A recent research by SlashNext says the technique, called ClickFix tricks users into running commands that deploy malware. ClickFix shows a fake version of Cloudflare’s Turnstile CAPTCHA page. It replicates visual layout and technical elements like Ray ID identifier to look authentic.
The phishing site is hosted on a domain that looks like the real one, or an authentic website that has been attacked. When users visit the site, they are tricked into checking a box called “Verify you are human.”
This step looks normal and doesn’t raise any suspicion but after this, the users are asked to run a series of commands such as “Win + R” then “Ctrl + V” and after that “Enter.” These steps look harmless but they use a PowerShell command. Once executed, it can extract malware such as Lumma, NetSupport Manager, and Stealc.
According to security expert Daniel Kelley, “ClickFix is a social engineering attack that tricks users into running malicious commands on their own devices – all under the guise of a routine security check.” ClickFix is dangerous because it uses standard security measures as attack tools.
Experts call this “verification fatigue,” where a user clicks through various prompts without proper investigation. "In the context of a familiar-looking Cloudflare page, a user often assumes these extra steps are normal, especially if they’re in a hurry to reach some content. The instructions to press Win+R and Ctrl+V may raise an eyebrow for tech-savvy people, but an average user – seeing official logos and not understanding the implications – can be socially engineered into treating it as an advanced CAPTCHA," Slash reported in the blog.
This tactic doesn't depend on exploiting software flaws, it exploits trust and user habits.
The phishing page is sent as a single HTML file but includes embedded scripts and hidden code to perform clipboard injections.
It uses genuine Windows utilities and doesn't download executables so that it can escape traditional identification tools. General defenses such as endpoint protection or antivirus software usually aim to detect binaries or suspicious downloads.
In this incident, users were baited into activating the threat themselves. This underscores the need for sophisticated malware protection with zero-hour defense that can detect clipboard injections and malicious CAPTCHA screens in real-time.
The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.
The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.
How the Play Ransomware Works
Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.
The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.
Connections to Other Threat Groups
Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.
In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.
Key Steps to Protect Your Organization
The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:
1. Create backup copies of important data and store them in secure, separate locations.
2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.
3. Enable multi-factor authentication to add extra security to all accounts.
4. Limit the use of admin accounts and require special permissions to install new software.
5. Keep all systems and software up to date by applying security patches and updates promptly.
6. Separate networks to limit how far a ransomware attack can spread.
7. Turn off unused system ports and disable clickable links in all incoming emails.
8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.
Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.
Pig Butchering is a “form of investment fraud in the crypto space where scammers build relationships with targets through social engineering and then lure them to invest crypto in fake opportunities or platforms created by the scammer,” according to The Department of Financial Protection & Innovation.
Pig butchering has squeezed billions of dollars from victims globally. Cambodian-based Huione Group gang stole over $4 billion from August 2021 to January 2025, the New York Post reported.
Individuals should watch out for certain things to avoid getting caught in these extortion schemes. Scammers often target seniors and individuals who are not well aware about cybercrime. The National Council on Aging cautions that such scams begin with receiving messages from scammers pretending to be someone else. Never respond or send money to random people who text you online, even if the story sounds compelling. Scammers rely on earning your trust, a sob story is one easy way for them to trick you.
Another red flag is receiving SMS or social media texts that send you to other platforms like WeChat or Telegram, which have fewer regulations. Scammers also convince users to invest their money, which they claim to return with big profits. In one incident, the scammer even asked the victim to “go to a loan shark” to get the money.
Last year, Meta blocked over 2 million accounts that were promoting crypto investment scams such as pig butchering. Businesses have increased efforts to combat this issue, but the problem still very much exists. A major step is raising awareness via public posts broadcasting safety tips among individuals to prevent them from falling prey to such scams.
Organizations have now started releasing warnings in Instagram DMs and Facebook Messenger warning users about “potentially suspicious interactions or cold outreach from people you don’t know”, which is a good initiative. Banks have started tipping of customers about the dangers of scams when sending money online.