[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3YXm6PG_kCwaOnvPQc5SND7Cj4TVNriKCgteKcTpDFM":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"edd357c0-8486-41e0-af6d-c62b51fb7df5","Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery","researcher-analyzes-3-000-live-clickfix-payloads-exposing-api-driven-malware-del-96018a","ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake \"prove you're human\" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.","New research reveals ClickFix malware has adopted an API-driven backend, serving dynamically disguised payloads to users. This evolution includes a new delivery method that bypasses Windows script scanning by downloading the malicious file to the Downloads folder and using a simple clipboard command to execute it, evading traditional antivirus and AMSI.","ClickFix malware delivery evolves with API-driven servers and stealthier Windows script execution.","Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
Swati Khandelwal, Jul 01, 2026
Threat Intelligence \u002F Social Engineering
ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake \"prove you're human\" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.
Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at OrangeCon in early June and published the details on June 30. ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself. There's usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch. It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft's 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team. The technique now has its own entry in MITRE ATT&CK, T1204.004.
Payloads made to order
The new part is how the payloads are produced. Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time. He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace. The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before long. The same platform serves lures in 25 languages and matches the command to the visitor's operating system, with macOS versions running alongside Windows. The \"as-a-service\" label is not just branding. ESET has tracked criminals selling ready-made ClickFix builders to other attackers. Pals found a parallel commercialization one layer deeper, in how each payload is churned out on request.
A quieter way in: the Downloads-folder method
The second finding is a direct answer to defenders who watch the clipboard. Instead of copying a malicious command, the newer pages copy a harmless-looking one. The page quietly downloads a file to the Downloads folder, and the clipboard gets a short \"orchestrator\" line that moves that file, unpacks it, and runs the script inside. Because the pasted line is only that orchestrator and not the payload itself, it is built to slide past AMSI, the Windows feature that lets antivirus scan scripts before they run. The bad code sits in the downloaded file, off to the side. The observed clipboard line looked like this:
powershell -C \"$t=$env:TMP;Move-Item \\\"$HOME\\Downloads\\tmp.zip\\\" \\\"$t\\7947.zip\\\";tar -xf \\\"$t\\7947.zip\\\" -C \\\"$t\\\";conhost --headless powershell -ExecutionPolicy Bypass -File \\\"$t\\tmp.ps1\\\" # \\\"* I am not a robot reCAPTCHA Verification ID:7947 *\\\"\"
Execution has drifted toward stealth as well. The original 2024 lure told people to press Windows+R and paste into the Run box. A newer version, common through 2025 and into 2026, points them to Windows+X and the Windows Terminal instead. Terminal use looks more ordinary, and unlike the Run box, it leaves no trace in the RunMRU registry key that investigators normally check. ClickFix stopped being a criminals-only tool a while ago. Proofpoint tied state-backed groups from Russia, Iran, and North Korea, including APT28, MuddyWater, and Kimsuky, to campaigns that dropped ClickFix into their existing infection chains, and North Korean crews built a fake-job \"ClickFake Interview\" version to hit cryptocurrency workers. The trick has spawned named relatives such as FileFix and DownloadFix that lean on other trusted Windows tools. The scale is not theoretical either: security firm Expel found one ClearFake wave that likely infected as many as 147,521 systems since late August 2025.
What defenders should watch
The defensive lesson has not changed. The details have. The dependable signals are process chains, not clipboard text: explorer.exe or WindowsTerminal.exe launching powershell.exe, cmd.exe, or msiexec.exe and reaching out to the network right after. Those were the most common launchers in Pals' data, with PowerShell and cmd tied at about 39% each and msiexec close behind at 34%. Behavioral EDR, application-control rules that limit which programs can call script interpreters, and plain user guidance (\"never paste a command you were told to run into the Run box or a terminal\") all still hold. The Downloads-folder method adds one more thing to hunt: an innocent-looking one-liner that touches the Downloads folder and then spawns a hidden PowerShell. Pals also listed three payload servers seen during the research: comicstar[.]lat babybon[.]cfd merkantalolol[.]asia A connection to one of these does not prove infection. It means a command was most likely placed in someone's clipboard. Pals' verdict on the technique is blunt: \"ClickFix is here to stay.\" The pattern across his research is that ClickFix shifts the moment defenders catch up, and the move from one-off scripts to on-demand payload servers is what keeps that adaptation cheap to repeat. The next thing worth watching is whether the malware itself, not just its wrapper, starts changing from one victim to the next.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fresearcher-analyzes-3000-live-clickfix.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjXEaR4unJmt3rBY1LzI0Gq_veoF7Qzi-yPQNUcoR2oNV802lQ4MZAviyeq7bBh73PLAyp1quTozDq0ki_zm_9qsJIIfAUTaG8jFTv5dpxvuDUPJZA2BU4Zo11wIVyysWeMROXv8z2XOZoPOoJPVqMEJEhCI_OE1mM5wnSCFHJ1sgjl5411fZ4srklq5Fbs\u002Fs1600\u002Fclickfix-payloads.jpg","2026-07-01T05:32:12+00:00","2026-07-01T06:00:19.794809+00:00",8,[18,21,23,25,28],{"name":19,"type":20},"APT28","threat_actor",{"name":22,"type":20},"MuddyWater",{"name":24,"type":20},"Kimsuky",{"name":26,"type":27},"Windows","product",{"name":29,"type":30},"PowerShell","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42,44],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50],{"type":51,"value":52,"context":53},"mitre_attack","T1204.004","ClickFix technique entry in MITRE ATT&CK"]