A ClickFix social engineering campaign tricks users into executing a malicious command via a fake CAPTCHA on fraudulent background removal websites. This command uses the legacy finger.exe utility to download CastleLoader, an advanced Python-based loader that employs reflective PE loading and API evasion (such as ReplaceTextW hooking) to deploy NetSupport RAT and a custom .NET stealer (CastleStealer) for credential and data exfiltration.