ClickFix Social-Engineering Campaigns Using Fake CAPTCHA and Fake Installer Pages
Security researchers reported multiple ClickFix campaigns that compromise endpoints by tricking users into manually executing attacker-provided commands rather than exploiting a software vulnerability. CERT Polska documented an incident response at a large Polish organization where a fake CAPTCHA prompt led a user to run a malicious snippet via Win+R, resulting in malware execution and suspected DLL side-loading from %APPDATA%\Intel (legitimate igfxSDK.exe/version.dll alongside a suspicious wtsapi32.dll). Investigators also identified additional suspicious DLLs in the user’s local AppData and recovered an execution trail consistent with a one-liner that fetched remote content and piped it into PowerShell (e.g., cmd /c curl ... | powershell).
Separately, threat hunting research described a macOS-focused ClickFix operation using typosquatted Homebrew lookalike sites to present a “copy/paste” install command that runs in Terminal. The first-stage script repeatedly prompted for a password and validated it using dscl authonly to harvest working credentials before deploying a second-stage infostealer dubbed Cuckoo Stealer, which was reported to establish LaunchAgent persistence, remove quarantine attributes, and communicate over encrypted HTTPS C2 while targeting browser credentials/session tokens, Keychain data, notes/messaging artifacts, VPN/FTP configs, and cryptocurrency wallets. Both reports highlight ClickFix as an increasingly common, opportunistic initial access technique that scales by abusing trusted user workflows on Windows and macOS.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Hunt.io expands campaign to broader Homebrew-lookalike infrastructure
By pivoting from the initial typosquatted domain, Hunt.io uncovered a larger cluster of Homebrew-impersonation domains on shared infrastructure tied to the same operation. The researchers also published technical details and IOCs covering persistence, C2 encryption, and extensive data theft capabilities of Cuckoo Stealer.
Fake Homebrew ClickFix campaign delivers Cuckoo Stealer on macOS
Researchers identified a macOS ClickFix campaign using typosquatted Homebrew-themed domains such as homabrews[.]org to trick users into running a malicious curl|bash command in Terminal. The attack chain harvested valid user passwords before downloading the Cuckoo Stealer infostealer/RAT.
CERT Polska links Polish intrusion to Latrodectus and Supper malware
Analysis of the compromised Windows host found DLL side-loading from user AppData paths, attributing one payload to Latrodectus v2.3 and two others to the Supper malware family. The report documented persistence, C2 behavior, anti-analysis features, and the infection chain from curl piped to PowerShell.
Large Polish organization infected via Fake CAPTCHA ClickFix lure
A user at a large Polish organization was tricked by a fake CAPTCHA/ClickFix prompt into pasting and executing a malicious command, giving the attacker code execution and leading to broader internal network compromise. Investigators later supported the victim and law enforcement with forensic analysis and remediation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
May 26, 2026
ClickFix Campaigns Deliver Modular RATs, Banking Trojans, and macOS Stealers
Researchers reported multiple **ClickFix** campaigns using fake CAPTCHA or reCAPTCHA prompts to trick users into manually running malicious commands, with payloads tailored by platform and victim profile. On Windows, one campaign delivered a modular NodeJS-based RAT and infostealer through a malicious MSI installer, loading key capabilities only in memory after command-and-control was established and using `gRPC` over Tor for persistent communications. An operational security failure exposed the malware’s backend protocol definitions and admin panel API, revealing a malware-as-a-service operation with multi-operator support, Telegram alerts, automation rules, and cryptocurrency wallet tracking. The malware also fingerprinted victims extensively and established persistence through the Windows Run registry key as **LogicOptimizer**. A separate ClickFix chain attributed with high confidence to **Grandoreiro** targeted users of eight Brazilian banks by luring victims through a fake reCAPTCHA page and launching a malicious PowerShell sequence that sideloaded a Delphi banking trojan with legitimate GoToMeeting and Nero binaries. The malware deployed banking overlays, intercepted **PIX** QR-code payments, added Microsoft Defender exclusions, and stole credentials, device information, signatures, and payment confirmation codes. Netskope also documented a macOS variant that used AppleScript and a persistent fake password dialog to harvest Keychain data, browser cookies, saved credentials, extension storage, and cryptocurrency wallet data; the theft of live session cookies can enable attackers to bypass MFA by hijacking authenticated sessions.
May 1, 2026