Potential ClickFix Execution Pattern - Registry

 1title: Potential ClickFix Execution Pattern - Registry
 2id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
 3related:
 4    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
 5      type: similar
 6status: experimental
 7description: |
 8    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
 9    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
10    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
11    such as one-liners that execute remotely hosted malicious files or scripts.    
12references:
13    - https://github.com/JohnHammond/recaptcha-phish
14    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
15    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
16    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
17    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
18    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
19    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
20    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
21    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
22author: Swachchhanda Shrawan Poudel (Nextron Systems)
23date: 2025-03-25
24modified: 2025-11-19
25tags:
26    - attack.execution
27    - attack.t1204.001
28logsource:
29    category: registry_set
30    product: windows
31detection:
32    selection_registry:
33        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
34    selection_details:
35        Details|contains:
36            - 'http://'
37            - 'https://'
38    selection_susp_pattern:
39        - Details|contains:
40              # Add more suspicious keywords
41              - 'account'
42              - 'anti-bot'
43              - 'botcheck'
44              - 'captcha'
45              - 'challenge'
46              - 'confirmation'
47              - 'fraud'
48              - 'human'
49              - 'identification'
50              - 'identificator'
51              - 'identity'
52              - 'robot'
53              - 'validation'
54              - 'verification'
55              - 'verify'
56        - Details|contains:
57              - '%comspec%'
58              - 'bitsadmin'
59              - 'certutil'
60              - 'cmd'
61              - 'cscript'
62              - 'curl'
63              - 'finger'
64              - 'mshta'
65              - 'powershell'
66              - 'pwsh'
67              - 'regsvr32'
68              - 'rundll32'
69              - 'schtasks'
70              - 'wget'
71              - 'wscript'
72    condition: all of selection_*
73falsepositives:
74    - Legitimate applications using RunMRU with HTTP links
75level: high

References

• GitHub - JohnHammond/recaptcha-phish: Phishing with a fake reCAPTCHA

  

  Phishing with a fake reCAPTCHA. Contribute to JohnHammond/recaptcha-phish development by creating an account on GitHub.

  
  Read More

• DeepSeek Lure Used To Spread Malware | ThreatLabz

  

  Malicious actors are already creating fraudulent DeepSeek look-alike sites to spread malware using CAPTCHAs.

  
  Read More

• Clipboard hijacker tries to install a Trojan

  

  Criminals are attempting to get users to install malware from the clipboard.

  
  Read More

• ANY.RUN

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• NetSupport RAT Clickfix Distribution

  

  THE THREAT Beginning in early January 2025, eSentire Threat Response Unit (TRU) observed an increase in the number of incidents involving the…

  
  Read More

• https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724

  
  Read More

• Fix the Click: Preventing the ClickFix Attack Vector

  

  ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware.

  
  Read More

• Preventing Lnk and FakeCaptcha Threats: A System Hardening Approach

  

  LNK files have long been a preferred method for threat actors to deliver and execute malware. They often disguise LNK files to resemble…

  
  Read More

• Decades-old ‘Finger’ protocol abused in ClickFix malware attacks - Secure Contain Protect

  

  The decades-old "finger" command is making a comeback,, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol, a command later added to Windows. While still

  
  Read More

Related rules

• Suspicious ClickFix/FileFix Execution Pattern
• Suspicious Execution via macOS Script Editor
• Symlink Etc Passwd
• DNS Query by Finger Utility
• FileFix - Command Evidence in TypedPaths