A sophisticated new cyberthreat campaign has emerged that combines impersonation of trusted news sources with deceptive security verification prompts to trick users into executing malicious commands on their systems.
According to a Reddit post, the ClickFix attack masquerades as legitimate BBC news content while employing fake Cloudflare verification screens to deliver malware.
How the Attack Works
The attack begins when users encounter what appears to be legitimate online advertising or search results. Upon clicking, victims are redirected to a convincing replica of a BBC news website populated with articles stolen from legitimate sources.
However, instead of authentic news content, the fake site serves as a delivery mechanism for a more alarming purpose.
After browsing the fabricated news site, users encounter what appears to be a standard Cloudflare security verification page. These pages are pixel-perfect replicas of genuine Cloudflare Turnstile challenges, complete with authentic-looking logos and Ray ID footers that lend an air of legitimacy.
The fake verification page displays the familiar “Verify you are human” checkbox that users have grown accustomed to seeing across the internet.

However, when users attempt to complete the verification, they receive instructions to perform a series of seemingly routine steps:
- Press Windows + R to open the Run dialog.
- Press Ctrl + V to paste a verification command.
- Press Enter to execute the command.
What users don’t realize is that clicking the verification button has already loaded a malicious PowerShell command into their system’s clipboard.
The command they paste and execute is not a legitimate verification tool, but rather malicious code designed to download and install various types of malware.

The ClickFix technique has experienced explosive growth throughout 2024 and 2025. According to ESET’s Threat Report, ClickFix attacks surged by over 517% in the first half of 2025, making it the second most common attack vector after phishing and accounting for nearly 8% of all blocked attacks.
This social engineering technique exploits users’ natural tendency to quickly solve technical problems, particularly when presented with authoritative-looking prompts from trusted services like Cloudflare.
The attack’s effectiveness stems from its ability to bypass traditional security measures by convincing users to execute malicious code on their own systems voluntarily.
Growing Threat Landscape
Cybersecurity researchers have identified multiple variants of this attack targeting different platforms and services. Beyond fake BBC news sites, attackers have been observed impersonating various trusted entities, including Microsoft, Google Chrome, and even transportation and logistics software specific to certain industries.
The malware delivered through these campaigns is diverse and dangerous. Security firms report ClickFix attacks leading to the deployment of information stealers, ransomware, remote access trojans, cryptominers, and even custom malware from nation-state-aligned threat actors. Popular malware families distributed through these campaigns include Lumma Stealer, DarkGate, AsyncRAT, and NetSupport.
What makes these attacks particularly concerning is their sophisticated evasion capabilities. The malicious PowerShell commands often retrieve Base64-encoded payloads from legitimate-seeming services and include anti-analysis features that terminate execution if they detect virtual machine environments.
This allows them to evade traditional security scanning and achieve zero detection across many antivirus platforms.
The fake Cloudflare pages are professionally crafted to include authentic marketing text copied directly from Cloudflare’s official website, making them extremely difficult to distinguish from legitimate verification screens.
Some variants even display fake progress indicators and success messages to further convince users that they’re completing a legitimate security process.
Recent developments extend beyond the original ClickFix method. Security researcher mr d0x identified a new variant called FileFix that leverages Windows File Explorer instead of the Run dialog, instructing users to paste malicious commands into the File Explorer address bar.
This evolution demonstrates how threat actors continue to adapt their techniques to maintain effectiveness as awareness grows.
Mitigations
Organizations and individuals can take several steps to protect against these attacks. Boston College IT and other security experts recommend never executing unsolicited commands from websites, regardless of how legitimate they appear. Key defensive measures include:
- Disabling the Windows Run dialog through Group Policy or registry modifications to prevent execution of malicious commands.
- Training users to recognize fake verification screens and suspicious command prompts.
- Implementing behavioral monitoring to detect unusual PowerShell or command-line activity.
- Maintaining updated security software with behavioral analysis capabilities.
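For the behavioral-monitoring item above, a triage sketch added here as an example (not code from the article or from any vendor it names): it scores Run-dialog history for the traits the article describes, namely a PowerShell launch combined with an encoded argument, a hidden window or a download. It assumes the input was exported from the per-user `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key; the function names, the rule set and the sample data are constructed for illustration, and the lure-text rule is an assumption.

```python
import re

# Traits the article attributes to a pasted ClickFix command. The lure_text
# rule (verification wording left visible in the Run box) is an assumption.
RULES = {
    "powershell": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "encoded_arg": re.compile(r"\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"\s-w[a-z]*\s+(?:hidden|h|1)\b", re.I),
    "download": re.compile(
        r"https?://|\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I),
    "lure_text": re.compile(r"verify you are human|not a robot|ray id", re.I),
}

# Constructed sample of RunMRU values (name -> data); not from a real host.
# The Base64 string is a placeholder, not a payload.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "powershell -NoProfile Get-Date\\1",
    "c": "powershell -w hidden -enc Q09OU1RSVUNURURfU0FNUExF"
         " # Verify you are human - Ray ID: 0000000000000000\\1",
    "d": "powershell -WindowStyle Hidden iwr https://files.example.invalid/check.txt\\1",
}

def parse_runmru(values):
    """Return Run-dialog commands, newest first, from RunMRU values."""
    order = [n for n in values.get("MRUList", "") if n in values]
    if not order:  # no usable MRUList: fall back to value-name order
        order = sorted(k for k in values if k != "MRUList")
    # Explorer appends a "\1" marker to each stored command; strip it.
    return [values[n][:-2] if values[n].endswith("\\1") else values[n] for n in order]

def findings(command):
    """Names of the rules a command line matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(command)]

def triage(values):
    """Flag commands that start PowerShell and show at least one more trait."""
    flagged = []
    for cmd in parse_runmru(values):
        hits = findings(cmd)
        if "powershell" in hits and len(hits) >= 2:
            flagged.append((cmd, hits))
    return flagged

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(", ".join(hits), "<-", cmd)
```

Requiring a second trait alongside the PowerShell launch keeps ordinary administrative use of the Run dialog, such as the `Get-Date` entry in the sample, out of the results.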
Security professionals emphasize that legitimate services like Cloudflare never require users to interact directly with their operating system or execute terminal commands as part of verification processes. Any website requesting such actions should be immediately considered suspicious and avoided.
The cybersecurity community has responded to the ClickFix threat with enhanced detection capabilities and awareness campaigns. Microsoft has been tracking specific campaigns under threat actor designations like Storm-1865, while security firms like ESET and Proofpoint have developed specialized detection rules for identifying ClickFix attacks.
The rapid evolution and growing sophistication of ClickFix attacks highlight the ongoing challenge of defending against social engineering techniques that exploit human psychology rather than technical vulnerabilities.
As these attacks become more prevalent, continued vigilance and user education remain critical components of cybersecurity defense strategies.
This latest campaign, combining fake BBC news sites with fraudulent Cloudflare verification, represents a concerning escalation in the complexity and deception employed by cybercriminals, underscoring the need for heightened awareness and robust security measures across all levels of internet usage.