Lampion Trojan Resurfaces: How a Banking Malware Evolved into a Sophisticated Threat

A new wave of cyberattacks is shaking the financial sector in Portugal. Researchers have uncovered a revitalized campaign leveraging the Lampion banking trojan, a malware strain first detected in 2019 — now back with sharper tactics, deceptive lures, and an advanced technical backbone.

What makes this latest iteration particularly alarming is its integration of “ClickFix” lures, a novel social engineering trick that convinces victims they must “fix” non-existent technical issues. With a single click, they unknowingly open the door to one of the most elusive trojans operating today.

From Classic Phishing to Modern Deception

The Lampion campaign starts with carefully crafted phishing emails disguised as legitimate bank transfer notifications. Unlike traditional phishing attacks that rely on malicious links, these messages come attached with ZIP files — a deliberate shift that began around mid-September 2024.

“This tactical shift allows attackers to bypass link-based filters and slip malicious payloads past standard email defenses.”

To make matters worse, the threat actors are using compromised legitimate email accounts, lending their campaigns a dangerous level of authenticity that can easily fool even cautious users.

The Rise of ClickFix: A Psychological Trap

In mid-December 2024, researchers from Bitsight observed a striking evolution in the attack chain — the introduction of the ClickFix social engineering technique.

Here’s how it works: after downloading the attachment, victims encounter what looks like a real Windows error notification, complete with familiar icons and design elements. The prompt instructs users to “click to fix” an issue, which seems harmless — but that single click launches the true malware delivery process in the background.

This clever deception gives users a false sense of security while the Lampion trojan quietly embeds itself within their systems.

Multi-Stage Infection and Stealth by Design

Under the hood, Lampion employs a multi-stage infection architecture — each layer designed to hide the malware’s intent until it’s too late. The attack begins with heavily obfuscated Visual Basic scripts, which unfold step by step into the final DLL payload responsible for stealing sensitive financial data.

Researchers note that since June 2025, Lampion has gained persistence mechanisms, allowing it to survive system reboots and maintain long-term access to infected machines. This marks a major leap in its technical maturity and staying power.

A Distributed and Adaptive Infrastructure

Lampion’s operators aren’t amateurs. Their backend infrastructure showcases strong operational security (OpSec) practices. The group relies on geographically distributed servers across multiple cloud providers, effectively compartmentalizing operations and reducing the risk of exposure.

To further hinder analysis, the attackers use IP blacklisting to block security researchers from fully tracing the infection chain. Each victim’s infection path is carefully controlled — and with hundreds of unique samples generated automatically, the group has achieved industrial-scale malware automation.

Scope and Impact

Bitsight analysts estimate that Lampion currently maintains dozens of new infections daily, with hundreds of compromised systems under active attacker control. This scale underscores the campaign’s efficiency and the group’s growing sophistication in targeting the Portuguese banking sector.

The Takeaway: A Lesson in Adaptation

The Lampion trojan’s resurgence is more than a regional incident — it’s a case study in how cybercriminals evolve. From exploiting human trust through ClickFix prompts to deploying distributed infrastructure that confounds analysis, Lampion embodies the next generation of stealthy, scalable cyber threats.

As organizations strengthen defenses, attackers innovate just as quickly. Vigilance, layered security, and user awareness remain the best shields against such adaptive adversaries.

Stay Protected

  • ⚙️ Educate users about deceptive file attachments and fake “fix” prompts.
  • 🔒 Implement robust email filtering and sandboxing for attachments.
  • 🧩 Monitor for suspicious script and DLL executions in real time.
  • 🛡️ Keep systems patched and maintain full endpoint visibility.
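As an added illustration of the monitoring point above (this is example code, not Bitsight's or the article's), the function below walks constructed process-creation records and flags the chain the article describes: a Visual Basic script launched from a location where a ZIP attachment would be extracted, followed somewhere down its process tree by a DLL being loaded. The script hosts, DLL loaders, staging directories and field names are assumptions; the article names none of them.

```python
"""Flag script-to-DLL execution chains in constructed process-creation records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed binaries: the standard Windows hosts for .vbs scripts and for
# running DLLs. The article does not name which ones Lampion uses.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Assumed user-writable places where an opened ZIP attachment is extracted.
STAGING_DIRS = ("appdata\\local\\temp", "downloads")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the started process
    cmdline: str  # command line as logged


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_script_to_dll_chains(events):
    """Return (script_pid, loader_pid) pairs where a script host that ran a
    .vbs from a staging directory is an ancestor of a DLL loader process."""
    by_pid = {e.pid: e for e in events}
    suspects = {e.pid for e in events
                if _name(e.image) in SCRIPT_HOSTS and ".vbs" in e.cmdline.lower()
                and any(d in e.cmdline.lower() for d in STAGING_DIRS)}
    hits = []
    for e in events:
        if _name(e.image) not in DLL_LOADERS:
            continue
        cur, seen = by_pid.get(e.ppid), set()   # walk up the parent chain
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.pid in suspects:
                hits.append((cur.pid, e.pid))
                break
            cur = by_pid.get(cur.ppid)
    return hits


# Constructed sample telemetry, not real Lampion data.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_transfer.zip\aviso.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start stage2"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\ana\AppData\Local\Temp\stage3.dll,Run"),
    ProcEvent(500, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),   # benign: no script ancestor
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),       # benign: not a staging dir
]

if __name__ == "__main__":
    print(find_script_to_dll_chains(SAMPLE))  # [(200, 400)]
```

Only the rundll32 process whose ancestry leads back to the script launched from the Temp directory is reported; the control-panel call and the logon script are left alone.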

The Lampion campaign proves that even an old malware family can be reborn — smarter, stealthier, and more dangerous than before.