iClicker Website Hacked with Fake CAPTCHA in ClickFix Attack

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot” check tricked users into installing malware. Learn who was affected and how to stay safe.

A popular digital classroom used in many universities, called iClicker, was recently targeted by hackers. This tool, owned by Macmillan, helps teachers track attendance and ask students questions in class. Millions of students and thousands of teachers across the US, including the University of Michigan and the University of Florida, use iClicker.

According to the University of Michigan’s Safe Computing Team’s advisory, between April 12th and 16th, 2025, the iClicker website was compromised, showing a fake CAPTCHA to the site’s visitors, and asking them to click “I’m not a robot.”

When a Windows user clicked on this fake check, a hidden PowerShell command was copied to ...