{“lastseen”:”2025-11-07T16:43:45″,”description”:”Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer.\\n\\n**ClickFix** is the name researchers have since given to this type of campaign\u2014one that uses the clipboard and fake CAPTCHA sites to trick users into running malicious commands themselves.\\n\\nLater, we found that the cybercriminals behind it seemed to be running some A\/B tests to figure out which infection method worked best: ClickFix, or the more traditional file download that disguises malware as a useful application.\\n\\nThe criminals probably decided to go with ClickFix, because they soon came up with a campaign that targeted Mac users to spread the infamous Atomic Stealer.\\n\\nNow, as reported by researchers from Push Security, the attackers behind ClickFix have tried to make the campaign more \\”user-friendly.\\” The latest fake CAPTCHA pages include embedded video tutorials showing exactly how to run the malicious code.\\n\\nImage courtesy of Push Security\\n\\nThe site automatically detects the visitor\u2019s operating system and provides matching instructions, copying the right code for that OS straight to the clipboard\u2014making typos less likely and infection more certain. \\n\\nA countdown timer adds urgency, pressuring users to complete the \u201cchallenge\u201d within a minute. When people rush instead of thinking things through, social engineering wins.\\n\\nUnsurprisingly, most of these pages spread through SEO-poisoned Google search results, although they also circulate via email, social media, and in-app ads too.\\n\\n## How to stay safe\\n\\nWith ClickFix running rampant\u2014and it doesn’t look like it\u2019s going away anytime soon\u2014it\u2019s important to be aware, careful, and protected.\\n\\n * **Slow down.** Don\u2019t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.\\n * **Avoid running commands or scripts from untrusted sources.** Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n * **Limit the use of copy-paste for commands.** Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.\\n * **Secure your devices.** Use an up-to-date real-time anti-malware solution with a web protection component.\\n * **Educate yourself on evolving attack techniques.** Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!\\n\\n\\n\\n**Pro tip:** Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-11-07T15:01:33″,”modified”:”2025-11-07T15:01:33″,”type”:”malwarebytes”,”title”:”Fake CAPTCHA sites now have tutorial videos to help victims install malware”,”source”:””,”references”:””,”id”:”MALWAREBYTES:A53861CC1A06765318DF380E11329995″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/11\/fake-captcha-sites-now-have-tutorial-videos-to-help-victims-install-malware”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-07T16:43:45″,”description”:”Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-25184","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n