{"id":15959,"date":"2026-03-16T06:38:01","date_gmt":"2026-03-16T06:38:01","guid":{"rendered":"https:\/\/newestek.com\/?p=15959"},"modified":"2026-03-16T06:38:01","modified_gmt":"2026-03-16T06:38:01","slug":"clickfix-techniques-evolve-in-new-infostealer-campaigns","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15959","title":{"rendered":"ClickFix techniques evolve in new infostealer campaigns"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cybercriminals are combining compromised websites with increasingly sophisticated ClickFix social engineering lures to deliver new infostealer malware, with one campaign alone weaponizing more than 250 WordPress sites across 12 countries.<\/p>\n<p>The campaign leads to stealthy in-memory payloads, while a separate attack detected by Microsoft targets Windows Terminal for payload execution instead of the traditional Run dialog.<\/p>\n<p>The WordPress campaign has been active since December 2025 and targets visitors with fake Cloudflare CAPTCHA challenges, researchers from security firm Rapid7 <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation\/\">revealed in a report<\/a> this week. 
The compromised WordPress websites span regional news outlets, local business websites, and even a US Senate candidate\u2019s official webpage.<\/p>\n<p>\u201cThe large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort,\u201d the researcher said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"detection-evasion\">Detection evasion<\/h2>\n<p>The WordPress ClickFix campaign delivers three separate infostealer payloads \u2014 two of them previously unknown \u2014 and uses domain infrastructure that appears to have been set up since July 2025.<\/p>\n<p>The attackers disguise their injected JavaScript snippet as a performance optimizer that triggers only if the visitor\u2019s browser doesn\u2019t have a WordPress admin cookie. This technique is intended to hide the malicious behavior from website administrators.<\/p>\n<p>The script fetches a fake Cloudflare CAPTCHA verification challenge from one of 14 attacker-controlled domains, all resolving to a single IP address. The fake CAPTCHA instructs visitors to copy and <a href=\"https:\/\/www.csoonline.com\/article\/3610611\/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html\">paste a command in the Windows Run dialog<\/a>.<\/p>\n<p>The rogue command consists of obfuscated JavaScript and PowerShell code that launches an in-memory shellcode loader dubbed DoubleDonut Loader. 
The loader injects payloads directly into legitimate Windows processes and uses reflective code loading.<\/p>\n<p>\u201cThe malware chain is executed almost entirely in memory and in the context of inconspicuous Windows processes, making traditional file-based detection ineffective,\u201d Rapid7 wrote.<\/p>\n<p>The compromised sites didn\u2019t share the same vulnerable WordPress version or plugin, suggesting that the attackers may be exploiting weak credentials or using exploits for multiple vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\" id=\"new-payloads\">New payloads<\/h2>\n<p>The DoubleDonut Loader was observed delivering a new variant of Vidar Stealer, a well-known infostealer, that uses a dead drop resolver technique to retrieve its command-and-control configuration, as well as dynamic API resolution.<\/p>\n<p>In addition to Vidar, two previously undocumented infostealers have been observed, one written in .NET and one in C++. Rapid7 has named these new programs Impure Stealer and VodkaStealer, and both use detection evasion techniques, including non-standard data encoding and symmetric encryption for command-and-control communications, and sandbox environment detection using system- and time-based checks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"clickfix-is-a-growing-threat\">ClickFix is a growing threat<\/h2>\n<p>In addition to new payloads, attackers are also evolving their ClickFix lures. <a href=\"https:\/\/www.csoonline.com\/article\/4141923\/clickfix-attackers-using-new-tactic-to-evade-detection-says-microsoft.html\">A separate campaign identified by Microsoft\u2019s Threat Intelligence team<\/a> replaced the common Windows Run dialog (Win+R) with the Windows Terminal app (Win+X) for command execution.<\/p>\n<p>That campaign delivered the well-known Lumma Stealer and NetSupport RAT. 
A second payload involved a VBScript chain executed through MSBuild that used a technique known as etherhiding to download credential harvesting code.<\/p>\n<p>Security firm ESET estimated that ClickFix attacks surged 517% last year, with multiple variations dubbed CrashFix, ConsentFix, and PhantomCaptcha, each with different lures and delivery mechanisms.<\/p>\n<p>This basic social engineering tactic has proved so effective that even nation-state groups such as North Korea\u2019s Lazarus group, Iran\u2019s MuddyWater, and Russia\u2019s APT28 have adopted it. In January, researchers from Sekoia <a href=\"https:\/\/blog.sekoia.io\/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic\/\">reported<\/a> that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024.<\/p>\n<p>WordPress site operators should ensure their admin login panels are not publicly exposed, since Rapid7 noted that nearly all sites compromised in the campaign it discovered had accessible admin pages.<\/p>\n<p>Rapid7 published indicators of compromise and YARA detection rules on its public GitHub repository.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are combining compromised websites with increasingly sophisticated ClickFix social engineering lures to deliver new infostealer malware, with one campaign alone weaponizing more than 250 WordPress sites across 12 countries. The campaign leads to stealthy in-memory payloads, while a separate attack detected by Microsoft targets Windows Terminal for payload execution instead of the traditional Run dialog. 
The WordPress campaign has been active since December 2025&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15959\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15959","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15959"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15959\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}