'What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords': Experts warn that free image editor tool could actually be dangerous malware

A malicious website posing as an online photo background removal tool is using SEO poisoning and ClickFix tactics to infect user devices with sophisticated infostealing malware.

Key Points

  • Cybersecurity firm Huntress identified a fake photo editing site that ranks highly in search results to lure unsuspecting users.
  • The site uses ClickFix social engineering to trick victims into executing a malicious command via the Windows Run dialog.
  • Initial infection occurs through CastleLoader, which subsequently deploys the NetSupport RAT and a custom .NET tool called CastleStealer.
  • The malware targets sensitive data, including browser credentials, cryptocurrency wallet information, Discord tokens, and Telegram session files.
  • Experts recommend disabling the Windows Run dialog shortcut (Win+R) where it is not needed and educating users never to execute commands supplied by unfamiliar websites.
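The two practical responses a defender can take to the points above, as an added PowerShell example that is not part of the TechRadar article or Huntress's research: first, review what has been typed into the Run dialog, since Windows records that history in the RunMRU registry key and a ClickFix lure depends on the victim pasting a command there; second, apply the documented Explorer "NoRun" policy, which is what "disabling the Run shortcut" maps to in the registry. The keyword list used to flag entries as suspicious is an assumed heuristic, not an indicator from the campaign.

```powershell
# Added example, not code from the article or from Huntress.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-RunDialogHistory {
    # RunMRU holds commands entered via Win+R for the current user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # MRUList orders the single-letter value names, most recent first.
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
    foreach ($name in $order) {
        $raw = $props.$name
        if ($null -eq $raw) { continue }
        # Each entry is stored as "<command>\1"; strip the trailing marker.
        $cmd = $raw -replace '\\1$', ''
        [pscustomobject]@{
            Slot       = $name
            Command    = $cmd
            # Assumed heuristic: common living-off-the-land launchers and download hints.
            Suspicious = ($cmd -match 'powershell|pwsh|mshta|curl|certutil|bitsadmin|-enc|iex|http')
        }
    }
}

function Disable-RunDialog {
    param([switch]$MachineWide)
    $hive = if ($MachineWide) { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # NoRun = 1 removes Run from the Start menu and blocks Win+R. Explorer must be
    # restarted (or the user must sign out) before the policy takes effect.
    New-ItemProperty -Path $key -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Triage first, then decide whether to apply the policy.
Get-RunDialogHistory | Format-Table -AutoSize
# Disable-RunDialog                 # current user only
# Disable-RunDialog -MachineWide    # all users; needs an elevated prompt
```

NoRun only removes the dialog; the same one-liner can still be pasted into a terminal or the File Explorer address bar, so treat it as added friction alongside user awareness rather than a complete control. RunMRU is per-user, so run the triage function in the context of the account that was lured, and export the key before clearing it if the host may need forensic review.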

Why it Matters

This campaign demonstrates how attackers use search engine optimization to compromise systems by targeting a common user task. It highlights the growing risk of credential theft and remote access attacks that sidestep traditional security controls by manipulating users into performing the installation themselves.
Source: TechRadar. Written by Sead Fadilpašić.