Meet IClickFix: a widespread framework using the ClickFix tactic

216.73.217.22

Meet IClickFix: a widespread framework using the ClickFix tactic

· Published 30/01/2026 08:20 · Modified 30/01/2026 08:51

Essential information

Published: 30/01/2026 08:20
Modified: 30/01/2026 08:51
Tags: 2026-01-30 captcha clickfix emmenhtal loader javascript netsupport rat social engineering watering hole wordpress xfiles stealer
Related entities: 34 observables, 7 techniques (mitre), 3 malware, 76 others

Description

IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.