Threat researchers reported continued evolution and operationalization of ClickFix-style social engineering, where victims are tricked into manually executing attacker-supplied commands via the Windows Run dialog. Huntress described a new variant dubbed CrashFix, attributed to KongTuke, which uses a malicious browser extension to display a fake “browser stopped abnormally” security warning and a bogus “scan” flow; the extension silently places a PowerShell command on the clipboard, disguised as a legitimate repair action, and instructs the user to paste-and-run it, leading to code execution.
Rapid7 Labs separately documented a large-scale campaign in which an unidentified actor compromises legitimate WordPress sites to inject a ClickFix implant that impersonates a Cloudflare human verification (CAPTCHA) challenge. The operation has affected 250+ infected sites across 12+ countries and delivers a multi-stage, mostly in-memory malware chain (obfuscated JavaScript → PowerShell stagers → in-memory loaders/shellcode) aimed at stealing credentials and digital wallets from Windows systems, enabling downstream financial theft and potential follow-on intrusion using harvested credentials.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
The SC Media content notes that CMMC Phase 1 enforcement is set to start on November 10, affecting defense and federal supply-chain compliance and audit requirements. This is presented as an upcoming regulatory milestone rather than an incident response event.
Huntress disclosed a new ClickFix variant it calls 'CrashFix,' associated with the threat actor KongTuke. The attack uses a malicious browser extension that fakes a browser crash warning and tricks users into executing clipboard-delivered PowerShell commands.
On publication of its report, Rapid7 said it had identified more than 250 infected WordPress sites across at least 12 countries, including media outlets, local businesses, and a U.S. Senate candidate's website. The company also tied the activity to payloads including Vidar, Impure Stealer, and VodkaStealer, and released IoCs and YARA rules.
Rapid7 observed the compromised-WordPress campaign in its current form starting in December 2025. The operation used fake Cloudflare CAPTCHA prompts to trick visitors into running PowerShell, leading to in-memory malware delivery and credential and wallet theft.
Rapid7 reported that infrastructure supporting a large WordPress compromise and ClickFix malware operation dates back to July and August 2025. This infrastructure was later tied to a global infostealer campaign.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcerapid7.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.