ClickFix attacks abuse fake verification pages, clipboard injection, and trusted system tools to execute malicious commands while remaining largely invisible to EDR and antivirus. The campaign has been industrialized through MaaS offerings and has delivered payloads such as Lumma Stealer, XWorm, AsyncRAT, NetSupport, SectopRAT, DarkGate, and zuhe.dll against victims including a university Student Association website. #ClickFix #LummaStealer #XWorm #AsyncRAT #NetSupport #SectopRAT #DarkGate #zuhe.dll #ReversingLabs
Keypoints
- ClickFix uses fake CAPTCHA or verification pages to trick users into pasting commands into Run or Terminal.
- The attack silently overwrites the clipboard with a malicious command before the victim interacts with the page.
- Trusted Windows and macOS utilities such as PowerShell, mshta.exe, curl, and rundll32.exe are used to execute payloads.
- EDR and antivirus often miss ClickFix because each step appears legitimate and the payload can run in memory without touching disk.
- Researchers matched more than 4,000 ClickFix samples and identified 123 confirmed lures that evaded every AV engine.
- Observed payloads include Lumma Stealer and multiple RATs such as XWorm, AsyncRAT, NetSupport, SectopRAT, DarkGate, and zuhe.dll.
- Recommended defenses include YARA-based behavioral detection, PowerShell Constrained Language Mode, AMSI, application control, and user education.
MITRE Techniques
- [T1204.002 ] User Execution: Malicious File – Victims are tricked into following instructions on fake verification pages and pasting commands, which leads to execution of the attack chain. (‘The page tells them to open the Windows Run dialog … paste a command, and press Enter.’)
- [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell is used as a trusted execution path for malicious payloads and dropper activity. (‘A user launching PowerShell looks identical whether they’re running an IT maintenance script or a Lumma Stealer dropper.’)
- [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The Run dialog is abused to execute pasted commands as part of the social engineering chain. (‘open the Windows Run dialog (Win + R) … paste a command, and press Enter’)
- [T1218.005 ] System Binary Proxy Execution: Mshta – mshta.exe is cited as one of the trusted LOLBAS utilities used to run malicious code. (‘PowerShell, mshta.exe, curl, rundll32.exe’)
- [T1218.011 ] System Binary Proxy Execution: Rundll32 – rundll32.exe is used as a legitimate signed binary to execute payloads. (‘PowerShell, mshta.exe, curl, rundll32.exe’)
- [T1105 ] Ingress Tool Transfer – Payloads are downloaded into memory from remote infrastructure before execution. (‘ClickFix Payloads download into memory and execute there’)
- [T1027 ] Obfuscated Files or Information – The payload zuhe.dll is described as heavily obfuscated to impede analysis. (‘a Go-based post-exploitation RAT with three stacked obfuscation layers’)
- [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – The payload checks for sandbox environments to avoid analysis. (‘an anti-analysis gate that checked for 14 known sandbox environments’)
- [T1106 ] Native API – The attack uses normal system behavior and legitimate process execution to blend in with expected activity. (‘every individual step in it looks legitimate’)
Indicators of Compromise
- [File names / payload names ] malicious payloads and post-exploitation tools – zuhe.dll, Lumma Stealer, XWorm, and other RAT payloads
- [Software / binaries ] LOLBAS utilities used in the attack chain – PowerShell, mshta.exe, curl, rundll32.exe
- [File detection artifacts ] YARA-based hunting results – 4,000+ ClickFix samples, 123 confirmed ClickFix lures
- [Infrastructure / blockchain targets ] payload retrieval mechanism – Ethereum smart contracts
- [Platform / communication indicators ] backend and C2 transport – Node.js RAT modules, gRPC streams, Tor
- [Browser data types targeted ] stolen victim data – browser credentials, session tokens, cookies, autofill data, browsing history
Read more: https://www.reversinglabs.com/blog/clickfix-attacks-your-trust