Threat ID: TL-2026-0127 | Severity: HIGH | Status: ACTIVE
Actor: Unknown (MaaS toolkit seller) | Motivation: FINANCIAL
MITRE Techniques: 28 | Detections: 9 | CWEs: CWE-451, CWE-345, CWE-494, CWE-116, CWE-829
Browser cache was never meant to be a malware staging ground. ClickFix turned it into one.
A new evolution of the ClickFix social engineering chain removes the network download from the execution stage by staging malware payloads in the browser cache before execution. Advertised on underground forums for $300 on February 16, 2026, the toolkit disguises executable payloads as cached image resources (PNG/JPG), then uses social engineering lures to trick victims into pasting PowerShell commands that extract and execute the cached payloads locally, so that EDR network hooks, firewall download rules, and download monitoring see nothing at the moment of execution. What follows is a full breakdown of the cache smuggling mechanism, the ClickFix lineage from ClearFake through the current MaaS offering, and production-ready detection queries targeting each stage of the kill chain.
CyberMaxx/BlackSwan research on browser cache smuggling — documenting the download cradle technique that abuses browser image caching for payload staging.
Executive Summary
- What: ClickFix variant stores malware payloads as browser-cached "image" resources, then uses paste-this-fix social engineering to trigger local PowerShell extraction and execution — no network download at execution time
- Who: Unknown MaaS toolkit seller on underground forums; $300 for builder, source code, and setup; $200 for custom template rewrites; rapid adoption expected across the ClickFix ecosystem
- Impact: Delivers NetSupport RAT, Latrodectus, Lumma Stealer, Havoc C2, ransomware loaders, and cryptominers; bypasses EDR network hooks, download alerts, and Content-Type filtering at the execution stage
- Status: Active since February 2026 as MaaS; ClickFix technique lineage traces to ClearFake (2023) and TA571 campaigns (2024)
- Detection: 9 production-ready detections available on Threadlinqs Intelligence
Technical Analysis
Cache Me If You Can
Cache as attack surface. Nobody saw it coming.
Traditional ClickFix campaigns required victims to paste PowerShell commands that downloaded malware over the network, a detectable event for EDR, proxy logs, and firewall rules. The cache smuggling variant removes this detection surface from the execution stage by pre-staging payloads in the browser's local cache directory during the initial page visit; the only network transfer is what looks like an ordinary image load at browse time. The stage-2 drops from cache, not from the network.
Phase 1 — Passive Delivery. When a victim visits a compromised or attacker-controlled website, the page loads malicious payloads disguised as image resources through standard <img> tags or fetch() API calls. The server responds with Content-Type: image/jpeg headers while the response body contains executable code, compressed archives, or Exif-embedded payloads. Browser caching directives (Cache-Control: max-age=86400, i.e. 24 hours) ensure the payload persists locally.
Phase 2 — Social Engineering. The page displays a fake error dialog — Chrome update required, Microsoft Word rendering error, CAPTCHA verification, or Fortinet VPN compliance check. The lure instructs the victim to "fix" the issue by copying a command and pasting it into the Windows Run dialog (Win+R), PowerShell, or the Windows Explorer address bar.
Phase 3 — Local Execution. The pasted command invokes PowerShell to read from local browser cache directories, extract the payload using regex markers (bTgQcBpv, mX6o0lBw, or 13371337), optionally decrypt and decompress the content, then execute it. No callback. No download. The implant is already on disk, and EDR never sees a network fetch at execution time.
The FileFix Variant
A parallel variant called FileFix pads commands with 139 or more leading whitespace characters before the malicious PowerShell string. When pasted into the Windows Explorer address bar, the whitespace hides the actual command from view, making it appear the user navigated to a folder path. Execution occurs through conhost.exe --headless, further obscuring the process chain.
Exif Smuggling
An advanced variant embeds payloads within image Exif metadata fields, using null-byte concealment to pass Content-Type validation. The PowerShell extraction phase reads specific Exif tags from the cached image file rather than scanning for inline regex markers.
Why EDR Misses This
Most endpoint agents hook network API calls (WinINet, WinHTTP, socket-level) to flag suspicious downloads. Cache smuggling sidesteps that layer: the browser performs the HTTP fetch (trusted process, unremarkable destination), and the payload lands in cache through normal browsing behavior. When PowerShell later reads from a local file path, there is no network event to trigger on. What remains visible is process and file telemetry: explorer.exe spawning a shell, a script interpreter opening files under a browser cache directory, and the extraction markers sitting in the command line. EDR that keys only on network hooks is blind here; EDR with process-creation and file-access telemetry is not, and that is where the detections below sit.
When we tested this against browser cache forensics tools, the cached payloads were indistinguishable from legitimate image resources at the file-system level. Only the Content-Type mismatch at the proxy layer and the PowerShell-to-cache-directory access pattern gave it away. Side note: the regex markers (bTgQcBpv, 13371337) are the operator's weakest link — they are trivially signaturable, but only if you know to look inside cache directories.
Attack Chain
- Resource Development: Attacker builds the ClickFix toolkit: payload generator, lure templates (Fortinet VPN, Chrome update, Word error), and hosting infrastructure (T1587.001, T1608.001, T1583.001)
- Initial Access: Victim visits a compromised site or attacker-controlled domain; the malicious payload is cached as an image resource via drive-by download (T1189, T1566.002)
- Execution: Victim pastes the command into the Run dialog, Explorer address bar, or PowerShell; the script reads the browser cache, extracts the payload via regex markers, and executes it (T1204.001, T1059.001, T1059.003)
- Defense Evasion: Payload masquerades as a cached image (Content-Type mismatch); the FileFix variant uses 139+ characters of whitespace padding; HijackLoader uses DLL sideloading from temp directories (T1036.005, T1027.009, T1553.005)
- Persistence: Registry Run keys created pointing to temp directories with names like ChromeUpdate (T1547.001); service installation (T1569.002)
- Credential Access: Lumma Stealer and other infostealers access browser credential databases (Login Data, Cookies, Web Data) and crypto wallet directories (T1555.003, T1539)
- Collection and Exfiltration: Clipboard hijacking replaces crypto wallet addresses; data is exfiltrated via Telegram Bot API, Microsoft Graph API, or Latrodectus /gate.php callbacks (T1115, T1567, T1071.001)
Cyber Security News reporting on threat actors advertising the new ClickFix browser cache payload delivery method on underground forums.
Threat Actor Profile
The ClickFix cache smuggling toolkit is sold by an unidentified MaaS operator on underground forums. The seller advertised the builder with full source code and setup instructions for $300, with custom template rewrites available for $200 per template. The listing appeared on February 16-17, 2026, and was documented by Dark Web Informer.
The broader ClickFix ecosystem has been adopted by multiple threat groups since 2023. TA571, tracked by Proofpoint, distributed over 100,000 clipboard-paste phishing emails in early 2024. ClearFake integrated ClickFix with Keitaro traffic distribution systems and Binance Smart Chain hosting (EtherHiding). The Phantom Meet campaign, attributed to SNE/Scamquerteo by Sekoia, used fake Google Meet pages. Fortiguard documented variants deploying Havoc C2 through SharePoint with Graph API abuse. The $300 price point and source code availability signal a commodity-phase transition where any financially motivated operator can deploy cache smuggling at scale. Based on our tracking of 112 threats on the platform, this is the fastest we have seen a technique go from proof-of-concept to MaaS listing — under three months from first observation to underground sale.
Detection
Three queries. Three detection surfaces. Full kill chain coverage.
Threadlinqs Intelligence provides 9 production-ready detection rules for this threat targeting each phase of the kill chain.
Splunk SPL
This query hunts for the primary ClickFix exploitation chain: explorer.exe spawning PowerShell, with enrichment for cache directory access and known regex extraction markers.
```spl
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (parent_process_name="explorer.exe" AND (process_name="powershell.exe" OR process_name="cmd.exe"))
    OR (parent_process_name="conhost.exe" AND match(process_command_line, "--headless"))
| eval cache_access=if(match(lower(process_command_line), "cache_data|cache2|inetcache"), 1, 0)
| eval regex_markers=if(match(process_command_line, "bTgQcBpv|mX6o0lBw|13371337"), 1, 0)
| eval encoded_cmd=if(match(process_command_line, "-[Ee]ncoded[Cc]ommand"), 1, 0)
| eval whitespace_pad=if(match(process_command_line, "^\s{50,}"), 1, 0)
| eval risk_score=cache_access*40 + regex_markers*50 + encoded_cmd*20 + whitespace_pad*30
| where risk_score >= 40
| stats count, values(process_command_line) as commands, values(risk_score) as scores by src_host, user, parent_process_name
| sort -count
```
This query catches both the standard ClickFix chain (explorer spawning PowerShell) and the FileFix variant (whitespace-padded commands via conhost), with risk scoring for cache directory access and known extraction markers. The sourcetype must be quoted because it contains a colon and a slash, and the multiplication operators in the risk_score line are easy to lose when the query is pasted through a markdown renderer. The field names are the CIM-style aliases; if your Sysmon add-on only exposes the raw Image, ParentImage and CommandLine fields, rename accordingly. Note that PowerShell accepts abbreviated parameters (-e, -ec, -enc), which the -EncodedCommand pattern alone will not match.
Microsoft KQL
Browser credential store access by non-browser processes signals the post-exploitation infostealer phase. This KQL union covers it:

```kql
let browser_processes = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"]);
let credential_dbs = dynamic(["Login Data", "Cookies", "Web Data", "key4.db", "logins.json"]);
let cache_dirs = dynamic(["Cache_Data", "cache2", "INetCache"]);
union
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (credential_dbs)
    | where InitiatingProcessFileName !in~ (browser_processes)
    | extend AlertType = "credential_theft"
    // DeviceFileEvents has no ProcessCommandLine column; carry the initiating process's command line instead
    | extend ProcessCommandLine = InitiatingProcessCommandLine
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where FileName in~ ("powershell.exe", "cmd.exe")
    | where ProcessCommandLine has_any (cache_dirs)
    | extend AlertType = "cache_smuggling_execution"
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine matches regex @"^\s{50,}"
    | extend AlertType = "filefix_whitespace"
)
| project Timestamp, DeviceName, AlertType, FileName, InitiatingProcessFileName, ProcessCommandLine
| sort by Timestamp desc
```
This union query covers three detection surfaces: infostealer credential theft (non-browser processes accessing credential databases), cache smuggling execution (explorer spawning PowerShell with cache directory references), and the FileFix whitespace padding variant. Expect the credential_theft branch to fire on backup agents, search indexers and AV engines that legitimately open Login Data and Cookies; keep an allowlist of those InitiatingProcessFileName values rather than widening browser_processes. The whitespace branch carries no parent-process filter, so pair it with the explorer.exe or conhost.exe chain during triage.
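As an added example (not Threadlinqs code), the scoring logic of the SPL query and the credential-store check of the KQL union above are re-implemented in Python and run over constructed Sysmon/MDE-style events so the thresholds can be checked offline. The event fields, the sample command lines, the process names updater.exe and backupagent.exe, and the allowlist are assumptions made here; the weights, marker strings and cache directory names are the report's. It deliberately generalizes one pattern: the encoded-command regex also matches PowerShell's abbreviated -e, -ec and -enc forms, which the SPL's -EncodedCommand pattern misses.

```python
import re
from dataclasses import dataclass

# Weights and the cache/marker/encoded/whitespace tests mirror the SPL eval
# above; the marker strings are the extraction delimiters reported for the kit.
CACHE_DIR_RE = re.compile(r"cache_data|cache2|inetcache", re.IGNORECASE)
MARKER_RE = re.compile(r"bTgQcBpv|mX6o0lBw|13371337")
# PowerShell accepts unambiguous parameter prefixes, so -e, -ec and -enc all
# mean -EncodedCommand; the SPL above only matches the spelled-out form.
ENCODED_RE = re.compile(r"-e(?:c|n\w*)?\b", re.IGNORECASE)
WHITESPACE_RE = re.compile(r"^\s{50,}")
WEIGHTS = {"cache_access": 40, "regex_markers": 50, "encoded_cmd": 20, "whitespace_pad": 30}
THRESHOLD = 40
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CREDENTIAL_DBS = {"login data", "cookies", "web data", "key4.db", "logins.json"}


@dataclass(frozen=True)
class ProcessEvent:  # the Sysmon EID 1 / DeviceProcessEvents fields the rules use
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:  # the DeviceFileEvents fields the credential rule uses
    host: str
    process: str
    filename: str


def score_process(ev):
    """Risk score and matched reasons for one process-creation event.
    Returns (0, []) unless the event is a ClickFix-shaped launch chain."""
    clickfix_chain = ev.parent.lower() == "explorer.exe" and ev.image.lower() in SHELLS
    headless_chain = ev.parent.lower() == "conhost.exe" and "--headless" in ev.cmdline
    if not (clickfix_chain or headless_chain):
        return 0, []
    hits = {
        "cache_access": bool(CACHE_DIR_RE.search(ev.cmdline)),
        "regex_markers": bool(MARKER_RE.search(ev.cmdline)),
        "encoded_cmd": bool(ENCODED_RE.search(ev.cmdline)),
        "whitespace_pad": bool(WHITESPACE_RE.match(ev.cmdline)),
    }
    reasons = [name for name, hit in hits.items() if hit]
    return sum(WEIGHTS[name] for name in reasons), reasons


def credential_access(ev, allow=frozenset()):
    """True when a non-browser process outside the allowlist touches a browser
    credential store (backup agents, indexers and AV belong in allow)."""
    proc = ev.process.lower()
    return ev.filename.lower() in CREDENTIAL_DBS and proc not in BROWSERS and proc not in allow


def run_detections(process_events, file_events, allow=frozenset()):
    """Apply both detections and return the alerts they would raise."""
    alerts = []
    for ev in process_events:
        score, reasons = score_process(ev)
        if score >= THRESHOLD:
            alerts.append({"host": ev.host, "type": "cache_smuggling_execution",
                           "score": score, "reasons": reasons})
    for ev in file_events:
        if credential_access(ev, allow):
            alerts.append({"host": ev.host, "type": "credential_theft",
                           "score": None, "reasons": [f"{ev.process} read {ev.filename}"]})
    return alerts


# Constructed sample telemetry, not real logs. The command lines are abbreviated
# with "..." where a real cradle would carry its extraction logic.
CACHE = r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("ws01", "alice", "explorer.exe", "powershell.exe",
                 'powershell.exe -w hidden -nop -c "gci ' + CACHE + ' | ... -match \'bTgQcBpv\' ..."'),
    ProcessEvent("ws02", "bob", "explorer.exe", "powershell.exe",
                 " " * 139 + "powershell.exe -ec SQBFAFgAIAAoAEcAZQB0AC0AQwBvAG4AdABlAG4AdAA..."),
    ProcessEvent("ws03", "carol", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcessEvent("ws04", "svc", "svchost.exe", "powershell.exe",
                 "powershell.exe -File C:\\ops\\clean-cache.ps1 -Path " + CACHE),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("ws01", "updater.exe", "Login Data"),
    FileEvent("ws01", "chrome.exe", "Login Data"),
    FileEvent("ws05", "backupagent.exe", "Cookies"),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS,
                                allow=frozenset({"backupagent.exe"})):
        print(alert)
```

The fourth sample (svchost.exe launching a maintenance script that references Cache_Data) scores zero on purpose: the parent-process gate is what keeps the cache-directory heuristic from paging on legitimate cleanup jobs, so a cache-path hit outside the explorer.exe or conhost.exe chain belongs in a separate, lower-severity hunt rather than in this rule.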
Sigma
Catching cache smuggling at the proxy layer: Content-Type mismatches where image responses contain executable content flag the passive cache loading phase:

```yaml
title: ClickFix Content-Type Mismatch — Image Response with Executable Content
id: 4b2e8f71-c9a3-4d67-b512-7e9f3a1c8d45
status: experimental
description: Detects image Content-Type responses whose body starts with ZIP, PE, or ELF magic bytes, indicating browser cache smuggling payload delivery
references:
    - https://intel.threadlinqs.com/#TL-2026-0127
    - https://cybersecuritynews.com/threat-actors-advertising-new-clickfix-payload/
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.defense_evasion
    - attack.t1036.005
    - attack.initial_access
    - attack.t1189
logsource:
    category: proxy
detection:
    selection_content_type:
        response_content_type|startswith: 'image/'
    selection_magic:
        # MZ alone is the PE signature; the 0x90 0x00 bytes that often follow are not guaranteed
        response_body|re: '^(PK\x03\x04|MZ|\x7fELF)'
    selection_domains:
        dest_domain|contains:
            - 'dlccdn.com'
            - 'fc-checker'
            - 'checker.dlccdn'
    selection_size:
        response_size|gt: 102400
    condition: (selection_content_type and selection_magic) or selection_domains or (selection_content_type and selection_size)
falsepositives:
    - Legitimate large image files (photography sites, CDNs)
    - WebP or AVIF images exceeding 100KB
level: high
```

The magic-byte selection was originally named filter_mismatch; in Sigma, identifiers beginning with filter are read as exclusions by convention, so it is renamed here to match how the condition actually uses it, and the regex is anchored to the start of the body so that PK or MZ appearing inside genuine image data does not match. The field names (response_content_type, response_body, response_size) are not from Sigma's proxy taxonomy and must be mapped to the proxy's own schema; body inspection in particular needs a proxy that exposes response bytes to the rule engine. The size clause is a hunting heuristic rather than an alert: on its own it fires on every large photograph, so scope it or drop it before promoting the rule past experimental.
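As an added example, not code from the report or from the CyberMaxx/BlackSwan research it cites, the following Python inspects bytes that a server declared as an image (Phase 1 above) or that a browser stored in its cache, and reports the signs the Sigma rule keys on: a declared image type whose bytes carry no image signature, executable or archive magic at the start of the body, data after the JPEG EOI or PNG IEND terminator, and a payload bracketed by the reported extraction markers. The sample files are constructed here; that the marker-wrapped payload is base64-encoded is an assumption (the report only says the cradle may decrypt or decompress). It also adds the check a practitioner needs before scanning bodies for MZ: two bytes occur by chance inside compressed image data, so a bare MZ only counts when the DOS stub text follows it. The Exif variant is not modelled; for it, neither the trailing-data nor the marker check fires and the Exif tag contents would have to be parsed.

```python
import base64
import os
import tempfile

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x7fELF": "elf"}
MARKERS = [b"bTgQcBpv", b"mX6o0lBw", b"13371337"]  # extraction delimiters reported for the kit
DOS_STUB = b"This program cannot be run in DOS mode"


def sniff_image(data):
    """MIME type the leading bytes actually claim, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def exec_offsets(data):
    """Offsets of embedded executable/archive signatures. A bare 'MZ' occurs by
    chance in image data, so it only counts when the DOS stub text follows it
    within the 256 bytes a PE header normally occupies."""
    hits = []
    for magic in ARCHIVE_MAGIC:
        i = data.find(magic)
        while i != -1:
            hits.append(i)
            i = data.find(magic, i + 1)
    i = data.find(b"MZ")
    while i != -1:
        if DOS_STUB in data[i:i + 256]:
            hits.append(i)
        i = data.find(b"MZ", i + 1)
    return sorted(hits)


def image_end(data, mime):
    """Offset just past the image's own terminator, or None if it is absent."""
    if mime == "image/jpeg":
        i = data.find(b"\xff\xd9")           # EOI marker
        return None if i == -1 else i + 2
    if mime == "image/png":
        i = data.find(b"IEND")
        return None if i == -1 else i + 8    # chunk type plus CRC
    return None


def inspect_image(content_type, data):
    """Findings for one proxy response body or cache entry. content_type is the
    declared type, or None when only the bytes on disk are available."""
    findings = []
    sniffed = sniff_image(data)
    if content_type and content_type.startswith("image/") and sniffed is None:
        findings.append("content_type_mismatch")
    if data.startswith(b"MZ") or any(data.startswith(m) for m in ARCHIVE_MAGIC):
        findings.append("executable_at_start")
    end = image_end(data, sniffed)
    if end is not None and end < len(data):
        findings.append("trailing_data")        # bytes after EOI/IEND: a polyglot
    if exec_offsets(data):
        findings.append("embedded_executable")
    for marker in MARKERS:
        first = data.find(marker)
        second = -1 if first == -1 else data.find(marker, first + len(marker))
        if second == -1:
            continue
        findings.append("marker_delimited_blob")
        blob = data[first + len(marker):second]
        try:                                    # assumed base64 wrapping; decode if it parses
            blob = base64.b64decode(blob, validate=True)
        except ValueError:
            pass
        if blob.startswith(b"MZ") or exec_offsets(blob):
            findings.append("marker_blob_is_executable")
    return {"sniffed": sniffed, "size": len(data), "findings": findings}


def scan_cache_dir(path):
    """inspect_image over every file under path; only files with findings are returned."""
    flagged = {}
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                res = inspect_image(None, fh.read())
            if res["findings"]:
                flagged[os.path.relpath(full, path)] = res["findings"]
    return flagged


def build_samples():
    """Constructed bytes, not captured samples: a clean PNG, a JPEG with a
    marker-wrapped base64 PE appended after EOI, and a ZIP named as a PNG."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16
    smuggled = jpeg + b"bTgQcBpv" + base64.b64encode(fake_pe) + b"bTgQcBpv"
    zip_body = b"PK\x03\x04\x14\x00" + b"\x00" * 26 + b"payload.exe"
    return {"clean.png": png, "banner.jpg": smuggled, "logo.png": zip_body}


def demo():
    """Write the samples into a temporary 'cache' directory and scan it."""
    with tempfile.TemporaryDirectory() as cache:
        for name, body in build_samples().items():
            with open(os.path.join(cache, name), "wb") as fh:
                fh.write(body)
        return scan_cache_dir(cache)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Run against a real Chrome or Edge Cache_Data directory the trailing_data check is the most robust of the four, because it does not depend on the toolkit's marker strings surviving a template rewrite; the marker scan is the cheapest to signature and the easiest for the operator to change.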
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
Proofpoint Threat Research — 'From Clipboard to Compromise: A PowerShell Self-Pwn' — documenting the ClickFix social engineering paradigm evolution.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Domain | fc-checker.dlccdn.com | ClickFix Fortinet compliance checker lure |
| Domain | checker.dlccdn.com | ClickFix infrastructure domain |
| URL Pattern | /gate.php | Latrodectus C2 callback endpoint |
| API Abuse | Microsoft Graph API (SharePoint) | Havoc C2 communication channel |
| API Abuse | Telegram Bot API | Stealer exfiltration channel |
File Indicators
| Type | Indicator | Context |
|---|---|---|
| Regex Marker | bTgQcBpv | Cache extraction delimiter |
| Regex Marker | mX6o0lBw | Cache extraction delimiter |
| Regex Marker | 13371337 | Cache extraction delimiter |
| File Path | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\ | Chrome cache smuggling target |
| File Path | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cache\Cache_Data\ | Edge cache smuggling target |
| File Path | %LOCALAPPDATA%\Mozilla\Firefox\Profiles\<profile>\cache2\ | Firefox cache smuggling target |
| File Path | %LOCALAPPDATA%\FortiClient\compliance | Fortinet lure temp staging path |
| Process | client32.exe from %TEMP% or %APPDATA% | NetSupport RAT non-standard path |
| DLL | HTCTL32.DLL from temp directories | NetSupport sideloading indicator |
| Registry | HKCU\...\Run pointing to %TEMP%\ChromeUpdate | Persistence key |
Behavioral Indicators
- PowerShell or cmd.exe accessing browser cache directories with regex-based content extraction
- explorer.exe spawning powershell.exe with the -EncodedCommand parameter
- Commands containing 50 or more leading whitespace characters (FileFix variant)
- conhost.exe --headless execution from non-standard parent processes
- WMI MSAcpi_ThermalZoneTemperature queries from scripting engines (sandbox evasion)
- Rapid SetClipboardData API calls replacing cryptocurrency wallet addresses
- Unsigned DLLs loading from %TEMP% directories (HijackLoader sideloading)
Timeline
| Date | Event |
|---|---|
| 2023-10-16 | Guard.io publishes EtherHiding research — Binance Smart Chain contract hosting as malware distribution |
| 2024-03-01 | Proofpoint documents TA571 clipboard-paste social engineering across 100K+ phishing emails |
| 2024-04-01 | ClearFake adopts ClickFix technique with Keitaro TDS and BSC hosting |
| 2024-06-01 | ReliaQuest publishes first ClickFix-style execution documentation |
| 2024-06-18 | Proofpoint publishes full "Clipboard to Compromise" report on PowerShell self-pwn chains |
| 2024-10-17 | Sekoia documents "ClickFix Phantom Meet" campaign attributed to SNE/Scamquerteo |
| 2025-02-27 | Fortiguard reports ClickFix deploying Havoc C2 via Microsoft SharePoint and Graph API abuse |
| 2025-10-01 | Fortinet-themed ClickFix cache smuggling variant first observed |
| 2025-12-01 | Exif smuggling variant proof-of-concept developed with null-byte concealment |
| 2026-02-16 | Underground toolkit advertised: $300 builder with source code, $200 custom templates |
| 2026-02-17 | Cyber Security News and Blackswan Cybersecurity publish technical analyses |
| 2026-02-21 | Threadlinqs Intelligence publishes TL-2026-0127 with full MITRE ATT&CK mapping |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Context |
|---|---|---|---|
| Initial Access | Drive-by Compromise | T1189 | Compromised sites loading cached payloads |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Lure pages with fake error dialogs |
| Execution | User Execution: Malicious Link | T1204.001 | Victim pastes command from lure page |
| Execution | PowerShell | T1059.001 | Cache extraction and payload execution |
| Execution | Windows Command Shell | T1059.003 | FileFix Explorer address bar execution |
| Defense Evasion | Obfuscated Files or Information | T1027 | Base64-encoded commands, whitespace padding |
| Defense Evasion | Embedded Payloads | T1027.009 | Executable content in image container |
| Defense Evasion | Match Legitimate Name or Location | T1036.005 | Payloads masquerading as cached images |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | PowerShell regex extraction and decryption |
| Defense Evasion | Mark-of-the-Web Bypass | T1553.005 | Cached content bypasses MotW |
| Persistence | Registry Run Keys | T1547.001 | ChromeUpdate keys in temp directories |
| Credential Access | Credentials from Web Browsers | T1555.003 | Lumma Stealer accessing Login Data, Cookies |
| Credential Access | Steal Web Session Cookie | T1539 | Browser cookie database theft |
| Collection | Clipboard Data | T1115 | Crypto wallet address replacement |
| Exfiltration | Exfiltration Over Web Service | T1567 | Telegram Bot API, Graph API exfiltration |
| Command and Control | Web Protocols | T1071.001 | Latrodectus gate.php, Havoc SharePoint C2 |
| Discovery | Virtualization/Sandbox Evasion | T1497 | WMI temperature sensor, MAC OUI checks |
Full MITRE ATT&CK mapping with 28 techniques: View coverage on Threadlinqs
TL-2026-0127 on Threadlinqs Intelligence — ClickFix browser cache smuggling MaaS toolkit storing malware payloads in browser cache to bypass EDR and firewalls.
Recommendations
- Train users immediately: conduct targeted awareness training on paste-this-fix social engineering; users should never paste commands from websites into PowerShell, the Run dialog, or the Explorer address bar. Where standard users have no need for it, removing the Run dialog through the NoRun policy closes the Win+R path outright
- Deploy behavioral EDR rules: monitor for PowerShell or script interpreters accessing browser cache directories (Cache_Data, cache2, INetCache); alert on explorer.exe spawning powershell.exe
- Enforce PowerShell constraints: deploy AppLocker or WDAC policies restricting PowerShell to signed scripts for standard users; PowerShell drops into Constrained Language Mode automatically when such a script-enforcement policy is in place
- Block at the proxy: implement Content-Type validation blocking image responses containing ZIP, PE, or DLL magic bytes; sinkhole known ClickFix domains (fc-checker.dlccdn.com, checker.dlccdn.com)
- Monitor persistence indicators: hunt for Registry Run keys pointing to temp directories, client32.exe (NetSupport) in non-standard paths, and unsigned DLLs loading from %TEMP%
References
- Cyber Security News: Threat Actors Advertising New ClickFix Payload — Cybersecurity News, February 2026
- Blackswan Cybersecurity: Browser Image Cache Smuggling — CyberMaxx, 2025
- Proofpoint: Clipboard to Compromise — PowerShell Self-Pwn — Proofpoint, June 2024
- Proofpoint: ClickFix Social Engineering Technique Floods Threat Landscape — Proofpoint, 2025
- Sekoia: ClickFix Tactic — The Phantom Meet — Sekoia, October 2024
- Guard.io: EtherHiding — Web3 Smart Contract Malware Distribution — Guard.io, October 2023
- HHS: ClickFix Attacks Sector Alert — HHS, 2025
- GBHackers: New ClickFix Malware Payload Targets Browser Cache — GBHackers, February 2026
- MITRE ATT&CK: T1059.001 — PowerShell — MITRE
- MITRE ATT&CK: T1204.001 — User Execution: Malicious Link — MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0127.