🟠 High  |  Source: The Hacker News


ClickFix is a social engineering technique that tricks users into manually executing malware by disguising commands as CAPTCHA-style verification steps. New research analysing 3,000 live payloads reveals the operation has matured significantly, with API-driven infrastructure serving a uniquely obfuscated malware variant to each visitor to evade signature-based detection. A newly identified delivery method is also specifically designed to bypass Windows’ built-in script scanning capabilities.

Security Architect’s Take: Prioritise user awareness training around unsolicited browser prompts requesting manual command execution, and enforce application control policies (e.g. AppLocker or Windows Defender Application Control) to block unauthorised script interpreters such as PowerShell and mshta from running in end-user contexts. Review endpoint detection rules to ensure behavioural indicators — not just signatures — are used to catch obfuscated script execution chains.
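One way to turn the second recommendation into concrete detection logic, as an added example that is not from the article or the cited research: a Python triage pass over constructed, Sysmon-style process-creation events. The field names (Image, ParentImage, CommandLine, ProcessId), the indicator weights and the alert threshold are assumptions to tune against a local baseline. Rather than matching a payload signature, it scores the behavioural chain the article points to, a script host such as PowerShell or mshta launched from the desktop shell with an encoded, hidden-window or remote-content command line, and decodes any -EncodedCommand argument for the analyst.

```python
"""Behavioural triage of Windows process-creation events for
ClickFix-style script execution chains.

Added example, not code from the article or the research it cites. The
event shape follows Sysmon Event ID 1 field names (assumption) and the
weights and threshold are illustrative values, not vendor defaults.
"""
import base64
import binascii
import json
import re
from typing import Optional

# Script hosts a ClickFix lure typically asks the victim to run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# A script host whose parent is the desktop shell was started by a person
# (Run dialog, Start menu), not by a scheduler, service or installer.
INTERACTIVE_PARENTS = {"explorer.exe"}

ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(e|ec|enc|encodedcommand)\b")
HIDDEN_FLAG = re.compile(r"(?i)(?<!\S)-w(indowstyle)?\s+hidden\b")
BYPASS_FLAG = re.compile(r"(?i)(?<!\S)-(ep|exec|executionpolicy)\s+bypass\b")
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")
LONG_B64 = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{60,}={0,2}")

THRESHOLD = 5  # assumption: raise or lower after baselining your estate


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument,
    or None when the flag is absent or the token is not valid base64."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    rest = cmdline[match.end():].strip()
    token = rest.split()[0] if rest else ""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_event(event: dict) -> tuple:
    """Weight the behavioural indicators of one process-creation event.
    Returns (score, reasons); non-script-host images score 0."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    score = 0
    if parent in INTERACTIVE_PARENTS:
        score += 2; reasons.append(f"script host launched from {parent}")
    if ENCODED_FLAG.search(cmdline):
        score += 3; reasons.append("encoded command argument")
    if HIDDEN_FLAG.search(cmdline):
        score += 2; reasons.append("hidden window requested")
    if BYPASS_FLAG.search(cmdline):
        score += 1; reasons.append("execution policy bypass")
    if REMOTE_URL.search(cmdline):
        score += 2; reasons.append("remote URL on command line")
        if image == "mshta.exe":
            score += 2; reasons.append("mshta loading remote content")
    if LONG_B64.search(cmdline):
        score += 1; reasons.append("long base64-looking token")
    return score, reasons


def triage(log_lines) -> list:
    """Parse JSON event lines and return the events at or above THRESHOLD."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= THRESHOLD:
            hits.append({
                "pid": event.get("ProcessId"),
                "image": _basename(event.get("Image", "")),
                "score": score,
                "reasons": reasons,
                "decoded": decode_encoded_command(event.get("CommandLine", "")),
            })
    return hits


# Constructed sample events; the encoded command is a harmless Write-Host.
SAMPLE_ENCODED = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {SAMPLE_ENCODED}"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify.hta"},
    {"ProcessId": 1312, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ProcessId": 5044, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(json.dumps(hit, indent=2))
```

The scheduled inventory script and the interactive `cmd /c dir` stay below the threshold, while the two user-launched chains surface with their reasons and, for the PowerShell one, the decoded command. Run it over real Sysmon or Security 4688 exports after adjusting the weights; the application control policy from the first recommendation remains the preventive layer, this only shortens the time to notice when it is missing or bypassed.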

Original advisory: Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery