
How ClickFix Opens the Door to Stealthy StealC Information Stealer

ID: d616efb2-cec2-5330-8087-505ea5adc16f

STIX ID: report--d616efb2-cec2-5330-8087-505ea5adc16f

Feed Name: LevelBlue SpiderLabs Blog

Threat Score: 75/100

Date Published: 2026-02-12

Date Updated: 2026-04-28

Author: Rodel Mendrez

...
...

This report analyzes a multi-stage cybercrime campaign that deploys the StealC infostealer via a ClickFix fake CAPTCHA social-engineering lure; the chain runs PowerShell → Donut position-independent shellcode → reflective PE downloader → process-injected StealC, which exfiltrates browser credentials, wallets, Steam/Outlook accounts, system fingerprints and screenshots to RC4+Base64-encrypted C2 endpoints. The analysis includes technical details, IOCs (IPs, URLs, hashes), detection recommendations, and a Python decryption tool for captured C2 traffic.
