CAPTCHAgeddon – A New ClickFix Attack Uses Phony CAPTCHA to Distribute Malware
A sophisticated new malware campaign, known as “ClickFix,” has emerged, weaponising fake CAPTCHA verification pages to deceive users into executing malicious PowerShell commands. This campaign marks a significant evolution in browser-based attack methodologies, representing a next-generation mutation of traditional fake browser update scams that were prevalent throughout 2024. Victims encounter what appears to be a legitimate CAPTCHA challenge, complete with familiar Google reCAPTCHA or Cloudflare branding. Instead of solving a traditional puzzle, users are misled into verifying their humanity through a series of keyboard shortcuts, ultimately executing hidden malicious code. The deceptive interface copies a PowerShell command to the victim’s clipboard and guides them through seemingly harmless steps, such as pressing Windows+R, Ctrl+V, and Enter to “complete verification.”
What makes ClickFix particularly dangerous is its rapid evolution from simple malvertising to sophisticated, multi-platform operations targeting Windows, macOS, and Linux systems. The campaign has successfully displaced earlier fake browser update schemes by eliminating the need for suspicious file downloads and leveraging trusted infrastructure to appear legitimate. Researchers from Guardio have identified this campaign as part of their ongoing monitoring of browser-based threats, noting the attackers’ refined approach across three critical dimensions: propagation methods, narrative sophistication, and evasion techniques. The campaign has evolved from basic pop-up advertisements on questionable websites to highly targeted phishing emails impersonating legitimate services like Booking.com.

The technical sophistication and cross-platform capabilities of ClickFix are particularly concerning, as initial Windows-focused attacks utilised heavily obfuscated PowerShell commands designed to evade detection systems. The campaign’s expansion to macOS is alarming, as it exploits the unfamiliarity many Mac users have with command-line interfaces, instructing victims to execute Base64-encoded bash commands through Terminal.
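The two execution paths the article describes leave a recognisable footprint in endpoint telemetry: on Windows, the Win+R / Ctrl+V / Enter sequence launches PowerShell from the Run dialog, so the new process has explorer.exe as its parent and typically carries encoded or window-hiding arguments; on macOS, the Terminal instruction amounts to a shell decoding Base64 and piping the result back into an interpreter. The following is an added example for defenders, not code from Guardio or from the article, that scores constructed process-creation records against those two patterns and decodes PowerShell's `-EncodedCommand` payload for triage. The `ProcessEvent` field names, the sample events and the benign payloads are all constructed for this illustration, and the indicator list is deliberately narrow to keep the logic explainable.

```python
"""Added example (not from the Guardio research or the article): flag process-creation
events consistent with the ClickFix flow, and decode -EncodedCommand for analysts.
All field names, sample events and payloads below are constructed for illustration."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host_os: str   # "windows" or "macos"  (constructed schema, not a real EDR field set)
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line as logged


# The Run dialog is hosted by the Windows shell, so a command pasted after Win+R
# is spawned with explorer.exe as its parent.
WIN_PARENTS = {"explorer.exe"}
WIN_IMAGES = {"powershell.exe", "pwsh.exe"}

# Arguments that hide the window, skip profiles, or carry encoded / in-memory payloads.
WIN_FLAGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|\biex\b|invoke-expression"
    r"|downloadstring|frombase64string)"
)

# macOS pattern from the article: Base64 decoded in Terminal and piped into a shell.
MAC_DECODE = re.compile(r"(?i)base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b")

# -EncodedCommand takes Base64 of a UTF-16LE string; capture the token after the flag.
ENC_RE = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def indicators(ev: ProcessEvent) -> list:
    """List the ClickFix-relevant indicators present in one event (codes, not verdicts)."""
    codes = []
    if ev.host_os == "windows" and ev.image.lower() in WIN_IMAGES:
        if ev.parent.lower() in WIN_PARENTS:
            codes.append("win:shell-parent")        # launched from the Run dialog path
        if WIN_FLAGS.search(ev.cmdline):
            codes.append("win:suspicious-args")     # hidden window / encoded / IEX etc.
        if decode_encoded_command(ev.cmdline) is not None:
            codes.append("win:encoded-command")
    elif ev.host_os == "macos" and MAC_DECODE.search(ev.cmdline):
        codes.append("mac:base64-to-shell")
    return codes


def is_suspicious(ev: ProcessEvent) -> bool:
    """Windows needs both the shell parent and suspicious arguments, so a developer
    running `powershell -NoProfile -File build.ps1` from an editor is not flagged;
    on macOS the decode-and-pipe-to-shell pattern alone is enough."""
    codes = set(indicators(ev))
    return {"win:shell-parent", "win:suspicious-args"} <= codes or "mac:base64-to-shell" in codes


def scan(events) -> list:
    """Return (index, indicator codes) for every suspicious event."""
    return [(i, indicators(ev)) for i, ev in enumerate(events) if is_suspicious(ev)]


# Constructed sample telemetry. The encoded payload is a harmless Write-Host built at
# runtime; the macOS payload is Base64 of the string "echo hello".
SAMPLE_PAYLOAD = base64.b64encode("Write-Host 'verification complete'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("windows", "explorer.exe", "powershell.exe",
                 f"powershell.exe -w hidden -enc {SAMPLE_PAYLOAD}"),
    ProcessEvent("windows", "Code.exe", "powershell.exe",
                 "powershell.exe -NoProfile -File build.ps1"),
    ProcessEvent("macos", "Terminal", "bash",
                 'bash -c "echo ZWNobyBoZWxsbw== | base64 -d | bash"'),
    ProcessEvent("macos", "Terminal", "bash", 'bash -c "ls -la ~/Downloads"'),
]

if __name__ == "__main__":
    for idx, codes in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.host_os}: {ev.parent} -> {ev.image}  indicators={codes}")
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            print("     decoded -EncodedCommand:", decoded)
```

Pairing the parent-process check with the argument check is the point of the design: either signal alone is noisy in a fleet with administrators and developers, but PowerShell spawned by explorer.exe with a hidden window or an encoded payload is exactly the Run-dialog paste the fake CAPTCHA page instructs. In a real deployment the same logic maps onto Sysmon event ID 1 or an EDR's process-creation stream, and the decoded command goes to the analyst rather than being executed.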