{"id":2599,"date":"2025-03-15T03:03:37","date_gmt":"2025-03-15T03:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/15\/clickfix-how-to-infect-your-pc-in-three-easy-steps\/"},"modified":"2025-03-15T03:03:37","modified_gmt":"2025-03-15T03:03:37","slug":"clickfix-how-to-infect-your-pc-in-three-easy-steps","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/15\/clickfix-how-to-infect-your-pc-in-three-easy-steps\/","title":{"rendered":"ClickFix: How to Infect Your PC in Three Easy Steps"},"content":{"rendered":"<div>\n<p>A clever malware deployment scheme <a href=\"https:\/\/krebsonsecurity.com\/2024\/09\/this-windows-powershell-phish-has-scary-potential\/\" target=\"_blank\" rel=\"noopener\">first spotted in targeted attacks last year<\/a> has now gone mainstream. In this scam, dubbed \u201c<strong>ClickFix<\/strong>,\u201d the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes <strong>Microsoft Windows<\/strong> to download password-stealing malware.<\/p>\n<p>ClickFix attacks mimic the \u201cVerify You are a Human\u201d tests that many websites use to separate real visitors from content-scraping bots. 
This particular scam usually starts with a website popup that looks something like this:<\/p>\n<div id=\"attachment_68856\" style=\"width: 793px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-68856\" decoding=\"async\" class=\"size-full wp-image-68856\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/09\/verifyhuman.png?resize=783%2C397&#038;ssl=1\" alt=\"\" width=\"783\" height=\"397\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2024\/09\/verifyhuman.png 783w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2024\/09\/verifyhuman-768x389.png 768w\" sizes=\"(max-width: 783px) 100vw, 783px\"><\/p>\n<p id=\"caption-attachment-68856\" class=\"wp-caption-text\">This malware attack pretends to be a CAPTCHA intended to separate humans from bots.<\/p>\n<\/div>\n<p>Clicking the \u201cI\u2019m not a robot\u201d button generates a pop-up message asking the user to take three sequential steps to prove their humanity.<\/p>\n<div id=\"attachment_70703\" style=\"width: 634px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70703\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-70703 size-full\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/verifsteps.png?resize=624%2C339&#038;ssl=1\" alt=\"\" width=\"624\" height=\"339\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/verifsteps.png 624w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/verifsteps-370x200.png 370w\" sizes=\"(max-width: 624px) 100vw, 624px\"><\/p>\n<p id=\"caption-attachment-70703\" class=\"wp-caption-text\">Executing this series of keypresses prompts Windows to download password-stealing malware.<\/p>\n<\/div>\n<p>Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter \u201cR,\u201d which opens a Windows \u201cRun\u201d prompt 
that will execute any specified program that is already installed on the system.<\/p>\n<p>Step 2 asks the user to press the \u201cCTRL\u201d key and the letter \u201cV\u201d at the same time, which pastes malicious code from the site\u2019s virtual clipboard.<\/p>\n<p>Step 3 \u2014 pressing the \u201cEnter\u201d key \u2014 causes Windows to download and launch malicious code through \u201c<strong>mshta.exe<\/strong>,\u201d a Windows program designed to run Microsoft HTML application files.<\/p>\n<p>\u201cThis campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,\u201d <strong>Microsoft<\/strong> wrote in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/13\/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware\/\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> on Thursday. \u201cDepending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.\u201d<\/p>\n<p>According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating <strong>Booking.com<\/strong>. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities \u2014 all in a bid to convince people to step through one of these ClickFix attacks.<span id=\"more-70700\"><\/span><\/p>\n<p>In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. 
Some of those lures worked, and allowed thieves to <a href=\"https:\/\/krebsonsecurity.com\/2024\/11\/booking-com-phishers-may-leave-you-with-reservations\/\" target=\"_blank\" rel=\"noopener\">gain control over booking.com accounts<\/a>. From there, they sent out phishing messages asking for financial information from people who\u2019d just booked travel through the company\u2019s app.<\/p>\n<p>Earlier this month, the security firm <strong>Arctic Wolf<\/strong> <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/healthcare-sector-targeted-by-fake-captcha-attack-on-hep2go-to-deliver-infostealer-malware\/\" target=\"_blank\" rel=\"noopener\">warned<\/a> about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.<\/p>\n<p>An <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/clickfix-attacks-sector-alert-tlpclear.pdf\" target=\"_blank\" rel=\"noopener\">alert<\/a> (PDF) released in October 2024 by the <strong>U.S. 
Department of Health and Human Services<\/strong> warned that the ClickFix attack can take many forms, including fake <strong>Google Chrome<\/strong> error pages and popups that spoof <strong>Facebook<\/strong>.<\/p>\n<div id=\"attachment_70706\" style=\"width: 1182px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70706\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-70706\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/hhs-clickfix.png?resize=1172%2C745&#038;ssl=1\" alt=\"\" width=\"1172\" height=\"745\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/hhs-clickfix.png 1172w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/hhs-clickfix-768x488.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/hhs-clickfix-782x497.png 782w\" sizes=\"(max-width: 1172px) 100vw, 1172px\"><\/p>\n<p id=\"caption-attachment-70706\" class=\"wp-caption-text\">ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.<\/p>\n<\/div>\n<p>The ClickFix attack \u2014 and its reliance on mshta.exe \u2014 is reminiscent of phishing techniques employed for years that hid exploits inside <strong>Microsoft Office<\/strong> <strong>macros<\/strong>. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.<\/p>\n<p>Alas, the email security vendor <strong>Proofpoint<\/strong> has <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/security-brief-clickfix-social-engineering-technique-floods-threat-landscape\" target=\"_blank\" rel=\"noopener\">documented<\/a> plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. 
When opened, the attachment displays an image of a Microsoft Word document with a pop-up error message directing users to click the \u201cSolution\u201d or \u201cHow to Fix\u201d button.<\/p>\n<div id=\"attachment_70707\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/proofpoint-clickfix.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70707\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-70707\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/proofpoint-clickfix.png?resize=749%2C278&#038;ssl=1\" alt=\"\" width=\"749\" height=\"278\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/proofpoint-clickfix.png 1294w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/proofpoint-clickfix-768x285.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/proofpoint-clickfix-782x290.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/a><\/p>\n<p id=\"caption-attachment-70707\" class=\"wp-caption-text\">HTML files containing ClickFix instructions. Examples for attachments named \u201cReport_\u201d (on the left) and \u201cscan_doc_\u201d (on the right). 
Image: Proofpoint.<\/p>\n<\/div>\n<p>Organizations that wish to do so can take advantage of <a href=\"https:\/\/m.majorgeeks.com\/content\/page\/disable_run_command.html\" target=\"_blank\" rel=\"noopener\">Microsoft Group Policy restrictions<\/a> to prevent Windows from executing the \u201crun\u201d command when users hit the Windows key and the \u201cR\u201d key simultaneously.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/03\/clickfix-how-to-infect-your-pc-in-three-easy-steps\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ClickFix: How to Infect Your PC in Three Easy Steps A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed \u201cClickFix,\u201d the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[938,939,940,941,569,55,942,556,943,354,944,447],"tags":[72],"class_list":["post-2599","post","type-post","status-publish","format-standard","hentry","category-arctic-wolf","category-booking-com","category-clickfix","category-facebook","category-google-chrome","category-krebsonsecurity","category-microsoft-office","category-microsoft-windows","category-mshta-exe","category-other","category-proofpoint","category-u-s-department-of-health-and-human-services","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2599"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2599"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2599\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}