{ "Event": { "analysis": "1", "date": "2026-04-23", "extends_uuid": "", "info": "[Threat Intel] Beyond PowerShell: Analyzing the Multi-Action ClickFix Variant", "protected": false, "publish_timestamp": "1779545354", "published": true, "threat_level_id": "3", "timestamp": "1779545353", "uuid": "58d7bdde-8165-42d2-b6de-aa9716c87157", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#041edc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"", "relationship_type": "" }, { "colour": "#237502", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Transfer Protocols - T1071.002\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#6e0b83", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Regsvr32 - T1218.010\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Window - T1564.003\"", "relationship_type": "" }, { "colour": "#02475d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776942024", "to_ids": false, "type": "link", "uuid": "9ba86287-fe10-488f-ac0f-34209ca665ff", "value": "https://www.cyberproof.com/blog/beyond-powershell-analyzing-the-multi-action-clickfix-variant/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776942024", "to_ids": false, "type": "text", "uuid": "b077c501-336b-4750-ba72-fde5e6b057b8", "value": "This analysis documents a newly observed ClickFix variant that abuses native Windows utilities, specifically cmdkey and regsvr32, for payload delivery. Victims are socially engineered through fake CAPTCHA pages to execute a malicious command via the Windows Run dialog. The single command chains multiple actions: staging credentials using cmdkey, retrieving a remote DLL via regsvr32 from a UNC path, and executing it silently. The 64-bit DLL establishes persistence through a scheduled task pulled from a remote XML file hosted on attacker infrastructure. This approach avoids traditional malware drops and leverages exclusively trusted Windows components for high stealth. The variant demonstrates continued evolution of ClickFix techniques, moving beyond PowerShell to use command chaining with legitimate system tools." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776942024", "to_ids": false, "type": "text", "uuid": "ca46610f-4f72-4f43-acaf-af3bb3b30485", "value": "Name: Beyond PowerShell: Analyzing the Multi-Action ClickFix Variant\nAuthor: AlienVault\nAdversary: \nTags: [\"scheduled task\", \"social engineering\", \"clickfix\", \"cmdkey\", \"unc path\", \"lolbins\", \"remote dll\", \"regsvr32\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.005\", \"T1036.005\", \"T1204.002\", \"T1082\", \"T1036\", \"T1021.002\", \"T1071.002\", \"T1547.001\", \"T1566\", \"T1027\", \"T1218.010\", \"T1564.003\", \"T1059.003\", \"T1105\"]\nIndustries: []" }, { "category": "Network activity", "comment": "IOC-description:CC=IR ASN=AS58224 iran telecommunication company pjs", "deleted": false, "disable_correlation": false, "timestamp": "1777321552", "to_ids": true, "type": "ip-dst", "uuid": "4dfc75a4-2d72-4706-b00c-bb6cf4a0fa9b", "value": "151.245.195.142", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545353", "uuid": "bf7e3c98-66fd-4878-a0a1-d07ea42fcb24", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545353", "to_ids": true, "type": "md5", "uuid": "3ad61259-d932-489b-bd25-f7998bd3ce99", "value": "9210884e8e28b9fd98528468710063e1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545353", "to_ids": true, "type": "sha1", "uuid": "c235fb0d-e302-439e-856b-1c163546e0a9", "value": "640e7fcb3b297de782f34de3d8c582f694b4b1f6", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545353", "to_ids": true, "type": "sha256", "uuid": "b95c796f-b8e0-411f-bcc0-d1ecaa29269e", "value": "b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777312605", "to_ids": true, "type": "ssdeep", "uuid": "cec56197-4db4-448c-aa0c-869dca1f74df", "value": "3072:D/tW1QhiflCa2U2a4QYR5n/tRR4dr8aWHVBosLM:D/MQhiflV2tpR5n/zR/qk" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777312605", "to_ids": false, "type": "size-in-bytes", "uuid": "5d1a3b90-e20a-4644-b7dc-328ebf5e91c8", "value": "111104" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777312605", "to_ids": true, "type": "vhash", "uuid": "e6249fc8-e6d7-450a-8052-ce367d15d956", "value": "115076655d151515155az49?z2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777312605", "to_ids": true, "type": "filename", "uuid": "041e06da-4cd3-43bc-a1ef-034d226f67f2", "value": "demo.dll" }, { "category": "Other", "comment": "Checked: 28/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777312605", "to_ids": false, "type": "text", "uuid": "9ece61b3-12c4-449c-8dc5-c5c67c566255", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:34/71\nFirst Submission:2026-03-19T15:49:17.000000+00:00\nLast Submission:2026-03-25T15:19:54.000000+00:00" } ] } ] } }