ClickFix

ClickFix is a social-engineering-driven malware delivery technique and associated infection chain in which victims are shown fake verification prompts, commonly impersonating Cloudflare CAPTCHA or "Checking if you are human" pages, and are tricked into manually executing attacker-supplied commands. The technique is primarily documented against Windows users via WIN+R, PowerShell, or malicious MSI/EXE execution, but multiple reports also describe macOS-focused variants using Terminal/bash commands and infostealer delivery. ClickFix has been observed on compromised legitimate websites, phishing domains, typosquatted job and travel sites, GitHub- and Adobe-themed lures, malicious ads, and poisoned CMS content including large-scale Ghost CMS and WordPress compromises.

Across the provided reporting, ClickFix is used as an initial access or malware delivery mechanism rather than a single payload family. Documented downstream payloads and tooling include CastleLoader, Python-based RATs, Lumma Stealer, Vidar, Impure Stealer, VodkaStealer, PySoxy, PureRAT, RedLine, ACRStealer/Efimer-like stealers, Electron-based data stealers, and macOS infostealers. Observed execution chains frequently abuse LOLBins and native tools such as powershell.exe, cmd.exe, finger.exe, curl.exe, tar.exe, rundll32.exe, wscript.exe, explorer.exe, and python.exe/pythonw.exe; some campaigns use Donut-based in-memory loaders, DLL sideloading, portable Python runtimes, Deno-based implants, or blockchain-hosted JavaScript/configuration via EtherHiding on BNB Smart Chain or Polygon.

Behavior described in the content includes clipboard hijacking or scripted copy-to-clipboard of malicious commands, staged payload retrieval from attacker infrastructure, in-memory execution, host fingerprinting, persistence via scheduled tasks and Registry Run keys, PowerShell-based relaunch logic, WebSocket or HTTPS C2, modular task execution, interactive shell access, proxying via PySoxy, screenshot capture, credential and cookie theft, browser and wallet theft, Keychain theft on macOS, and anti-analysis or cloaking logic to evade researchers and bots. Some campaigns used fake Cloudflare verification overlays localized into many languages, geofencing, Telegram-backed telemetry, and cloaking/traffic-distribution systems such as Adspect.

The content links ClickFix activity to multiple intrusion sets and operators, but attribution is campaign-specific and often unconfirmed. Reported associations include Booking.com-themed phishing, compromised hotel ecosystems, a Deno-based platform operated by an actor using the alias "Smokest," possible resemblance to UNC1069 tradecraft, and use by ransomware operators such as Interlock for initial access. Large-scale website poisoning campaigns exploiting Ghost CMS CVE-2026-26980 and widespread WordPress compromises were specifically reported as delivering ClickFix lures. Reported infrastructure and indicators vary by campaign and include domains such as dakatawebstick[.]com, strapness[.]com, overlateise[.]com, solimayticontexta[.]com, sabrineme[.]com, clo4shara[.]xyz, get-1o8.pages[.]dev, zipsage.pages[.]dev, hedgeweeks[.]online, and IPs including 94.26.90[.]100, 185.205.211[.]217, 206.206.103[.]106, 206.206.103[.]120, 167.99.158[.]97, 94.154.35[.]115, 109.107.161[.]194, and 217.138.194.181.

High-confidence infection vectors in the content include fake CAPTCHA/human-verification pages, compromised CMS articles with injected JavaScript loaders, malicious browser extension updates, phishing pages impersonating LinkedIn, Indeed, Booking.com, Zoom/Google Meet, Adobe activation guides, and GitHub-themed macOS lures. Targeting spans enterprise and consumer users globally, with affected sectors including higher education, AI, software, blockchain, cybersecurity, fintech, media, SaaS, hospitality, and cryptocurrency/Web3.