BrowserWare ClickFix: Inside a Blockchain-Resilient ClickFix-as-a-Service Platform With Polyglot Payloads and AES-GCM Encrypted C2
Published: 2026-03-08 Tags: threat-intelligence, clickfix, maas, blockchain-c2, polygon, social-engineering, polyglot-malware TLP: WHITE (IOCs sanitized for public sharing)
TL;DR
A commercially operated ClickFix-as-a-Service platform dubbed BrowserWare is using Polygon smart contracts to store its C2 panel URL on-chain, making traditional domain takedowns ineffective. The campaign serves seven distinct social engineering lure modes through a rental model, encrypts all C2 traffic with AES-256-GCM and RC4, and hides a PE stager inside its Chrome logo image as a JPEG+PE polyglot. Expired rental configurations leaked in plaintext confirm the MaaS business model, CIS country exclusion points to a Russian-speaking operator, and the infrastructure traces back to the same DGTLS-MNT bulletproof hosting cluster we have documented in prior investigations.
1. Discovery and Source Intel
On February 26, 2026, security researcher @solostalking flagged IP 77.91.65.56 serving fake Chrome "Fix Display Issues" pages. What initially appeared to be a single ClickFix deployment turned out to be a full multi-tenant platform with blockchain-backed infrastructure, encrypted API communications, and a polyglot PE stager embedded in the page's branding assets.
The C2 panel at buck-cdns-server.sbs was live, payloads were being served, and the Polygon smart contract was actively resolving -- this campaign is currently operational.
2. The Kill Chain: From Compromised Domain to Payload Execution
Phase 1 -- Lure Delivery
Victims land on the ClickFix page through three vectors:
- Compromised legitimate domains -- npimedia.com (a GoDaddy-registered media site from 2002, now hijacked through a WordPress compromise chain: Turkish gambling spam, then ClickFix redirect) and a cluster of chimney service domains on shared OVH hosting at 57.128.95.87
- Dedicated campaign domain -- fontfix-chrome.com, registered February 18 through Tucows, fronted by Cloudflare
- Direct IP access -- 77.91.65.56 on DGTLS-MNT bulletproof hosting
The landing page impersonates a Chrome "Page Troubleshooter" with professional Google-branded styling. Nothing about it screams malicious at first glance.
Phase 2 -- Blockchain C2 Resolution
This is where it gets interesting. The page contains 12,580 bytes of XOR-obfuscated JavaScript (key: 0xC9 / decimal 201). Once deobfuscated, the script:
- Calls the Polygon smart contract at 0xd2572Aa454e6250E54C483ca89eEfe02d22e5937
- Invokes function selector 0xb68d1809 (getData), which returns the current C2 panel URL
- Falls back through 15 hardcoded Polygon RPC endpoints if any fail
The contract owner (0xcaf2c54e400437da717cf215181b170f65187abf, 68.33 MATIC balance, 798 transactions) can update the C2 URL at any time by calling setData (0xb249cd2d). Every deployed lure page -- across all compromised sites and campaign domains -- immediately resolves to the new panel. No DNS changes, no domain re-registration. Takedown-resistant by design.
Contract: 0xd2572Aa454e6250E54C483ca89eEfe02d22e5937
Chain: Polygon (MATIC)
Owner: 0xcaf2c54e400437da717cf215181b170f65187abf
Function selectors:
0xb68d1809 getData() → returns string (current C2 URL)
0xb249cd2d setData(s) → updates C2 URL (owner only)
0xf851a440 owner() → returns owner address
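To make the dead-drop mechanism concrete, here is an added example (not the loader's code and not from the original write-up) that builds the eth_call the loader has to send, walks an RPC list with the same fall-through behaviour, and decodes the ABI-encoded string the contract returns. The same decoder applied to a transaction's input recovers the URL from an owner setData call, which is the monitoring hook the assessment at the end of this post recommends. The contract address and selectors are the ones listed above; the RPC endpoint names, the sample panel URL and the fake transport are constructed for the example.

```python
import json
from typing import Callable, Iterable, Optional

# Contract and selectors are the values from the write-up. The RPC endpoints, the
# sample panel URL and the fake transport below are constructed for this example.
CONTRACT = "0xd2572Aa454e6250E54C483ca89eEfe02d22e5937"
SEL_GETDATA = "0xb68d1809"  # getData()  -> string
SEL_SETDATA = "0xb249cd2d"  # setData(s) -> owner-only update
SEL_OWNER = "0xf851a440"    # owner()    -> address


def build_eth_call(selector: str, to: str = CONTRACT) -> dict:
    """eth_call body the loader sends; getData() takes no arguments, so the calldata is the bare 4-byte selector."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": to, "data": selector}, "latest"]}


def decode_abi_string(hexdata: str) -> str:
    """Decode one ABI-encoded dynamic `string`: 32-byte offset, 32-byte length, UTF-8 bytes padded to a 32-byte boundary."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("too short to hold an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("ABI string truncated")
    return body.decode("utf-8")


def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used here only to fabricate sample responses and calldata."""
    b = s.encode("utf-8")
    return ("0x" + (32).to_bytes(32, "big").hex() + len(b).to_bytes(32, "big").hex()
            + b.hex() + "00" * ((-len(b)) % 32))


def resolve_c2_url(rpc_endpoints: Iterable[str], post: Callable[[str, dict], dict]) -> Optional[str]:
    """What the loader does: walk the hardcoded RPC list until one endpoint returns a decodable getData() result."""
    body = build_eth_call(SEL_GETDATA)
    for url in rpc_endpoints:
        try:
            return decode_abi_string(post(url, body)["result"])
        except Exception:
            continue  # dead endpoint, rate limit, RPC error object, malformed result: try the next one
    return None


def parse_setdata_calldata(calldata: str) -> Optional[str]:
    """Defender side: for the `input` of a transaction sent to CONTRACT, return the new C2 URL if it is a setData call."""
    if not calldata.lower().startswith(SEL_SETDATA):
        return None
    return decode_abi_string("0x" + calldata[10:])


def http_post(url: str, body: dict, timeout: float = 5.0) -> dict:
    """Real transport for live use (not exercised offline): JSON-RPC over HTTPS with urllib."""
    import urllib.request
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed offline stand-in for the RPC list: the first endpoint is dead, the second answers.
SAMPLE_PANEL_URL = "https://panel.example/"
FAKE_RPCS = ["https://rpc-a.example", "https://rpc-b.example"]
FAKE_RESPONSES = {
    "https://rpc-b.example": {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(SAMPLE_PANEL_URL)},
}


def fake_post(url: str, body: dict) -> dict:
    if url not in FAKE_RESPONSES:
        raise ConnectionError(url)
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print("resolved panel:", resolve_c2_url(FAKE_RPCS, fake_post))
    tx_input = SEL_SETDATA + encode_abi_string("https://rotated.example/")[2:]
    print("setData observed, new panel:", parse_setdata_calldata(tx_input))
```

For live monitoring, swap fake_post for http_post and feed parse_setdata_calldata the input field of every transaction to CONTRACT; a non-None return is a panel rotation and belongs in the blocklist the moment it appears on-chain, since every deployed lure page will start using it immediately.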
Phase 3 -- Encrypted Config Fetch
With the C2 URL in hand, the JavaScript fetches its runtime configuration from buck-cdns-server.sbs/api/index.php?a=cfg. The request-response cycle uses layered encryption:
Request encryption (RC4):
key_material = base_key || random_nonce[8]
ciphertext = RC4(key_material, query_string)
payload = base64url(nonce || ciphertext)
Response encryption (AES-256-GCM):
derived_key = SHA256(base_key || "cfg|gcm1")
plaintext = AES-GCM-Decrypt(derived_key, IV=packed[0:12], ciphertext=packed[12:])
The base key is hardcoded in the obfuscated JS:
c6debe3b62faf837b4daf28376361015cb157ca7b1f8fc8c92fa459fedcc833d
If GCM decryption fails, the script falls back to RC4 decryption on a q2 response field. Defense in depth -- for the attacker.
The decrypted configuration for the active rental:
{
"panelBaseUrl": "https://buck-cdns-server.sbs/",
"showDelay": 10,
"mode": "browser",
"enabled": true,
"blockBots": true,
"rentalExpired": false,
"os": "unknown",
"browser": "Unknown"
}
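As an added example (not the loader's own code), the request and response scheme above reconstructed in Python so that a captured cfg exchange can be decrypted offline. It assumes the base key enters SHA-256 as the 64 ASCII characters of the hex string (the page does not say whether the JS hex-decodes it first) and that the GCM ciphertext carries its 16-byte tag at the end, as WebCrypto produces it. The AES-GCM step uses the `cryptography` package and is imported lazily so the RC4 and key-derivation parts run without it.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# Base key and label are the values recovered from the loader JS in the write-up.
# ASSUMPTION: the hex string is fed to SHA-256 as its 64 ASCII characters (what a naive
# JS string concatenation produces); retry with bytes.fromhex(BASE_KEY) if that fails.
BASE_KEY = "c6debe3b62faf837b4daf28376361015cb157ca7b1f8fc8c92fa459fedcc833d"
GCM_LABEL = "cfg|gcm1"
NONCE_LEN = 8   # request nonce appended to the RC4 key material
IV_LEN = 12     # GCM IV prefixed to the response
TAG_LEN = 16    # GCM tag, assumed to trail the ciphertext as in WebCrypto


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encrypt_request(query: str, base_key: str = BASE_KEY, nonce: Optional[bytes] = None) -> str:
    """Client side: payload = base64url(nonce || RC4(base_key || nonce, query))."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = rc4(base_key.encode() + nonce, query.encode())
    return b64url_encode(nonce + ct)


def decrypt_request(payload: str, base_key: str = BASE_KEY) -> str:
    """Server or analyst side: the nonce travels in the clear, so only the base key is needed to undo it."""
    raw = b64url_decode(payload)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return rc4(base_key.encode() + nonce, ct).decode()


def derive_gcm_key(base_key: str = BASE_KEY, label: str = GCM_LABEL) -> bytes:
    """derived_key = SHA256(base_key || "cfg|gcm1"): 32 bytes, i.e. an AES-256 key."""
    return hashlib.sha256(base_key.encode() + label.encode()).digest()


def split_gcm_envelope(packed: bytes) -> Tuple[bytes, bytes]:
    """Response layout: IV (12 bytes) || ciphertext, with the GCM tag at the end of the ciphertext."""
    if len(packed) < IV_LEN + TAG_LEN:
        raise ValueError("packed response too short for IV + GCM tag")
    return packed[:IV_LEN], packed[IV_LEN:]


def decrypt_config(packed: bytes, base_key: str = BASE_KEY) -> str:
    """Decrypt a captured cfg response. A wrong key raises InvalidTag rather than returning garbage."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # lazy: only this step needs it
    iv, ct = split_gcm_envelope(packed)
    return AESGCM(derive_gcm_key(base_key)).decrypt(iv, ct, None).decode()


if __name__ == "__main__":
    wire = encrypt_request("a=cfg")
    print("request on the wire:", wire)
    print("recovered query    :", decrypt_request(wire))
    print("GCM key (hex)      :", derive_gcm_key().hex())
```

The authentication tag is what makes this scheme convenient for the analyst: with the hardcoded key in hand, a successful decrypt is self-verifying, and a failed one tells you to try the hex-decoded key form or check whether the response fell back to the RC4 q2 field.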
Phase 4 -- Mode Script Loading
BrowserWare supports seven lure modes, each loaded as a separate script from the C2:
| Script | Mode | Lure Type |
|---|---|---|
v1.js | browser | Fake browser update |
v2.js | font | Missing font installation |
v3.js | recaptcha | Fake CAPTCHA verification |
v4.js | bsod | Fake Blue Screen of Death |
v5.js | silent | No visible UI |
v6.js | cloudflare | Fake Cloudflare challenge |
v7.js | cf_update | Fake Cloudflare update |
The active deployment uses browser mode. Expired rentals on other domains show clickfix as the mode -- this may be an earlier or alternate mode identifier.
API endpoints observed:
/api/index.php?a=cfg # Configuration fetch
/api/index.php?a=evt # Event telemetry
/api/index.php?a=init # Session initialization
/api/index.php?a=dl # Payload download
/api/index.php?a=js&mode={mode_name} # Mode script loader
/api/icons/chrome.ico # Favicon
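The endpoint list above translates directly into a proxy-log detection. The following is an added example (not tooling from the write-up) run over a constructed log in a simple "<timestamp> <client> <method> <url> <status>" format. It rates the per-client sequence rather than any single URI, because /api/index.php?a=cfg on its own is generic enough to collide with unrelated PHP applications; the cfg fetch followed by a js&mode= load with one of the seven known mode names, or any a=dl hit, is the signal worth paging on.

```python
import re
from collections import defaultdict

# URI patterns come from the write-up's endpoint list. The log format, hosts and client IPs are constructed.
API_RE = re.compile(r"/api/index\.php\?a=(?P<a>cfg|evt|init|dl|js)(?:&mode=(?P<mode>[a-z_]+))?(?:&|$)")
KNOWN_MODES = {"browser", "font", "recaptcha", "bsod", "silent", "cloudflare", "cf_update"}

# Constructed proxy log. 10.0.0.5 walks the full chain, 10.0.0.9 hits a look-alike path
# on an internal app, 10.0.0.7 only fetches an image named like the lure's logo.
SAMPLE_LOG = """\
2026-02-26T10:00:01Z 10.0.0.5 GET https://buck-cdns-server.sbs/api/index.php?a=cfg 200
2026-02-26T10:00:02Z 10.0.0.5 GET https://buck-cdns-server.sbs/api/index.php?a=js&mode=browser 200
2026-02-26T10:00:02Z 10.0.0.5 GET https://buck-cdns-server.sbs/logo.jpg 200
2026-02-26T10:00:12Z 10.0.0.5 POST https://buck-cdns-server.sbs/api/index.php?a=init 200
2026-02-26T10:00:40Z 10.0.0.5 GET https://buck-cdns-server.sbs/api/index.php?a=dl 200
2026-02-26T10:01:00Z 10.0.0.9 GET https://intranet.example/api/index.php?a=cfg 200
2026-02-26T10:02:00Z 10.0.0.7 GET https://cdn.example/logo.jpg 200
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, host, path); None if the URL does not parse."""
    ts, client, method, url, status = line.split()
    m = re.match(r"https?://([^/]+)(/.*)$", url)
    if not m:
        return None
    return ts, client, m.group(1), m.group(2)


def analyze(log_text: str) -> list:
    """Group API hits per (client, host) and rate them.

    high   : cfg + js with a known mode name, or any dl (payload download)
    medium : two or more distinct API actions without the above
    low    : a single hit, e.g. a lone a=cfg that may be an unrelated PHP app
    """
    seen = defaultdict(lambda: {"actions": set(), "modes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line) if line.strip() else None
        if not parsed:
            continue
        ts, client, host, path = parsed
        m = API_RE.search(path)
        if not m:
            continue  # image names like /logo.jpg are too generic to key on
        e = seen[(client, host)]
        e["actions"].add(m.group("a"))
        if m.group("mode"):
            e["modes"].add(m.group("mode"))
        e["first"] = e["first"] or ts
        e["last"] = ts
    findings = []
    for (client, host), e in sorted(seen.items()):
        known = e["modes"] & KNOWN_MODES
        if ("cfg" in e["actions"] and known) or "dl" in e["actions"]:
            severity = "high"
        elif len(e["actions"]) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "client": client, "host": host, "severity": severity,
            "actions": sorted(e["actions"]), "modes": sorted(known),
            "first_seen": e["first"], "last_seen": e["last"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:10} {f['host']:25} actions={f['actions']} modes={f['modes']}")
```

Note that the high rating does not depend on the hostname, so the rule keeps working after the operator rotates the panel through setData; pairing it with the /api/icons/chrome.ico favicon fetch is a reasonable extra confirmation but was left out here because favicon paths are common.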
Phase 5 -- Social Engineering Execution
In browser mode, the victim sees a professional-looking Chrome troubleshooting interface that instructs them to:
- Copy a file path: \\Chrome\Fonts\FontClientsCompile\
- Open File Explorer (Win+E)
- Paste the path into the address bar (Ctrl+L, Ctrl+V, Enter)
Windows resolves a UNC path through its network providers (SMB, then WebDAV via the WebClient service), so pasting it makes the victim's own machine reach out to the named host: the result is either a malicious network share or a payload fetched from it. Classic ClickFix -- the victim is the execution engine.
Phase 6 -- Polyglot Stager (logo.jpg)
The Chrome logo displayed on the lure page is not just an image. It is a JPEG+PE polyglot -- a valid JPEG that also contains a valid Windows PE executable.
| Property | Value |
|---|---|
| PE SHA-256 | 6054b8a3906ba0939dbd2f910289f78e58e96b86489bf0a1574a97c51a4a0774 |
| Full JPEG SHA-256 | 54de8462597fa1a96250c13a1a01d74a135e8753d413f9d7e956a3070f58290c |
| Architecture | AMD64 (x86-64) |
| Subsystem | Windows GUI |
| Compiler | GCC 15.1.0/15.2.0 (MinGW-w64) |
| Compile time | 2026-02-19 19:10:53 UTC |
| PE size | 39,687 bytes |
The stager's behavior:
- Creates a hidden window (MainWindowClass) with timer-based execution
- Implements a custom HTTP/1.1 client using raw sockets -- no WinHTTP or WinInet imports, evading API-level monitoring
- Downloads second-stage payloads disguised as images: /logoo.png, /bgo.jpg, /headero.jpg, /spriteo.png (all currently 404'd -- rotated out)
- Uses CryptAcquireContextA/CryptGenRandom for crypto operations
- Dynamic API resolution via GetProcAddress + LoadLibraryA
The import table is deliberately minimal. Resolving APIs at runtime starves static signatures of import-table features, and speaking HTTP over raw sockets sidesteps the WinHTTP and WinInet hooks that many EDR sensors rely on. It does not make the stager invisible: the Winsock calls underneath (ws2_32 connect/send/recv) can still be hooked, and the requests it sends for the second-stage image names remain visible to network monitoring.
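An added example (not the write-up's tooling) of how the two hashes in the table above are produced: locate an MZ header inside the JPEG, confirm its e_lfanew lands on a PE signature, carve the image from MZ to the end of its last section, and read the COFF timestamp. The sample input is a constructed JPEG whose COM segment wraps a minimal x64 PE stub; its timestamp is set to the compile time from the table so the output lines up, but it is not the real logo.jpg.

```python
import hashlib
import struct
from datetime import datetime, timezone


def find_pe_candidates(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature inside the buffer."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_pe(data: bytes, offset: int) -> bytes:
    """Cut the PE out from MZ to the end of its last section (PointerToRawData + SizeOfRawData, relative to MZ)."""
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    coff = offset + e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect = coff + 20 + opt_size
    end_rel = (sect - offset) + nsections * 40
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end_rel = max(end_rel, ptr_raw + size_raw)
    if offset + end_rel > len(data):
        raise ValueError("section table points past end of buffer (truncated or bogus PE)")
    return data[offset:offset + end_rel]


def pe_timestamp(pe: bytes) -> str:
    """COFF TimeDateStamp as ISO-8601 UTC (the 'compile time' field in PE triage output)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def classify(data: bytes) -> dict:
    """Triage summary: what the file claims to be, whether a PE is embedded, and both hashes an IOC list needs."""
    is_jpeg = data[:3] == b"\xff\xd8\xff"
    pes = find_pe_candidates(data)
    result = {"is_jpeg": is_jpeg, "pe_offsets": pes,
              "sha256_full": hashlib.sha256(data).hexdigest(), "kind": "other"}
    if is_jpeg and pes:
        result["kind"] = "jpeg+pe polyglot"
    elif pes and pes[0] == 0:
        result["kind"] = "pe"
    elif is_jpeg:
        result["kind"] = "jpeg"
    if pes:
        pe = carve_pe(data, pes[0])
        result.update(pe_size=len(pe), sha256_pe=hashlib.sha256(pe).hexdigest(), compile_time=pe_timestamp(pe))
    return result


def build_sample_polyglot() -> bytes:
    """Constructed test input: a JPEG whose COM segment carries a minimal x64 PE (not the real logo.jpg)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 1771528253, 0, 0, 0, 0x0022)  # AMD64, 1 section, 2026-02-19 19:10:53 UTC
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 16, 0x1000, 16, 0x80) + b"\0" * 16
    pe = bytes(dos) + b"PE\0\0" + coff + sect + b"\xcc" * 16    # headers end at 0x80, 16 bytes of section data
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(pe)) + pe
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


if __name__ == "__main__":
    for k, v in classify(build_sample_polyglot()).items():
        print(f"{k:13}: {v}")
```

Carving to the end of the last section, rather than to end-of-file, is what makes the PE-only hash reproducible regardless of how much JPEG data follows it; an appended overlay would be missed by this cut and has to be checked separately. Content-type filters that only look at the leading bytes see a JPEG, which is exactly why the image path deserves a secondary scan like this one.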
3. The MaaS Rental Model: Proof in Plaintext
The most revealing evidence of BrowserWare's commercial operation came from expired rentals. The domain 2fa-cp.click -- sharing the same C2 IP (94.154.35.227) as the active panel -- leaked its configuration without encryption:
{
"panelBaseUrl": "https://2fa-cp.click/",
"allowedOs": ["windows"],
"blockedCountries": ["BY","KZ","AM","AZ","KG","MD","TJ","TM","UZ","RU","UA"],
"showDelay": 1000,
"mode": "clickfix",
"enabled": false,
"blockBots": true,
"rentalExpired": true
}
Three data points confirm the MaaS model:
- rentalExpired: true -- the subscription lapsed and the platform disabled the deployment
- Multiple expired domains on the same C2 IP -- 2fa-cp.click and sdn-cloudflare-js.click are both expired customer deployments; buck-cdns-server.sbs is the active customer
- Per-customer configuration -- the expired rental uses clickfix mode with a 1000 ms delay, while the active customer uses browser mode with a 10 ms delay
CIS Country Exclusion
The blocked countries list is a signature of a Russian-speaking operator:
| Code | Country |
|---|---|
| BY | Belarus |
| KZ | Kazakhstan |
| AM | Armenia |
| AZ | Azerbaijan |
| KG | Kyrgyzstan |
| MD | Moldova |
| TJ | Tajikistan |
| TM | Turkmenistan |
| UZ | Uzbekistan |
| RU | Russia |
| UA | Ukraine |
This is the Commonwealth of Independent States (CIS) exclusion list, a well-established norm in Russian-speaking cybercriminal communities: do not target domestic populations, because local law enforcement rarely pursues crime that does not hit its own citizens. The operator appears to enforce the exclusion at the platform level rather than leaving it to customers; note, though, that the field is delivered inside the per-rental configuration and is absent from the active rental's decrypted config above, so global enforcement cannot be confirmed from the leaked data alone.
4. Infrastructure Deep Dive
77.91.65.56 -- DGTLS-MNT Bulletproof Hosting
| Field | Value |
|---|---|
| Netname | IP-RENT-FI (77.91.65.0/24) |
| ASN | AS205775 (NEON CORE NETWORK LLC) / AS42861 (Foton Telecom CJSC, Moscow) |
| Org | Partner Hosting LTD, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ |
| Parent | GE-FAST-20070425, Sergey Miroshkin, Ambrolauri, Georgia |
| Abuse | abuse@altawk.com (ALTAWK -- known bulletproof hosting) |
| MNT | lir-ge-fast-1-MNT |
| Block created | 2026-02-06 (about two weeks before the campaign went live on Feb 21) |
| RDP hostname | VM-18f3a415-cd64-4597-8ca9-aac58d8ee468 |
| RDP cert created | 2026-02-17 |
This is the same DGTLS-MNT / ALTAWK bulletproof ecosystem we have documented in prior investigations:
- NetSupport RAT (193.111.117.17, AS200823, WAICORE / MHost LLC)
- Ukraine LNK C2 (195.10.205.65, ALTAWK abuse contact)
Common fingerprints across all three: VM-{GUID} hostnames from DGTLS VM provisioning, exposed RDP, and Partner Hosting LTD shell company registration at 71-75 Shelton Street -- a known London virtual office address used by bulletproof providers.
94.154.35.227 -- Ukrainian ISP Front
| Field | Value |
|---|---|
| Netname | SKAYVIN-BROADBAND-UA |
| Description | "Residential and business customer access network" |
| Also stated | "This network is not used for hosting" |
| Org | IE Dyachenko Valentina Ivanovna, Kharkiv region, Balakleya |
| Abuse | abusep@kharkiv.com |
| Prior malware | XMRig (Nov 2025), directfilesjo (Sep 2025) |
Despite explicitly claiming the network is "not used for hosting," it runs nginx, SSH, and serves the C2 API panel. Four domains resolve here: buck-cdns-server.sbs, 2fa-cp.click, sdn-cloudflare-js.click, and 2fa-cp.cfd.
Registrar Pattern
| Domain | Registrar |
|---|---|
| buck-cdns-server.sbs | Dynadot |
| 2fa-cp.click | Dynadot |
| sdn-cloudflare-js.click | Dynadot |
| 2fa-cp.cfd | NiceNIC (HK) |
| fontfix-chrome.com | Tucows |
3 of the 5 campaign domains use Dynadot LLC -- consistent with the registrar preference observed in the NetSupport RAT investigation (5/7 C2 domains). The Dynadot preference among Russian-speaking threat actors is a recurring pattern in our tracking data.
5. Domain Registration and Campaign Timeline
| Date | Event |
|---|---|
| 2002-07-01 | npimedia.com registered (legitimate media company, later compromised) |
| 2025-04-15 | ruskinchimneyanddryersolutions.com registered via Spaceship Inc |
| 2026-02-06 | 77.91.65.0/24 block created at RIPE (DGTLS-MNT) |
| 2026-02-08 | 2fa-cp.cfd registered (NiceNIC) -- earliest campaign domain |
| 2026-02-09 | 2fa-cp.click + sdn-cloudflare-js.click registered (Dynadot) |
| 2026-02-17 | RDP certificate generated on VM-18f3a415... |
| 2026-02-18 | fontfix-chrome.com registered (Tucows) |
| 2026-02-19 | PE stager compiled (MinGW-w64) |
| 2026-02-20 | buck-cdns-server.sbs registered (Dynadot) -- active C2 panel |
| 2026-02-21 | index.html last modified on 77.91.65.56 |
| 2026-02-26 | First URLScan submission; @solostalking reports the campaign |
The timeline tells a clear story: IP allocation on Feb 6, domain registration cluster Feb 8-9 (early customers), infrastructure stood up Feb 17-19, active customer domain registered Feb 20, campaign goes live Feb 21, detected Feb 26. Total time from IP allocation to operational deployment: 15 days.
6. Compromised Domain Cluster: The Chimney Company Pattern
An unusual SAN certificate cluster on 57.128.95.87 (OVH / symbolhost.com) ties together eight domains, all variations on the naming pattern {location}chimneyanddryer{services|solutions|vent}.com:
ruskinchimneyanddryersolutions.com
alphachimneyanddryerventestero.com
safetytarponchimneyanddryervent.com
benjaminchimneyanddryerservices.com
opvillageschimneyanddryervent.com
greenacreschimneyanddryerservices.com
miamidadechimneyanddryerservices.com
rpllocustchimneyeanddryerservices.com
These are likely either purpose-registered redirect domains or compromised sites on shared hosting. Their inclusion in the redirect chain provides additional delivery vectors that appear legitimate to URL filtering systems.
7. MITRE ATT&CK Mapping
| Tactic | ID | Technique | Campaign Usage |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | fontfix-chrome.com, buck-cdns-server.sbs, expired rental domains |
| Resource Development | T1584.001 | Compromise Infrastructure: Domains | npimedia.com, chimney service domain cluster |
| Resource Development | T1583.003 | Acquire Infrastructure: VPS | DGTLS-MNT bulletproof hosting allocation |
| Resource Development | T1587.001 | Develop Capabilities: Malware | MinGW-compiled polyglot stager |
| Initial Access | T1189 | Drive-by Compromise | Fake browser update lure pages |
| Execution | T1204.004 | User Execution: Malicious Copy and Paste | Victim copies the path from the lure page and pastes it into Explorer |
| Defense Evasion | T1027.009 | Obfuscated Files: Embedded Payloads | JPEG+PE polyglot stager in logo.jpg |
| Defense Evasion | T1027 | Obfuscated Files or Information | XOR + Base64 JavaScript obfuscation |
| Defense Evasion | T1573.001 | Encrypted Channel: Symmetric Cryptography | AES-256-GCM + RC4 C2 comms |
| Command and Control | T1071.001 | Application Layer Protocol: Web | HTTP API to /api/index.php endpoints |
| Command and Control | T1102.001 | Web Service: Dead Drop Resolver | Polygon smart contract getData() returns the current C2 URL |
| Command and Control | T1568 | Dynamic Resolution | Owner-only setData updates the C2 URL with no DNS change |
8. Indicators of Compromise
Network Indicators
# Lure / Landing Infrastructure
77.91.65.56
fontfix-chrome.com → 172.67.212.111
# C2 Panel (API)
buck-cdns-server.sbs → 94.154.35.227 # Active
2fa-cp.click → 94.154.35.227 # Expired rental
sdn-cloudflare-js.click → 94.154.35.227 # Expired rental
2fa-cp.cfd → 94.154.35.227 / 185.246.223.219 # Expired rental
# Compromised redirect domains
npimedia.com
ruskinchimneyanddryersolutions.com → 57.128.95.87
alphachimneyanddryerventestero.com → 57.128.95.87
safetytarponchimneyanddryervent.com → 57.128.95.87
benjaminchimneyanddryerservices.com → 57.128.95.87
opvillageschimneyanddryervent.com → 57.128.95.87
greenacreschimneyanddryerservices.com → 57.128.95.87
miamidadechimneyanddryerservices.com → 57.128.95.87
rpllocustchimneyeanddryerservices.com → 57.128.95.87
URI Patterns
/api/index.php?a=cfg
/api/index.php?a=evt
/api/index.php?a=init
/api/index.php?a=dl
/api/index.php?a=js&mode={browser|font|recaptcha|bsod|silent|cloudflare|cf_update}
/api/icons/chrome.ico
/logo.jpg
/logoo.png
/bgo.jpg
/headero.jpg
/spriteo.png
File Indicators
# JPEG+PE Polyglot Stager
SHA-256 (PE only): 6054b8a3906ba0939dbd2f910289f78e58e96b86489bf0a1574a97c51a4a0774
SHA-256 (full JPEG): 54de8462597fa1a96250c13a1a01d74a135e8753d413f9d7e956a3070f58290c
MD5 (PE only): 5a7e7b4f83ac057bb7a366d88bce3601
Blockchain Indicators
Chain: Polygon (MATIC)
Contract: 0xd2572Aa454e6250E54C483ca89eEfe02d22e5937
Owner wallet: 0xcaf2c54e400437da717cf215181b170f65187abf
Wallet balance: 68.33 MATIC
TX count: 798
getData selector: 0xb68d1809
setData selector: 0xb249cd2d
owner selector: 0xf851a440
Cryptographic Indicators
API base key: c6debe3b62faf837b4daf28376361015cb157ca7b1f8fc8c92fa459fedcc833d
GCM key label: cfg|gcm1
JS XOR key: 201 (0xC9)
JS init guard: window.__BW_SCRIPT_INITIALIZED__
localStorage keys: site_repair_state, bw-downloaded
Mode handler: __BW_MODE_RUN__
TLS Certificates
# buck-cdns-server.sbs
Issuer: Let's Encrypt R13
Serial: 06:74:57:1a:a5:0e:79:4c:5b:61:d4:5a:8f:78:06:77:ef:ff
Valid: 2026-02-20 to 2026-05-21
# 77.91.65.56 RDP
CN: VM-18f3a415-cd64-4597-8ca9-aac58d8ee468
Valid: 2026-02-17 to 2026-08-19
9. Assessment
BrowserWare represents the maturation of ClickFix from a one-off social engineering trick into a fully productized, commercially operated distribution platform. The architecture choices are deliberate and well-considered:
- Blockchain C2 resolution eliminates the single point of failure that traditional domain-based C2 creates. Takedown requests to registrars and hosting providers do not affect the smart contract on Polygon.
- Layered encryption (RC4 requests, AES-GCM responses, XOR-obfuscated loader JS) keeps configurations and payloads out of casual reach of passive network monitoring and TLS inspection. The limit is worth stating: the base key is hardcoded in the client-side JavaScript, so anyone who deobfuscates the loader can decrypt captured cfg responses. Against an analyst this layer is obfuscation, not confidentiality.
- Polyglot payloads bypass content-type-based filtering. The stager passes as a valid JPEG image to any system that only checks file headers.
- The rental model with per-customer configuration, multiple lure modes, and automatic expiration mirrors legitimate SaaS billing. The operator maintains the platform; customers bring their own traffic.
The 798 transactions on the owner wallet and multiple expired rental domains suggest this is not a new operation -- it has been running long enough to cycle through customers. The CIS country exclusion baked into the platform confirms a Russian-speaking operator following established norms of the Russian-language cybercriminal ecosystem.
For defenders: blocking IOCs is necessary but insufficient. The Polygon contract should be monitored for setData calls -- each one signals a new C2 panel URL that will immediately propagate to all deployed lure pages. The /24 block 77.91.65.0/24 should be monitored for new deployments, and the owner wallet tracked for fund flows that could aid attribution.
Investigation by breakglass.intelligence | Source intel credit: @solostalking