ClickFix Campaign Evolves, Adding Homoglyphs For Evasion and QakBot Distribution
The ClickFix (also tracked as ClearFix) malware campaign continues to adapt, incorporating new delivery techniques and expanding its malware portfolio due to the campaign’s effectiveness. Initially observed in October 2023 and gaining traction in August 2024, ClickFix is centered around deceptive CAPTCHA pages (some impersonating prominent brands like Cloudflare) and fake browser warnings that prompt users to run malicious code via the Windows Run dialog. An interesting aspect of the campaign is its framing of malicious activity as a legitimate fix—presenting users with a supposed solution to a fabricated issue, which encourages them to initiate the attack themselves. New intel from Dark Atlas and Any.Run warns of the campaign’s use of homoglyphs to evade detection and the delivery of QakBot, adding to an already dangerous campaign known for distributing information-stealing malware like Lumma Stealer.
Infrastructure supporting the campaign is used to serve obfuscated or encrypted files that are decoded and executed on the victim’s system. Victims are often instructed to press “Win + R” and paste clipboard-injected PowerShell or Mshta commands that retrieve encoded scripts from attacker-controlled infrastructure. These scripts typically display fake success messages while covertly downloading and extracting payloads such as QakBot or other malware. Dark Atlas reports that PHP proxy scripts hosted on compromised servers are used to mask the true source of the malware, complicating analysis. Samples are now also using homoglyphs—visually identical characters from non-Latin alphabets—and invisible Unicode characters like zero-width spaces to evade detection. According to Any.Run, strings like “not a robot” are being visually replicated using Greek and Cyrillic characters, making string-based detection unreliable.
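One way a defender can make string matching robust against the homoglyph and zero-width tricks described above is to normalize page text before matching. The following is an added example, not code from Dark Atlas, Any.Run or the campaign itself; the lure phrases, the small Greek/Cyrillic confusables table and the sample strings are constructed assumptions (a production detector would load the full Unicode confusables data).

```python
import unicodedata

# Constructed, deliberately small confusables table: Greek/Cyrillic glyphs that
# render like Latin letters used in "not a robot" style lures.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c4": "t",  # GREEK SMALL LETTER TAU
}

# Constructed lure phrases to look for after normalization.
LURE_PHRASES = ("not a robot", "verify you are human")

def normalize(text):
    """Return (ascii_lowercase_text, evasion_char_count).

    NFKC folds fullwidth/stylized letters to their base form; format
    characters (category Cf: zero-width space/joiner, soft hyphen, BOM)
    are dropped; confusable glyphs are mapped to Latin. The count covers
    dropped and remapped characters, which is itself a useful signal
    since legitimate English text rarely mixes scripts.
    """
    altered = 0
    out = []
    for ch in unicodedata.normalize("NFKC", text):
        if unicodedata.category(ch) == "Cf":
            altered += 1
            continue
        mapped = CONFUSABLES.get(ch)
        if mapped is not None:
            altered += 1
            ch = mapped
        out.append(ch)
    return "".join(out).lower(), altered

def scan(text):
    """Return {'phrase': ..., 'evasion_chars': n} on a hit, else None."""
    norm, altered = normalize(text)
    for phrase in LURE_PHRASES:
        if phrase in norm:
            return {"phrase": phrase, "evasion_chars": altered}
    return None

# Constructed samples: Cyrillic о/а, Greek ο/α/τ, zero-width spaces, fullwidth.
SAMPLES = {
    "cyrillic": "I'm n\u043et \u0430 r\u043eb\u043et",
    "greek": "n\u03bft \u03b1 r\u03bfb\u03bf\u03c4",
    "zero_width": "not\u200b a\u200b rob\u200bot",
    "fullwidth": "\uff4e\uff4f\uff54 \uff41 \uff52\uff4f\uff42\uff4f\uff54",
    "benign": "Please sign in to continue",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "naive:", "not a robot" in sample, "normalized:", scan(sample))
```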
Sekoia has also linked the North Korean APT group Lazarus to the use of ClickFix, specifically in targeted campaigns against cryptocurrency developers. The breadth of this campaign demonstrates a persistent threat with evolving capabilities and distribution methods. Its success is evident through its effectiveness, the volume of observed samples, and the extent of linked infrastructure.