Lampion Is Back With ClickFix Lures unit42.paloaltonetworks.com/lampion-m…

Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019.

During our investigation, we found that the group has added ClickFix lures to their arsenal. ClickFix is a social engineering technique that multiple malware families have adopted since late 2024; it lures victims into copying and executing malicious commands on their own machines under the guise of fixing computer problems.

This campaign follows many of the same patterns as previous Lampion malware activity in terms of targets and infrastructure, as well as tactics, techniques and procedures (TTPs). These include multiple, highly obfuscated Visual Basic (VB) scripts as part of the attack chain, and similarities in the initial social engineering themes.
