ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office.
New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows’ script scanning.
Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30.
ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.
There’s usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch.
It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft’s 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team.
The technique now has its own entry in MITRE ATT&CK, T1204.004.
Payloads made to order
The new part is how the payloads are produced. Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time.
He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace.
The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before long. The same platform serves lures in 25 languages and matches the command to the visitor’s operating system, with macOS versions running alongside Windows.
The “as-a-service” label is not just branding. ESET has tracked criminals selling ready-made ClickFix builders to other attackers. Pals found a parallel commercialization one layer deeper, in how each payload is churned out on request.
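The clustering step Pals describes, stripping the rotating wrapping until every sample collapses to the same core, can be automated for the unkeyed layers. The following is an added analysis helper, not code from the research or from any ClickFix platform: it peels Base64 and Deflate layers (the raw Deflate form a .NET DeflateStream emits, plus zlib/gzip framing) and hashes whatever plaintext remains, so differently disguised payloads cluster under one fingerprint. The sample inputs are constructed from a benign stand-in script; AES, TripleDES and Rijndael layers are left opaque because they cannot be removed without the key.

```python
import base64
import hashlib
import zlib

def try_base64(data: bytes):
    """Decode one Base64 layer, or return None if data is not clean Base64."""
    stripped = data.strip()
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def try_inflate(data: bytes):
    """Inflate one Deflate layer: raw (wbits=-15, what .NET DeflateStream emits) or zlib/gzip-framed (47)."""
    for wbits in (-15, 47):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

def unwrap(blob: bytes, max_layers: int = 16):
    """Peel Base64 and Deflate layers until neither applies; returns (residue, layer names outer to inner)."""
    layers = []
    for _ in range(max_layers):
        for name, peel in (("base64", try_base64), ("deflate", try_inflate)):
            inner = peel(blob)
            if inner is not None:
                layers.append(name)
                blob = inner
                break
        else:
            break  # neither applied: plaintext reached, or a keyed layer (AES/3DES) that needs its key
    return blob, layers

def core_fingerprint(blob: bytes):
    """SHA-256 of the unwrapped core so differently disguised payloads cluster; None if a keyed layer remains."""
    residue, layers = unwrap(blob)
    try:
        residue.decode("utf-8")
    except UnicodeDecodeError:
        return None, layers
    return hashlib.sha256(residue).hexdigest(), layers

# Constructed samples (not campaign payloads): one benign stand-in script, two different wrappings.
CORE = b"Write-Output 'stand-in for the shared core script'"
_DEFLATED = zlib.compress(CORE)[2:-4]  # raw Deflate: drop the 2-byte zlib header and 4-byte Adler-32 trailer
SAMPLE_A = base64.b64encode(_DEFLATED)                    # base64(deflate(core))
SAMPLE_B = base64.b64encode(base64.b64encode(_DEFLATED))  # base64(base64(deflate(core)))
```

Feeding real captures through `core_fingerprint` groups them by the script underneath; a `None` fingerprint flags a sample whose innermost layer is encrypted and needs the key the loader carries.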
A quieter way in: the Downloads-folder method
The second finding is a direct answer to defenders who watch the clipboard. Instead of copying a malicious command, the newer pages copy a harmless-looking one.
The page quietly downloads a file to the Downloads folder, and the clipboard gets a short “orchestrator” line that moves that file, unpacks it, and runs the script inside. Because the pasted line is only that orchestrator and not the payload itself, it is built to slide past AMSI, the Windows feature that lets antivirus scan scripts before they run. The bad code sits in the downloaded file,…