CAPTCHAgeddon: Fake CAPTCHA Used in New ClickFix Attack to Deploy Malware Payload
ClickFix, which began as a red-team simulation tool in September 2024, has quickly developed into a widespread malware delivery system that outcompetes its predecessors, such as the ClearFake phony browser update fraud.
Initially demonstrated by security researcher John Hammond for educational purposes, this fake CAPTCHA technique tricks users into executing malicious PowerShell commands via clipboard manipulation, bypassing traditional file downloads.
By late 2024, Proofpoint dubbed it ClickFix, highlighting its shift from EtherHiding tactics (hiding code in Ethereum smart contracts) to more insidious social engineering.
This “CAPTCHAgeddon” variant leverages trusted infrastructure, enabling drive-by infections and spear-phishing, resulting in widespread deployment of infostealers like Lumma, which exfiltrate credentials and data seamlessly.
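A defender-side check for the pattern described above (a web page that places a PowerShell command on the visitor's clipboard), given here as an added example that is not from the original article. The regex markers, function names and both sample pages are assumptions constructed for illustration, not a vetted signature set.

```python
import base64
import re

# Heuristic markers (assumptions for this example, not production signatures).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['\"]copy['\"]",
    re.I,
)
POWERSHELL_CMD = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
CAPTCHA_LURE = re.compile(r"captcha|not\s+a\s+robot|verify\s+you\s+are\s+human", re.I)
# Base64 string literals passed to atob(), a common way to hide the copied text.
ATOB_LITERAL = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def expand_atob(source):
    """Replace atob('<base64>') calls with their decoded text so it can be scanned."""
    def _decode(match):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: leave bad input as-is
            return match.group(0)
        return raw.decode("utf-8", "replace")
    return ATOB_LITERAL.sub(_decode, source)


def score_page(source):
    """Flag pages that both write to the clipboard and carry a PowerShell string."""
    text = expand_atob(source)
    hits = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(text)),
        "powershell_string": bool(POWERSHELL_CMD.search(text)),
        "captcha_lure": bool(CAPTCHA_LURE.search(text)),
    }
    hits["suspicious"] = hits["clipboard_write"] and hits["powershell_string"]
    return hits


# Constructed samples: an inert placeholder command, base64-hidden as a lure might.
_B64 = base64.b64encode(b"powershell -NoProfile -Command <constructed-placeholder>").decode()
LURE_PAGE = f"""<div id="overlay">Verify you are human</div>
<script>
document.getElementById('overlay').onclick = () =>
  navigator.clipboard.writeText(atob('{_B64}'));
</script>"""
BENIGN_PAGE = """<p>Solve the CAPTCHA to comment.</p>
<button onclick="navigator.clipboard.writeText('SAVE10')">Copy coupon</button>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_page(page))
```

Requiring both signals keeps ordinary copy-to-clipboard buttons and ordinary CAPTCHA pages from being flagged on their own.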
Evasion Tactics Driving Infections
ClickFix’s propagation has diversified from malvertising on shady networks targeting streaming and software sites to infiltrating compromised WordPress platforms with high SEO rankings, where fake CAPTCHAs overlay legitimate content, triggered by user interactions for natural integration ...
Copyright of this story solely belongs to gbhackers.