Recently, I came across another ClickFix-style campaign pretending to install a Chrome security update. The campaign was hosted on:
teams-net-calls[.]com
The site impersonates a legitimate Microsoft Teams download page and attempts to trick users into manually executing a malicious PowerShell command under the guise of installing a browser security update.
When accessing the site, the victim initially sees what appears to be a legitimate Microsoft Teams download page. The page itself looks clean and convincing, using Microsoft branding and a fake Teams download interface.
However, the malicious behavior does not trigger immediately. The ClickFix flow is activated only after the user interacts with the page by clicking somewhere on it. After the click, the site displays a fake Chrome update popup claiming that a critical browser security update is required.
Requiring user interaction before displaying the malicious prompt may help the campaign avoid automated sandbox analysis and reduce detection by security crawlers that do not fully interact with page elements.
The popup then walks the user through a series of steps instructing them to manually execute a PowerShell command:
- Press Win + X
- Open PowerShell / Terminal
- Paste the copied command
- Press Enter
This social engineering approach avoids traditional browser download warnings because the victim manually executes the payload themselves.
After following the instructions, the victim ends up executing the following PowerShell command:
At first glance, the script looks somewhat harmless because it downloads a legitimate old Node.js package directly from the official Node.js website:
hxxps://nodejs[.]org/dist/v7.10.1/node-v7.10.1-win-x64.zip
However, the second downloaded archive reveals the actual payload:
hxxps://instantwebupdate[.]com/get_update?i=77669
The script extracts both archives into:
C:\ProgramData\
and silently launches:
using hidden PowerShell execution flags such as:
-ExecutionPolicy Bypass
-WindowStyle Hidden
The JavaScript payload itself is interesting because it uses a large fake “poem” style wordlist to hide embedded files. Instead of storing binaries directly, the malware reconstructs files from mapped words and writes them to disk during execution.
The payload creates the following folder:
C:\ProgramData\Microsoft Edge Updates Helper cgpIJPjs25zk\
and drops several files inside it:
Microsoft Edge Updates Helper.exe
msvcp140.dll
vcruntime140.dll
vcruntime140_1.dll
cgpIJPjs25zk.bat
The dropped executable masquerades as a Microsoft Edge helper component.
The BAT file is then used to establish persistence through the Windows Run registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
using the value:
Microsoft Edge Updates Helper
Interestingly, static analysis of the executable revealed references related to Revo Registry Cleaner / RevoSrp development paths:
D:\Work_REVO\VSRevo\Windows\Projects\Registry Cleaner\
along with strings such as:
System restore point created successfully.
VS REVO GROUP OOD
http://www.revouninstaller.com
The bundled DLLs (msvcp140.dll, vcruntime140.dll, and vcruntime140_1.dll) appear to be legitimate Visual C++ runtime dependencies rather than standalone malicious DLLs. They were likely included to ensure the dropped executable runs properly on victim systems.
At the time of analysis, no obvious C2 URLs were identified inside the EXE itself. Most visible URLs were related to Microsoft or DigiCert certificate infrastructure.
IOCs
Domains / URLs
teams-net-calls[.]com
hxxps://instantwebupdate[.]com/get_update?i=77669
hxxps://nodejs[.]org/dist/v7.10.1/node-v7.10.1-win-x64.zip
Dropped Files
C:\ProgramData\Update.js
C:\ProgramData\chrome.zip
C:\ProgramData\Update.zip
C:\ProgramData\Microsoft Edge Updates Helper cgpIJPjs25zk\
Persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: Microsoft Edge Updates Helper
SHA256
Microsoft Edge Updates Helper.exe
8b94af60bb58bc1629edb3b4f6a86ccff5769bb9b96d8826f06686af2d7fc55f
msvcp140.dll
18cbbc60e8989d90a50dc9373f081cf36d783f38a0aec4cd6e45d4974aa8463d
vcruntime140.dll
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
vcruntime140_1.dll
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7
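As an added defender-side example (my code, not the original post's), the Python function below matches host telemetry against the artifacts listed in this write-up: the Run-key value, the staging files under C:\ProgramData, the fake Edge helper folder, the dropper hash, and PowerShell launches carrying both hidden-execution flags. The sample event records are constructed, and the assumption that the 12-character folder suffix varies per victim is mine.

```python
import re

# Indicators copied from the write-up above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Microsoft Edge Updates Helper"
STAGING_FILES = {r"c:\programdata\update.js", r"c:\programdata\chrome.zip",
                 r"c:\programdata\update.zip"}
DROPPER_SHA256 = "8b94af60bb58bc1629edb3b4f6a86ccff5769bb9b96d8826f06686af2d7fc55f"
# Assumption (mine): the 12-character folder suffix is per-victim, so any alphanumeric suffix is matched.
HELPER_DIR = re.compile(r"^C:\\ProgramData\\Microsoft Edge Updates Helper [A-Za-z0-9]+\\", re.I)
BYPASS = re.compile(r"-ExecutionPolicy\s+Bypass", re.I)
HIDDEN = re.compile(r"-WindowStyle\s+Hidden", re.I)


def triage(events):
    """Return (severity, reason) findings for telemetry dicts of type registry/file/process."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry":
            if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value") == RUN_VALUE:
                findings.append(("high", f"Run-key persistence value '{RUN_VALUE}'"))
        elif kind == "file":
            path = ev.get("path", "")
            if ev.get("sha256", "").lower() == DROPPER_SHA256:
                findings.append(("high", f"known dropper hash at {path}"))
            elif HELPER_DIR.match(path):
                # The bundled VC++ runtime DLLs are legitimate, so presence alone is medium confidence.
                findings.append(("medium", f"file inside fake Edge helper folder: {path}"))
            elif path.lower() in STAGING_FILES:
                findings.append(("medium", f"ClickFix staging artifact: {path}"))
        elif kind == "process":
            cmd = ev.get("cmdline", "")
            if BYPASS.search(cmd) and HIDDEN.search(cmd) and "programdata" in cmd.lower():
                findings.append(("high", "hidden PowerShell launch referencing C:\\ProgramData"))
    return findings


# Constructed sample telemetry (not captured from a real host); the launched file was elided in the write-up.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
                                   r'-Command "C:\ProgramData\LAUNCHER_PLACEHOLDER"'},
    {"type": "registry", "key": RUN_KEY, "value": RUN_VALUE},
    {"type": "file", "sha256": DROPPER_SHA256,
     "path": r"C:\ProgramData\Microsoft Edge Updates Helper cgpIJPjs25zk\Microsoft Edge Updates Helper.exe"},
    {"type": "file", "sha256": "18cbbc60e8989d90a50dc9373f081cf36d783f38a0aec4cd6e45d4974aa8463d",
     "path": r"C:\ProgramData\Microsoft Edge Updates Helper cgpIJPjs25zk\msvcp140.dll"},
    {"type": "file", "path": r"C:\ProgramData\Update.js"},
    {"type": "process", "cmdline": "powershell.exe -Command Get-Date"},  # benign
    {"type": "registry", "key": RUN_KEY, "value": "OneDrive"},           # benign
]
```

Running `triage(SAMPLE_EVENTS)` yields three high and two medium findings; the two benign events produce nothing.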