A sophisticated new social engineering attack campaign has emerged that exploits users’ familiarity with routine security checks to deliver malware through deceptive Cloudflare verification pages.
The ClickFix attack technique represents a concerning evolution in phishing methodology, abandoning traditional file downloads in favor of manipulating users into executing malicious commands directly on their own systems.
The attack operates by presenting victims with what appears to be a legitimate Cloudflare Turnstile interface, complete with official branding, authentic wording, and dynamically generated Ray IDs that reinforce the illusion of legitimacy.
When users encounter these fake verification pages, they see familiar messages such as “Checking if the site connection is secure – Verify you are human,” identical to what they would expect from genuine Cloudflare protection mechanisms.
This calculated mimicry exploits verification fatigue, a phenomenon where internet users have become conditioned to quickly click through security prompts without careful examination.
SlashNext researchers identified this emerging threat as part of their ongoing threat intelligence operations, noting the attack’s particularly insidious approach to bypassing traditional security measures.
The technique has proven remarkably effective because it leverages user trust in established security providers while requiring no sophisticated exploits or zero-day vulnerabilities.
Instead, the attack relies on convincing users to voluntarily execute malicious code under the guise of completing a routine verification process.
The campaign has been observed delivering various malware families, including information stealers like Lumma and Stealc, as well as remote access trojans such as NetSupport Manager.
The attack’s success stems from its ability to bypass traditional security filters by having users execute legitimate system utilities with malicious parameters, rather than downloading suspicious executable files.
This approach effectively circumvents many endpoint protection solutions that focus on scanning downloaded binaries.
Technical Infection Mechanism and Clipboard Exploitation
The ClickFix attack employs a sophisticated clipboard manipulation technique that occurs entirely within the victim’s browser environment.
When users interact with the fake Cloudflare verification page by clicking the “Verify you are human” checkbox, the malicious webpage’s embedded JavaScript immediately executes a hidden script that creates an invisible text element containing an obfuscated PowerShell command.
This command is automatically copied to the user’s clipboard using standard web APIs, leaving no visible indication of the clipboard compromise.
The attack page subsequently presents users with seemingly legitimate verification steps that instruct them to press specific key combinations: Windows+R to open the Run dialog box, followed by Ctrl+V to paste the clipboard contents, and finally Enter to execute the command.
By this point, the dangerous PowerShell payload is already residing in the user’s clipboard, waiting to be unknowingly executed.
The malicious command is typically structured as a one-liner that retrieves and executes second-stage malware from remote servers, often utilizing Base64 encoding or other obfuscation techniques to avoid detection.
The fake Cloudflare page shown at the start of the attack (Source – SlashNext)
The initial fake Cloudflare page that users encounter at the beginning of the attack sequence.
The step-by-step instructions that trick users into executing malware (Source – SlashNext)
While this shows the step-by-step instructions that manipulate users into executing the malware payload.
A hidden PowerShell command copied to the clipboard (Source – SlashNext)
Besides this, this depicts the hidden PowerShell command that gets copied to the user’s clipboard during the verification process.
The entire attack infrastructure is contained within a single, self-contained HTML file that embeds all necessary images, styles, and scripts locally, enabling the fake page to load seamlessly on the attacker’s chosen domain without requiring external resources that might trigger security warnings.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
Source: cybersecuritynews.com
