TL;DR: A fake Booking-themed portal used ClickFix social engineering to push malicious PowerShell, stage ZIP payloads, establish persistence, and deploy PureHVNC for remote control, according to Gurucul. The chain shows that user-assisted execution, trusted binaries, and in-memory delivery can defeat controls built around static detection and file-based inspection.
NHIMG editorial — based on content published by Gurucul: ClickFix to PureHVNC: Multi-Stage Malware Delivery via Fake Booking Portal
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when users are allowed to execute PowerShell from untrusted prompts?
A: What breaks is the assumption that initial execution will be caught by malware signatures or exploit controls.
Q: Why do trusted binaries and DLL side-loading increase malware risk in Windows environments?
A: Trusted binaries increase risk because defenders often trust the parent process more than the code it loads.
Q: How do security teams know whether persistence has moved from a foothold to an active compromise?
A: Persistence becomes active compromise when a foothold can survive logon, restart, or user cleanup and then reconnect to command-and-control infrastructure.
Practitioner guidance
- Detect user-assisted command execution Alert on PowerShell launched from the Run dialog, hidden windows, execution-policy bypasses, and iex(irm ...) usage together.
- Hunt for DLL side-loading conditions Review signed binaries that load DLLs from user-writable or temporary paths, especially where the DLL name resembles a legitimate component.
- Correlate persistence with post-execution activity Join registry Run key changes, scheduled task creation, process injection, and outbound beaconing into one investigative view.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Command-level examples of the malicious PowerShell used for ClickFix delivery and how it was chained with hidden execution.
- File, path, and process details for the ZIP stage, DLL side-loading setup, and PureHVNC payload staging.
- Indicators of compromise, including hashes, domains, URLs, and IP:port values for hunt enrichment.
- Detection and mitigation recommendations mapped to suspicious PowerShell, persistence, side-loading, and injection telemetry.
👉 Read Gurucul's analysis of the ClickFix-to-PureHVNC malware chain →
ClickFix to PureHVNC: what IAM and security teams should watch?
Explore further
Social engineering has become an identity control bypass, not just a malware lure. This campaign succeeds because the user is turned into the initial execution mechanism, which means the access decision happens outside the normal security workflow. That shifts the problem from endpoint hygiene alone to governance over user-assisted code execution, especially where trusted utilities like PowerShell are allowed to bootstrap later stages.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: What should teams do before an in-memory injection chain completes?
A: Teams should isolate the host, preserve volatile telemetry, and block outbound command-and-control paths before the attacker can finish process injection and payload staging. Once the payload is mapped into a legitimate process, the forensic trail becomes thinner and containment costs rise quickly. Rapid correlation across endpoint and network telemetry is essential.
👉 Read our full editorial: ClickFix-to-PureHVNC shows how social engineering bypasses control gaps