Cybernews
Malicious Background Removal Tool Distributes RATs and Infostealers
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A new cyber threat identified by Huntress involves a fake background removal website that tricks users into executing malicious commands. Dubbed BackgroundFix, this site masquerades as a free image-editing service, targeting individuals who may not have established tools for photo editing. The attack initiates when users interact with a CAPTCHA-like checkbox, which leads to a command being copied to their clipboard. This command installs CastleLoader, which subsequently drops the NetSupport RAT and a custom infostealer known as CastleStealer. CastleStealer is designed to harvest sensitive information, including saved passwords and session files. The campaign is ongoing, with multiple domains identified using the same malicious template. Users are advised to avoid copy-paste verification prompts and to be cautious with unfamiliar web tools.
Key Points: • BackgroundFix masquerades as a legitimate photo editing tool to distribute malware. • The attack uses social engineering tactics to execute malicious commands on victims' systems. • CastleStealer targets sensitive data, including passwords and crypto wallet information.