logo

Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

ID: 968f26eb-0846-5e9c-b07d-4082df9e5b1a

STIX ID: report--968f26eb-0846-5e9c-b07d-4082df9e5b1a

Feed Name: The Hacker News

Threat Score
82/100

Date Published: 2026-07-01

Date Updated: 2026-07-01

Author: [email protected] (The Hacker News)

...
...

Research shows the ClickFix paste-into-terminal social-engineering technique has evolved into an API-driven, on-demand payload service that returns uniquely obfuscated commands per visitor and now uses a Downloads-folder delivery to evade Windows script scanning (AMSI). The report documents scale and active use (ESET and Microsoft telemetry, large campaign counts), lists observed payload servers/domains, notes use by state-backed groups, and recommends defenders focus on process-chain signals (explorer/WindowsTerminal -> powershell/cmd/msiexec), behavioral EDR, application-control, and user education.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.