Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

ClickFix Investigation Exposes API-Driven Malware Across 3,000 Live Payloads

Research on 3,000 ClickFix payloads reveals API-driven malware delivery, stealthier execution methods, and rapidly evolving attack tactics.


 

A growing number of ClickFix campaigns are advancing from simple social engineering operations into highly orchestrated malware delivery operations supported by dynamic infrastructure. A recent study analyzing nearly 3,000 ClickFix payloads reveals that attackers are utilizing API-based delivery systems that allow them to generate uniquely disguised malicious commands for each victim while serving the same underlying malware to all victims. 

Bert-Jan Pals conducted the analysis, which uncovered previously unknown techniques for evading Windows script inspections, thus demonstrating the deliberate efforts of threat actors to increase detection resistance and operational scalability through evasion of Windows script inspection. These findings show how what once appeared to be a straightforward clipboard-based deception has evolved into a resilient, adaptive ecosystem in which infection success is maximized despite conventional security controls being compromised. It is concerning that the findings come as ClickFix continues to gain traction as one of the most widespread social engineering exploits. 

First identified in March 2024, ClickFix has since become one of the most widely abused social engineering exploits in the cybercrime landscape. As opposed to exploiting software vulnerabilities, ClickFix exploits user trust by presenting fake browser errors, anti-bot CAPTCHA challenges, security warnings, or access restrictions that appear legitimate and gain the user's trust. 

Once the victims have completed the seemingly routine verification procedure, the attacker-supplied code is executed manually by the victim. According to Microsoft's Cyber Signals report for 2025, 47 percent of observed first-time access incidents were attributed to ClickFix-based activity, demonstrating the prevalence of deception-driven attack chains among malware operators. 

An attack sequence that transforms ordinary web pages into malware launch points is at the center of these campaigns, and it appears to be deceptively simple. It is common for attackers to compromise legitimate websites or create convincing phishing pages and substitute counterfeit CAPTCHA screens for verification prompts that require visitors to perform a series of manual tasks, including executing a command copied to the clipboard. These commands typically launch PowerShell, which retrieves and executes remote payloads, thereby enabling the deployment of information stealers and other malicious applications. 

On Windows systems, researchers observed ClickFix delivering multiple malware families, including Deepload, during the observed campaigns. Researchers have documented the use of the same technique beyond the Windows ecosystem, with the Atomic Stealer (AMOS) malware being distributed to macOS users for the first time. The technique targets browser credentials, session cookies, cryptocurrency wallets, and Apple Keychain data, illustrating its increasing cross-platform scope. 

ClickFix's popularity is largely attributed to its ability to bypass many of the security mechanisms commonly utilized by organizations. ESET's telemetry shows that ClickFix activity increased 517 percent between late 2024 and the first half of 2025 in response to this model, and Microsoft's Digital Defense Report indicates that the technique accounted for 47 percent of initial access incidents investigated by its Defender Experts team in 2025. A dedicated entry under technique T1204.004 has also been made under the MITER ATT&CK framework, recognising ClickFix as a unique form of user-assisted malicious execution, based on its increasing operational significance. 

According to Pals' investigation, the most significant evolution today is not contained on the phishing page itself but rather on backend APIs that generate payloads on demand instead of embedding static commands. Backend validation, logs, and returns a unique obfuscated command to every execution while delivering the same malware for each execution. In one test, a single server generated 100 distinct payloads over 100 requests by cycling through the following layered encoding and encryption techniques: Base64, AES, TripleDES, Rijndael, Deflate. In the absence of these protective layers, the payloads currently resolve to the same runspace script in PowerShell, but Pals cautions that the next step in the development of the technique may be per-victim payload customization. 

Using the platform, visitors can receive lures in 25 languages and are automatically tailored with payloads depending on whether they are using Windows or macOS. Further evidence of ClickFix's commercialization is provided by the findings, which extend beyond builder kits to API-driven payload generation. Additionally, Pals spotted a significant shift in execution tactics designed to minimize the effectiveness of clipboard-focused detections as well as API-driven payload generation. The newer ClickFix variants do not place the entire malicious command into the victim's clipboard, but instead download an archive into the Windows Downloads directory first and then copy only the lightweight PowerShell "orchestrator" command. 

The command is executed silently and moves the archive to a temporary location, extracts its contents, and launches the embedded PowerShell script when executed. It has also been made more discreet to execute the payload since it is separated from the clipboard command, which reduces the exposure to the Antimalware Scan Interface (AMSI). In earlier ClickFix campaigns, victims were instructed to paste commands into the Run dialog by pressing Windows+R, but in more recent operations observed throughout 2025 and into 2026, users were directed to Windows Terminal via Windows+X. 

Furthermore, the method does not create RunMRU registry artifacts commonly required for forensic investigations, which makes it appear more routine. ClickFix campaigns have undergone a significant change since moving away from static commands to API-generated payloads. In addition to maintaining the same underlying malware, attackers may also generate uniquely obfuscated commands on demand, thereby complicating signature-based detection without increasing operational complexity, thereby making campaigns more scalable and more difficult to identify through conventional security measures. The ClickFix platform has also been used by state-sponsored threat groups.

According to Proofpoint threat intelligence, a number of state-sponsored organizations incorporated ClickFix into existing intrusion workflows, including Russian APT28, Iranian MuddyWater, and North Korean Kimsuky. As part of the campaign, North Korean operators have also designed fraudulent recruitment schemes, known as ClickFake Interviews, targeting cryptocurrency professionals. Security firm Expel reported that 147,521 systems may have been compromised by a single ClearFake campaign since late August 2025, with the operational scale equally significant. 

A more valuable method of defending against malware than clipboard inspection alone is behavioral monitoring. Pals determined the most reliable indicators to be process chains originating from explorer.exe or WindowsTerminal.exe, which immediately spawned powershell.exe, cmd.exe, or msiexec.exe, followed by outbound network activity. PowerShell and cmd.exe accounted for approximately 39 percent of all observed launch methods across the analyzed dataset, followed by msiexec.exe at approximately 34 percent. 

Behavioral EDR, application control policies, and continued user awareness remain among the most effective defensive techniques. Another hunting opportunity is presented by the Downloads-folder technique, which utilizes seemingly benign one-line commands that access the Downloads directory prior to initiating concealed PowerShell execution. 

According to Pals, three active payload distribution servers were identified during the investigation - comicstar[.]lat, babybon[.]cfd, and merkantalolol[.]asia. Communication with these domains does not by itself indicate a successful compromise, but rather indicates that ClickFix commands have been delivered to a user's clipboard. Based on API-driven payload infrastructure, ClickFix is believed to have evolved into a flexible attack framework. 

A major development in cybercrime, he warns, will likely be the transition from individual payload wrappers to malware which is tailored to each target's specific needs. This evolution of ClickFix illustrates the broader shift in cybercrime towards highly adaptable, service-driven attack ecosystems that emphasize flexibility, scale, and evasion. Due to the dynamic nature of payload delivery, organizations cannot solely rely on static indicators or traditional prevention measures to protect themselves. 

The critical aspect of disrupting attacks designed to blend into legitimate activities remains the continuous monitoring of user-driven execution chains, the strengthening of application controls, and the maintenance of security awareness. The resilience of organizations will depend on the ability to detect behaviors instead of keeping up with ever-changing payloads in an environment where threat actors are constantly fine-tuning successful techniques.
Share it:
Next
This is the most recent post.
Previous
Older Post

AMSI Evasion

API-Driven Malware

ClickFix

Cyber Threats

Initial Access

malware

malware delivery

PowerShell Attacks

Threat Intelligence