The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy remote access trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys the GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology, bypasses traditional defenses, and has seen increased activity in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.

Author: AlienVault
Related Tags:
EDDIESTEALER
clickfix
multi-stage attack
T1566.002
T1204.001
remote access trojan
T1059.001
T1574.002
T1539
Associated Indicators:


