{
	"id": "e05d1445-5741-4ba6-94c2-605afe5d17c4",
	"created_at": "2026-04-06T00:13:52.688803Z",
	"updated_at": "2026-04-10T03:33:20.620845Z",
	"deleted_at": null,
	"sha1_hash": "ae07680d7144038bdcc0804232d09a289d643659",
	"title": "ClickFix Malware \u0026 Social Engineering Threat Grows | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3015106,
	"plain_text": "ClickFix Malware \u0026 Social Engineering Threat Grows | Proofpoint US\r\nBy Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team\r\nPublished: 2024-11-14 · Archived: 2026-04-02 12:16:07 UTC\r\nWhat happened \r\nProofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures\r\nare getting even more clever. \r\nInitially observed earlier this year in campaigns from initial access broker TA571 and a fake update website compromise\r\nthreat cluster known as ClearFake, the ClickFix technique that attempts to lure unsuspecting users to copy and run\r\nPowerShell to download malware is now much more popular across the threat landscape.  \r\nThe ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying,\r\npasting, and running malicious content on their own computer. \r\nExample of early ClickFix technique used by ClearFake.  \r\nProofpoint has observed threat actors impersonating various software and services using the ClickFix technique as part of\r\ntheir social engineering, including common enterprise software such as Microsoft Word and Google Chrome, as well as\r\nsoftware specifically observed in target environments such as transportation and logistics. \r\nThe ClickFix technique is used by multiple different threat actors and can originate via compromised websites, documents,\r\nHTML attachments, malicious URLs, etc. In most cases, when directed to the malicious URL or file, users are shown a\r\ndialog box that suggests an error occurred when trying to open a document or webpage. 
This dialog box includes\r\ninstructions that appear to describe how to “fix” the problem, but will either: automatically copy and paste a malicious script\r\ninto the PowerShell terminal, or the Windows Run dialog box, to eventually run a malicious script via PowerShell; or\r\nprovide a user with instructions on how to manually open PowerShell and copy and paste the provided command. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape\r\nPage 1 of 13\n\nProofpoint has observed ClickFix campaigns leading to malware including AsyncRAT, Danabot, DarkGate, Lumma Stealer,\r\nNetSupport, and more.  \r\nClickFix campaigns observed March through October 2024.  \r\nNotably, threat actors have been observed recently using a fake CAPTCHA themed ClickFix technique that pretends to\r\nvalidate the user with a \"Verify You Are Human\" (CAPTCHA) check.  Much of the activity is based on an open source\r\ntoolkit named reCAPTCHA Phish available on GitHub for “educational purposes.” The tool was released in mid-September\r\nby a security researcher, and Proofpoint began observing it in email threat data just days later. The purpose of the repository\r\nwas to demonstrate a similar technique used by threat actors since August 2024 on websites related to video streaming.\r\nUkraine CERT recently published details on a suspected Russian espionage actor using the fake CAPTCHA ClickFix\r\ntechnique in campaigns targeting government entities in Ukraine. \r\nRecent examples \r\nGitHub “Security Vulnerability” notifications  \r\nOn 18 September 2024, Proofpoint researchers identified a campaign using GitHub notifications to deliver malware. The\r\nmessages were notifications for GitHub activity. The threat actor either commented on or created an issue in a GitHub\r\nrepository. 
If the repository owner, issue owner, or other relevant collaborators had email notifications enabled, they\r\nreceived an email notification containing the content of the comment or issue from GitHub. This campaign was publicly\r\nreported by security journalist Brian Krebs.  \r\nEmail from GitHub. \r\nThe notification impersonated a security warning from GitHub and included a link to a fake GitHub website. The fake\r\nwebsite used the reCAPTCHA Phish and ClickFix social engineering technique to trick users into executing a PowerShell\r\ncommand on their computer.   \r\nClickFix style “verification steps” to execute PowerShell. \r\nThe landing page contained a fake reCAPTCHA message at the end of the copied command so the target would not see the\r\nactual malicious command in the run-box when the malicious command was pasted. If the user performed the requested\r\nsteps, PowerShell code was executed to download an executable that led to the installation of Lumma Stealer. The activity\r\nimpacted at least 300 organizations globally, according to Proofpoint visibility. \r\nSwiss targeted ClickFix delivers malware \r\nProofpoint has observed actors using the reCAPTCHA ClickFix technique in multiple languages targeting organizations\r\nglobally. In September 2024, researchers identified a German language campaign targeting Swiss organizations using\r\nClickFix with the fake CAPTCHA. The messages impersonated the Swiss e-commerce marketplace Ricardo and contained\r\nURLs. When clicked, the users were directed to a landing page using the reCAPTCHA phish tool. The page instructed the\r\nuser to click to copy and paste to resolve an issue. 
However, this actually ran JavaScript that downloaded a ZIP file from a\r\nDropbox URL. Then, copyToClipboard was executed which invoked PowerShell to unzip and launch the BAT file\r\nembedded in the ZIP. At the time of analysis, researchers were unable to identify the dropped malware, but based on C2\r\ntraffic assessed the payload was likely AsyncRAT or PureLog Stealer.  \r\nScreenshot of fake Ricardo site containing “ClickFix” instructions. \r\nFake software updates deliver NetSupport RAT  \r\nOn 5 September 2024, researchers identified a NetSupport campaign that used “benign” email messages to instruct users to\r\ncopy and paste PowerShell into their terminal. The emails did not contain any malicious links or attachments, simply\r\ninstructions.  \r\nThe emails masqueraded as security updates, for example: \r\n        From: Security Agent \u003cresizenreyl6@web[.]de\u003e \r\n        Subject: Important Software Update: Action Required. \r\nThese messages contained instructions to manually run an encoded PowerShell command to update the allegedly insecure\r\nsoftware. (The supposedly unsafe software was never named – just “software”.) \r\nCopy and paste PowerShell lure.  \r\nIf the PowerShell command was executed, it executed a remote PowerShell script. This second PowerShell script\r\ndownloaded 7zip and a password-protected 7z file. It then used 7zip to extract the 7z file with the password\r\n\"fJgGDNG_yudnt4YBJtYJfnJ\" and ran NetSupport. \r\nWhile it’s more common to see the ClickFix technique used with automatic copy and paste functions, the instructions\r\nrequiring more manual work on the part of the user are also common. 
However, it is likely the variant requiring more\r\nmanual work on the part of the user is less effective, as users may be more hesitant about manually copying and running\r\nencoded PowerShell.  \r\nHTML attachments to Brute Ratel C4 and Latrodectus \r\nOn 20 September 2024, Proofpoint researchers identified a campaign delivering Brute Ratel C4 and Latrodectus. Messages\r\ncame from various senders and subjects referencing business themes including budget, finance, invoice, documents,\r\nshipping, etc. and contained HTML attachments. Filenames started with “Report_” or “scan_doc_” subsequently followed\r\nby randomized numeric characters. When opened, the HTML attachment displayed a dialogue box with instructions that\r\nvaried slightly depending on the filename. But both contained a button for users to click – either “Solution” or “How to fix”.  \r\nHTML files containing ClickFix instructions. Examples for attachments named “Report_” (on the left) and “scan_doc_”\r\n(on the right).  \r\nWhen clicked, base64 encoded PowerShell was copied, and the user was presented with another dialogue box that instructed\r\nthe user to open Run, paste, and execute the command. The PowerShell command was used to download a DLL which\r\nstarted Brute Ratel. Brute Ratel was observed leading to Latrodectus.   \r\nInstructions to get a user to paste and run PowerShell.   \r\nThe attack chain used in this campaign and the resulting dialog box was notably different than previously observed variants.\r\nThe sample observed in this campaign attempted to evade analysts by reversing strings in the HTML body of the webpage.  
\r\nWhile this attack chain and resulting payload delivery overlapped with previously observed TA571 and TA578 campaigns,\r\nProofpoint researchers do not attribute this activity with high confidence to a known threat actor.  \r\nChatGPT malvertising delivers XWorm \r\nIn mid-October 2024, researchers observed malvertising using ChatGPT themed lures to deliver XWorm via the ClickFix\r\ntechnique. The malicious website was observed being distributed via Outbrain chumboxes on a large tech site with the text\r\n“Unlock the Power of ChatGPT”. It contained an attacker-owned domain “promtcraft[.]online” claiming to be an LLM\r\nprompt generator PromtCraft. The advertisement was likely running on multiple media outlets given Outbrain’s ad\r\ndistribution. \r\nWhen clicked, the linked domain displayed a customized version of the open source reCAPTCHA phish tool, which had a\r\nlure encouraging visitors to join a ChatGPT community, with the ClickFix clipboard payload. \r\nChatGPT impersonation used in ClickFix payload delivery.  \r\nIf the clipboard payload was executed, MSHTA was executed to run the HTA script in a HTML file obfuscated with\r\nProtWare HTML Guardian Personal Edition, causing MSHTA to call two different remote PowerShell scripts. The first\r\nscript used RegAsm to run XWorm encoded in a Base64 variable, which ran the HVNC plugin to allow full access\r\nto the computer. The second script used RegAsm to run an executable encoded in a Base64 variable. This executable was\r\ncreated with SharpHide which was used to create a hidden registry key to run the first XWorm PowerShell script at each\r\nboot. \r\nNotably, in addition to a different visual template than the original reCAPTCHA phish, the JavaScript on the malicious site\r\ncontained Russian comments, likely generated by an LLM explaining the code.  
\r\nSuspected LLM generated JavaScript to display the reCAPTCHA phish.   \r\nSuspected UAC-0050 targets Ukraine \r\nOn 31 October 2024, Proofpoint researchers identified a Ukrainian language campaign purporting to be emails sharing\r\ndocuments or requested information with the recipient. Emails targeted organizations in Ukraine.  \r\nMessages contained compressed HTML attachments which, if executed, presented a web page with a lure using the\r\nreCAPTCHA phish ClickFix technique. If the user copied and pasted the PowerShell script as instructed, it executed a\r\nsecond PowerShell script which used BITS transfer to download and run a malicious payload, suspected to be Lucky\r\nVolunteer. Lucky Volunteer is a rarely observed information stealing payload previously identified in a March 2023 TA579\r\ncampaign in which AresLoader dropped Lucky Volunteer.   \r\nUkrainian language lure purporting to be related to alleged information requested. \r\nNotably, this activity used an English-language reCAPTCHA phish ClickFix landing page, despite the email content and\r\nattachment names being written in Ukrainian. Proofpoint assesses the campaign overlaps with activity attributed to UAC-0050.   \r\nAttribution  \r\nThe ClickFix technique was first prominently observed in Proofpoint data used by TA571 and ClearFake, however it is now\r\nused by several unattributed threat clusters, including a sophisticated cybercrime activity set that specifically targets\r\ntransportation and logistics firms with customized ClickFix lures.  
\r\nProofpoint previously referred to a cluster of web inject activity using this technique as \"ClickFix.\" However, after\r\nwidespread use of the technique observed in Proofpoint data and third-party reporting, Proofpoint refers to the technique as\r\nClickFix, and the activity is not all attributed to the original cluster of activity. This activity was distinctly separate from the\r\nClearFake threat cluster, although some activity did overlap. It is possible the activity is all attributable to ClearFake, which\r\nProofpoint has not observed since August 2024.  \r\nMost observed ClickFix campaigns are not attributed to a known threat actor or group. The campaigns observed in\r\nProofpoint data mostly appear to have financially motivated objectives.  \r\nWhy it matters  \r\nThe ClickFix technique is growing in popularity and is being used by many financially motivated threat actors, as well as\r\nreportedly by suspected espionage-focused groups. Given the widespread adoption, it is likely this technique is very\r\neffective.  \r\nWhat’s insidious about this technique is the adversaries are preying on people’s innate desire to be helpful and independent.\r\nBy providing what appears to be both a problem and a solution, people feel empowered to “fix” the issue themselves\r\nwithout needing to alert their IT team or anyone else, and it bypasses security protections by having the person infect\r\nthemselves.  \r\nBut this innovation in social engineering is a direct result of people getting better at protecting themselves online. Macros\r\nare less likely to work, invoice lures are suspicious, unsolicited links or attachments with clearly malicious content will get\r\nblocked by security mechanisms. 
So, hackers have to get creative, and focus their efforts more on hacking people’s brains,\r\nemotions, and behaviors via crafty social engineering so they can keep installing malware.  \r\nAs users get smarter and remain vigilant about the ways adversaries are trying to gain initial access, hackers respond by\r\ntrying a lot of different techniques to see what works best. Organizations should train users on this technique specifically to\r\nprevent exploitation.  \r\nExample Indicators of compromise \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
	],
	"report_names": [
		"security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
	],
	"threat_actors": [
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae07680d7144038bdcc0804232d09a289d643659.pdf",
		"text": "https://archive.orkl.eu/ae07680d7144038bdcc0804232d09a289d643659.txt",
		"img": "https://archive.orkl.eu/ae07680d7144038bdcc0804232d09a289d643659.jpg"
	}
}