Hackers are spreading CORNFLAKE.V3 via ClickFix and fake CAPTCHAs

22.08.2025 2 minutes Author: Newsman

Mandiant researchers have detected a new wave of attacks using the ClickFix tactic, in which victims are tricked into running malicious PowerShell commands through fake CAPTCHA pages. The result is the installation of the CORNFLAKE.V3 backdoor, which lets the operators deliver and launch additional malicious payloads.

The chain starts with SEO-poisoned search results or malicious advertisements that lead to a fake CAPTCHA page. The page instructs the user to paste a command into the Windows Run dialog; this downloads a script that checks whether it is running inside a virtual machine and then launches CORNFLAKE.V3. The backdoor can fetch and execute payloads over HTTP (DLL, JS, batch and PowerShell files), collect system information, and keep persistence through a registry entry. Researchers have identified several components delivered through it: an Active Directory reconnaissance utility, a Kerberoasting script (which requests Kerberos service tickets so that service-account passwords can be cracked offline), and the WINDYTWIST.SEA backdoor, which provides remote access and a reverse shell.

ClickFix has been used by cybercriminals since late 2024 and is actively sold on underground forums as a builder kit for 200–1500. The tactic works because the victim runs the command themselves: there is no malicious attachment or browser exploit for antivirus and mail-gateway protections to intercept. A wide range of malware has been observed spreading via ClickFix: Lumma Stealer, AsyncRAT, XWorm, NetSupport RAT, Latrodectus, Lampion, and others. Microsoft notes that such attacks are combined with phishing and malvertising, and sometimes impersonate Discord or Cloudflare verification pages.

Fake CAPTCHAs and ClickFix remain effective social-engineering lures, so users should never paste commands from a web page into the Run dialog or a PowerShell window. Organizations are advised to disable the Run dialog where it is not needed, enable PowerShell script block logging so that pasted commands leave a trace, and train employees; together these reduce the risk of infection with CORNFLAKE.V3 and similar backdoors.
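A worked example of the two technical recommendations above, written for this page and not taken from the article or from Mandiant: it applies the NoRun policy and PowerShell script block logging through the registry, then triages the host by reading the Run dialog's RunMRU history and the PowerShell 4104 event log for the kind of download-and-execute cradle a ClickFix page asks the victim to paste. The keyword pattern and the 7-day window are my own choices, not indicators published for CORNFLAKE.V3, and the script assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Mandiant): harden a Windows host against
# ClickFix and look for evidence that a pasted Run/PowerShell command was executed.
# Registry paths are the standard policy locations; the regex below is illustrative.

# 1. Hardening: hide the Win+R "Run" dialog for the current user (NoRun policy)
#    and turn on script block logging (Event ID 4104) for every PowerShell session.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
New-ItemProperty -Path $explorerPolicy -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null

$sblPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblPolicy -Force | Out-Null
New-ItemProperty -Path $sblPolicy -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null

# Heuristic (author's choice): tokens that appear in typical paste-and-run cradles.
$suspicious = 'powershell|pwsh|mshta|curl|iwr|irm|iex|Invoke-Expression|DownloadString|FromBase64String|-enc|-w hidden|http'

# 2. Triage: Explorer records what was typed into the Run dialog under RunMRU.
#    Entries are stored as values named a, b, c ... plus an MRUList ordering value.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    Get-ItemProperty -Path $runMru |
        Select-Object -Property * -ExcludeProperty MRUList, PS* |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -match $suspicious } |
        ForEach-Object { "[RunMRU] $($_.Name): $($_.Value)" }
}

# 3. Triage: search 4104 script block events from the last 7 days for the same
#    tokens. Properties[2] holds the script block text. Only useful if logging was
#    already enabled when the command ran.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        if ($text -match $suspicious) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    } | Format-Table -AutoSize -Wrap
```

RunMRU and the NoRun policy are per user, so run the triage under, or against, each profile on a shared machine. NoRun only closes the door the article describes; the same cradle can be pasted into a terminal or the File Explorer address bar, which is why the script block log, which captures the command wherever PowerShell is launched from, is the more durable control of the two.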
