‘What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords’: Experts warn that free image editor tool could actually be dangerous malware


  • A fake photo tool ranked high in search results tricks users into running malware via ClickFix tactics
  • Victims first get infected with CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer
  • The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise

A website promising to remove backgrounds from selfie photos is actually just dropping infostealing malware on people’s computers, security researchers are saying.

Cybersecurity experts at Huntress outlined how they discovered a website which, through SEO poisoning, managed to work its way to the top of search engine results pages. Therefore, when people search for background removal tools, there is a good chance they’ll land on this particular, malicious site.

When users upload a photo to this service, it never actually gets processed; nothing is uploaded or shared at all. Instead, the site asks the user to “verify they’re human” by opening the Windows Run dialog and pasting a command that the site has copied onto their clipboard.


In typical ClickFix fashion, the attackers get the victims to run the malware themselves, first infecting their devices with CastleLoader. This is the main loader used to deliver additional payloads.

Through CastleLoader, the miscreants can then deploy stage-two malware, including NetSupport RAT, and CastleStealer.

The former is a remote access trojan (RAT) which grants the attackers remote access to infected systems, while the latter is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.

“What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords, crypto wallet vaults, and Telegram session, plus a NetSupport RAT dropped on disk for follow-up access,” Huntress explained.

ClickFix attacks can be mitigated through education: users should know that no legitimate service will ask them to prove they are not a bot through on-device activity (such as running a program locally). Alternatively, admins can disable the Win + R shortcut for Run, making it less likely that victims actually run the malicious code.
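The Run-dialog hardening described above, plus a quick audit of what a user has already pasted into Run, as an added example that is not part of the article or the Huntress report. It assumes the standard per-user Explorer policy key (NoRun) and the RunMRU history key; the indicator strings are constructed and should be tuned for your own environment.

```powershell
# Added example (not from the article or Huntress): block the Run dialog and audit Run history.
# Assumes the standard per-user NoRun policy path and RunMRU path under HKCU.

# 1. Block the Run dialog (Win + R / Start > Run) for the current user via the NoRun policy.
#    In a managed estate this is normally deployed through Group Policy rather than a local script.
function Disable-RunDialog {
    $policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Audit what has been typed or pasted into the Run dialog. Windows keeps this history in RunMRU;
#    each single-letter value holds "<command>\1". Flag entries that look like a pasted one-liner
#    that launches a script host or fetches something from the network.
function Get-SuspiciousRunHistory {
    $mruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $mruPath)) { return @() }
    # Constructed indicator list; adjust to what is normal for your users.
    $patterns = 'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'wget ', '-enc', 'iex',
                'Invoke-Expression', 'http'
    $item = Get-ItemProperty -Path $mruPath
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |          # skip MRUList and PS* metadata
        ForEach-Object {
            $cmd = ($_.Value -replace '\\1$', '')              # strip the trailing "\1" marker
            $hit = $patterns | Where-Object { $cmd -match [regex]::Escape($_) }
            if ($hit) { [pscustomobject]@{ Slot = $_.Name; Command = $cmd } }
        }
}

Disable-RunDialog
Get-SuspiciousRunHistory | Format-Table -AutoSize
```

Run the audit before the policy change on an endpoint you are investigating, since the RunMRU entries are the quickest local evidence that a ClickFix lure was actually followed.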
