The ClickFix malware campaign takes advantage of CAPTCHAs to facilitate cross-platform infection spread.

A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off over the past year, according to new findings from Guardio Labs. Like a real-world virus variant, this new ClickFix strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year. Security researcher Shaked Chen stated in a report shared with The Hacker News that ClickFix achieved this by removing the need for file downloads, employing smarter social engineering tactics, and spreading through trusted infrastructure. The result was a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures.

ClickFix is a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first detected in the wild in early 2024. In these attacks, infection vectors as diverse as phishing emails, drive-by downloads, malvertising, and search engine optimisation poisoning are employed to direct users to fake pages displaying error messages. These messages aim to guide victims through a series of steps that cause a covertly copied malicious command to be executed when pasted into the Windows Run dialog box or the Terminal app on Apple macOS. The nefarious command triggers a multi-stage sequence that results in the deployment of various types of malware, such as stealers, remote access trojans, and loaders, underscoring the flexibility of the threat.

The tactic has become so effective and potent that it has led to what Guardio calls a CAPTCHAgeddon, with both cybercriminal and nation-state actors wielding it in dozens of campaigns in a short span of time. ClickFix is a more stealthy mutation of ClearFake, which involves leveraging compromised WordPress sites to serve fake browser update pop-ups that deliver stealer malware. ClearFake subsequently incorporated advanced evasion tactics like EtherHiding to conceal the next-stage payload using Binance’s Smart Chain contracts. Guardio noted that the evolution of ClickFix and its success resulted from constant refinement in propagation vectors, diversification of lures and messaging, and various methods to stay ahead of the detection curve, ultimately supplanting ClearFake.

Early prompts were generic, but they quickly became more persuasive, adding urgency or suspicion cues. Chen explained that these tweaks increased compliance rates by exploiting basic psychological pressure. Notable adaptations in the attack approach include the abuse of Google Scripts to host fake CAPTCHA flows, thereby leveraging the trust associated with Google’s domain, as well as embedding the payload within legitimate-looking file sources.