Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
ID: 68bca0d4-5770-5eec-b004-a89fc96662a7
STIX ID: report--68bca0d4-5770-5eec-b004-a89fc96662a7
Feed Name: Sekoia.io Blog
Date Published: 2026-01-29
Date Updated: 2026-04-29
Author: Quentin Bourgue, Amaury G. and Sekoia TDR
Sekoia.io TDR uncovered and analyzed IClickFix, a multi-stage JavaScript framework active since late 2024. It injects an ic-tracker-js tag into compromised WordPress sites (over 3,800 observed) to display a fake Cloudflare Turnstile ClickFix lure. Victims are tricked into pasting a clipboard command that runs a PowerShell dropper, resulting in the deployment of NetSupport RAT (and historically Emmenhtal Loader/XFiles Stealer). The report includes technical analysis of the injection and redirection chain (YOURLS-based TDS), the infection stages, full IoCs (domains, IPs, file hashes), and YARA rules to detect the campaign.
