{
  "name": "Investigating a new Click-fix variant",
  "slug": "investigating-a-new-click-fix-variant",
  "description": "A new variant of the ClickFix technique has been identified in which attackers persuade users to run malicious commands on their own devices via the Win + R shortcut. This variant uses a 'net use' command to map a network drive from an external server and then executes a '.cmd' batch file from it. The script downloads a ZIP archive, unpacks it, and launches a legitimate WorkFlowy application whose modified, malicious logic is hidden inside an '.asar' archive. The modified application acts as a C2 beacon and as a dropper for the final malware payload. The attack bypasses typical detection methods and uses Electron application bundling to conceal the malicious code.",
  "published": "2026-03-16T09:28:13+00:00",
  "created_at": "2026-03-16T09:28:13+00:00",
  "modified_at": "2026-03-16T09:52:38+00:00",
  "created_at_opencti": "2026-03-16T09:28:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-16",
    "clickfix"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "144.31.165.173"
      },
      {
        "id": "",
        "name": "https://cloudflare.report/forever/e/"
      },
      {
        "id": "",
        "name": "http://cloudflare.report/forever/e/"
      },
      {
        "id": "",
        "name": "dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829"
      },
      {
        "id": "",
        "name": "9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42"
      },
      {
        "id": "",
        "name": "a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063"
      }
    ],
    "malware": [
      {
        "id": "2d2c305e-d8f7-4cb6-8195-6cce5631c6c9",
        "name": "ClickFix",
        "slug": "clickfix"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "cloudflare.report"
      },
      {
        "id": "",
        "name": "happyglamper.ro"
      }
    ]
  },
  "external_refs": [
    "https://atos.net/en/lp/cybershield/investigating-a-new-click-fix-variant",
    "https://otx.alienvault.com/pulse/69b7db3dcc28a49fbcbad5df"
  ]
}