.webp?w=696&resize=696,0&ssl=1 "ClickFix Captcha")
Cybercriminals are leveraging fake CAPTCHA verification pages dubbed ClickFix to distribute malware, including infostealers, ransomware, and the notorious Qakbot banking trojan.
This technique manipulates users into executing malicious commands disguised as routine “verify you are human” prompts.
The attack begins with a phishing page redirecting victims to a fake CAPTCHA site (e.g., cfcaptcha[.]com), where they are instructed to press Windows Key + R, paste a clipboard-injected command via CTRL + V, and execute it with Enter.
.png
)
This triggers a PowerShell script that downloads and runs malware payloads, such as Qakbot, from attacker-controlled domains like duolingos[.]com.
Obfuscation and Evasion Techniques
The malware employs layered obfuscation, including XOR-encrypted hex strings and dynamic URL generation, to evade detection.
For instance, the downloaded ZIP file (flswunwa.zip) from duolingos[.]com was hosted behind Cloudflare, returning 404 errors to frustrate analysis.
Further investigation revealed a PHP-based dropper acting as a proxy to fetch payloads from secondary servers, masking the true attack infrastructure.
According to the Report, despite partial takedowns of related domains, the technique’s reliance on social engineering ensures continued effectiveness.
MITRE ATT&CK Alignment and Defense Recommendations
ClickFix aligns with multiple MITRE ATT&CK tactics, including Initial Access (Phishing), Execution (PowerShell), and Defense Evasion (Obfuscation).
To mitigate risks, organizations should:
- Train users to recognize suspicious verification prompts.
- Block known malicious domains (e.g., cfcaptcha[.]com).
- Deploy endpoint protection capable of detecting anomalous PowerShell activity.
The resurgence of Qakbot and the adaptability of ClickFix underscore the need for proactive defenses against evolving social engineering threats.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
.webp?w=1200&resize=1200,0&ssl=1&description=Cybercriminals are leveraging fake CAPTCHA verification pages dubbed ClickFix to distribute malware, including infostealers.){kind=link}