
A convincing fake “remove your photo background” website is being used to trick people into infecting their own computers, a new threat report by security firm Huntress has uncovered.
The campaign, dubbed BackgroundFix, disguises itself as a free image-editing service which is potentially just one Google search away for users who don’t yet have their own go-to editing tools.
The fake background removal service looks convincing, offering familiar upload buttons, progress bars and download prompts, but none of it works: it exists only to trick victims into running malicious commands.
The lure, uncovered by Huntress analyst Anna Pham, uses a social engineering tactic known as ClickFix to deliver malware, specifically infostealers and Remote Access Trojans (RATs).
How the attack progresses
According to Pham, the attack begins when a user clicks an “I’m not a robot” checkbox.
At that moment, the site copies a hidden command to the clipboard, along with helpful-looking instructions on how to run it; the command itself covertly reaches out to an attacker-controlled server.
Pham notes one small mercy: “the images you upload don’t go anywhere”. They are not processed or stolen. The danger begins only when the user follows the fake verification steps.
Once launched, the chain installs a piece of malware, CastleLoader, which can deliver additional tools for attackers.
For this campaign, it drops NetSupport RAT, a legitimate remote-support tool abused for hands-on access, as well as a custom .NET stealer Huntress calls “CastleStealer”.
CastleStealer targets saved browser passwords, cookies, crypto wallet extension data and Telegram session files.
Pham also found evidence that this is not a one-off scam. Using Validin, they identified eight related domains using the same BackgroundFix template, suggesting an active campaign.
Recommended precautions include avoiding copy-paste verification prompts and being wary of any instructions that involve pressing Win+R, pasting a command and hitting Enter.
Researchers also advise keeping Chrome and other Chromium browsers updated, blocking unused legacy tools such as finger.exe, and treating free web tools promoted through ads or unfamiliar domains with caution.
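The Win+R step in these precautions leaves a trace defenders can check: the Run dialog records its history under the RunMRU registry key. As an added example that is not from the article or the Huntress report, the Python below parses a constructed RunMRU export and flags entries that match the warning signs the article names (a command reaching out to a remote URL, the legacy finger.exe client); SAMPLE_RUNMRU, the function names and the placeholder.invalid host are assumptions for illustration.

```python
import re

# Constructed sample of Run-dialog history as it is read from the RunMRU registry key
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). Windows stores each
# command followed by a literal "\1"; "MRUList" lists the slots, most recent first.
# "placeholder.invalid" is a placeholder host, not an indicator from the report.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c finger.exe user@placeholder.invalid\\1",
    "c": "calc\\1",
    "d": "powershell http://placeholder.invalid/verify\\1",
}

# Heuristics drawn from the article: the Win+R command reaches out to a remote server,
# and unused legacy clients such as finger.exe should not be appearing in Run history.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bfinger(\.exe)?\b", re.I), "invokes the legacy finger.exe client"),
    (re.compile(r"https?://", re.I), "references a remote URL"),
    (re.compile(r"\|"), "pipes output into another program"),
]


def parse_runmru(values):
    """Return (slot, command) pairs in MRU order with the trailing '\\1' marker stripped."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        entries.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def flag_clickfix_candidates(values, max_len=80):
    """Flag Run-dialog entries that look like a pasted ClickFix command and say why."""
    findings = []
    for slot, cmd in parse_runmru(values):
        reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(cmd)]
        if len(cmd) > max_len:  # typed Run commands are short; pasted payloads rarely are
            reasons.append(f"unusually long Run command ({len(cmd)} chars)")
        if reasons:
            findings.append({"slot": slot, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_clickfix_candidates(SAMPLE_RUNMRU):
        print(f"[{finding['slot']}] {finding['command']!r}: {', '.join(finding['reasons'])}")
```

On a real host the same dictionary can be filled from the registry with the standard-library winreg module; the heuristics then run unchanged.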