
Investigating a New Click-Fix Variant


EXCLUSIVE: NEW CLICKFIX MALWARE VARIANT EVADES MICROSOFT DEFENDER, USES NETWORK DRIVE TRICK IN MAJOR ZERO-DAY THREAT

A dangerous new variant of the infamous ClickFix malware is actively bypassing leading endpoint security, including Microsoft Defender, in a sophisticated campaign that marks a severe escalation in ransomware threats. Cybersecurity firm Atos has exclusively uncovered the operation, in which attackers now use a "net use" command to map a malicious network drive, a technique never before seen in ClickFix attacks. The weak point being exploited, with chilling efficiency, is ordinary user behavior.

The attack begins on a compromised webpage, "happyglamper[.]ro", that poses as a captcha check. It socially engineers victims into pressing Win+R and pasting a malicious command. This command connects their PC to an attacker-controlled server, mapping it as drive "Z:". It then silently executes a ".cmd" batch file from that drive, which downloads a ZIP archive. Inside, a legitimate WorkFlowy application is weaponized with malicious logic hidden in an ".asar" archive, acting as a command-and-control beacon and as the dropper for the final payload.
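The chain described above (a "net use" mapping of a remote share to a drive letter, followed by a ".cmd" executed from that drive) is something a SOC can correlate from process-creation telemetry. The detector below is an added example written for this article, not code from Atos or from the original report; the event records, hostnames, the 203.0.113.10 address and the "fileserver" allowlist entry are all constructed for illustration.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed process-creation events in the shape of Sysmon EventID 1 / Windows
# 4688 data. Values are made up for illustration; none is a real indicator.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-06-01T10:00:01", "host": "WS01", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": r"cmd.exe /c net use Z: \\203.0.113.10\share"},
    {"ts": "2024-06-01T10:00:03", "host": "WS01", "parent": "cmd.exe",
     "image": "cmd.exe", "cmdline": r"cmd.exe /c Z:\update.cmd"},
    # Benign: a user mapping the corporate home share, nothing executed from it.
    {"ts": "2024-06-01T11:15:00", "host": "WS02", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": r"cmd.exe /c net use H: \\fileserver\home /persistent:yes"},
]

# "net use <letter>: \\server\share" (also net1.exe / net.exe spellings).
NET_USE_MAP = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\s+([a-z]):\s+(\\\\\S+)", re.IGNORECASE)
# A .cmd/.bat script launched by a drive-letter path, e.g. Z:\update.cmd
DRIVE_EXEC = re.compile(r"(?<![\w\\])([a-z]):\\\S+\.(?:cmd|bat)\b", re.IGNORECASE)


def detect_clickfix_drive_chain(events: List[Dict[str, str]],
                                allowed_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Flag a .cmd/.bat run from a drive letter that was earlier mapped via
    'net use' to a server outside the allowlist, correlated per endpoint."""
    mapped: Dict[Tuple[str, str], str] = {}  # (host, drive letter) -> UNC path
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = NET_USE_MAP.search(ev["cmdline"])
        if m:
            drive, unc = m.group(1).upper(), m.group(2)
            server = unc.split("\\")[2].lower()  # \\server\share -> server
            if server not in allowed_hosts:
                mapped[(ev["host"], drive)] = unc
            continue
        x = DRIVE_EXEC.search(ev["cmdline"])
        if x and (ev["host"], x.group(1).upper()) in mapped:
            key = (ev["host"], x.group(1).upper())
            alerts.append({"ts": ev["ts"], "host": ev["host"], "drive": key[1],
                           "unc": mapped[key], "script": x.group(0)})
    return alerts


if __name__ == "__main__":
    for a in detect_clickfix_drive_chain(EVENTS, frozenset({"fileserver"})):
        print(f'{a["ts"]} {a["host"]}: {a["script"]} run from {a["drive"]}: mapped to {a["unc"]}')
```

The Run dialog spawns its child under explorer.exe, so adding a parent-process condition on the first event tightens the rule further against scripted administrative use of "net use".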

"This is a masterclass in evasion," stated a senior threat analyst involved in the investigation. "By shifting from common PowerShell execution to abusing the 'net use' command for network drive mapping, they've sidestepped signature-based detection. The use of a modified, legitimate app as a carrier is particularly insidious. It's a multi-stage exploit designed for one purpose: to deliver ransomware or steal data in a major breach."

Every user is at risk. This isn't a complex phishing email; it's a compromised website that could be anywhere. One wrong click on a fake verification leads to a complete system compromise. The malware's success in evading core defenses shows that traditional antivirus is no longer enough. This campaign leverages a potent mix of social engineering and a zero-day-like abuse of trusted Windows functions.

We predict this network drive method will be copied by ransomware gangs worldwide within weeks, leading to a new wave of crypto-locking attacks. The intersection of advanced malware techniques and simple user deception creates a perfect storm.

Your next click could map a hacker's drive directly onto your desktop. The threat is inside the house.
