Malware | Mar 18, 2026

New ClickFix Scam Tricks Users Into Mapping Hacker-Controlled Drives

Summary

A new ClickFix scam variant tricks Windows users into executing hidden clipboard commands that map hacker-controlled network drives and load a compromised WorkFlowy app. The attack uses native Windows tools (Win+R, Ctrl+V) to bypass traditional security measures, delivers a trojanized legitimate application with malicious code embedded in its asar archive, and communicates with attacker C2 servers while leaving minimal disk forensics.

Full text

By Deeba Ahmed, March 18, 2026

A new ClickFix scam tricks Windows users into running hidden commands that map hacker-controlled drives and load malware through trusted apps.

Cybersecurity researchers have discovered a cunning new twist on a well-known scam that targets everyday Windows users. This latest ClickFix attack, identified by the firm Atos, is particularly dangerous because it doesn’t rely on commonly known malware and instead tricks victims into using their own device’s tools to open the door for hackers.

According to Atos, the scam starts on a dodgy website like ‘happyglamper.ro’ that greets visitors with a fake Captcha (the usual “prove you aren’t a robot” test). However, rather than asking you to click images of buses, the site tells you to press Windows + R, then Ctrl + V, and finally Enter. By following these steps, you are actually running a hidden command that the website has already silently copied to your clipboard.

[Image: One of the phishing websites (Source: Atos)]

The Brain-Swap Inside Trusted Apps

Researchers assessed that this version is stealthier than previous ones because it uses a standard Windows command called net use to connect your PC to a remote server. To your computer, this looks like a harmless connection to an office network drive. Once the connection is made, your PC automatically downloads a legitimate note-taking app called WorkFlowy (version 1.4.1050), originally signed by FunRoutine Inc.

However, the attackers have performed a brain swap on the app. They replaced a hidden file inside the software, known as an asar archive, with their own malicious code. Because the app itself is genuine, most security software simply looks the other way.

A Spy in the Background

Because the malware is hidden inside a trusted app, it gains high-level access to your system. Researchers noted that, “The malicious code runs in the Node.js main process with the full privileges of the logged-in user, allowing for the malicious code to execute any actions the user is allowed to do on the system. No files are actually written to disk.”

This means the virus bypasses the security sandboxes that usually stop apps from prying into your files. Once active, it generates a unique Victim ID and saves it in a file called id.txt, then begins messaging a hacker-controlled server at cloudflare.report every two seconds.

The threat has caught the attention of the wider security community. On X, Steven Lim, a cloud security expert and Microsoft MVP, raised the alarm about this “Cloudflare Win + R” variant. Using intelligence tools, Lim identified several other domains linked to this campaign, including modacontractors.uk, itexe.pl, and a spoofed static.cloudflareinsights.com, urging defenders to block them immediately.

[Image: Attack overview (Source: Atos)]

Atos researchers caught the scam by hunting through the RunMRU registry key, a digital ledger that records every command typed into the Windows Run box. Because the malware leaves almost no other trace on the hard drive, this registry footprint was the only proof the attack had occurred. It shows that since these scams now hide behind native Windows tools, we must be more careful than ever about which keys we are told to press.

Indicators of Compromise

  • domain — cloudflare.report
  • domain — happyglamper.ro
  • domain — modacontractors.uk
  • domain — itexe.pl
  • domain — static.cloudflareinsights.com
  • malware — ClickFix (Cloudflare Win+R variant)
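
The RunMRU hunt the article describes can be sketched as a triage pass over the values of `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. This is an added example, not code from Atos or the article; it assumes the values have already been exported into a dict, and the internal suffix, function names and sample entries are constructed for illustration.

```python
import re

# Domains taken from this page's indicator list.
PAGE_IOC_DOMAINS = {
    "cloudflare.report", "happyglamper.ro", "modacontractors.uk",
    "itexe.pl", "static.cloudflareinsights.com",
}
# Assumption: hosts under this suffix are the organisation's own file servers.
INTERNAL_SUFFIX = ".corp.example"

NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\b", re.IGNORECASE)
UNC_HOST = re.compile(r"\\\\([^\\\s@]+)")  # host part of \\host\share


def mru_commands(values):
    """Yield Run-box commands, newest first, from a dict of RunMRU values."""
    # Each command sits under a one-letter value name with a trailing "\1";
    # MRUList holds those letters ordered from most to least recent.
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is not None:
            yield data[:-2] if data.endswith("\\1") else data


def triage(values):
    """Return (command, reasons) for entries worth an analyst's attention."""
    findings = []
    for cmd in mru_commands(values):
        reasons = []
        if any(d in cmd.lower() for d in PAGE_IOC_DOMAINS):
            reasons.append("page-ioc-domain")
        if NET_USE.search(cmd):
            hosts = [h.lower() for h in UNC_HOST.findall(cmd)]
            # Dotted names and IP literals outside the internal suffix.
            external = [h for h in hosts
                        if "." in h and not h.endswith(INTERNAL_SUFFIX)]
            if external:
                reasons.append("net-use-external:" + ",".join(external))
        if reasons:
            findings.append((cmd, reasons))
    return findings


# Constructed sample of RunMRU values (not taken from the incident).
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "net use H: \\\\fs01.corp.example\\home\\1",
    "c": "cmd /c net use Z: \\\\files.example.test\\share\\1",
}
```

Running `triage(SAMPLE)` flags only entry `c`: the mapping to the internal file server and the plain `notepad` launch pass untouched.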