Cybersecurity researchers from Lab539 have disclosed a massive and novel browser-based malware campaign dubbed "ClickFix," which saw a sharp increase in activity in mid-2025.
Infection via Deceptive Web Prompts
Emerging in July, the ClickFix threat quickly expanded its reach by registering over 13,000 unique domains. These sites use compromised or low-cost hosting infrastructure, often concealed behind Cloudflare, to launch their attacks using social engineering.
The core infection mechanism is deceptively simple:
- A user visits one of the malicious sites and is first presented with a CAPTCHA challenge.
- The malicious page then leverages the browser’s clipboard API to secretly plant a command into the user's clipboard.
- The user is tricked into pasting this malicious command into their terminal (such as PowerShell or Command Prompt) and executing it on their own device.
Executing this single command line then downloads and runs a VBScript payload without requiring any further user interaction. This strategy favors social engineering over complex technical exploits.
The campaign has been observed using variations, including direct executable downloads and obfuscated scripts, indicating that multiple operators are likely using the core ClickFix framework. The ubiquity of this simple, clipboard-based mechanism shows that even minimal technical sophistication can lead to large-scale intrusions when combined with automated infrastructure.
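The clipboard-planting step described above can be looked for statically in a page's source. The following is an added example, not code from Lab539 or the original article: a heuristic scanner that flags `navigator.clipboard.writeText` calls whose string argument looks like a terminal command. The token list, the function names and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for pages that put a shell command on the clipboard.
// Assumption: these tokens (PowerShell, Command Prompt, VBScript hosts) are a
// starting list chosen for this example, not indicators published by Lab539.
const SHELL_TOKENS = /\b(powershell|pwsh|cmd(\.exe)?\s+\/c|wscript|cscript|mshta)\b|\.vbs\b/i;

// navigator.clipboard.writeText(<string literal>) quoted with ', " or `.
const WRITE_TEXT =
  /navigator\s*\.\s*clipboard\s*\.\s*writeText\s*\(\s*(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;

// Returns one finding per clipboard write that has a literal string argument.
function findClipboardCommandWrites(pageSource) {
  const findings = [];
  for (const m of pageSource.matchAll(WRITE_TEXT)) {
    const payload = m[2];
    const token = payload.match(SHELL_TOKENS);
    findings.push({
      offset: m.index,                       // position of the call in the source
      payload,                               // text that would land on the clipboard
      suspicious: token !== null,            // payload looks like a terminal command
      matched: token ? token[0].toLowerCase() : null,
    });
  }
  return findings;
}

// True when at least one clipboard write carries a command-like payload.
function isClickFixLike(pageSource) {
  return findClipboardCommandWrites(pageSource).some((f) => f.suspicious);
}

// Constructed sample: fake CAPTCHA page; the command is a non-functional placeholder.
const SAMPLE_LURE = `
<button onclick="verify()">I'm not a robot</button>
<script>
function verify() {
  navigator.clipboard.writeText('powershell -c "[placeholder command, host example.invalid]"');
}
</script>`;

// Constructed sample: ordinary "copy link" button that should not be flagged.
const SAMPLE_BENIGN = `
<script>
function share() { navigator.clipboard.writeText("https://example.invalid/share/123"); }
</script>`;

console.log(isClickFixLike(SAMPLE_LURE), isClickFixLike(SAMPLE_BENIGN));
```

Because the campaign also uses obfuscated scripts, a literal-string match like this misses payloads assembled at runtime; treat a hit as a triage signal rather than a verdict.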

