ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
Summary
Analysis of ClickFix payload delivery shows operators moving to API-driven servers and a Downloads-folder orchestrator, increasing stealth across live campaigns. The backend returns a fresh disguise for each visitor, while the payload itself is unpacked from a downloaded file instead of being pasted directly. That design helps the chain slip past AMSI and leaves fewer obvious traces than the older Windows+R flow. The shift makes clipboard-based initial access harder to catch with conventional email and endpoint controls.
Related Happenings
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score 34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score 22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score 24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score 29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score 33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Timeline
- 30.06.2026 03:00 · 2 articles
ClickFix payload servers generate per-visitor disguises and a Downloads-folder orchestrator
Technical Analysis Update: Security researcher Bert-Jan Pals published findings on June 30 after analyzing roughly 3,000 live ClickFix payloads. The analysis shows API-driven servers that return a freshly disguised command for each visitor, and a Downloads-folder delivery method that pastes only an orchestrator line so the hidden script can run while helping evade AMSI.
- Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery — thehackernews.com — 01.07.2026 08:32