ClickFix Attack Replaces PowerShell With Cmdkey and Remote Regsvr32 Payload Delivery

HomeCyber Security News ClickFix Attack Replaces PowerShell With Cmdkey and Remote Regsvr32 Payload Delivery By Tushar Subhra Dutta April 27, 2026 A new and more capable version of the ClickFix attack has been spotted in the wild, and it works a little differently from what security teams have seen before. Instead of relying on PowerShell, attackers are now chaining native Windows tools, specifically cmdkey and regsvr32, to silently deliver a remote payload without dropping a single file on disk. ClickFix has been a growing concern in cybersecurity for some time. The technique works by tricking users into running a malicious command through social engineering. In earlier campaigns, attackers used fake CAPTCHA pages to convince victims to paste and run commands through the Windows Run dialog, which would typically invoke PowerShell to fetch and execute a payload. This latest version steps away from PowerShell entirely, making it harder for traditional detection tools to catch the activity. CyberProof’s Threat Research Team, led by Deepak Nayak, Kithu Shajil, and Veena Sagar, identified this new ClickFix variant and published their findings on April 22, 2026. CyberProof’s researchers noted that the campaign uses a compact command chain that stores credentials, retrieves a remote DLL, and executes it silently through trusted Windows components. By staying within legitimate Windows utilities, the attackers blend their activity into normal system behavior, making detection significantly more difficult. The impact of this shift matters for organizations that rely on behavioral detection. Because the attack uses only built-in Windows tools, also called Living off the Land Binaries (LOLBins), security solutions looking for suspicious software drops or unusual processes may not raise any alerts. A single command typed into the Windows Run dialog is enough to start a multi-stage attack chain that persists on a machine and connects back to attacker-controlled infrastructure. This makes the threat accessible to a wide range of victims, from individual users to corporate employees. What makes this campaign especially concerning is how little the attacker needs from the victim. One paste of a pre-loaded command and the infection begins. The entire process is designed to look routine and believable, with attackers mimicking a real Cloudflare CAPTCHA page to earn the user’s trust before launching the attack. Inside the Infection Mechanism The attack begins when a user visits a phishing page that mimics a CAPTCHA verification screen. The page instructs the user to open the Windows Run dialog using Win + R, paste a pre-loaded command, and press Enter. The observed command calls cmd.exe and chains two primary actions. Attack Chain Summary (Source – CyberProof) First, the cmdkey utility stores credentials for the remote IP address 151.245.195[.]142 under the username “guest.” Second, regsvr32 silently loads demo.dll from the attacker’s SMB share via a UNC path. A REM comment embedded in the command reads “I am not a robot” to disguise the malicious intent and make the whole thing look like a legitimate verification step. Establishing Persistence and Executing the Second-Stage Payload (Source – CyberProof) Once regsvr32 runs the DLL, its DllRegisterServer export triggers a hidden CreateProcessA call that creates a scheduled task named “RunNotepadNow” using Windows Task Scheduler. The task definition is not stored on the infected machine. Instead, it is pulled from a remote XML file on the attacker-controlled server, meaning the attackers can update their second-stage payload at any time without redeploying the initial DLL. This gives the campaign long-term persistence with very few traces left on the host. Malicious Command Execution via Run Dialog (Source – CyberProof) Security teams should monitor cmdkey usage involving external IP addresses and watch for regsvr32 loading remote DLLs via UNC paths. Alerts should be set up for chained command execution through cmd.exe, and Task Scheduler activity referencing remote XML files should be reviewed closely. Outbound SMB and UNC access should be restricted or tightly monitored at the network level. User education is equally important, helping employees recognize ClickFix-style social engineering before they paste or run anything. Indicators of Compromise (IOCs):- 151[.]245.195.142 \\151[.]245.195.142\hi\demo.dll \\151[.]245.195.142\hi\777.xml SHA256: b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108 Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News 12 Browser Extensions Mimic as TikTok Video Downloaders Compromised 130k Users Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records Hackers Abuse SS7 and Diameter Protocols to Track Mobile Users Worldwide New PureRAT Campaign Hides PE Payloads in PNG Files and Executes Them Filelessly Attackers Can Backdoor CODESYS Applications by Chaining Vulnerabilities Latest News Cyber Security ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants Cyber Security News Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks Cyber Security News New Vidar Malware Campaign Uses Fake YouTube Software Downloads to Steal Corporate Credentials Cyber Security News New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection Uncategorized Hackers Using Fake Income Tax Department’s Notice to Deploy Malware