logo

ClickFix: The Gift That Keeps On Giving

ID: fdeed2c6-1b65-458a-804d-2ef77fb3fe93

STIX ID: report--fdeed2c6-1b65-458a-804d-2ef77fb3fe93

Threat Score

70/100

Uploaded: 2026-07-01

Created by: OpenCTI

TLP:GREEN
...
...
### Executive summary This Microsoft Security blog analyzes the ClickFix user-execution technique — a large, active campaign that uses fake CAPTCHA pages and JavaScript clipboard injection to get victims to paste and run obfuscated PowerShell/command payloads; the author reverse-engineered CPaaS backends, enumerated dynamic obfuscation methods and stage-2 LOLBin loaders (e.g., PowerShell, cmd, msiexec), and published example payloads and several IOC domains (e.g., comicstar.lat, babybon.cfd, merkantalolol.asia).