A sophisticated browser-based malware delivery method, dubbed ClickFix, has emerged as a significant threat to cybersecurity.
Leveraging deceptive prompts like “Fix Now” and “Bot Verification,” ClickFix tricks users into executing malicious commands by exploiting familiar system actions.
This technique bypasses conventional download workflows, relying on clipboard hijacking and user interaction to stage and execute malware.
.png
)
The ClickFix Technique: A Breakdown
First observed in mid-2024, ClickFix uses deceptive web pages disguised as system alerts or CAPTCHA challenges to manipulate users into running malware.
The infection process typically unfolds in three steps:
- Clipboard Hijacking: Users are instructed to press Windows + R, opening the Run dialog box, followed by Ctrl + V to paste a preloaded command silently copied via JavaScript.
- Execution: Pressing Enter executes the payload, often launching
mshta.exeor PowerShell to retrieve and run remote scripts. - Payload Delivery: Depending on the variant, the malware may include information stealers or fileless PowerShell commands embedded in Base64-encoded scripts.
According to the Report, this method exploits users’ trust in routine system prompts, making it a low-friction attack vector for cybercriminals.
Real-World Examples of ClickFix
Recent investigations uncovered several domains actively employing ClickFix techniques:
- Bitcoin-Themed Domains: Sites like
soubtcevent[.]commimic CAPTCHA verification pages and execute Base64-encoded PowerShell scripts upon user interaction. These scripts deliver malware such as Lumma Stealer and CryptBot via ZIP archives containing malicious executables (verify1.exe,verify2.exe). - Credential Theft Campaigns: Domains such as
timestesol[.]comtarget Zoho Office Suite credentials by redirecting users to fake login pages after completing a “robot verification” prompt. Hardcoded Telegram bot tokens in the source code suggest stolen credentials are sent directly to attacker-controlled endpoints. - Compromised Infrastructure: Websites like
riverview-pools[.]comcopy PowerShell commands to users’ clipboards, delivering fileless payloads from compromised servers. These payloads further retrieve secondary scripts for staging malware execution.
Indicators of Compromise (IOCs)
To aid defenders in identifying ClickFix-related activity, researchers have compiled critical IOCs from observed domains and files:
| Domain | IP Address | Country |
|---|---|---|
| soubtcevent[.]com | 94.181.229[.]250 | Russia |
| securedmicrosoft365[.]com | 20.217.17[.]201 | Israel |
| targett[.]top | 104.16.198[.]133 | United States |
| Filename | SHA-256 Hash |
|---|---|
| verify1.exe | dad4ecd247efa876faac2e3f67130951b044043ca21c5db6281ba2b8fce7a089 |
| verify2.exe | 69c513f0ddf4416e0d47f778594fd76b96424359c7e9c2e5585ad0abaaf5dbc0 |
These observables highlight active infrastructure supporting ClickFix campaigns, enabling defenders to block malicious domains and files proactively.
To combat ClickFix-style attacks, organizations should adopt robust defenses:
- Monitor clipboard-based execution involving PowerShell or
mshta.exe. - Deploy endpoint detection tools configured to log unusual script activity and clipboard usage.
- Block access to domains hosting verification-style lures mimicking CAPTCHA challenges or security prompts.
- Encourage multi-factor authentication (MFA) to mitigate credential theft risks.
ClickFix represents a growing trend in browser-based attack vectors that exploit user trust through deceptive prompts.
By understanding its behavioral patterns and leveraging IOCs, defenders can strengthen their detection capabilities against this evolving threat landscape.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
