ClickFix Attacks Surge 517% In 2025, Fake CAPTCHAs Spread Malware

HomeNews* ClickFix attacks using fake CAPTCHA verifications have risen by 517% in early 2025, according to ESET.

• The ClickFix technique leads to a range of threats, including info-stealing Malware, Ransomware, and custom nation-state malware.
• Attack volumes are highest in Japan, Peru, Poland, Spain, and Slovakia.
• A new method called FileFix uses Windows File Explorer to trick users into executing malicious code from their clipboard.
• Recent phishing campaigns use multiple methods, including fake .gov domains and SharePoint links, to steal credentials and personal information. Cybersecurity researchers from ESET have reported a substantial increase in cyberattacks using the ClickFix scheme, which uses deceptive CAPTCHA checks to gain initial system access. The attack method, which spreads via fake error messages, tricks victims into copying and running harmful commands, mainly targeting systems in Japan, Peru, Poland, Spain, and Slovakia.

• Advertisement - Recent data shows a 517% increase in ClickFix incidents between late 2024 and early 2025. Attackers use ClickFix tactics to deliver various cyber threats, including infostealers, ransomware, and sophisticated malware. “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” said Jiří Kropáč, Director of Threat Prevention Labs at ESET.

The ClickFix mechanic works by displaying convincing CAPTCHA or error prompts, which ask users to copy scripts into the Windows Run dialog or macOS Terminal. These scripts then execute malicious code on the victim’s device. ESET noted that attackers are now selling tools that allow others to create their own ClickFix-based phishing pages, spreading the method further.

Security researcher mrd0x recently demonstrated a similar attack technique called FileFix. Instead of a CAPTCHA prompt, FileFix asks users to copy and paste a file path into Windows File Explorer. The clipboard contents actually contain a hidden PowerShell command that runs when pasted, giving attackers another method to execute code remotely. The FileFix approach combines Windows’ ability to execute code from the File Explorer address bar with social engineering tactics.

Alongside these developments, security teams have discovered new phishing campaigns that exploit trusted services and platforms. Some use fake .gov domains to lure victims, while others use aging web domains or distribute malicious ZIP files containing shortcut files that activate remote access tools like Remcos RAT.

Attackers have also used SharePoint-themed emails to send users to phishing pages hosted on genuine SharePoint domains, making detection more difficult. Experts note that these phishing links are hard to spot and widely trusted by users, which increases their effectiveness.

Previous Articles:

• FHFA Orders Fannie, Freddie to Consider Crypto as Mortgage Collateral
• Retail Investors Can Now Buy Tokenized Shares of SpaceX via Blockchain
• EU Commission Eases Stablecoin Stance, Calms Bank Run Concerns
• Iranian Hackers Launch AI-Driven Phishing Attacks on Israelis
• Nasdaq Integrates Canton Blockchain for 24/7 Collateral Management

• Advertisement -