ATLA WIRE

Investigating a New Click-Fix Variant

14.03.2026
New ClickFix variant maps WebDAV drive to run trojanized WorkFlowy app, enabling stealth C2 beacon and payload delivery.

🚨 NEW CLICK-FIX VARIANT DROPS STEALTHY WEBDAV PAYLOAD

Hold up — threat hunters just spotted a fresh Click-Fix variant that’s mapping WebDAV drives to execute a trojanized WorkFlowy app. This isn’t your grandpa’s malware — it’s deploying stealth C2 beacons and dropping payloads like it’s 2026.
The attack chain starts with a malicious link — classic phishing vibes. Once clicked, it maps a WebDAV drive and runs a compromised WorkFlowy app. From there, it establishes a command-and-control (C2) beacon and delivers the final payload. This variant is all about stealth and persistence, making it a serious threat for enterprise environments.
  • Uses WebDAV drive mapping for execution
  • Trojanizes the WorkFlowy app
  • Establishes stealth C2 communication
  • Delivers final payload post-infection
Security teams are flagging this as part of a broader supply-chain attack targeting productivity tools. The malware leverages legitimate apps to bypass detection — because why reinvent the wheel when you can just hijack it?

This variant shows how attackers are evolving beyond traditional methods — using trusted apps and protocols to fly under the radar.

Key takeaways: monitor WebDAV activity, scrutinize app behaviors, and keep threat intel updated. This isn’t just another malware drop — it’s a sophisticated campaign blending phishing, supply-chain compromise, and stealth C2. Stay sharp, patch often, and maybe don’t click that sus link.
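
One way to act on the "monitor WebDAV activity" takeaway, as an added example that is not from the original article or any vendor report: a small hunt over process-creation events that flags a drive letter mapped to a WebDAV target and any program then started from it. The event fields, host names, servers and file paths are constructed, and the WebDAV path forms are the generic Windows ones, not indicators from this campaign.

```python
import re

# Generic Windows WebDAV target forms (assumption, not indicators from this campaign):
#   \\host@SSL\share, \\host@8080\DavWWWRoot\..., or an http(s) URL given to "net use"
DAV_UNC = re.compile(r'\\\\[^\\\s@]+@(?:ssl(?:@\d+)?|\d+)\\', re.I)
NET_USE = re.compile(r'\bnet1?(?:\.exe)?"?\s+use\s+([a-z]):\s+(\S+)', re.I)

def is_webdav_target(target):
    return bool(DAV_UNC.match(target)) or target.lower().startswith(("http://", "https://"))

def hunt(events):
    """Return (rule, host, image) findings from ordered process-creation events."""
    mapped = {}  # host -> drive letters currently mapped to a WebDAV share
    findings = []
    for ev in events:
        host, image, cmd = ev["host"], ev["image"], ev["cmdline"]
        m = NET_USE.search(cmd)
        if m:
            drive, target = m.group(1).upper(), m.group(2).strip('"')
            if is_webdav_target(target):
                mapped.setdefault(host, set()).add(drive)
                findings.append(("webdav_map", host, image))
            else:
                mapped.get(host, set()).discard(drive)  # letter reused for SMB
            continue
        on_mapped = image[1:2] == ":" and image[0].upper() in mapped.get(host, set())
        if on_mapped or DAV_UNC.match(image):
            findings.append(("exec_from_webdav", host, image))
    return findings

# Constructed sample events (hosts, servers and file names are made up).
NET = r"C:\Windows\System32\net.exe"
SAMPLE = [
    {"host": "WS01", "image": NET,
     "cmdline": r"net use Z: \\files.example.test@SSL\DavWWWRoot\pkg /persistent:no"},
    {"host": "WS01", "image": r"Z:\WorkFlowy.exe", "cmdline": r"Z:\WorkFlowy.exe"},
    {"host": "WS02", "image": NET, "cmdline": r"net use Y: \\fileserver01\share"},
    {"host": "WS02", "image": r"Y:\tools\app.exe", "cmdline": r"Y:\tools\app.exe"},
    {"host": "WS03", "image": r"\\cdn.example.test@8080\DavWWWRoot\setup.exe",
     "cmdline": "setup.exe"},
    {"host": "WS01", "image": r"C:\Program Files\WorkFlowy\WorkFlowy.exe",
     "cmdline": "WorkFlowy.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

The same application name running from its normal install path is not flagged; only the copy launched from the WebDAV-backed location is, which is the behavior worth alerting on.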