Researchers have discovered a new wave of attacks using the Lampion banking trojan, malware active since 2019 that is now targeting users of Portuguese banks more aggressively.
The attackers have improved their methods by using smarter social engineering techniques that are harder to detect.
Lampion banking trojan
In this latest campaign, they are using a tactic called ClickFix, which tricks users into thinking they need to “fix” a fake technical issue. When users follow the instructions, the malware is unknowingly executed.
The attack starts with phishing emails that look like legitimate bank transfer notifications. These emails are sent from compromised email accounts, making them appear more credible.
Instead of links, the attackers now attach ZIP files containing the malware — a strategy they started using around mid-September 2024 to avoid security filters.
According to Bitsight researchers, the attackers changed their methods over three phases, with the biggest shift in mid-December 2024 when ClickFix was added to the infection process.
Researchers observed dozens of new infections every day, with hundreds of devices already under the attackers’ control. This shows how effective and well-planned the campaign is.
The malware uses multiple steps to avoid being detected. After the victim opens the attached file, a fake Windows error message appears, making everything look legitimate while the malware continues to run in the background.
The ClickFix trick gets users to click a link, making them believe they’re fixing an issue while the malware installs silently in the background.
Infection Process & Persistence
This campaign shows a high level of technical skill and planning.
The malware infection happens in multiple steps using hidden (obfuscated) Visual Basic scripts. Each step hides the true purpose of the malware until it finally loads the main DLL file, which is responsible for stealing information.
Around June 2025, the attackers added a persistence feature, allowing the malware to stay active even after the computer is restarted.
The threat actors use servers spread across different cloud providers, making it harder to trace or shut down their operations. Their system also blocks certain IP addresses, preventing security researchers from analyzing the full attack sequence.
Researchers found hundreds of unique malware files at every stage of the infection, suggesting that the group uses automated tools to generate new versions quickly and operate at scale while staying hidden.
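The delivery chain described above (a ZIP attachment carrying obfuscated Visual Basic script stages rather than a link) is something a mail gateway or SOC triage script can check for before a user ever opens the file. The following is an added, defender-side example written for this article; it is not code from the Bitsight report or from the malware. It builds a constructed sample attachment inline (the file name and the harmless one-line script body are invented for the demonstration) and flags script payloads, document-looking double extensions, and nested archives. The extension lists and the `max_depth` limit are assumptions chosen for the example, not values taken from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Assumed lists for this example: script types that should never arrive inside a
# "bank transfer notification", and archive types worth unpacking one level down.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass
class ZipFinding:
    member: str   # path of the archive member that triggered the finding
    reason: str   # human-readable explanation for the analyst


def _basename_parts(member_name: str) -> List[str]:
    """Split the member's file name (ignoring folders) on dots, lower-cased."""
    return member_name.rsplit("/", 1)[-1].lower().split(".")


def scan_zip_attachment(data: bytes, depth: int = 0, max_depth: int = 2) -> List[ZipFinding]:
    """Inspect a ZIP attachment without executing anything and return findings."""
    findings: List[ZipFinding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [ZipFinding("<root>", "not a valid ZIP archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = _basename_parts(info.filename)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append(ZipFinding(info.filename, f"script payload ({ext})"))
                # "report.pdf.vbs" style names disguise a script as a document.
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                    findings.append(ZipFinding(info.filename,
                                               "double extension disguising a script as a document"))
            elif ext in ARCHIVE_EXTENSIONS:
                if depth >= max_depth:
                    findings.append(ZipFinding(info.filename, "nested archive beyond inspection depth"))
                    continue
                findings.append(ZipFinding(info.filename, "nested archive"))
                inner = scan_zip_attachment(zf.read(info), depth + 1, max_depth)
                findings.extend(ZipFinding(f"{info.filename}/{f.member}", f.reason) for f in inner)
    return findings


def is_suspicious(data: bytes) -> bool:
    """A nested archive alone is only informational; anything else blocks delivery."""
    return any(f.reason != "nested archive" for f in scan_zip_attachment(data))


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a comment-only VBS file with a PDF-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovativo_Transferencia.pdf.vbs", "' constructed placeholder, no code\r\n")
    return buf.getvalue()


def build_nested_attachment() -> bytes:
    """Constructed sample: the archive above wrapped inside a second ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notificacao.zip", build_sample_attachment())
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed sample: a ZIP containing only a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aviso.txt", "plain text notice\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_attachment()),
                        ("nested", build_nested_attachment()),
                        ("benign", build_benign_attachment())):
        print(label, "suspicious" if is_suspicious(blob) else "clean")
        for f in scan_zip_attachment(blob):
            print("   ", f.member, "->", f.reason)
```

The scan never extracts to disk or runs a member, so it is safe to place in front of the mailbox; the nested-archive path matters because a wrapper ZIP is a cheap way to push a script past a filter that only looks at the outer file list.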