ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware
Multiple reports highlighted ClickFix, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial access method in recent malware activity. In the OCRFix botnet campaign, victims were lured to a typosquatted site impersonating Tesseract OCR (tesseract-ocr[.]com lookalike) via SEO poisoning and reported LLM poisoning (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; this led to retrieval of a malicious MSI (98166e51.msi) from opsecdefcloud[.]com, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a BNB TestNet smart contract to obtain C2 details, using EtherHiding (blockchain-hosted instructions) to make takedown and disruption more difficult.
A separate investigation described a Chrome extension supply-chain compromise of QuickLens – Search Screen with Google Lens (7,000+ users), where attackers acquired the extension and shipped an update embedding malicious scripts and elevated permissions to enable credential/crypto theft and staged payload delivery; the campaign also incorporated a ClickFix flow that masqueraded as a legitimate browser update to trick users into executing malicious code. Other items in the set covered different topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on Funnull/Fangneng CDN as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on Dust Specter APT targeting Iraqi government officials with password-protected RAR delivery and custom malware modules—none of which were primarily about ClickFix.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers reported OCRFix persistence and possible operator clues
The OCRFix analysis revealed a three-stage payload chain that created a high-privilege scheduled task for persistence and sent host data to a control panel at ldture[.]com. Researchers also noted Cyrillic comments in the panel source code as a weak indicator of possible Russian-speaking operators, while observing that blockchain-based C2 techniques have also been seen in activity linked to North Korean actors.
Cyjax identified the OCRFix botnet campaign
By early March 2026, Cyjax had identified a botnet trojan campaign dubbed OCRFix that used ClickFix phishing and EtherHiding to conceal command-and-control instructions in BNB Smart Chain TestNet smart contracts. The campaign relied on a typosquatting Tesseract OCR site, SEO poisoning, and a YouTube video to drive victims to paste malicious PowerShell commands and install a malicious MSI.
QuickLens campaign used ClickFix lures to steal crypto and credentials
After the malicious QuickLens update, the attackers used a fake Google Update lure to trigger a ClickFix social-engineering flow that pushed victims to run attacker-supplied code. On Windows, this led to a signed malicious executable and PowerShell-delivered payloads targeting cryptocurrency wallets, browser credentials, payment data, Gmail, Facebook Business Manager, and YouTube.
QuickLens Chrome extension was acquired and turned malicious
In February 2026, the previously benign QuickLens Chrome extension was acquired and updated with malicious code through the official Chrome Web Store update mechanism. The compromised update affected more than 7,000 users and enabled browser-based injection, C2 communications, and theft-focused activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
OCRFix Botnet Trojan Leveraging ClickFix Phishing and EtherHiding to Conceal Blockchain-Based Command Infrastructure - Cyber Security News
cybersecuritynews.com
Open sourceQuickLens Chrome Extension Supply Chain Attack: Cryptocurrency Theft and ClickFix Malware Campaign Analysis
rescana.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
ClickFix Social Engineering Campaigns Expand Malware and Ransomware Delivery
Researchers reported continued expansion of **ClickFix** as an initial-access technique, with attackers using fake CAPTCHA or verification pages to trick users into executing clipboard-delivered commands on Windows systems. In one campaign, **LeakNet** shifted away from relying on initial access brokers and instead used compromised legitimate websites hosting fake Cloudflare Turnstile checks to broaden victim acquisition and reduce network-based detection. ReliaQuest linked the activity to LeakNet through overlapping infrastructure and consistent TTPs, and noted the group paired ClickFix with a stealthy, memory-resident loader built on the **Deno** JavaScript runtime to support ransomware operations. A separate ClickFix campaign analyzed by Atos used the same user-executed command pattern to map attacker-controlled network drives with `net use`, then download a trojanized but legitimately signed *WorkFlowy* application whose modified `asar` archive executed malicious code in the **Node.js** main process with the logged-in user’s privileges. Other reporting on **Hive0163** also identified ClickFix as one of several initial-access methods used in **Interlock** ransomware intrusions, although that article focused primarily on the group’s likely AI-generated **Slopoly** malware rather than a specific ClickFix incident. Reporting on **Operation Covert Access** in Argentina’s judicial sector was unrelated, describing spear-phishing with fake court documents to deliver **COVERT RAT** via a different intrusion chain.
Mar 22, 2026
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
May 26, 2026