ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office.
New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.
Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30.
ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.
There's usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch.












