Investigating a new Click-fix variant
Essential information
- Published
- 16/03/2026 10:28
- Modified
- 16/03/2026 10:52
- Tags
- 2026-03-16 clickfix
- Related entities
- 6 observables, 13 techniques (mitre), 1 malware, 2 others
Description
A new variant of the ClickFix technique has been identified, where attackers convince users to execute malicious commands on their devices through the Win + R shortcut. This variation uses a 'net use' command to map a network drive from an external server, followed by executing a '.cmd' batch file. The script downloads a ZIP archive, unpacks it, and executes a legitimate WorkFlowy application with modified, malicious logic hidden inside an '.asar' archive. This acts as a C2 beacon and a dropper for the final malware payload. The attack bypasses typical detection methods and utilizes Electron application bundling to hide malicious code.