A sophisticated new social engineering attack campaign has emerged that exploits users\u2019 familiarity with routine security checks to deliver malware through deceptive Cloudflare verification pages.<\/p>\n
The ClickFix attack technique represents a concerning evolution in phishing methodology, abandoning traditional file downloads in favor of manipulating users into executing malicious commands directly on their own systems.<\/p>\n
The attack operates by presenting victims with what appears to be a legitimate Cloudflare Turnstile interface, complete with official branding, authentic wording, and dynamically generated Ray IDs that reinforce the illusion of legitimacy.<\/p>\n
When users encounter these fake verification<\/a> pages, they see familiar messages such as \u201cChecking if the site connection is secure \u2013 Verify you are human,\u201d identical to what they would expect from genuine Cloudflare protection mechanisms.<\/p>\n This calculated mimicry exploits verification fatigue, a phenomenon where internet users have become conditioned to quickly click through security prompts without careful examination.<\/p>\n SlashNext researchers identified<\/a> this emerging threat as part of their ongoing threat intelligence operations, noting the attack\u2019s particularly insidious approach to bypassing traditional security measures.<\/p>\n The technique has proven remarkably effective because it leverages user trust in established security providers while requiring no sophisticated exploits or zero-day vulnerabilities.<\/p>\n Instead, the attack relies on convincing users to voluntarily execute malicious code under the guise of completing a routine verification process.<\/p>\n The campaign has been observed delivering various malware families, including information stealers like Lumma and Stealc, as well as remote access trojans such as NetSupport Manager.<\/p>\n The attack\u2019s success stems from its ability to bypass traditional security filters<\/a> by having users execute legitimate system utilities with malicious parameters, rather than downloading suspicious executable files.<\/p>\n This approach effectively circumvents many endpoint protection solutions that focus on scanning downloaded binaries.<\/p>\n The ClickFix attack employs a sophisticated clipboard manipulation technique that occurs entirely within the victim\u2019s browser environment.<\/p>\n When users interact with the fake Cloudflare verification page by clicking the \u201cVerify you are human\u201d checkbox, the malicious webpage\u2019s embedded JavaScript immediately executes a hidden script that creates an invisible text element containing an obfuscated PowerShell command.<\/p>\n This command is automatically copied to the user\u2019s clipboard using standard web APIs, leaving no visible indication of the clipboard compromise.<\/p>\n The attack page subsequently presents users with seemingly legitimate verification steps that instruct them to press specific key combinations: Windows+R to open the Run dialog box, followed by Ctrl+V to paste the clipboard contents, and finally Enter to execute the command.<\/p>\n By this point, the dangerous PowerShell payload is already residing in the user\u2019s clipboard, waiting to be unknowingly executed.<\/p>\n The malicious command is typically structured as a one-liner that retrieves and executes second-stage malware from remote servers, often utilizing Base64 encoding or other obfuscation techniques to avoid detection.<\/p>\n The initial fake Cloudflare page that users encounter at the beginning of the attack sequence.<\/p>\n While this shows the step-by-step instructions that manipulate users into executing the malware payload.<\/p>\n Besides this, this depicts the hidden PowerShell command that gets copied to the user\u2019s clipboard during the verification process.<\/p>\n The entire attack infrastructure is contained within a single, self-contained HTML file that embeds all necessary images, styles, and scripts locally, enabling the fake page<\/a> to load seamlessly on the attacker\u2019s chosen domain without requiring external resources that might trigger security warnings.<\/p>\n Speed up and enrich threat investigations with Threat Intelligence Lookup! ->\u00a050 trial search requests<\/strong><\/a><\/strong><\/p>\n The post New ClickFix Attack Exploits Fake Cloudflare Human Check to Install Malware Silently<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Infection Mechanism and Clipboard Exploitation<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgR5hf_e7ZouQ5DgWJQuFoH8_9sg1fYM_ppp5-1iQdAG4jIAw75l1LszGGrHAIT5326kfGuOI677O2sZrFfmmR78e9qHUS5WPuypM0SyjbJtXVxnCVkV5CUWxoVZNr-mKVBmLP4bnkNeOlmIAnsNlVUkmN4WL19lP2vhtErBXMuo5pXPJo29mfF2eo1DlE\/s16000\/The%2520fake%2520Cloudflare%2520page%2520shown%2520at%2520the%2520start%2520of%2520the%2520attack%2520%28Source%2520-%2520SlashNext%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6gKiyILoYUtffMkBaNARPeeOUxGf1v1uYe76v2QNlnzGALRzysSYpW14hTblbtqxMpo6K30zQlIF2MJTKRInezjmRe7KOPiTn_UbTxzD8up62VmxuEgzUhCV7V4mxFILv992R_1D-m1Qz7Q0WHzDxq023tgDutcw6Dusfpxq7I4n4oB-MX5c8NtIZsm4\/s16000\/The%2520step-by-step%2520instructions%2520that%2520trick%2520users%2520into%2520executing%2520malware%2520%28Source%2520-%2520SlashNext%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEifXYuIpk6H2_2fCh0tlmJR7BU8PX6gmyfo44tCHmXWteJ5kvWg3jQ4yHLyHwh8UZ1YqEeVXxSw61JoW_lH7P0S0noI2mGCVR47DqQeYZg4UBMYfRRAxB2LEyXOvVgpBkHIlulye-dqx7nUoIEF9PvqzM9y1DaFzYyQx-LNunZQxKvsW7YfQtxNNskFzHw\/s16000\/A%2520hidden%2520PowerShell%2520command%2520copied%2520to%2520the%2520clipboard%2520%28Source%2520-%2520SlashNext%29.webp?ssl=1\")