Sunday, June 1, 2025
Homecyber securityClickFix Captcha - A New Technique Hackers Used to Deliver Infostealers, Ransomware,...

ClickFix Captcha – A New Technique Hackers Used to Deliver Infostealers, Ransomware, & Quakbot Malware

Published on

SIEM as a Service

Follow Us on Google News

Cybercriminals are leveraging fake CAPTCHA verification pages dubbed ClickFix to distribute malware, including infostealers, ransomware, and the notorious Qakbot banking trojan.

This technique manipulates users into executing malicious commands disguised as routine “verify you are human” prompts.

The attack begins with a phishing page redirecting victims to a fake CAPTCHA site (e.g., cfcaptcha[.]com), where they are instructed to press Windows Key + R, paste a clipboard-injected command via CTRL + V, and execute it with Enter.

- Advertisement - Google News

This triggers a PowerShell script that downloads and runs malware payloads, such as Qakbot, from attacker-controlled domains like duolingos[.]com.

Quakbot Malware
PowerShell command

Obfuscation and Evasion Techniques

The malware employs layered obfuscation, including XOR-encrypted hex strings and dynamic URL generation, to evade detection.

For instance, the downloaded ZIP file (flswunwa.zip) from duolingos[.]com was hosted behind Cloudflare, returning 404 errors to frustrate analysis.

Further investigation revealed a PHP-based dropper acting as a proxy to fetch payloads from secondary servers, masking the true attack infrastructure.

According to the Report, despite partial takedowns of related domains, the technique’s reliance on social engineering ensures continued effectiveness.

Quakbot Malware
 ClickFix captcha at cfcaptcha[.]com

MITRE ATT&CK Alignment and Defense Recommendations

ClickFix aligns with multiple MITRE ATT&CK tactics, including Initial Access (Phishing), Execution (PowerShell), and Defense Evasion (Obfuscation).

To mitigate risks, organizations should:

  • Train users to recognize suspicious verification prompts.
  • Block known malicious domains (e.g., cfcaptcha[.]com).
  • Deploy endpoint protection capable of detecting anomalous PowerShell activity.

The resurgence of Qakbot and the adaptability of ClickFix underscore the need for proactive defenses against evolving social engineering threats.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...