ClickFix lure impersonating Cloudflare Turnstile used by the IClickFix framework | Image: Sekoia TDR
A massive wave of “watering hole” attacks has turned thousands of legitimate WordPress websites into traps for the unwary. Security researchers at Sekoia TDR have uncovered a widespread campaign utilizing a malicious framework dubbed “IClickFix,” which leverages the deceptive “ClickFix” social engineering tactic to infect thousands of victims daily.
The campaign, which has been active since late 2024, represents a significant escalation in how attackers are using legitimate infrastructure to distribute commodity malware.
The core of the attack is a clever deception designed to bypass browser security by tricking the user into doing the heavy lifting. When a victim visits a compromised site, they are presented with a fake “Cloudflare Turnstile CAPTCHA” challenge.
Instead of solving a puzzle, the user is instructed to copy a “fix” code into their clipboard and run it. As the report explains: “Like the ClearFake threat, IClickFix employs a multi-stage JavaScript loader that presents a fake Cloudflare Turnstile CAPTCHA challenge using the ClickFix social engineering tactic”.
Once the user pastes this command—often a PowerShell script—into their terminal, the game is over. The script reaches out to external servers to download malicious payloads like NetSupport RAT, Emmenhtal Loader, and XFiles Stealer.
The attackers have managed to inject their malicious JavaScript framework into a vast network of vulnerable sites. “Since emerging in late 2024, this cluster has compromised over 3,800 WordPress sites through opportunistic watering hole attacks,” the researchers revealed.
Because these sites are often legitimate businesses or blogs, users are less likely to be suspicious. The malware doesn’t just sit there; it actively tracks and filters victims using a unique HTML tag, ic-tracker-js, which led analysts to coin the name “IClickFix”.
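The ic-tracker-js marker mentioned above is the one page-confirmed indicator, so a site owner or responder can check a WordPress page's HTML for it. The following scanner is an added example written for this article, not Sekoia's tooling and not code from the report: besides the marker it applies two assumed heuristics, flagging inline scripts that both write the clipboard and carry CAPTCHA wording, and flagging Turnstile-like scripts not served from Cloudflare's challenges.cloudflare.com/turnstile/ path. The two sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Page-confirmed indicator from the Sekoia TDR report.
MARKER = "ic-tracker-js"
# Legitimate Turnstile is served from this path (known fact, not from the page).
LEGIT_TURNSTILE = "challenges.cloudflare.com/turnstile/"
# Assumed heuristics: a ClickFix lure has to put a command on the clipboard
# and dress it up as a human-verification step.
CLIPBOARD_API = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
LURE_WORDS = re.compile(r"turnstile|verify you are human|i am not a robot", re.I)


class _Collector(HTMLParser):
    """Walks the document once, recording marker hits and script bodies."""

    def __init__(self):
        super().__init__()
        self.marker_hits = []      # tag names carrying the marker
        self.inline_scripts = []   # bodies of <script> without src
        self.script_srcs = []      # src values of external scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attr_text = " ".join(f"{k}={v}" for k, v in attrs if v)
        # The marker may appear as a custom element or inside an attribute.
        if tag == MARKER or MARKER in attr_text:
            self.marker_hits.append(tag)
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def scan_html(html):
    """Return a list of human-readable findings for one HTML document."""
    c = _Collector()
    c.feed(html)
    findings = []
    for tag in c.marker_hits:
        findings.append(f"marker: '{MARKER}' found on <{tag}>")
    for i, body in enumerate(c.inline_scripts):
        if CLIPBOARD_API.search(body) and LURE_WORDS.search(body):
            findings.append(
                f"lure: inline script #{i} writes the clipboard and uses CAPTCHA wording")
    for src in c.script_srcs:
        if "turnstile" in src.lower() and LEGIT_TURNSTILE not in src.lower():
            findings.append(f"suspicious: turnstile-like script loaded from {src}")
    return findings


# Constructed sample: a page embedding the real Turnstile widget.
SAMPLE_CLEAN = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><div class="cf-turnstile" data-sitekey="EXAMPLE"></div></body></html>"""

# Constructed sample: an injected marker element plus a clipboard-writing lure.
SAMPLE_INJECTED = """<html><body>
<ic-tracker-js data-v="1"></ic-tracker-js>
<div id="captcha">Verify you are human</div>
<script>
function copyFix(){ navigator.clipboard.writeText(fixCmd); }
document.title = "Cloudflare Turnstile";
</script>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(name, scan_html(doc) or ["no findings"])
```

Run it against saved copies of a site's front page and theme templates; a marker hit is a strong signal, while the two heuristics are only a prompt to inspect the flagged script by hand.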
What makes IClickFix particularly dangerous is its constant evolution. Throughout 2025, the operators have aggressively updated their toolkit to stay ahead of defenders.
The report notes that the group introduced “additional JavaScript delivery stages, refining the lure, and compromising more WordPress sites”. They also began using the YOURLS URL shortener as a Traffic Distribution System (TDS) to manage the flow of victims and evade detection.
With thousands of sites doing their dirty work, the operators of IClickFix have built a formidable machine for initial access.
“TDR assess with moderate confidence that the IClickFix framework may be responsible for thousands of infections per day,” the report concludes.
The campaign serves as a stark reminder that even trusted websites can be weaponized. For administrators, the message is clear: patch your WordPress installations, or your site might become the next link in the IClickFix chain.