⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.

Back to Techniques

net use (WebDAV)

The net use command can map remote WebDAV shares as local drives. In March 2026, Atos researchers discovered a ClickFix variant that instructs victims to paste a net use command into the Run dialog. The command maps a remote WebDAV share, executes a batch file from that share, and then removes the mapping. This technique completely avoids PowerShell, MSHTA, and WScript, making it harder to detect. The batch file downloads a ZIP archive containing a trojanized Electron app (modified .asar files) functioning as a C2 beacon. This variant was NOT detected by automated security controls and was only found through manual RunMRU Registry Key analysis.

windows cli CLI

WebDAV ClickFix via net use

Try Example
CLI

A system update is required. Please follow the steps below to apply the fix.

  1. Press Win-R on your keyboard

  2. Press Ctrl-V to paste the update command

  3. Press Enter to apply

References:

Mitigations:

  • Monitor for net use commands mapping WebDAV shares from the Run dialog

  • Alert on RunMRU Registry Key entries containing net use with remote paths

  • Block outbound WebDAV (port 80/443) to untrusted IP addresses

  • Monitor for .cmd/.bat file execution from mapped network drives

  • Inspect .asar files in Electron applications for tampering

Contributor: Michael Haag (2026-03-14)