Hackers Upgraded ClickFix Attack With Cache Smuggling to Secretly Download Malicious Files


Cybersecurity researchers have uncovered a sophisticated evolution of the ClickFix attack methodology, where threat actors are leveraging cache smuggling techniques to avoid traditional file download detection mechanisms.

This innovative campaign targets enterprise networks by masquerading as a Fortinet VPN compliance checking tool, specifically exploiting the trust organizations place in their remote access infrastructure.

The malicious webpage, hosted on the domain fc-checker[.]dlccdn[.]com, presented itself as a legitimate corporate security utility designed to verify VPN compliance across enterprise environments.

The attack represents a significant departure from conventional ClickFix variants that typically rely on direct file downloads or explicit internet communication.

Instead, attackers have developed a method that pre-emptively stores malicious payloads within the browser’s cache system, effectively bypassing many security controls that monitor file downloads and network communications.

The webpage uses Fortinet’s branding to lure users into running malicious code (Source – Expel)

Expel analysts noted that this technique demonstrates a concerning advancement in social engineering tactics, particularly as it targets Fortinet VPN clients predominantly used by enterprises for secure remote access.


What makes this campaign particularly dangerous is its ability to appear as though users are executing files already present on their corporate network.

The webpage displays a text box containing what appears to be a standard network file path: “\PublicSupportVPNForticlientCompliance.exe”.

However, beneath this veneer of legitimacy lies a complex PowerShell payload designed to extract and execute malicious code from the browser’s cache without establishing any external network connections.

The Hidden Payload Delivery Mechanism

The technical sophistication of this attack centers around its cache smuggling implementation, which represents a novel approach to payload delivery.

When users interact with the malicious webpage, an obfuscated JavaScript function issues a fetch request to “/5b900a00-71e9-45cf-acc0-d872e1d6cdaa”; the server’s response is labelled as a JPEG image by setting the HTTP Content-Type header to “image/jpeg”.

The browser automatically caches this supposed image file, but examination reveals it contains no JPEG header and instead houses a compressed ZIP archive wrapped between unique delimiter strings “bTgQcBpv” and “mX6o0lBw”.

The PowerShell script hidden within the clipboard payload includes a sophisticated regex pattern that searches Chrome’s cache directory for these specific delimiters: $m=[regex]::Matches($c,'(?<=bTgQcBpv)(.*?)(?=mX6o0lBw)',16).

Once located, the script extracts the data between these markers, writes it to “ComplianceChecker.zip”, extracts the archive, and executes “FortiClientComplianceChecker.exe” completely offline.

This technique effectively circumvents security solutions that monitor file downloads or PowerShell web requests, as no explicit network activity occurs during the malicious execution phase.
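A defender-side check for the cache artefact described above, added here as example code that is not from the Expel write-up: it takes a cached response body plus its declared Content-Type, applies the campaign’s own delimiter regex, and flags a “JPEG” whose bytes are actually a ZIP archive. The sample cache entry is constructed in-script; how the body and header are pulled out of a real browser cache is left to the caller.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Values reported in the analysis above: the delimiter pair the PowerShell
# stage searches the cache for. The magic numbers are standard file signatures.
START_MARK = b"bTgQcBpv"
END_MARK = b"mX6o0lBw"
JPEG_MAGIC = b"\xff\xd8\xff"       # every real JPEG begins with the SOI marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature

@dataclass
class Finding:
    reason: str
    offset: int
    size: int
    zip_members: list = field(default_factory=list)

def _zip_members(data: bytes) -> list:
    """Return member names if data parses as a ZIP, else []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def scan_cached_response(body: bytes, content_type: str) -> list:
    """Flag a cached response that looks like a smuggled payload.
    Check 1 reuses the campaign's regex; (?s) is the Singleline option the
    PowerShell passes as the literal 16. Check 2 catches the MIME lie: an
    'image/jpeg' entry with no JPEG magic but a ZIP header inside."""
    findings = []
    for m in re.finditer(rb"(?s)(?<=bTgQcBpv)(.*?)(?=mX6o0lBw)", body):
        chunk = m.group(1)
        findings.append(Finding("delimiter-wrapped blob", m.start(1), len(chunk), _zip_members(chunk)))
    if content_type.lower().startswith("image/jpeg") and not body.startswith(JPEG_MAGIC):
        idx = body.find(ZIP_LOCAL_HEADER)
        if idx != -1:
            findings.append(Finding("image/jpeg without JPEG magic, ZIP header present", idx, len(body) - idx))
    return findings

def build_sample_entry() -> bytes:
    """Constructed test input: a harmless ZIP holding a text stand-in for the
    executable name seen in the campaign, wrapped in the delimiters with filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"placeholder text, not a real binary")
    return b"\x00" * 32 + START_MARK + buf.getvalue() + END_MARK + b"\x00" * 16

if __name__ == "__main__":
    for f in scan_cached_response(build_sample_entry(), "image/jpeg"):
        print(f"{f.reason}: offset={f.offset} size={f.size} members={f.zip_members}")
```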


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.