Search...

Warning issued on “ClickFix” attacks distributed through fake verification pages

Warning issued on “ClickFix” attacks distributed through fake verification pages

A recent increase has been observed in the activity of “ClickFix”-type cyber threats, which deceive users into executing malicious commands on their own devices. According to available information, attackers are using fake Google and Cloudflare verification pages to manipulate users and facilitate the delivery of various malware payloads to their devices. These campaigns may result in the theft of user passwords and other personal data, sensitive information, as well as unauthorized remote access to affected computers.

“ClickFix” attacks are based on social engineering techniques and initially appear to be legitimate security checks. During the attack, users are presented with a fake verification page containing messages such as “I am not a robot” or similar prompts. They are then instructed to press the “Win + R” keys, paste a command that has been secretly copied to the clipboard using “Ctrl + V” and press “Enter”. As a result, users unknowingly execute a malicious PowerShell command, enabling malicious loaders to be launched at the next stage on the device.

Observations indicate that such campaigns make use of fake interfaces impersonating Google reCAPTCHA and Cloudflare verification pages, as well as deceptive pages associated with Google Meet, QR code services and other well-known platforms. Through this attack chain, various malware families are reportedly distributed, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport and Rust-based information stealers, malicious loaders and remote administration tools. In some cases, malicious components may establish persistence on the system, attempt to weaken the operation of security software and enable the download of additional malicious files.

To prevent such attacks, users are advised to be attentive when encountering technical instructions displayed on websites. It should be noted that Google, Cloudflare, Microsoft and other legitimate services do not require users to execute commands through PowerShell, Command Prompt, Terminal or similar system tools in order to verify that they are human. Therefore, commands copied from unknown or suspicious websites should not be executed, the legitimacy of verification pages should be checked and security solutions on devices should be regularly updated.

In addition, Opera browser has introduced a new security feature called “Paste Protect” as an additional protection mechanism against “ClickFix”-type attacks. This feature is designed to prevent the execution of potentially malicious commands that are covertly placed in the clipboard at the browser level. This approach is considered an important security measure for reducing the impact of social engineering-based attacks.

© 2011-2026 All rights reserved