New Lampion Stealer Uses ClickFix Attack to Silently Steal Login Credentials

Researchers have uncovered a sophisticated campaign leveraging the Lampion banking trojan, a malware strain that has operated since 2019 with a renewed focus on Portuguese financial institutions.

The threat actor group behind these operations has refined its tactics significantly, introducing novel social engineering techniques that make traditional detection increasingly difficult.

What distinguishes this latest iteration is the integration of ClickFix lures, a deceptive method that convinces users they need to fix technical issues before executing malicious payloads.

The infection vector begins with carefully crafted phishing emails mimicking legitimate bank transfer notifications.

Threat actors use compromised email accounts to distribute these messages, lending them authenticity that casual inspection might miss.

The emails contain ZIP file attachments rather than direct links, a tactical shift implemented around mid-September 2024 that demonstrates the group’s adaptive approach to bypassing security controls.


Bitsight analysts identified the campaign’s evolution across three distinct time periods, with the most notable transformation occurring in mid-December 2024 when ClickFix social engineering entered the attack chain.

Infection chain (Source – Bitsight)

The researchers documented the malware's active infection rate at several dozen new infections per day, with hundreds of compromised systems currently under attacker control.

This scale reflects the campaign’s effectiveness and the group’s operational sophistication. The infection chain reveals a multi-stage architecture designed to evade detection at each step.

After victims download the deceptively labeled attachment, they encounter what appears to be a legitimate Windows error notification, complete with familiar UI elements.

New ClickFix lure (Source – Bitsight)

This ClickFix lure prompts users to click links that initiate the actual malware delivery, creating a false sense of security while the infection process unfolds behind the scenes.

Infection Mechanism and Persistence Tactics

The technical infrastructure supporting this campaign demonstrates considerable expertise in operational security.

The infection chain progresses through obfuscated Visual Basic scripts, each stage further obfuscating the malicious intent until reaching the final DLL payload containing the stealer functionality.

Notably, persistence mechanisms were added to the first stage around June 2025, enabling the malware to survive system reboots and maintain access across sessions.
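The staged chain described above (an attachment extracted to a user-writable folder, a script host running the first VBS stage, further VBS stages, then a DLL payload loaded from the same kind of location) is what an endpoint detection should look for. The following is an added example written for this article, not code from Bitsight or from the campaign itself; the process telemetry, its field names (pid, ppid, image, cmdline), paths and file names are all constructed.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# User-writable folders where an extracted ZIP attachment or a dropped stage typically lands.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)

def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_vbs_to_dll_chains(events):
    """Flag a script host that runs a .vbs from a user-writable path when one of its
    descendant processes loads a DLL from a user-writable path (assumed event schema)."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if _image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        vbs = re.search(r'"?([^"\s]+\.vbs)"?', e["cmdline"], re.I)
        if not vbs or not USER_WRITABLE.search(vbs.group(1)):
            continue
        # Walk every descendant of the script host, not just direct children,
        # because the chain passes through several VBS stages before the DLL.
        stack = list(children.get(e["pid"], []))
        while stack:
            c = stack.pop()
            stack.extend(children.get(c["pid"], []))
            dll = re.search(r'"?([^"\s]+\.dll)"?', c["cmdline"], re.I)
            if (_image_name(c["image"]) in DLL_LOADERS and dll
                    and USER_WRITABLE.search(dll.group(1))):
                findings.append({"script_pid": e["pid"], "vbs": vbs.group(1),
                                 "loader_pid": c["pid"], "dll": dll.group(1)})
    return findings

# Constructed telemetry: ZIP extracted to Temp, first-stage VBS run by wscript, a second
# VBS stage, then rundll32 loading the final DLL from Temp. The last event is benign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_comprovativo.zip\comprovativo.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ana\AppData\Local\Temp\stage2.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\payload.dll,EntryPoint"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```

Running `find_vbs_to_dll_chains(SAMPLE_EVENTS)` reports both VBS stages because each has the rundll32 load among its descendants, while the explorer-launched shell32.dll call is ignored.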

The threat actors employ geographically distributed infrastructure spanning multiple cloud providers, effectively compartmentalizing their operations.

IP blacklisting capabilities within their infrastructure prevent security researchers from tracing the complete infection chain, while also enabling fine-grained control over which victims receive which payloads.

Bitsight researchers noted that the hundreds of unique samples at each infection stage suggest automated generation, indicating the group has the technical capability to scale its operations efficiently while maintaining operational security throughout the attack cycle.

Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.