toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

#clickfix

I think I have a nice compromise #ClickFix ...fix for those places that just can't live without some Explorer niceties.

There is an alternative to the "Disable Windows shortcuts" GPO, which not only disables Win+ shortcuts, but also things like using UNC paths in the Explorer address bar.

Of course, Geoff Chappell lights the way.

I believe that GPO applies the REST_NORUN reg key and not the REST_NOWINKEYS policy—despite the name.

If I apply the REST_NORUN reg setting directly, I get the same behavior as the GPO. The popup pictured here appears.

But if I instead set REST_NOWINKEYS, the Win+R shortcut is disabled, but other stuff (like UNC paths in Explorer) still works! Now, this doesn't remove the Run command from the Start menu, but it is at least a safety. Oh, and one more thing: because that shortcut is now unregistered, you can register it yourself for something like a lil daemon that pops a message box saying "Hey, did a website tell you to do this? Don't!"

You can try both settings.

REST_NORUN: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

REST_NOWINKEYS: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys

UPDATE: You can additionally disable only Win+R by setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\Advanced\DisabledHotkeys to a String value containing the Win shortcuts you want to disable. So a single R will do the trick. Note this only works at the user level.
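An added example (my own script, not something from the post above) that applies one of the three settings the post compares and reads all of them back, so their side effects can be checked on a test host one at a time. It assumes the DisabledHotkeys value lives under the standard Explorer\Advanced key, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, and that the two HKLM policy values need an elevated shell.

```powershell
# Added example, not the poster's script. Applies one of the Win+R
# mitigations discussed above and reports the current state of all three.
# Run elevated for the HKLM policy modes; -WhatIf previews the change.
# Assumption: DisabledHotkeys is the standard per-user Explorer\Advanced
# value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion.
[CmdletBinding(SupportsShouldProcess)]
param(
    # NoRun      : REST_NORUN policy (blocks Win+R and UNC paths in Explorer)
    # NoWinKeys  : REST_NOWINKEYS policy (blocks Win+ hotkeys only)
    # HotkeyOnly : per-user DisabledHotkeys = 'R' (blocks just Win+R)
    # Clear      : remove all three; Status: read back, change nothing
    [ValidateSet('NoRun', 'NoWinKeys', 'HotkeyOnly', 'Clear', 'Status')]
    [string]$Mode = 'Status'
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$advKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-RegValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set to '$Value' ($Type)")) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    }
}

function Remove-RegValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string[]]$Name)
    foreach ($n in $Name) {
        if ((Test-Path $Path) -and $PSCmdlet.ShouldProcess("$Path\$n", 'remove')) {
            Remove-ItemProperty -Path $Path -Name $n -ErrorAction SilentlyContinue
        }
    }
}

function Get-MitigationStatus {
    # Missing keys or values read back as 0 / empty, so the object is always complete.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $advKey    -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoRun           = [int]$p.NoRun
        NoWinKeys       = [int]$p.NoWinKeys
        DisabledHotkeys = [string]$a.DisabledHotkeys
    }
}

function Restart-Explorer {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # DisabledHotkeys is read when the shell starts. Explorer normally
    # respawns on its own after being killed; start it only if it did not.
    if ($PSCmdlet.ShouldProcess('explorer.exe', 'restart')) {
        Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 3
        if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
            Start-Process explorer.exe
        }
    }
}

switch ($Mode) {
    'NoRun'      { Set-RegValue $policyKey 'NoRun'     1 'DWord' }
    'NoWinKeys'  { Set-RegValue $policyKey 'NoWinKeys' 1 'DWord' }
    'HotkeyOnly' { Set-RegValue $advKey 'DisabledHotkeys' 'R' 'String'; Restart-Explorer }
    'Clear'      {
        Remove-RegValue $policyKey @('NoRun', 'NoWinKeys')
        Remove-RegValue $advKey    @('DisabledHotkeys')
        Restart-Explorer
    }
}

Get-MitigationStatus
```

Run it as `.\winr-mitigation.ps1 -Mode NoWinKeys -WhatIf` first to see what it would touch, then without -WhatIf. The check after each mode is the one the post describes: press Win+R, then type a UNC path such as \\server\share into the Explorer address bar. Only NoRun should break the second one.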

🚨 New ClickFix campaign alert! 🚨 This evolving cyberattack now targets both Windows & Linux users by tricking them into running malicious console commands under the guise of “browser updates” or CAPTCHA tests. 🖥️🔒 Currently harmless but watch out! Threat actor: APT36 (Pakistan). Stay safe & informed! 🔐 #CyberSecurity #ClickFix #Linux #Windows #APT36 #InfoSec #TechRadar #newz

Read more: techradar.com/pro/security/new

TechRadar Pro · New ClickFix campaign spotted hitting both Windows and Linux machines, by Sead Fadilpašić

🚨 New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.

👨‍💻 Analysis session: app.any.run/browses/50395c46-4

📍 URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake “Windows Defender Security Center” popup.

🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to panic the user.

Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.

🎣 The phishing page may also display a fake CloudFlare message tricking users into executing a #malicious Run command.
Take a look: app.any.run/tasks/e83a5861-600

#IOCs:
supermedicalhospital[.]com
adflowtube[.]com
knowhouze[.]com
ecomicrolab[.]com
javascripterhub[.]com
virtual[.]urban-orthodontics[.]com

Streamline threat analysis for your SOC with #ANYRUN 🚀
#ExploreWithANYRUN

Bingo! Lots of modern techniques were tapped in this Unit 42 Timely threat intel repo:

  • Adware affiliates on South African TLD .za, routing to a CrimeFlare TDS with short-lived URL params
  • After expiration, they appear as benign "blogs"
  • MSI files are different for each download
  • MSI files do not work outside the infection chain
  • MSI download pages are all .com and, while odd, they are readable word combinations.
  • Win+R ClickFix technique, but in this case they are loading curl, which in PS5 is an alias of Invoke-WebRequest. This can be seen with gal -Definition Invoke-WebRequest; wget is also an alias, and both were removed in v7.

github.com/PaloAltoNetworks/Un

GitHub · Unit42-timely-threat-intel/2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt at ef284c86b45e329415e45bb2c38cc5c628bbbd49 · PaloAltoNetworks/Unit42-timely-threat-intel: A collection of files with indicators supporting social media posts from Palo Alto Network's Unit 42 team to disseminate timely threat intelligence.
Replied in thread

@jernej__s so Win+X is a tricky one, because you can't remove it with the same registry path you would for Run. This is because Run is an Explorer shortcut and WinX is a system shortcut. I'm not actually targeting WinX itself but the PowerShell shortcuts, so I'm fine with its basic function.

I have seen some ClickFix, I assume to work around the Win+R mitigations, request the user launch PowerShell with Win+X.

To remove the two shortcuts, simply rename the .lnk to something like .lnk.disabled, and it will take effect immediately, removing the shortcuts from Win+X.

The files are in the user's folder, so I just deployed a script to do this for all profiles in /users/
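An added example, my own rather than the script the reply mentions, that does the rename across all local profiles and can undo it. It assumes profiles live under C:\Users (the C:\Users\Default template is included, so new profiles inherit the change) and that the Win+X menu is built from the .lnk files under AppData\Local\Microsoft\Windows\WinX\Group*\ in each profile.

```powershell
# Added example, not the poster's deployed script. Disables (or restores)
# the PowerShell entries of the Win+X menu for every local profile by
# renaming the shortcut files, as the reply describes.
# Assumptions: profiles are under C:\Users (C:\Users\Default, the template
# for new profiles, is included) and the menu comes from
# AppData\Local\Microsoft\Windows\WinX\Group*\*.lnk. Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfileRoot = 'C:\Users',
    # Shortcut name patterns to disable. Add '*Terminal*' on hosts whose
    # Win+X offers Windows Terminal, which opens PowerShell by default.
    [string[]]$Pattern = @('*PowerShell*'),
    [switch]$Restore,
    [string]$Suffix = '.disabled'
)

$winxRel = 'AppData\Local\Microsoft\Windows\WinX'

function Get-WinXShortcut {
    param([string]$Root, [string[]]$Pattern, [string]$Filter)
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $winxRel } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_ -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue
        } |
        Where-Object {
            # -Filter can match on 8.3 short names too, so re-check the long name.
            $name = $_.Name
            ($name -like $Filter) -and (@($Pattern | Where-Object { $name -like $_ }).Count -gt 0)
        }
}

$changed = @()
if ($Restore) {
    foreach ($lnk in Get-WinXShortcut -Root $ProfileRoot -Pattern $Pattern -Filter "*.lnk$Suffix") {
        $new = $lnk.Name.Substring(0, $lnk.Name.Length - $Suffix.Length)
        if ($PSCmdlet.ShouldProcess($lnk.FullName, "rename to $new")) {
            Rename-Item -LiteralPath $lnk.FullName -NewName $new
            $changed += $lnk.FullName
        }
    }
} else {
    foreach ($lnk in Get-WinXShortcut -Root $ProfileRoot -Pattern $Pattern -Filter '*.lnk') {
        if ($PSCmdlet.ShouldProcess($lnk.FullName, "rename to $($lnk.Name)$Suffix")) {
            Rename-Item -LiteralPath $lnk.FullName -NewName ($lnk.Name + $Suffix)
            $changed += $lnk.FullName
        }
    }
}

"{0} shortcut(s) {1}" -f $changed.Count, $(if ($Restore) { 'restored' } else { 'disabled' })
$changed
```

`.\winx-disable.ps1 -WhatIf` lists every file that would be renamed without touching it; `-Restore` reverses the change. Because only the shortcut files move, Win+X itself keeps working, which matches what the reply is after.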

ClickFix and malware seem to prefer PowerShell aliases (iwr, iex) for obfuscation, so I thought: why not simply disable them and turn them into canaries?

Of course impact is highly org and user dependent, but since it's deployed per user+host profile, we can easily apply it to the primary, non-privileged or service identity.

And yes, still disable Win+R, Win+X, log and get control on EPs. If you're already hunting iwr, you hopefully know where they run as current user.
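An added example, my own code rather than the poster's, of the canary idea in this post and of the alias check from the Unit 42 post above (gal -Definition): it removes every alias that resolves to Invoke-WebRequest or Invoke-Expression in the running PowerShell version (iwr and iex, plus curl and wget on Windows PowerShell 5) and replaces each with a same-named function that logs the attempt and refuses to run. It assumes a Windows event source named PSAliasCanary has been registered once, elevated, with `New-EventLog -LogName Application -Source PSAliasCanary`; the file fallback path is an arbitrary choice.

```powershell
# Added example, not the poster's code. Put it in the profile of the
# identity a ClickFix lure would run as ($PROFILE.CurrentUserAllHosts) or
# in a machine-wide profile.
# Assumptions: the event source PSAliasCanary exists (created once with
#   New-EventLog -LogName Application -Source PSAliasCanary)
# and the fallback log file below is an arbitrary location.
$CanarySource  = 'PSAliasCanary'
$CanaryLogFile = Join-Path $env:ProgramData 'ps-alias-canary.log'

function Get-CanaryAlias {
    # Same data 'gal -Definition Invoke-WebRequest' shows: iwr, and on
    # Windows PowerShell 5 also curl/wget; iex for Invoke-Expression.
    # Only aliases that exist in this PowerShell version come back.
    Get-Alias -Definition Invoke-WebRequest, Invoke-Expression -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

function Write-CanaryEvent {
    param([string]$Alias, [string]$Line)
    # Parent PID tells you whether this came from the Run dialog (explorer.exe).
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $PID").ParentProcessId
    $msg = "Alias '$Alias' invoked by $env:USERDOMAIN\$env:USERNAME in PID $PID " +
           "(parent PID $parent). Command line: $Line"
    try {
        # Write-EventLog exists in Windows PowerShell 5 only; on PowerShell 7,
        # or with an unregistered source, it throws and the file fallback runs.
        Write-EventLog -LogName Application -Source $CanarySource -EntryType Warning `
            -EventId 4101 -Message $msg -ErrorAction Stop
    } catch {
        Add-Content -Path $CanaryLogFile -Value ("{0:o} {1}" -f (Get-Date), $msg)
    }
}

foreach ($name in Get-CanaryAlias) {
    # Command resolution prefers aliases over functions, so the alias goes first.
    Remove-Item -Path "Alias:\$name" -Force -ErrorAction SilentlyContinue
    # Same-named function: logs, then throws so the rest of the pipeline dies.
    # $MyInvocation.Line is the full line that called it, i.e. the pasted one-liner.
    $body = @"
Write-CanaryEvent -Alias '$name' -Line `$MyInvocation.Line
throw "'$name' is disabled on this host. Did a web page tell you to paste this? Don't."
"@
    Set-Item -Path "Function:\global:$name" -Value ([scriptblock]::Create($body))
}
```

To check it, open a new shell as that user and run `iwr http://example.invalid | iex`: the first command logs event 4101 (or a line in the fallback file) with the whole pipeline in the message and stops it. The real cmdlets are untouched, so `Invoke-WebRequest` by full name still works for admins and scripts, and `curl.exe` is unaffected because aliases never shadow an explicit .exe; the impact is limited to callers that rely on the short names, which is the trade-off the post describes.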