ClickFix Fake CAPTCHA Attacks Compromise Enterprises with PowerShell Execution

Home » News

Yash

News

3 min. read

Published on February 23, 2026

ClickFix attacks trick users into pasting malicious PowerShell commands via fake CAPTCHA prompts. Victims encounter deceptive Chrome or Word error screens demanding Win+R execution to “fix” issues. Single clicks lead to enterprise-wide Latrodectus and Supper malware infections.

Cert.pl discovered the campaign after a large Polish organization breach. Compromised sites serve JavaScript that copies obfuscated PowerShell to clipboards. Users paste into Run dialog believing they resolve browser errors. Attackers bypass all automated protections.

BEST WINTER DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

The infection chain moves fast post-execution. PowerShell downloads droppers establishing network footholds. Secondary payloads enable lateral movement, data exfiltration, and ransomware staging. Robust behavioral monitoring required to stop automation.

Attack Vector Details

Social engineering demands active user participation.

Compromised legitimate websites serve fake CAPTCHAs
Clipboard injection writes PowerShell via document.execCommand(‘copy’)
Win+R dialog instructions demand manual paste/execution
Dropper downloads from remote C2 infrastructure
Automated lateral movement targets enterprise assets

No file downloads trigger browser warnings. User action bypasses all protections.

Primary Malware Payloads

Established families deliver enterprise impact.

Malware	Capabilities	Evasion Techniques
Latrodectus	Data exfiltration, C2	NTDLL unhooking, sandbox detection
Supper	Lateral movement, proxying	Process injection, living-off-land

Latrodectus variant refuses rundll32.exe execution. Checks VM/sandbox fingerprints before activating.

DLL Side-Loading Execution

Classic evasion hides malicious code.

%APPDATA%\Intel\
├── igfxSDK.exe (legitimate)
└── wtsapi32.dll (malicious)

Trusted Intel binary loads rogue DLL automatically. Basic EDR solutions miss side-loading entirely.

Infection Chain Timeline

Rapid automation follows initial compromise.

T+0s: PowerShell execution
T+2s: Dropper download complete
T+15s: DLL side-loading active
T+45s: NTDLL hooks removed
T+90s: Lateral scanning begins

Cert.pl emphasizes behavioral monitoring as only reliable defense.

Enterprise Compromise Impact

Single endpoint rapidly becomes network pivot.

Traffic proxying maps internal infrastructure
Credential harvesting targets domain admin
Ransomware staging identifies encryption targets
Persistence establishment survives reboots
Data exfiltration precedes destructive payloads

Polish organization suffered complete domain compromise from one initial vector.

Technical Indicators

Deploy immediate hunting rules.

PowerShell Patterns:

Win+R dialog + clipboard paste
Obfuscated command execution
Remote payload download
%APPDATA%\Intel creation
igfxSDK.exe + wtsapi32.dll pairing

Network Indicators:

Latrodectus/Supper C2 domains
PowerShell traffic to uncommon IPs
Beaconing from multiple endpoints

Detection Engineering

Purpose-built rules catch ClickFix execution.

YARA Rule (PowerShell):

rule ClickFix_PowerShell_Dropper {
    strings:
        $ps1 = "powershell.exe -w hidden -enc" ascii
        $run = "Win+R" ascii wide
    condition:
        any of them
}

Sysmon Event ID 1 (Process Creation):

Image: powershell.exe
CommandLine: *-enc* | *-w hidden*
ParentImage: explorer.exe

Prevention Framework

Layered controls block attack progression.

Browser Hardening:

Disable JavaScript on untrusted sites
uBlock Origin CAPTCHA blocking lists
NoScript enterprise deployment

Endpoint Controls:

- Constrained PowerShell execution
- Win+R dialog monitoring
- Clipboard content inspection
- %APPDATA%\Intel directory protection

User Training:

Never execute browser “fix” instructions
Report Win+R demands immediately
Verify errors through IT support

Enterprise Response Playbook

Immediate containment stops spread.

1. Isolate affected endpoint
2. Kill igfxSDK.exe + wtsapi32.dll
3. Block Latrodectus C2 IOCs
4. Hunt domain-wide via EDR
5. Reset all domain credentials
6. Reimage from trusted backups

Global Campaign Scope

ClickFix operates across multiple threat actors.

Campaign	Final Payload	Notable Tactic
Polish Enterprise	Latrodectus	DLL side-loading
ClearFake	Lumma Stealer	WordPress compromise
Amatera	Info stealer	Microsoft App-V

Microsoft tracks ClickFix evolution since 2024. Technique replaced fake browser updates entirely.

FAQ

What triggers ClickFix attacks?

Fake CAPTCHA prompts on compromised legitimate websites.

Execution method?

PowerShell copied to clipboard, pasted into Win+R dialog.

Primary malware families?

Latrodectus and Supper with enterprise compromise capabilities.

Evasion technique used?

DLL side-loading via legitimate igfxSDK.exe.

Initial vector bypasses?

User-executed PowerShell evades all browser/download protections.

Recommended immediate action?

Block Win+R PowerShell execution enterprise-wide.

Yash

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links.

Improve this guide

User forum

0 messages

Sort by: