A new wave of ClickFix attacks is becoming more deceptive and dangerous, using video guides, countdown timers and automatic operating system detection to trick users into infecting their own devices. These attacks rely heavily on social engineering, convincing victims to copy and run malicious commands from a fraudulent webpage.
In earlier versions, attackers displayed simple text instructions to mislead users into executing harmful code. Recent campaigns observed by researchers now include embedded videos that demonstrate how to paste and run the code, making the process appear more legitimate. The attack is often disguised as a verification step or a solution to a fake technical issue. The end goal remains the same, which is to install malware that retrieves and runs a payload, usually an information stealer.
Researchers have identified cases where a fake Cloudflare CAPTCHA challenge automatically detected the victim’s operating system and adjusted the commands shown on screen. Through JavaScript, the commands can be hidden and copied directly to the clipboard, increasing the chances that the victim will execute them without checking.
These pages now also feature a one-minute countdown timer to pressure users into acting quickly, as well as a counter showing how many people supposedly completed the process in the last hour. These elements are designed to create urgency and make the fraudulent page appear trustworthy.
Although ClickFix has targeted Windows, macOS and Linux before, the new automatic OS detection makes the attack more efficient. These updated webpages are being promoted through malicious ads that appear in search results. Attackers often compromise legitimate websites by exploiting outdated plugins or use SEO tricks to push their fake pages to the top of search rankings.
The payloads depend on the operating system and may include MSHTA on Windows, PowerShell scripts or various built-in system tools. Researchers warn that future versions of ClickFix could become even harder to detect by running entirely inside the browser, bypassing many security tools.
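As an added illustration (not code from the article or from the researchers it cites), the sketch below shows how a defender could inspect text that a page tries to place on the clipboard for the command styles described above, and refuse the write. The rule patterns, the function names and the idea of wrapping writeText from a browser extension are assumptions made for this example.

```javascript
// Added example: heuristic check for ClickFix-style clipboard writes.
// Rule ids and patterns are illustrative assumptions, not a vendor signature set.
const RULES = [
  // mshta pointed at a remote URL
  ["mshta-remote-url", /\bmshta(\.exe)?\b.*https?:\/\//i],
  // PowerShell started with a hidden window (-w h, -WindowStyle Hidden, -w 1)
  ["powershell-hidden-window",
    /\b(powershell|pwsh)(\.exe)?\b.*\s-w(in(dowstyle)?)?\s+(h(idden)?|1)\b/i],
  // PowerShell given a long encoded command (-e, -enc, -EncodedCommand)
  ["powershell-encoded-command",
    /\b(powershell|pwsh)(\.exe)?\b.*\s-e(nc(odedcommand)?)?\s+[a-z0-9+\/=]{16,}/i],
  // A downloader piped straight into an interpreter (Windows, macOS or Linux)
  ["download-piped-to-interpreter",
    /\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|iex|invoke-expression)\b/i],
];

// Returns which rules matched; whitespace is collapsed first so commands
// split across lines or padded with spaces are still seen as one string.
function inspectClipboardText(text) {
  const oneLine = String(text).replace(/\s+/g, " ");
  const hits = RULES.filter(([, re]) => re.test(oneLine)).map(([id]) => id);
  return { suspicious: hits.length > 0, hits };
}

// Wraps a clipboard-like object (for example navigator.clipboard) so that
// every writeText call is inspected before the original method runs.
// Pages that copy through other routes are not covered by this wrapper.
function guardClipboard(clipboard, onBlock) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const verdict = inspectClipboardText(text);
    if (verdict.suspicious) {
      onBlock(verdict, text); // e.g. warn the user and log for the SOC
      throw new Error("clipboard write blocked: " + verdict.hits.join(", "));
    }
    return original(text);
  };
  return clipboard;
}
```

The same inspectClipboardText function can be run over command lines from endpoint process logs, since a pasted command reaches the operating system unchanged.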
As these attacks evolve, experts stress that no legitimate online verification process will ever ask users to run commands in a terminal. Users should avoid executing any copied code unless they fully understand its purpose.
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.



