Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html
Publish Date: 2026-07-01 01:32:00
Source Domain: thehackernews.com
ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office.
New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows’ script scanning.
Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30.
ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.
There’s usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch.
It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft’s 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team.
The technique now has its own entry in MITRE ATT&CK, T1204.004.
Payloads made to order
The new part is how the payloads are produced. Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time.
He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace.
The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before…
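As an added example (not code from the article or from Pals' research): a small Python normaliser in the spirit of "strip the wrapping and they all unpack to the same script". It generates constructed sample payloads wrapped in rotating Base64 and raw-DEFLATE layers, peels the layers back off, and fingerprints the core script underneath, which is the pre-processing a defender needs to cluster differently disguised copies of one payload. Keyed layers such as AES, TripleDES and Rijndael need the key carried in the command and are not handled here; the core script and all samples are constructed placeholders.

```python
import base64
import hashlib
import re
import zlib

# Constructed stand-in for the one core script every payload unpacks to (inert text).
CORE_SCRIPT = b"# constructed placeholder core script\nWrite-Host 'hello'\n"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def _is_text(data: bytes) -> bool:
    """True for printable ASCII plus CR/LF/TAB, i.e. a readable script."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)

def wrap(core: bytes, layers: list[str]) -> bytes:
    """Apply disposable wrappers innermost first (constructed sample generator)."""
    data = core
    for layer in layers:
        if layer == "base64":
            data = base64.b64encode(data)
        elif layer == "deflate":  # raw DEFLATE, the form .NET DeflateStream emits
            co = zlib.compressobj(level=9, wbits=-15)
            data = co.compress(data) + co.flush()
        else:
            raise ValueError(f"unsupported layer: {layer}")
    return data

def unwrap(payload: bytes, max_layers: int = 16) -> tuple[bytes, list[str]]:
    """Peel Base64 / raw-DEFLATE layers; return (core, layers outermost first)."""
    data, peeled = payload, []
    for _ in range(max_layers):
        stripped = data.strip()
        if B64_RE.match(stripped) and len(stripped) % 4 == 0:
            data = base64.b64decode(stripped, validate=True)
            peeled.append("base64")
        elif _is_text(data):
            break  # readable text that is not Base64: this is the core script
        else:
            try:
                data = zlib.decompress(data, wbits=-15)
            except zlib.error:
                break  # unknown binary layer (e.g. a keyed cipher): stop here
            peeled.append("deflate")
    return data, peeled

def core_fingerprint(payload: bytes) -> str:
    """SHA-256 of the unwrapped core, to cluster differently wrapped payloads."""
    core, _ = unwrap(payload)
    return hashlib.sha256(core).hexdigest()
```

Two payloads that differ byte for byte but share a fingerprint are the same malware in a different disguise; a fingerprint that changes per victim is the signal that the core itself has started to rotate.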