLogs in memory.
  • The indicators of compromise, including hashes, IPs, and command-and-control artefacts.
  • The detection opportunities section with process, memory, and network correlations used for hunting.

👉 Read Gurucul's full threat research on the Canndelta ClickFix PureLogs campaign →

ClickFix fileless malware: what IAM and NHI teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Credential theft has become an identity workflow problem, not just a malware problem. PureLogs is valuable to defenders because it shows the attacker’s real target is stored authentication material, session tokens, and wallet artefacts, not the host in isolation. That means the security boundary is now the identity surface exposed by browser stores, password managers, and Windows Credential Manager. Practitioners should treat credential repositories as active attack infrastructure.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How should organisations respond when browser credentials may have been harvested?

A: Contain the user session, invalidate exposed cookies and tokens, reset any reused credentials, and check whether the same secrets are used by service accounts or downstream integrations. Because browser stores can hold reusable identity material, the response should cover both human accounts and any linked non-human access.

👉 Read our full editorial: ClickFix malware turns PowerShell into a fileless stealers chain



   
ReplyQuote
Share: