Full LOLBAS Coverage, Remote Rule Delivery, and Iframe-Based ClickFix Evasion Detection
ClickArmor v1.2.7 ships 185 LOLBAS detection rules pushed via a new remote rule engine, closes a detection gap in Cloudflare-impersonation ClickFix attacks delivered through dynamically injected iframes, and introduces a live overlay upgrade mechanism that replaces generic evasion messages with actual intercepted payloads.
Remote Rule Delivery
ClickArmor now fetches detection rule updates from a private backend, while keeping all scanning and detection 100% local on the user's device. Rule definitions — regex patterns, scores, and labels — are pulled periodically and cached in browser storage. The detection engine interprets them locally. No clipboard data, page content, or browsing history ever leaves the browser.
The motivation is speed. Chrome Web Store reviews take 1–3 days. When a new ClickFix variant drops, that latency is unacceptable. With remote rule delivery, new detection patterns reach every user within hours of authoring — without requiring an extension update.
Rules come down. Data never goes up. The extension fetches rule definitions (data, not code) from a Cloudflare Worker endpoint every 4 hours. Rules can only add score; they never reduce or override built-in detections. If the fetch fails, the extension runs on built-in rules only. The remote rules system is purely additive, which also bounds what a buggy or compromised feed could do: it can raise false positives, but it cannot silence a built-in detection or execute anything in the browser.
Full LOLBAS Coverage
ClickFix attacks aren't limited to powershell -enc anymore. Attackers are increasingly weaponizing living-off-the-land binaries, Microsoft-signed executables already present on every Windows system, because they are trusted by default and pass application-control policies such as Windows Defender Application Control (WDAC) unless the policy explicitly blocks them (Microsoft publishes a recommended block list of exactly these binaries for that reason).
v1.2.7 adds detection rules covering every binary, script, and library in the LOLBAS project, the community-maintained catalog of LOLBins at lolbas-project.github.io. These rules are delivered via the remote rules engine, so they reach all users at their next scheduled rule fetch, without a store update.
Two-Tier Detection
Each LOLBin has two tiers of rules. A low-score presence rule (25–30 points) flags the binary name appearing in clipboard text. A high-score weaponized pattern rule (70–95 points) detects the binary combined with its known abuse pattern — specific flags, remote URLs, pipe chains, or file paths that indicate active exploitation.
// Presence detection — the binary name alone
"re": "\\bmavinject(\\.exe)?\\b", "score": 30
// Weaponized detection — the binary + its known abuse pattern
"re": "mavinject(\\.exe)?[\\s\\S]*?/INJECTRUNNING", "score": 90
A clipboard containing just mavinject.exe gets flagged at 30. A clipboard containing mavinject.exe 1234 /INJECTRUNNING /DLL:evil.dll immediately scores 90 and triggers a block.
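The two-tier scoring and the "rules are data, remote rules only add score" property described above, as an added example that is not ClickArmor's own code. The rule field names, the 50-point block threshold, the 100-point cap and the sample rule feed (including two deliberately invalid entries) are assumptions constructed for this example.

```javascript
// Added example, not ClickArmor's code: a two-tier rule scorer that merges
// built-in rules with remote rule definitions delivered as data (JSON).
// Field names, BLOCK_THRESHOLD and SCORE_CAP are assumptions.

const BLOCK_THRESHOLD = 50;   // assumed
const SCORE_CAP = 100;        // assumed

// Built-in rules shipped inside the extension (constructed sample).
const BUILTIN_RULES_JSON = JSON.stringify([
  { id: "ps-encoded", re: "powershell(\\.exe)?[\\s\\S]*?-(e|enc|encodedcommand)\\b",
    score: 80, label: "powershell encoded command" },
]);

// Remote rule feed as it might arrive from the rule endpoint (constructed).
// The last two entries are deliberately invalid and must be dropped:
// a negative score could only weaken detection, and a bad regex must not
// take the whole feed down with it.
const REMOTE_RULES_JSON = JSON.stringify([
  { id: "mavinject-presence",   re: "\\bmavinject(\\.exe)?\\b",                  score: 30,   label: "mavinject present" },
  { id: "mavinject-weaponized", re: "mavinject(\\.exe)?[\\s\\S]*?/INJECTRUNNING", score: 90,   label: "mavinject DLL injection" },
  { id: "bad-negative",         re: "\\bmavinject\\b",                            score: -100, label: "negative score" },
  { id: "bad-regex",            re: "(unclosed",                                  score: 50,   label: "invalid pattern" },
]);

// Compile rule definitions from an untrusted JSON document. Only a regex
// source string, a positive finite score and a label are accepted; anything
// else is dropped, and unparseable input yields no rules at all.
function compileRules(json) {
  let defs;
  try { defs = JSON.parse(json); } catch { return []; }
  if (!Array.isArray(defs)) return [];
  const rules = [];
  for (const d of defs) {
    if (!d || typeof d.re !== "string" || !Number.isFinite(d.score) || d.score <= 0) continue;
    try {
      rules.push({ id: String(d.id), re: new RegExp(d.re, "i"), score: d.score, label: String(d.label) });
    } catch { /* invalid regex source: skip this rule only */ }
  }
  return rules;
}

const BUILTIN_RULES = compileRules(BUILTIN_RULES_JSON);

// Score clipboard text. Remote rules are purely additive: the result is
// never below what the built-in rules alone produce, and a failed fetch
// (remoteRules = []) simply degrades to built-in coverage.
function scoreClipboard(text, remoteRules = []) {
  const hits = [];
  let score = 0;
  for (const rule of [...BUILTIN_RULES, ...remoteRules]) {
    if (rule.re.test(text)) {      // no "g" flag, so test() is stateless
      hits.push(rule.label);
      score += rule.score;
    }
  }
  score = Math.min(SCORE_CAP, score);
  return { score, block: score >= BLOCK_THRESHOLD, hits };
}

// Usage: const remote = compileRules(REMOTE_RULES_JSON);
//        scoreClipboard("mavinject.exe 1234 /INJECTRUNNING /DLL:evil.dll", remote)
```

Because both tiers fire on a weaponized command line, the presence and weaponized scores stack and the cap keeps the total bounded; with the feed unavailable, the same call with an empty remote list still catches the built-in powershell -enc pattern.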
Notable Additions
Among the ~150 LOLBins now covered — beyond bitsadmin, certutil, mshta, and regsvr32 which were already detected in built-in rules — the new remote rules add detection for CMSTP.exe INF scriptlet execution, Mavinject.exe DLL injection, MSDT.exe protocol handler exploitation, Odbcconf.exe DLL registration, Forfiles.exe indirect command execution, Comsvcs.dll LSASS memory dumps via rundll32, Diskshadow.exe NTDS extraction, Pcalua.exe program compatibility abuse, WSL.exe Linux command bridging, Procdump.exe and Sqldumper.exe LSASS dumps, and all CL_*.ps1 system script proxy execution scripts.
Cloudflare Impersonation via Dynamic Iframes
During testing against active ClickFix infrastructure, we identified a pattern that was evading ClickArmor's detection — a compromised WordPress site (indhrona.com) serving a fake Cloudflare verification page through a dynamically injected iframe. The technique is notable because the ClickFix payload is entirely contained within the iframe, leaving the parent page body clean.
The Attack Flow
1. A fullscreen overlay associated with the attacker domain (ocherhydro.click) is injected into the compromised page at z-index 2147483647. It is rate-limited to 3 impressions via cookies, fingerprints the visitor, and phones home with browser data.
2. The parent page's inline script creates the iframe that carries the fake Cloudflare verification page (/wp-content/plugins/CF/captcha.html or ?cfcw_captcha_page=1). The iframe requests clipboard-write permission.
3. The iframe signals completion with postMessage('cf-captcha-verified') to the parent.
4. The parent's handler sets a client-side cf_clearance cookie and removes the overlay. Real Cloudflare sets this cookie server-side; client-side creation is a detection signal.
Detection: Remote cfImpersonation Rules
The fix targets the parent page's inline script patterns — the infrastructure code that creates the attack iframe — rather than trying to scan inside the iframe itself. 15 new remote rules for the cfImpersonation detection layer match against the parent page's innerHTML, catching:
// Dynamic iframe requesting clipboard-write permission
setAttribute('allow', 'clipboard-write')
// Fake Cloudflare verification postMessage callback
postMessage('cf-captcha-verified')
// Client-side cf_clearance cookie (real CF sets server-side)
document.cookie = 'cf_clearance=...'
// WP malware kit paths
/wp-content/plugins/CF/captcha.html
cfcw_captcha_page=1
// Fullscreen overlay at max z-index with clipboard-write iframe
z-index: 2147483647 + width: 100% + height: 100%
// Malware kit rate-limiting and tracking cookies
content_shown_count
content_user_id
On the test domain, the combined cfImpersonation score reaches 100/100 — well above the 50-point threshold required to trigger the block overlay via auto-escalation.
Auto-Escalate cfImpersonation Gate
ClickArmor v1.2.5 introduced auto-escalation — when the page analyzer detects evasion-layer attacks (srcdoc iframes, base64 document.write, clipboard staging behind CSP), the block overlay fires preemptively without waiting for the clipboard hook. This is necessary because these evasion techniques specifically prevent hooks from intercepting the payload.
The original gate required either srcdocScore ≥ 50, b64Score ≥ 50, clipStagingScore ≥ 50, or a combination of cfScore ≥ 30 AND b64Score ≥ 30. Cloudflare impersonation alone — even at 100/100 — could not independently trigger the overlay unless base64 script injection was also present.
v1.2.7 adds cfScore ≥ 50 as a standalone trigger. High-confidence Cloudflare impersonation now fires the block overlay on its own. This is safe because reaching 50 requires multiple signals firing simultaneously (fake cf_clearance cookies, clipboard-write iframe permissions, fake verification postMessage handlers, and structural impersonation markers), which a genuine Cloudflare challenge page does not produce: real Cloudflare sets cf_clearance server-side and has no reason to grant an iframe clipboard-write.
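The cfImpersonation scan of the parent page and the auto-escalation gate before and after v1.2.7, as one added example covering both passages above. This is not ClickArmor's code: the signal ids and weights, the 100-point cap, and the two sample pages (a constructed fragment modelled on the listed patterns, and a constructed stand-in for a page behind real Cloudflare) are all assumptions.

```javascript
// Added example, not ClickArmor's code: a cfImpersonation analyzer over the
// parent page's innerHTML plus the auto-escalation gate. Signal ids, weights,
// the 100-point cap and the sample pages are assumptions.

// Each signal corresponds to one of the patterns listed above; weights assumed.
const CF_SIGNALS = [
  { id: "clipboard-write-iframe", score: 25,
    test: h => /setAttribute\(\s*['"]allow['"]\s*,\s*['"]clipboard-write['"]\s*\)/.test(h) },
  { id: "fake-verified-message", score: 25,
    test: h => /['"]cf-captcha-verified['"]/.test(h) },
  { id: "client-side-cf_clearance", score: 30,
    test: h => /document\.cookie\s*=\s*['"`]cf_clearance=/.test(h) },
  { id: "wp-kit-captcha-path", score: 20,
    test: h => /\/wp-content\/plugins\/CF\/captcha\.html|cfcw_captcha_page=1/.test(h) },
  { id: "fullscreen-max-zindex", score: 10,    // all three structural markers together
    test: h => /z-index\s*:\s*2147483647/.test(h) && /width\s*:\s*100%/.test(h) && /height\s*:\s*100%/.test(h) },
  { id: "kit-tracking-cookies", score: 10,
    test: h => /content_shown_count|content_user_id/.test(h) },
];

// Score the parent page's HTML. Each signal counts once; total capped at 100 (assumed).
function scoreCfImpersonation(html) {
  const matched = CF_SIGNALS.filter(s => s.test(html));
  const raw = matched.reduce((sum, s) => sum + s.score, 0);
  return { cfScore: Math.min(100, raw), matched: matched.map(s => s.id) };
}

// The gate as described: the v1.2.5 gate (standaloneCf = false) only lets
// cfScore contribute alongside b64Score; v1.2.7 adds cfScore >= 50 on its own.
function shouldAutoEscalate(scores, { standaloneCf = true } = {}) {
  const { srcdocScore = 0, b64Score = 0, clipStagingScore = 0, cfScore = 0 } = scores;
  if (srcdocScore >= 50 || b64Score >= 50 || clipStagingScore >= 50) return true;
  if (cfScore >= 30 && b64Score >= 30) return true;
  return standaloneCf && cfScore >= 50;
}

// Constructed parent-page fragment modelled on the patterns listed above.
const MALICIOUS_PARENT_HTML = `
<script>
  if (parseInt(getCookie('content_shown_count') || '0', 10) < 3) {
    var f = document.createElement('iframe');
    f.setAttribute('allow', 'clipboard-write');
    f.src = '/wp-content/plugins/CF/captcha.html';
    f.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;z-index:2147483647';
    document.body.appendChild(f);
  }
  window.addEventListener('message', function (e) {
    if (e.data === 'cf-captcha-verified') {
      document.cookie = 'cf_clearance=' + Math.random().toString(36).slice(2) + '; path=/';
      f.remove();
    }
  });
</script>`;

// Constructed stand-in for a page behind real Cloudflare: none of the markers.
const BENIGN_HTML = `
<h1>Checking your browser before accessing example.com</h1>
<script src="/cdn-cgi/challenge-platform/h/b/orchestrate/jsch/v1"></script>`;

// Usage: const { cfScore } = scoreCfImpersonation(MALICIOUS_PARENT_HTML);
//        shouldAutoEscalate({ cfScore }, { standaloneCf: false }) is false,
//        shouldAutoEscalate({ cfScore }) is true.
```

The same 100/100 page is ignored by the old gate and blocked by the new one, while a cfScore of 40 with no base64 signal still does not escalate under either.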
Live Overlay Upgrade
A side effect of auto-escalation was that the block overlay displayed a generic message — "(clipboard payload hidden via evasion — hooks could not intercept)" — even in cases where the clipboard hook did fire successfully, just slightly after the page analysis.
The auto-escalate overlay set CG.overlayShown = true, and when the clipboard hook caught the real payload moments later, the showOverlay function returned immediately because the overlay was already showing. The actual malicious command — the most valuable information for the user — was silently discarded.
v1.2.7 adds an upgradeOverlay mechanism. When the clipboard hook catches a payload after an auto-escalate overlay is already visible, it hot-swaps the generic preview with the real intercepted command, updates the matched pattern chips, and refreshes the confidence score — all inside the existing shadow DOM overlay without destroying and rebuilding it. If the hook never fires (cross-origin iframe, CSP block), the generic message stays. The user always sees the best available information.
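The overlay state machine behind the live upgrade, as an added example that is not ClickArmor's code. The shadow DOM overlay and CG.overlayShown are modelled as a plain state object so the logic runs outside a browser; the detection object shape, the `source` field and the use of the generic message quoted above are assumptions.

```javascript
// Added example, not ClickArmor's code: showOverlay keeps the v1.2.5
// early-return, and upgradeOverlay hot-swaps the generic preview for a real
// payload without rebuilding the overlay. Detection shape is assumed:
// { source, payload (string or null), chips (array), score }.

const GENERIC_PREVIEW = "(clipboard payload hidden via evasion — hooks could not intercept)";

// Stand-in for the shadow DOM overlay plus the CG.overlayShown flag.
let overlay = null;

function resetOverlay() { overlay = null; }
function currentOverlay() { return overlay; }

// First presentation. Returns false when an overlay is already showing,
// which is exactly the path that used to drop the real payload.
function showOverlay(detection) {
  if (overlay) return false;
  overlay = {
    source: detection.source,
    preview: detection.payload ?? GENERIC_PREVIEW,
    chips: [...new Set(detection.chips)],
    score: detection.score,
    upgraded: false,
  };
  return true;
}

// In-place upgrade: a real payload replaces the generic preview, pattern
// chips are merged, and the confidence score only ever rises.
function upgradeOverlay(detection) {
  if (!overlay) return false;
  if (detection.payload) {
    overlay.preview = detection.payload;
    overlay.source = detection.source;
  }
  overlay.chips = [...new Set([...overlay.chips, ...detection.chips])];
  overlay.score = Math.max(overlay.score, detection.score);
  overlay.upgraded = true;
  return true;
}

// Single entry point shared by the page analyzer (auto-escalate) and the
// clipboard hook: show if nothing is up yet, otherwise upgrade.
function presentDetection(detection) {
  return showOverlay(detection) || upgradeOverlay(detection);
}

// Usage: presentDetection({ source: "page-analyzer", payload: null, chips: ["cfImpersonation"], score: 100 });
//        presentDetection({ source: "clipboard-hook", payload: "powershell -enc AAAA", chips: ["ps-encoded"], score: 80 });
```

If the hook never fires, the generic preview simply stays in place; if it fires late, the user ends up with the intercepted command, the union of matched chips, and the higher of the two scores.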
Additional Hardening
match_about_blank Coverage
Content scripts now inject into about:blank iframes via the match_about_blank: true manifest flag, which applies to about:blank frames whose parent or opener matches the content script's match patterns. Some ClickFix kits use about:blank iframes as intermediary frames to stage clipboard writes. This closes a gap in hook injection coverage with no effect on pages that never create such frames.
SEO Poisoning + Gambling Spam Detection
The analyzed threat domain contained extensive hidden spam links (gambling, betting, casino sites) positioned off-screen at left: -99000px. This is a common pattern on compromised WordPress installations — the site is simultaneously serving SEO poisoning for affiliate revenue and ClickFix attacks for malware delivery. The presence of off-screen spam links in combination with ClickFix infrastructure is a useful compound signal for threat classification.