Cybersecurity researchers have identified a new twist on the ‘ClickFix’ social engineering campaign. Threat actors are now staging their malware in the victim’s browser cache before the user is lured into running anything, so that the execution step reads an already-downloaded file from disk rather than making a fresh, inspectable download. The change is aimed squarely at the point where most defences catch ClickFix: the outbound fetch made by the pasted command.
The updated ‘ClickFix’ attack, first advertised on underground forums on February 17, 2026, still relies on fake error messages on compromised websites. These prompts mimic technical problems with popular software such as Google Chrome or Microsoft Word and urge the victim to copy and paste a supplied command into PowerShell or the Windows Run dialog. Unlike earlier iterations, this variant pre-loads the malicious code during the initial page visit, so the payload is already on disk before the user is asked to do anything.
Dark Web Informer analysts, who identified the novel malware strain, reported that the threat actor claims the technique specifically targets browser cache storage to hide the payload before execution. By serving the malware as an ordinary cached resource, such as a PNG or JPG, the only network activity is a sub-resource fetch during page load; when the pasted command later runs, it generates no download of its own for Endpoint Detection and Response (EDR) or proxy tooling to flag. According to the seller, this is what makes the initial infection phase harder to spot.
The builder and source code for this ‘ClickFix’ payload delivery method are reportedly being offered for $300, with an additional $200 service for custom template rewrites. This low cost of entry raises concerns that the technique could be rapidly adopted by a wider range of cybercriminals looking to deploy ransomware or infostealers.
Cache-Based Persistence and Execution of ClickFix Malware
The core innovation of this updated ‘ClickFix’ campaign lies in using the browser cache as a staging area for malicious payloads. When a victim visits a compromised landing page, the attacker’s code is fetched and stored locally in the browser’s cache, masquerading as a benign resource such as an image file. Because this is a normal sub-resource request rather than a user-initiated download, no download prompt appears and the cached file carries no Mark-of-the-Web, so SmartScreen-style download checks never see it.
Following this initial stage, when the unsuspecting user pastes the provided command into PowerShell or the Run dialog, the PowerShell process is instructed to locate the file in the browser cache and execute its contents. Because the payload is already resident on the local disk, this execution phase needs no fresh network connection. That is the critical distinction: heuristics and firewall rules that key on a PowerShell process reaching out to download a second stage have nothing to match. Note that the technique does not eliminate the download, it moves it. The payload still crosses the network during page load, as an image-looking response, which is where proxy and network inspection should now focus.
Security experts recommend that organizations tighten their monitoring of PowerShell processes, particularly those reading from browser cache directories (Chrome and Edge keep theirs under the profile’s User Data\<profile>\Cache folder in %LOCALAPPDATA%, Firefox under its profile’s cache2 folder), and correlate that with a parent of explorer.exe, which is what a command pasted into the Run dialog produces. Additionally, blocking known ‘ClickFix’ domains at the network level can help prevent users from reaching the initial infection points, and web proxies that compare a response’s declared image Content-Type with its actual magic bytes can catch the disguised payload on its way in.
The rapid evolution of malware delivery techniques, as demonstrated by this ‘ClickFix’ variant, underscores the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. As defences adapt, attackers continuously look for new ways to evade detection, here without needing any software vulnerability at all, only a user willing to paste a command. Users are urged to remain vigilant against social engineering tactics and to ensure their security software is up to date. The cybersecurity community will be closely watching for adoption of this cache-based payload delivery method and for the detection and mitigation strategies that follow.
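The two checks recommended above, as an added example that is not part of the original article and not the actor’s builder code: a triage pass over Sysmon-style process-creation events that flags PowerShell reading and executing from a browser cache directory, and a magic-byte check for a “cached image” whose body is not an image. The cache paths are the standard Windows locations for Chrome, Edge and Firefox; the sample events, process IDs and the command lines in them are constructed for illustration, and the magic-byte check assumes the response body has already been extracted from the browser’s own cache container format.

```python
"""Triage helpers for cache-staged ClickFix activity (added example)."""
import ntpath
import re

# Standard browser cache locations under %LOCALAPPDATA% on Windows.
CACHE_DIR_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Cache\\"
    r"|\\Microsoft\\Edge\\User Data\\[^\\]+\\Cache\\"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2\\",
    re.IGNORECASE,
)

# PowerShell primitives that turn bytes on disk into running code.
LOADER_RE = re.compile(
    r"get-content|readallbytes|readalltext|\biex\b|invoke-expression|frombase64string",
    re.IGNORECASE,
)

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Signatures a genuine cached image starts with. Chrome and Firefox wrap
# entries in their own container headers; this assumes the body is extracted.
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def score_event(ev: dict) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    if ntpath.basename(ev["Image"]).lower() not in POWERSHELL:
        return "none"
    cmd = ev["CommandLine"]
    touches_cache = CACHE_DIR_RE.search(cmd) is not None
    loads_code = LOADER_RE.search(cmd) is not None
    if touches_cache and loads_code:
        return "high"      # reads a cache file and executes or decodes it
    if touches_cache:
        return "medium"    # touches the cache only; could be cleanup, review it
    return "none"


def image_magic_mismatch(declared_type: str, body: bytes) -> bool:
    """True when a body declared as an image lacks that image's signature."""
    magics = IMAGE_MAGIC.get(declared_type.lower())
    if magics is None:
        return False       # not an image type we know; nothing to compare
    return not any(body.startswith(m) for m in magics)


def triage(events: list) -> list:
    """Return (severity, pid, parent process name) for every flagged event."""
    hits = []
    for ev in events:
        sev = score_event(ev)
        if sev != "none":
            hits.append((sev, ev["ProcessId"], ntpath.basename(ev["ParentImage"]).lower()))
    return hits


# Constructed sample events in Sysmon Event ID 1 shape (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # pasted into the Run dialog: reads a Chrome cache entry and IEXes it
        "ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -NoProfile -w hidden -c "IEX (Get-Content \"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001\" -Raw)"',
    },
    {   # ordinary interactive use
        "ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -c "Get-ChildItem $env:USERPROFILE\Documents"',
    },
    {   # cleanup script clearing the Edge cache: touches the cache, runs nothing
        "ProcessId": 4302, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'powershell.exe -c "Remove-Item \"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cache\*\" -Recurse -Force"',
    },
    {   # the browser writing its own cache is expected and is not PowerShell
        "ProcessId": 2210, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility',
    },
]


if __name__ == "__main__":
    for sev, pid, parent in triage(SAMPLE_EVENTS):
        print(f"{sev:<6} pid={pid} parent={parent}")
    # A "PNG" cache entry whose body starts with a PE header (constructed bytes).
    print(image_magic_mismatch("image/png", b"MZ\x90\x00\x03\x00"))
```

The medium tier exists on purpose: legitimate scripts do clear browser caches, so a PowerShell process that merely references a cache path should be reviewed rather than blocked, while one that also reads or decodes a file there is the pattern this variant depends on. In a real deployment the parent-process field is worth weighting too, since explorer.exe as the parent is what the Run dialog produces.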

