A Wretch Client: From ClickFix deception to information stealer deployment
ID: 27d1ce67-7450-5e7e-918d-b55fb68f267b
STIX ID: report--27d1ce67-7450-5e7e-918d-b55fb68f267b
Feed Name: Elastic Security Labs
**Elastic Security Labs** analyzed a ClickFix social-engineering campaign that coerces users into pasting malicious PowerShell to deploy the multi-stage GHOSTPULSE loader, which sideloads a DLL and ultimately loads an x86 .NET loader that reflectively loads ARECHCLIENT2 (SectopRAT) in memory; the report includes technical stage-by-stage analysis, IOCs (domains, many IPs, SHA-256 hashes), infrastructure attribution, and detection recommendations.
