A sophisticated malware campaign known as “Clickfix” has been identified, targeting users through deceptive browser notifications and pop-ups. Hunt.io researchers, led by senior analyst Maria Chen, discovered this campaign in early March and noted its rapid evolution. Clickfix lures unsuspecting users with “Fix Now” and “Bot Verification” buttons, initiating a multi-stage infection chain deploying persistent malware that steals credentials, logs keystrokes, and enables remote access.
The campaign begins with compromised websites or malicious ads generating convincing error messages or security alerts that mimic legitimate browser warnings, prompting immediate user action. Clicking on these deceptive buttons executes malicious JavaScript, downloading the initial stage of the malware attack. These JavaScript commands lead to seemingly harmless files, such as PDF documents or system utilities, embedded with PowerShell commands. Upon execution, these commands establish persistence and download the main malware components from command and control servers.
A notable feature of Clickfix is its adaptability, tailoring lures based on user behavior and language settings. The malware employs complex obfuscation techniques to evade traditional detection methods and creates multiple redundant persistence mechanisms, posing significant removal challenges. Clickfix maintains a low system footprint to avoid detection while harvesting sensitive information, including stored passwords, cryptocurrency wallets, and financial credentials, along with keylogging functionality.
The infection mechanism involves executing an obfuscated JavaScript function that creates a hidden iframe and runs an encoded PowerShell command to download and execute the main payload. The campaign rotates command and control infrastructure frequently, with over 38 unique domains tracked by Hunt.io in the past month alone. This rapid rotation and fileless execution techniques complicate detection by traditional security tools.
Security experts stress implementing robust browser security policies, staying updated with system patches, and using advanced endpoint protection solutions capable of detecting behavioral anomalies. Vigilance against evolving threats and employing multi-layered security strategies are crucial to safeguarding against sophisticated malware campaigns like Clickfix.
