A real-world ClickFix intrusion observed through both sandbox and endpoint telemetry, revealing the complete attack path from a compromised WordPress site to a blocked GuLoader execution, including a full process creation call stack from the Windows Run dialog to the kernel.
Preamble
In April 2026, we responded to an endpoint