Cybersecurity researchers have uncovered a new iteration of the ‘ClickFix’ social engineering campaign, which now employs a sophisticated technique to evade detection by storing malware directly within a victim’s browser cache.
This evolution represents a significant and dangerous shift in how threat actors bypass traditional endpoint security measures.
By leveraging legitimate browser functionality, attackers can deliver malicious payloads without triggering standard download alerts or network-based blocks that typically flag suspicious file transfers.
The attack utilizes the widespread ‘ClickFix’ lure, presenting users with fake error messages displayed on compromised websites.
These prompts masquerade as technical issues with Google Chrome or Microsoft Word, urging unsuspecting victims to copy and paste a ‘fix’ into a PowerShell terminal or Windows Run dialog.
Unlike previous versions that downloaded payloads upon execution, this new variant stealthily pre-loads the malicious code during the initial page visit to ensure persistence.
Dark Web Informer analysts identified this novel malware strain being advertised on underground forums on February 17, 2026.
The threat actor orchestrating this campaign claims the method specifically targets the browser’s cache storage to hide the payload before execution.
By disguising the malware as a standard cached file, such as a PNG or JPG, the attack avoids creating suspicious web requests at the moment of infection, effectively blinding many Endpoint Detection and Response (EDR) systems that monitor real-time download activities.
The advertisement highlights the toolkit’s alarming accessibility, offering the builder, source code, and setup instructions for a price of $300.
An additional service for custom template rewrites is available for $200, allowing attackers to tailor lures to specific targets.
This low barrier to entry raises concerns that the technique could see rapid adoption among threat actors looking to deploy ransomware or infostealers.
Cache-Based Persistence and Execution
The core innovation lies in using the browser cache as a staging ground.
When a victim visits the malicious landing page, the payload is silently fetched as a seemingly benign resource—such as an image—and stored locally in the browser’s cache.
The PowerShell command pasted by the victim locates this cached file and executes it.
Since the file is already present on the disk, the execution phase requires no fresh network connection, bypassing firewalls and heuristics that flag shell-initiated downloads.
To detect this activity, security experts recommend monitoring PowerShell processes that access browser cache directories, and blocking known ClickFix domains.
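The monitoring recommendation above can be turned into a concrete detection rule. The following is an added example, not code from the article or from the toolkit it describes: it scans process-creation records for a shell interpreter (the kind the ClickFix lure asks the victim to paste into) whose command line references a browser cache directory, and rates the hit higher when the parent is an interactive process such as explorer.exe, which is what a Run-dialog paste looks like. The tab-separated record format and the four sample events are constructed for this example; the cache paths are the well-known Windows defaults for Chrome, Edge and Firefox.

```python
"""
Detection sketch for the cache-staged ClickFix variant.
Added example; the log format and sample events below are constructed.
Record format assumed here (one process-creation event per line):
    Image<TAB>ParentImage<TAB>CommandLine
"""
import re
from dataclasses import dataclass
from typing import Optional

# Default browser cache locations on Windows. The profile segment
# ("Default", "Profile 1", a Firefox profile id) is matched generically.
CACHE_PATH_PATTERNS = {
    "chrome":  re.compile(r"google\\chrome\\user data\\[^\\]+\\cache", re.I),
    "edge":    re.compile(r"microsoft\\edge\\user data\\[^\\]+\\cache", re.I),
    "firefox": re.compile(r"mozilla\\firefox\\profiles\\[^\\]+\\cache2", re.I),
}

# Interpreters a ClickFix lure tells the victim to paste into.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Parents that indicate a human typed or pasted the command
# (Run dialog spawns from explorer.exe; terminal hosts likewise).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def leaf(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Split one constructed TSV record; CommandLine is last so it may contain tabs."""
    image, parent, cmd = line.split("\t", 2)
    return ProcessEvent(image, parent, cmd)


def classify(ev: ProcessEvent) -> Optional[dict]:
    """Return an alert dict when a shell interpreter references a browser cache dir."""
    if leaf(ev.image) not in SHELL_IMAGES:
        return None  # browsers legitimately pass their own cache dir; ignore them
    for browser, pattern in CACHE_PATH_PATTERNS.items():
        if pattern.search(ev.command_line):
            interactive = leaf(ev.parent_image) in INTERACTIVE_PARENTS
            return {
                "browser": browser,
                "image": leaf(ev.image),
                "parent": leaf(ev.parent_image),
                "severity": "high" if interactive else "medium",
            }
    return None


def scan(lines) -> list:
    """Run classify() over every record and keep only the hits."""
    return [a for a in (classify(parse_event(l)) for l in lines) if a]


# Constructed sample events (no real hosts or users).
SAMPLE_LOG = [
    # 1. Chrome's own utility process mentions the cache dir: not a shell, benign.
    "\t".join([r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r'chrome.exe --type=utility --disk-cache-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cache"']),
    # 2. Ordinary PowerShell use from Explorer: no cache path, benign.
    "\t".join([r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\explorer.exe",
               r"powershell.exe -NoProfile -Command Get-Process"]),
    # 3. Shape of a Run-dialog paste: PowerShell under explorer.exe touching Chrome's cache. HIGH.
    "\t".join([r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\explorer.exe",
               r'powershell.exe -w hidden -c "Get-ChildItem $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data [remainder elided in this constructed sample]"']),
    # 4. Non-interactive parent (e.g. a scheduled cleanup script) touching Edge's cache: MEDIUM.
    "\t".join([r"C:\Program Files\PowerShell\7\pwsh.exe",
               r"C:\Windows\System32\svchost.exe",
               r'pwsh.exe -File C:\Scripts\clean.ps1 -Path "C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cache"']),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two of the four constructed events fire: the explorer.exe-parented PowerShell hitting the Chrome cache as high, and the service-parented pwsh.exe hitting the Edge cache as medium. The rule only matches paths spelled out on the command line, so it should be paired with the EDR's file-access telemetry for the same directories, which catches commands that build the path at runtime or obfuscate it.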