Beware of Clickfix: ‘Fix Now’ and ‘Bot Verification’ Lures Deliver and Execute Malware

A sophisticated browser-based malware delivery method, dubbed ClickFix, has emerged as a significant threat to cybersecurity.

Leveraging deceptive prompts like “Fix Now” and “Bot Verification,” ClickFix tricks users into executing malicious commands by exploiting familiar system actions.

This technique bypasses conventional download workflows, relying on clipboard hijacking and user interaction to stage and execute malware.

The ClickFix Technique: A Breakdown

First observed in mid-2024, ClickFix uses deceptive web pages disguised as system alerts or CAPTCHA challenges to manipulate users into running malware.

The infection process typically unfolds in three steps:

1. Clipboard Hijacking: Users are instructed to press Windows + R, opening the Run dialog box, followed by Ctrl + V to paste a preloaded command silently copied via JavaScript.
2. Execution: Pressing Enter executes the payload, often launching mshta.exe or PowerShell to retrieve and run remote scripts.
3. Payload Delivery: Depending on the variant, the malware may include information stealers or fileless PowerShell commands embedded in Base64-encoded scripts.

According to the Report, this method exploits users’ trust in routine system prompts, making it a low-friction attack vector for cybercriminals.

Real-World Examples of ClickFix

Recent investigations uncovered several domains actively employing ClickFix techniques:

• Bitcoin-Themed Domains: Sites like soubtcevent[.]com mimic CAPTCHA verification pages and execute Base64-encoded PowerShell scripts upon user interaction. These scripts deliver malware such as Lumma Stealer and CryptBot via ZIP archives containing malicious executables (verify1.exe, verify2.exe).
• Credential Theft Campaigns: Domains such as timestesol[.]com target Zoho Office Suite credentials by redirecting users to fake login pages after completing a “robot verification” prompt. Hardcoded Telegram bot tokens in the source code suggest stolen credentials are sent directly to attacker-controlled endpoints.
• Compromised Infrastructure: Websites like riverview-pools[.]com copy PowerShell commands to users’ clipboards, delivering fileless payloads from compromised servers. These payloads further retrieve secondary scripts for staging malware execution.

Indicators of Compromise (IOCs)

To aid defenders in identifying ClickFix-related activity, researchers have compiled critical IOCs from observed domains and files:

Domain	IP Address	Country
soubtcevent[.]com	94.181.229[.]250	Russia
securedmicrosoft365[.]com	20.217.17[.]201	Israel
targett[.]top	104.16.198[.]133	United States

Filename	SHA-256 Hash
verify1.exe	dad4ecd247efa876faac2e3f67130951b044043ca21c5db6281ba2b8fce7a089
verify2.exe	69c513f0ddf4416e0d47f778594fd76b96424359c7e9c2e5585ad0abaaf5dbc0

These observables highlight active infrastructure supporting ClickFix campaigns, enabling defenders to block malicious domains and files proactively.

To combat ClickFix-style attacks, organizations should adopt robust defenses:

• Monitor clipboard-based execution involving PowerShell or mshta.exe.
• Deploy endpoint detection tools configured to log unusual script activity and clipboard usage.
• Block access to domains hosting verification-style lures mimicking CAPTCHA challenges or security prompts.
• Encourage multi-factor authentication (MFA) to mitigate credential theft risks.

ClickFix represents a growing trend in browser-based attack vectors that exploit user trust through deceptive prompts.

By understanding its behavioral patterns and leveraging IOCs, defenders can strengthen their detection capabilities against this evolving threat landscape.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!