iClicker hack targeted students with malware via fake CAPTCHA

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California.

According to a security alert from the University of Michigan's Safe Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press "I'm not a robot" to verify themselves.

However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a "ClickFix" social engineering attack.

The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V) into it, and execute it by pressing Enter to verify themselves.

While the ClickFix attack is no longer running on iClicker's site, a person on Reddit launched the command on Any.Run, revealing the PowerShell payload that gets executed.

"Out of an abundance of caution, we recommend that any faculty or student who encountered and clicked on the false Captcha from April 12- April 16 on our website run security software to ensure their devices remain protected."

Users who accessed iClicker.com while the site was hacked and followed the fake CAPTCHA instructions should immediately change their iClicker password, and if the command was executed, change all passwords stored on their computer to a unique one for every site.

It's important to note that users who accessed iClicker through the mobile app or did not encounter the fake CAPTCHA are not at risk from the attack.

iClicker hack targeted students with malware via fake CAPTCHA

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

www.bleepingcomputer.com

 

[Andy Ful]

It uses a simple download cradle:

The first part is an obfuscated remote address of the payload. The "irm" command (Invoke-RestMethod) downloads the payload. The "iex" command (Invoke-Expression) executes the payload. Such cradles are used for a long time in the wild.

 

[ForgottenSeer 114717]

Academic communities are easy targets because those ecosystems are full of "Users that want to use stuff." The networks are a huge mess with so many problems. Professors, in particular, are the worst offenders of security policies.

It uses a simple download cradle:

View attachment 288550

The first part is an obfuscated remote address of the payload. The "irm" command (Invoke-RestMethod) downloads the payload. The "iex" command (Invoke-Expression) executes the payload. Such cradles are used for a long time in the wild.

This kind of stuff will be used by threat actors forever. Easy spray & pray campaigns. The numbers and people always favor the threat actors, who don't have to work much for SUCCESS!