An evolved ClickFix campaign variant is actively delivering a trojanized desktop application signed with a legitimate-appearing code certificate, allowing it to bypass automated detection in Microsoft Defender for Endpoint. The malware impersonates WorkFlowy (v1.4.1050), a legitimate workplace productivity tool, and uses Windows-native file-sharing commands to load malicious code without triggering standard antivirus signatures. Organizations relying solely on automated endpoint detection are exposed; this campaign was only identified through manual threat hunting, meaning undetected infections may already exist in affected environments.