Fake CAPTCHA (ClickFix) Social Engineering Used for Fileless Malware Delivery
Security researchers reported an active malware distribution technique that abuses bogus CAPTCHA pages to trick users into executing attacker-supplied commands on Windows. In the ClearFake campaign analyzed by Expel, victims land on a compromised site and are instructed to press Win + R, then paste and run a clipboard-seeded command—an approach commonly referred to as ClickFix—which results in malicious PowerShell execution. The campaign emphasizes living-off-the-land tradecraft and evasion, including proxy execution by abusing the trusted Windows script C:\Windows\System32\SyncAppvPublishingServer.vbs to launch PowerShell in hidden mode and reduce the chance of AV detection.
Separate measurement and telemetry on the same broader tactic found large-scale infrastructure supporting fake CAPTCHA lures: a Censys analysis identified 9,494 breached websites hosting counterfeit verification pages, with roughly 70% appearing nearly identical. The most common infection mechanisms involved clipboard manipulation leading to VBScript and PowerShell execution (with significant counts of each observed), alongside other delivery paths such as MSIEXEC-based installation of malicious Windows Installer packages. Researchers also observed use of the Matrix Push command-and-control framework to support fileless deployment, noting that these intrusions can leave no traditional executable artifacts and may evade signature-based detection.
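As an added example (not code from the source article, Expel, Censys or Darktrace), the following Python script matches constructed Sysmon-style process-creation events against the ClickFix chain described above: a script host started from the Run dialog with SyncAppvPublishingServer.vbs, PowerShell spawned by that script host, hidden-window PowerShell started from explorer.exe, and mshta.exe started from the desktop shell. The field names, the sample events, the "<arg>" placeholders and the assumption that legitimate App-V use is never launched from explorer.exe are illustrative.

```python
# Added example: ClickFix process-chain detector over constructed Sysmon-style
# process-creation events (field names and sample values are assumptions).
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str           # created process path
    cmdline: str         # created process command line
    parent_image: str    # parent process path
    parent_cmdline: str  # parent process command line

APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.I)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Names of the ClickFix indicators the event matches (empty list = nothing suspicious)."""
    img, parent, hits = _name(ev.image), _name(ev.parent_image), []
    # 1. Run dialog (explorer.exe) starting a script host with the App-V publishing script.
    #    Assumption: legitimate App-V refreshes are not launched interactively from explorer.exe.
    if parent == "explorer.exe" and img in SCRIPT_HOSTS and APPV_SCRIPT.search(ev.cmdline):
        hits.append("appv_script_from_run_dialog")
    # 2. Proxy execution: the script host running SyncAppvPublishingServer.vbs spawns PowerShell.
    if img in POWERSHELL and parent in SCRIPT_HOSTS and APPV_SCRIPT.search(ev.parent_cmdline):
        hits.append("powershell_child_of_appv_script")
    # 3. Hidden-window PowerShell started straight from the shell (pasted Run-dialog command).
    if img in POWERSHELL and parent == "explorer.exe" and HIDDEN_PS.search(ev.cmdline):
        hits.append("hidden_powershell_from_explorer")
    # 4. mshta.exe started from the shell, as in the Darktrace observation.
    if img == "mshta.exe" and parent == "explorer.exe":
        hits.append("mshta_from_explorer")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, indicators) for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs; <arg> stands in for attacker input
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <arg>",
              r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -w hidden <arg>",
              r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <arg>"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe <arg>", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -File C:\Scripts\inventory.ps1",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # benign scheduled admin script
]
```

Rules 2 and 3 are the higher-confidence pair; rule 1 needs tuning on the parent process in environments that genuinely use App-V.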

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose ClickFix variant abusing App-V and Google Calendar
Researchers reported a new ClickFix-style campaign that abuses the signed Microsoft App-V script SyncAppvPublishingServer.vbs instead of launching PowerShell directly. The attack used a public Google Calendar ICS file as a dead-drop resolver, then staged in-memory payloads that ultimately launched Amatera Stealer.
Expel details ClearFake's ClickFix and proxy-execution techniques
Expel researchers disclosed that ClearFake uses fake CAPTCHA prompts to trick users into pasting malicious PowerShell commands from the clipboard into the Windows Run dialog. They also described the campaign's use of the legitimate SyncAppvPublishingServer.vbs script for hidden proxy execution and estimated nearly 150,000 infections since August 2025.
Censys identifies thousands of breached sites hosting fake CAPTCHA lures
Censys analysis found 9,494 compromised websites serving bogus CAPTCHA pages used for malware distribution. Researchers observed several delivery chains, including clipboard-injected PowerShell and VBScript, MSIEXEC-based installers, and Matrix Push for fileless deployment.
Darktrace detects and blocks ClearFake activity on a customer device
On November 18, 2025, Darktrace observed likely ClearFake activity on a single device, including mshta.exe execution, Smart Chain-related requests, and attempts to retrieve payloads from suspicious infrastructure. Darktrace said its Autonomous Response blocked the outbound connections and likely prevented delivery of an information stealer.
ClearFake infections begin scaling via blockchain-backed delivery
Based on smart-contract transaction history, Expel assessed that the ClearFake campaign had been infecting systems since August 2025. The operation used EtherHiding on the Binance Smart Chain and other resilient hosting methods to support large-scale malware delivery.
ClearFake campaign first identified using fake browser updates
ClearFake was first identified in mid-2023 as a malicious campaign using injected JavaScript on compromised websites, often WordPress sites, to trick users with fake browser update and CAPTCHA-style lures. Victims were commonly driven to these sites through SEO poisoning.
Sources
darktrace.com (untitled)
ClickFix Malware Attacks Targeting Microsoft Windows: Fake CAPTCHAs, Signed Scripts, and Trusted Web Service Exploitation (rescana.com)
ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services (thehackernews.com)
The CAPTCHA Trap: ClearFake Malware Tricks Users Into Hacking Themselves (securityonline.info)
Bogus CAPTCHA pages leveraged for malware distribution | SC Media (scworld.com)