{ "name": "Analyzing a Full ClickFix Attack Chain - Part 1", "slug": "analyzing-a-full-clickfix-attack-chain-part-1", "description": "A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit.", "published": "2026-04-23T12:31:56+00:00", "created_at": "2026-04-23T12:31:56+00:00", "modified_at": "2026-04-27T12:37:07+00:00", "created_at_opencti": "2026-04-23T12:31:56+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-04-23", "clickfix", "dropper", "fake captcha", "fileless execution", "persistence mechanism", "phishing", "powershell", "social engineering" ], "related_entities": { "observables": [ { "id": "", "name": "https://hailmeinc.com/bkmsiqop.zip" }, { "id": "", "name": "https://hailmeinc.com/bkmsiqop.zip'" }, { "id": "", "name": "https://wiosyrondaty.com" } ], "others": [ { "id": "", "name": "textarea.select" }, { "id": "", "name": "accountpulsecentre.help" }, { "id": "", "name": "wiosyrondaty.com" }, { "id": "", "name": "hailmeinc.com" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/69ea2d5cd8732f2d8910fceb", "https://www.stormshield.com/news/analyzing-full-clickfix-attack-chain-part1/" ] }