Posted in

ClickFix Attack Uses Cmdkey and Regsvr32 Payload

by Rakesh0

Social engineering attacks continue to evolve, and the latest ClickFix campaign shows just how far attackers are willing to go to bypass modern security controls. Instead of relying on traditional tools like PowerShell, this new variant abuses native Windows utilities such as cmdkey and regsvr32 to execute a fileless, multi-stage attack chain.

Security researchers have observed attackers tricking users into pasting malicious commands through fake CAPTCHA verification pages. Once executed, the attack silently retrieves and runs remote payloads without dropping visible files on disk.

What makes this campaign especially dangerous is its reliance on Living off the Land Binaries (LOLBins)—legitimate Windows tools that blend malicious activity into normal system behavior.

In this article, we break down how the updated ClickFix attack works, why it is harder to detect, and what security teams can do to defend against it.

What Is the ClickFix Attack?

ClickFix is a social engineering-based attack technique where victims are manipulated into executing attacker-controlled commands on their own system.

Traditionally, the attack worked like this:

  • Victim visits a fake verification or CAPTCHA page
  • User is instructed to open Windows Run dialog (Win + R)
  • A command is pasted and executed
  • PowerShell downloads and runs malicious payload

This latest version removes PowerShell entirely and replaces it with native Windows tools, making detection significantly harder.

How the New ClickFix Variant Works

Security researchers from CyberProof identified a more advanced ClickFix variant that shifts execution away from PowerShell and toward built-in Windows binaries.

Instead of obvious script execution, attackers now use:

  • cmdkey for credential manipulation
  • regsvr32 for remote DLL execution
  • cmd.exe for chained command execution

This creates a stealthy, fileless attack chain that is difficult for traditional endpoint detection tools to identify.

Infection Flow: Step-by-Step Breakdown

The attack begins with a convincing phishing page that mimics a legitimate CAPTCHA verification screen, often branded to resemble trusted services.

1. Social Engineering Entry Point

The victim is instructed to:

  • Press Win + R
  • Paste a command
  • Run it as part of a “verification process”

The page often displays messages such as “I am not a robot” to build trust.

2. Credential and Remote Access Setup

Once executed, the command chain uses cmdkey to store credentials pointing to an attacker-controlled IP address.

This step prepares the system for remote resource access without raising immediate suspicion.

3. Remote DLL Execution via regsvr32

Next, regsvr32 is used to load a remote DLL hosted on a network share.

Instead of downloading a visible file, the system loads it directly through a UNC path, such as:

  • \\attacker-ip\share\demo.dll

Because regsvr32 is a trusted Windows utility, this behavior often bypasses basic security checks.

4. Hidden Payload Execution

Once the DLL is loaded, its export function triggers a hidden execution flow that launches a system process.

This process can:

  • Create scheduled tasks
  • Maintain persistence
  • Execute additional payloads

5. Remote Task Scheduler Abuse

The final stage involves creating a scheduled task (e.g., “RunNotepadNow”), but with a twist:

Instead of storing task definitions locally, the attacker retrieves them from a remote XML file.

This allows:

  • Dynamic payload updates
  • Long-term persistence
  • Minimal forensic footprint on the endpoint

Why This Attack Is Harder to Detect

The key challenge for defenders is that this attack does not rely on traditional malware behavior.

Instead, it abuses trusted Windows tools:

  • cmd.exe
  • cmdkey
  • regsvr32
  • Task Scheduler

These are commonly used in legitimate system administration tasks, making it difficult to distinguish between normal and malicious activity.

Key Detection Challenges

  • No obvious malware file dropped on disk
  • No PowerShell execution logs in newer variants
  • Use of signed Windows binaries
  • Encrypted or remote execution paths
  • Blending with normal administrative behavior

Security Risks for Organizations

This variant of ClickFix significantly increases risk exposure across enterprise environments.

Credential Exposure

cmdkey misuse can store attacker-controlled credentials for remote access.

Fileless Persistence

Remote DLL execution enables attackers to operate without leaving traditional forensic artifacts.

Evasion of Endpoint Security

LOLBin abuse reduces detection effectiveness for signature-based tools.

Rapid Payload Evolution

Remote XML-based task definitions allow attackers to change behavior without reinfection.

Indicators of Compromise (IOCs)

Security teams should monitor for the following indicators:

  • 151.245.195.142
  • \\151.245.195.142\hi\demo.dll
  • \\151.245.195.142\hi\777.xml
  • SHA256: b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108

Detection and Mitigation Strategies

Monitor LOLBin Abuse

Track unusual usage of:

  • cmdkey accessing external IPs
  • regsvr32 loading remote DLLs
  • cmd.exe chained execution patterns

Restrict UNC and SMB Traffic

Block or tightly control:

  • External SMB connections
  • UNC path execution from untrusted networks

Harden Endpoint Visibility

Ensure EDR tools are configured to detect:

  • Process chaining
  • Unsigned remote module loading
  • Scheduled task creation from external sources

Improve User Awareness

Train users to recognize:

  • Fake CAPTCHA prompts
  • “Paste this command” instructions
  • Unexpected Windows Run dialog usage

Strengthen Network Monitoring

Flag:

  • Outbound SMB connections
  • Suspicious IP-based credential storage
  • Remote task definition retrieval

Expert Insight: Why This Matters

The evolution of ClickFix highlights a broader cybersecurity trend: attackers are moving away from malware and toward trusted system abuse.

Instead of introducing malicious binaries, they are:

  • Reusing legitimate Windows tools
  • Reducing forensic evidence
  • Increasing reliance on social engineering
  • Targeting user behavior instead of system weaknesses

This shift means traditional detection models must evolve toward behavior-based and context-aware security monitoring.

FAQs

What is the ClickFix attack?

ClickFix is a social engineering attack where users are tricked into executing malicious commands through fake verification pages.

Why is this new ClickFix variant more dangerous?

It replaces PowerShell with trusted Windows tools like cmdkey and regsvr32, making detection harder.

What are LOLBins?

LOLBins are legitimate Windows tools abused by attackers to carry out malicious actions without installing malware.

How do attackers deliver the payload?

They use remote DLL loading via UNC paths and execute it using regsvr32.

Can antivirus detect this attack?

Traditional antivirus may struggle, but modern EDR and behavior-based detection tools can help identify suspicious activity.

What is the best defense against ClickFix?

User awareness, endpoint monitoring, and restricting abuse of Windows administrative tools.

Conclusion

The latest ClickFix campaign demonstrates a clear evolution in modern cyberattacks: less malware, more system abuse. By leveraging native Windows tools like cmdkey and regsvr32, attackers are able to bypass traditional defenses and execute fileless, persistent payloads.

For defenders, this reinforces the need for behavior-based detection, strict endpoint monitoring, and continuous user awareness training.

As attacks become more “native,” security must become more behavioral.

Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *