Fake CAPTCHA Scam: How ClickFix Tricks You Into Malware

Table of Contents
You land on a site you've visited a dozen times before. A verification box pops up — nothing unusual, you've clicked hundreds of these. Except this one doesn't ask you to identify traffic lights or type distorted letters. It tells you to press Windows + R, paste something, and hit Enter. Do that, and you've just handed a stranger remote access to your machine — with your own hands, following your own keystrokes.
That's the fake CAPTCHA scam, and in security research it goes by a sharper name: ClickFix. I've been tracking this technique since it started showing up in client incident reviews, and what makes it worth a dedicated post isn't just how common it's become — it's how fundamentally it breaks the mental model most people use to judge whether a website is safe. There's no dodgy attachment. No obviously broken link. Just a familiar box, a helpful "Fix It" button, and a victim doing all the technical work themselves.
What Is the Fake CAPTCHA Scam (And Why Researchers Call It ClickFix)
A real CAPTCHA never leaves your browser. You click tiles, drag a slider, or check a box — the entire interaction happens on the page. ClickFix abuses the fact that everyone recognizes that ritual and clicks through it on autopilot.
The technique first showed up in campaigns in late 2024, and it escalated fast enough that MITRE formally added it to the ATT&CK framework in March 2025 as technique T1204.004 — User Execution: Malicious Copy and Paste. That's a meaningful milestone. MITRE doesn't create a dedicated sub-technique for a fad; it does so when a pattern becomes common enough that defenders need a shared name for it. By mid-2026, industry telemetry from vendors like ESET was showing campaign volume up several hundred percent year over year, and the U.S. Federal Trade Commission issued a direct consumer alert about it in June 2026 — a sign this had moved well past the enterprise-only threat category and into everyday inboxes and search results.
What most write-ups miss is that ClickFix isn't really a malware story. It's a psychology story that happens to end in malware. The attacker never has to write an exploit for your browser or your OS. They only have to write a convincing enough error message.
How the Attack Actually Works, Step by Step
Every ClickFix variant I've reviewed follows roughly the same three-stage chain, whether the payload is an infostealer, a RAT, or something else entirely.
Stage one — deception. You land on a page — sometimes malicious, sometimes a legitimate site that's been compromised — and see an overlay dressed up as Cloudflare Turnstile or Google reCAPTCHA. Instead of a real challenge, it displays a message claiming verification "failed" and offers a button labeled something like "Fix It" or "How to Fix."
Stage two — clipboard hijacking. Clicking that button triggers hidden JavaScript that silently writes a command to your clipboard. You didn't copy anything on purpose. The page did it for you the moment you clicked.
Stage three — execution. The page then walks you through "verification steps" — open the Run dialog with Win+R, or open Terminal on macOS, paste with Ctrl+V, press Enter. What actually runs is a living-off-the-land binary already built into your OS — PowerShell, mshta, or curl — pulling down and executing the real payload from attacker infrastructure.
That last stage is the entire trick. In practice, this is why antivirus tools so often miss it: nothing arrived as a suspicious file download, and no exploit fired. A legitimate system tool did exactly what it's designed to do, launched by the account owner. Security tooling built to flag unauthorized access has a much harder time flagging authorized action that the user was manipulated into taking.
Pro Tip: If you're ever unsure whether something on your clipboard is a real code or a hidden command, never paste it into the Run dialog or a terminal to "check." Paste it into a plain text editor like Notepad or TextEdit first. It won't execute there, and you can read exactly what you were about to run.
Where You'll Actually Encounter This
Early ClickFix campaigns leaned on malvertising and SEO-poisoned search results, but the delivery methods have broadened considerably. I've seen it referenced in fake job application portals that ask "applicants" to run a verification step before submitting a resume, cracked-software and streaming sites, malicious browser extensions, and compromised WordPress sites where the overlay is injected directly into otherwise legitimate pages. Phishing emails carrying the same lure as an attachment or embedded link are still very much active too.
The threat is also evolving on the payload side. Security researchers reported a newly documented modular malware framework in early July 2026 — distributed through a multi-stage phishing chain — that bundles credential theft, lateral movement, and ransomware execution into a single ClickFix-style delivery pipeline. That's the trajectory here: what started as a low-effort way to drop a single infostealer is increasingly being adopted as an initial-access method for far more damaging, multi-stage intrusions.
The New Twist: It Doesn't Even Need Malware Anymore
Here's the part most guides on this topic still haven't caught up to. Researchers recently documented a ClickFix variant that skips malware installation entirely and goes straight for your phone bill. Instead of pushing you toward PowerShell, the fake verification steps quietly fire off a batch of SMS messages from your device to a preloaded list of international numbers in countries known for high call-termination fees. This is a known fraud category called International Revenue Share Fraud, and the attacker earns a cut of those termination fees through an affiliate network — no infection required, just a chain of premium messages you never intended to send. Some of these pages even hijack your browser's back button to bounce you straight back to the scam if you try to leave mid-flow.
I'd call this a mild contrarian point worth sitting with: treating ClickFix purely as a "malware delivery mechanism" is already outdated framing. It's becoming a general-purpose social-engineering chassis that attackers bolt different monetization schemes onto — malware today, billing fraud tomorrow, credential phishing next month.
Five Red Flags That Expose a Fake CAPTCHA
Once you know what to look for, these pages are genuinely easy to spot, and the rule set is short enough to actually remember:
A real verification step never asks you to leave your browser, open the Run dialog, launch a terminal, or press a system-level keyboard shortcut. It never gives you a "verification code" that runs to hundreds of characters — real tokens are short. It shouldn't suddenly appear as a full-page challenge on a site you've used regularly that never showed one before, which usually signals the site itself has been compromised. Watch for buttons phrased as "Fix It," "How to Fix," or "Copy this command to continue" rather than a standard checkbox. And if a page won't let you navigate away cleanly — rewriting your browser history or reloading itself when you hit back — that's a page actively trying to trap you, not verify you.
One rule covers nearly all of it: if a "verification" step ever asks you to do something outside the browser tab, it isn't a CAPTCHA. Close it.
What to Do If You Already Pasted the Command
If you've already gone through the steps, don't spend time second-guessing whether it "really" ran — treat it as executed and act.
Disconnect the device from the network first, whether that means turning off Wi-Fi or unplugging the ethernet cable. This limits any active exfiltration or remote-access session before you do anything else. From a separate, clean device, change passwords for anything sensitive — email, banking, cloud storage — and turn on multi-factor authentication anywhere it isn't already active; it blocks the overwhelming majority of account-takeover attempts even if a password was already captured. Run a full scan with a reputable anti-malware tool, and don't assume a clean result means you're safe, since some of these payloads are built specifically to evade signature-based detection. If a RAT or persistent backdoor is confirmed rather than just an infostealer, a clean OS reinstall is the only outcome I'd genuinely trust — attackers who've had interactive access can leave persistence mechanisms that a scan alone won't fully catch. Keep an eye on bank and card statements for a few billing cycles afterward, particularly if you're checking for the SMS-fraud variant, which will show up as unexpected international messaging charges rather than a security alert.
Building Long-Term Immunity to ClickFix-Style Attacks
The single most effective defense here isn't a tool, it's a reflex: no legitimate website, vendor, or verification system will ever ask you to paste something into a system window. Not your bank, not Microsoft, not Adobe, not a job portal. That sentence is worth internalizing precisely because the entire attack depends on you not pausing long enough to question it.
Beyond that reflex, a few habits meaningfully cut your exposure. Ad and script blockers reduce your contact with the malvertising networks that seed a lot of these campaigns in the first place. Keeping your OS and browser patched closes off some of the secondary exploitation paths attackers chain onto after initial access. If you manage devices for a small team, restricting who can run PowerShell scripts unsigned, and enabling Constrained Language Mode where feasible, removes a lot of the built-in tooling this technique depends on. And if you ever want a second opinion on a link or domain before you interact with it, running it through a reputation-checking tool costs a few seconds and can catch what a quick glance won't.
Key Takeaways
The fake CAPTCHA scam succeeds by borrowing your trust in a ritual you've performed thousands of times, then handing you the technical steps to compromise yourself. It bypasses antivirus because you, not an exploit, are the one who runs the command. It shows up far beyond shady corners of the internet — on compromised legitimate sites, fake job listings, and cracked software downloads — and it's no longer just a malware delivery method; billing-fraud variants now skip infection entirely. The defense doesn't require expert-level technical skill. It requires one non-negotiable rule: verification never leaves your browser tab.
Frequently Asked Questions
What is the fake CAPTCHA scam actually called?
Security researchers call it ClickFix, formally cataloged by MITRE ATT&CK as technique T1204.004 (User Execution: Malicious Copy and Paste). "Fake CAPTCHA scam" and "ClickFix" refer to the same attack; the first is the consumer-facing name, the second is the technical one.
Can antivirus software detect a ClickFix infection?
Not reliably at the point of execution. Because the victim runs a legitimate system tool like PowerShell themselves, there's no malicious file download or exploit for signature-based tools to flag. Some payloads are caught afterward, but prevention depends on recognizing the scam before pasting anything.
Does the fake CAPTCHA scam work on Mac or mobile phones?
The classic malware version targets desktop operating systems since it needs a command line, so Windows, macOS, and Linux are all affected but phones are largely excluded. Mobile users aren't fully safe, though — some variants push credential phishing or, more recently, premium SMS fraud instead.
What should I do if I already pasted the command?
Disconnect from the internet immediately, then change your important passwords from a separate clean device and enable multi-factor authentication. Run a full anti-malware scan, and if a remote access tool is confirmed rather than just an infostealer, a full OS reinstall is the safest path forward.
Is it dangerous to just click the fake CAPTCHA box itself?
Simply clicking or viewing the fake verification page does not infect you on its own, even though it may silently copy a command to your clipboard. The infection only happens if you go on to paste that command into the Run dialog or a terminal and press Enter. Clear your clipboard and close the tab.

Passionate OSINT investigator and cybersecurity professional with over 3 years of experience. Expertise in web penetration testing, background checks, fraud detection, and uncovering digital fingerprints. Providing verified truth in the digital shadows.
Need a
ProfessionalInvestigation?
If this case sounds familiar, I can help. Get a confidential consultation today.

