Atos researchers have identified a new variant of the ClickFix technique in which attackers prompt users to paste and run a command in the Win+R Run dialog. The command uses net use to map a WebDAV share on an external, attacker-controlled server as a network drive and then executes a batch file, update[.]cmd, hosted on that share. The batch file downloads a ZIP archive, extracts it into the user's local app data, and launches WorkFlowy[.]exe.
The dropped payload hides inside the WorkFlowy Electron app: main[.]js inside resources/app[.]asar is replaced with obfuscated code, turning the app into a dropper and beacon. The C2 is hosted at cloudflare[.]report/forever/e/, with an origin IP of 144.31.165[.]173. The trojanised app beacons every two seconds, sending a victim ID and system details to the C2, and the dropper writes an id[.]txt file to %APPDATA% so the host can be fingerprinted across runs. OS-level persistence is not established by the dropper itself and is left to whatever payload the C2 delivers.
The legitimate application is not replaced; only main[.]js inside its ASAR archive is trojanised, so the malicious code runs within the legitimate Electron main process. Atos reports that this allowed the sample to evade Microsoft Defender for Endpoint and many common detections.
According to Atos, the campaign was found through threat hunting on suspicious commands recorded in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which stores the history of commands entered into the Win+R Run dialog. This underscores the growing importance of proactive hunting as ClickFix campaigns increasingly leverage native utilities and trusted applications.
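The following PowerShell script is an added hunting example and is not Atos' own tooling. It reads the Win+R history that Explorer keeps under RunMRU for every loaded user hive and flags entries matching the tradecraft described above (net use, WebDAV-style UNC paths or URLs, batch files launched from a share, and common ClickFix LOLBins). The regular expressions, the indicator names, and the assumption that id.txt sits directly in %APPDATA% are this example's choices, not details taken from the Atos report.

```powershell
# Added hunting example (not Atos' tooling). RunMRU layout, as Explorer writes it:
# each entry is a value named with a single letter whose data is the typed
# command followed by "\1"; the MRUList value lists those letters, most recent first.

$SuspiciousPatterns = [ordered]@{
    'net use drive mapping'   = '\bnet(\.exe)?\s+use\b'
    'WebDAV UNC path or URL'  = '\\\\[^\\\s]+@(SSL|\d{2,5})\\|DavWWWRoot|https?://'   # assumed forms: \\host@SSL\..., \\host@port\..., or a URL
    'batch file from a share' = '\\[^\\\s]+\.(cmd|bat)\b'
    'common ClickFix LOLBins' = '\b(powershell|pwsh|mshta|curl|certutil|bitsadmin|rundll32)\b'
}

function Get-RunMruEntries {
    # Returns one object per RunMRU entry for each user hive loaded under HKEY_USERS.
    # Reading other users' hives requires administrative rights.
    $results = foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }
        $keyPath = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-ItemProperty -Path $keyPath
        if (-not $key.MRUList) { continue }
        $rank = 0
        foreach ($letter in $key.MRUList.ToCharArray()) {
            $name = [string]$letter
            $raw = $key.$name
            if ($null -eq $raw) { continue }
            $rank++
            [pscustomobject]@{
                Sid     = $sid
                Rank    = $rank                        # 1 = most recently typed
                Command = ($raw -replace '\\1$', '')   # strip the trailing "\1" marker
            }
        }
    }
    return $results
}

function Find-ClickFixRunMru {
    # Pipeline filter: emits only entries that match at least one pattern,
    # annotated with the names of the matching indicators.
    param([Parameter(ValueFromPipeline)][pscustomobject]$Entry)
    process {
        $hits = foreach ($rule in $SuspiciousPatterns.GetEnumerator()) {
            if ($Entry.Command -match $rule.Value) { $rule.Key }
        }
        if ($hits) {
            $Entry | Add-Member -NotePropertyName Indicators -NotePropertyValue ($hits -join '; ') -PassThru
        }
    }
}

function Test-DropperFingerprintFile {
    # Secondary host artefact from the report: the dropper writes id.txt under
    # %APPDATA%. Its exact location inside %APPDATA% is assumed here.
    param([string]$Path = (Join-Path $env:APPDATA 'id.txt'))
    if (Test-Path $Path) {
        Get-Item $Path | Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

Get-RunMruEntries | Find-ClickFixRunMru | Format-Table -AutoSize
Test-DropperFingerprintFile
```

Run it elevated to cover every logged-on user's hive; unprivileged it only sees the current user. The LOLBin rule will be noisy on administrator workstations and is there for triage context rather than as a standalone alert. Because mapping a WebDAV share depends on the WebClient service, a RunMRU hit combined with WebClient having been started around the same time (Get-Service WebClient, plus the service-start events in the System log) is a stronger signal than either alone.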