Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
ID: 968f26eb-0846-5e9c-b07d-4082df9e5b1a
STIX ID: report--968f26eb-0846-5e9c-b07d-4082df9e5b1a
Feed Name: The Hacker News
Research shows the ClickFix paste-into-terminal social-engineering technique has evolved into an API-driven, on-demand payload service that returns uniquely obfuscated commands per visitor and now uses a Downloads-folder delivery to evade Windows script scanning (AMSI). The report documents scale and active use (ESET and Microsoft telemetry, large campaign counts), lists observed payload servers/domains, notes use by state-backed groups, and recommends defenders focus on process-chain signals (explorer/WindowsTerminal -> powershell/cmd/msiexec), behavioral EDR, application-control, and user education.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
