ClickFix is a social-engineering delivery method that tricks users into copying and executing obfuscated PowerShell commands, which download an HTA (dark.hta) from a malicious domain and save it as c:\users\public\nC.hta. The multi-stage attack decodes nested base64 payloads, injects a PowerShell command into the clipboard to prompt user execution, and ultimately deploys DarkGate via AutoIt components. #ClickFix #DarkGate
Keypoints
- ClickFix is a user-targeted social-engineering technique that persuades victims to execute commands (e.g., paste-and-run) rather than relying on autonomous exploitation.
- The attack embeds nested Base64-encoded payloads within HTML/JavaScript and uses reverse decoding to conceal a PowerShell command.
- JavaScript copies a decoded PowerShell command to the clipboard and instructs users to press Win+R and paste, causing the system to download and run an HTA from linktoxic34.com (saved as c:\users\public\nC.hta).
- The executed HTA retrieves and runs a PowerShell script that deploys an AutoIt executable and script (e.g., fckhffh.a3x), creates staging folders, drops additional payloads, and executes them silently.
- Analysis shows DES usage within the AutoIt script, a dropped DOS file, and subsequent DarkGate activity that establishes C2 communications and enables remote access.
- Mitigations include user education to avoid pasting code, using behavioural security tools, restricting Run (Win+R) via GPOs in enterprise environments, disconnecting infected devices, booting into Safe Mode for cleanup, and using UltraAV (detects as Trojan.HTML.DarkGate.ORS).
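A worked example of peeling the nested encoding described in the keypoints above. This is an added analysis helper, not code from the original write-up or from Point Wild: it runs over a constructed lure page whose payload is a harmless Write-Host one-liner wrapped base64, then reversed, then base64 again, so the real dark.hta content is not reproduced. The JavaScript snippet, the helper names `extract_blobs`, `try_b64`, `peel` and `analyse`, and the `unwrap`/`fix` function names in the constructed page are assumptions for illustration.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a harmless PowerShell one-liner wrapped in three layers
# (base64, then string reversal, then base64 again), mimicking the nested and
# reversed encoding the write-up describes. Not the real dark.hta payload.
INNER_COMMAND = "powershell -Command \"Write-Host 'constructed sample'\""


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


OUTER_BLOB = _b64(_b64(INNER_COMMAND)[::-1])

# Constructed lure page (hypothetical JavaScript; unwrap()/fix() are assumed
# names). The visible text is the lure sentence quoted in the write-up.
CONSTRUCTED_LURE_HTML = (
    "<p>The 'Word Online' extension is not installed in your browser. "
    "To view the document offline, click the 'How to fix' button.</p>\n"
    "<script>\n"
    'var p = "' + OUTER_BLOB + '";\n'
    "function fix() { navigator.clipboard.writeText(unwrap(p)); }\n"
    "</script>\n"
)

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Long quoted string literals made only of base64 characters.
BLOB_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=]{40,})["']""")
CLIPBOARD_WRITE = re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)")


def extract_blobs(html: str) -> List[str]:
    """Pull candidate base64 blobs out of script string literals."""
    return BLOB_LITERAL.findall(html)


def try_b64(candidate: str) -> Optional[str]:
    """Decode one base64 layer; return text only if it is clean printable text."""
    candidate = candidate.strip()
    if len(candidate) % 4 or not B64_CHARS.match(candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def peel(blob: str, max_layers: int = 10) -> Tuple[str, List[str]]:
    """Strip layers until nothing decodes; each layer is plain or reversed base64."""
    current, layers = blob, []
    for _ in range(max_layers):
        decoded, op = try_b64(current), "base64"
        if decoded is None:
            # The write-up's "reverse operation": the blob is stored backwards.
            decoded, op = try_b64(current[::-1]), "reverse+base64"
        if decoded is None:
            break
        layers.append(op)
        current = decoded
    return current, layers


def analyse(html: str) -> Dict:
    """Summarise what a defender wants to know about a suspected ClickFix page."""
    findings = []
    for blob in extract_blobs(html):
        plaintext, layers = peel(blob)
        if layers and re.match(r"(?i)\s*(powershell|pwsh|mshta|cmd)\b", plaintext):
            findings.append({"layers": layers, "command": plaintext})
    return {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(html)),
        "decoded_commands": findings,
    }


if __name__ == "__main__":
    report = analyse(CONSTRUCTED_LURE_HTML)
    print("clipboard write present:", report["clipboard_write"])
    for finding in report["decoded_commands"]:
        print("layers:", " -> ".join(finding["layers"]))
        print("command:", finding["command"])
```

The printable-text check in `try_b64` is what keeps the loop honest: a reversed base64 string that happens to decode without error usually yields binary garbage, and rejecting it stops the peeler from following a false branch. Pairing a decoded shell command with a clipboard-write call is the page-level signal that distinguishes a ClickFix lure from an ordinary page that merely embeds base64 data.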
MITRE Techniques
- [T1059.001] PowerShell – PowerShell was used to download and execute a multi-stage HTA payload and run subsequent scripts (‘the PowerShell script downloads an HTA file from the following URL: https://linktoxic34.com/wp-content/themes/twentytwentytwo/dark.hta’).
- [T1027] Obfuscated Files or Information – Multiple layers of Base64 encoding and a reverse operation were used to conceal the payload and execution logic (‘multiple segments of base64-encoded content were identified.’).
- [T1036] Masquerading – The HTA was presented as a legitimate “How to fix” extension or tool to trick users into executing it (‘The ‘Word Online’ extension is not installed in your browser. To view the document offline, click the ‘How to fix’ button.’).
- [T1071.001] Application Layer Protocol: Web Traffic – Payloads and scripts were retrieved over HTTP(S) from a remote web host (‘the PowerShell script downloads an HTA file from the following URL: https://linktoxic34.com/wp-content/themes/twentytwentytwo/dark.hta’).
- [T1219] Remote Access Tool – The deployed DarkGate components enabled remote control and C2 communications after successful execution (‘DarkGate initiates its malicious operations and establishes communication with its command and control (C2) infrastructure.’).
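Detection logic for the execution chain these techniques describe (PowerShell launched from the Run dialog with a hidden window, encoded command or download cradle; mshta.exe running an .hta staged under C:\Users\Public; an AutoIt interpreter executing an .a3x script from a user-writable folder), added here as an example; it is not code from the write-up or from Point Wild. It is Python run over constructed Sysmon-style process-creation events; the event field names, the rule names, the staging folder `stage` and the encoded blob in event 2 are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon-style shape (image, parent
# image, command line). They illustrate the chain in the write-up and are not
# telemetry from the incident; the "stage" folder and the -enc blob are
# placeholders.
CONSTRUCTED_EVENTS: List[Dict] = [
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},  # a user opening a console: benign
    {"id": 2,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="},
    {"id": 3,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta.exe C:\Users\Public\nC.hta"},
    {"id": 4,
     "image": r"C:\Users\Public\stage\AutoIt3.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Users\Public\stage\AutoIt3.exe C:\Users\Public\stage\fckhffh.a3x"},
]

# Flags that hide the window or carry a base64 command.
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)\s-(?:w|win|windowstyle)\s+hidden\b|\s-(?:e|ec|enc|encodedcommand)\s")
# Common PowerShell download primitives.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b"
    r"|downloadstring|downloadfile|net\.webclient|start-bitstransfer")
# Folders a standard user can write to (where dark.hta was staged).
USER_WRITABLE = re.compile(
    r"(?i)\\users\\public\\|\\appdata\\|\\temp\\|\\programdata\\|\\downloads\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_clickfix_run_dialog(ev: Dict) -> bool:
    """PowerShell spawned directly by the shell (Win+R / Run dialog) with a
    hidden window, an encoded command or a download cradle."""
    return (_basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and _basename(ev["parent"]) == "explorer.exe"
            and bool(HIDDEN_OR_ENCODED.search(ev["cmdline"])
                     or DOWNLOAD_CRADLE.search(ev["cmdline"])))


def rule_mshta_user_writable(ev: Dict) -> bool:
    """mshta.exe executing an .hta staged in a user-writable folder."""
    return (_basename(ev["image"]) == "mshta.exe"
            and ev["cmdline"].lower().rstrip('"').endswith(".hta")
            and bool(USER_WRITABLE.search(ev["cmdline"])))


def rule_autoit_user_writable(ev: Dict) -> bool:
    """An AutoIt interpreter run from, or running an .a3x from, a user-writable folder."""
    return (_basename(ev["image"]).startswith("autoit3")
            and (bool(USER_WRITABLE.search(ev["image"]))
                 or bool(USER_WRITABLE.search(ev["cmdline"])))
            and ".a3x" in ev["cmdline"].lower())


RULES = {
    "clickfix_run_dialog_powershell": rule_clickfix_run_dialog,
    "mshta_user_writable_hta": rule_mshta_user_writable,
    "autoit_script_user_writable": rule_autoit_user_writable,
}


def run_detections(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, event id) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


if __name__ == "__main__":
    for name, event_id in run_detections(CONSTRUCTED_EVENTS):
        print(f"{name}: event {event_id}")
```

Each rule keys on a relationship rather than a string that the next campaign can change: explorer.exe as the direct parent of PowerShell is what the Win+R paste produces, and an .hta or .a3x living under a user-writable path is what the staging step leaves behind. Event 1 shows why the parent check alone is not enough; a user opening a console from the Run dialog must not fire.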
Indicators of Compromise
- [Domain/URL] Malicious download host – https://linktoxic34.com/wp-content/themes/twentytwentytwo/dark.hta (linktoxic34.com)
- [File Name / Local Path] Downloaded and staged payloads – c:\users\public\nC.hta, dark.hta, and 2 more files
- [File Name] Script and payload filenames – fckhffh.a3x, script.a3x, and 2 more files
- [SHA-256] Known file hashes – Dark.hta a628638c20f6a67ac80782dc872e1e06b84cda68accf5e912ade6645c689f04, AutoIt script 4f5f733c7ca71d514991ac3b369e34ce1c3744ff604c88481522edced14cc22c, and 2 more hashes
- [Detection Name] AV detection signature – Trojan.HTML.DarkGate.ORS
Read more: https://www.pointwild.com/threat-intelligence/clickfix-darkgate