← Back to blog

ClickFix Malware Now Uses API Infrastructure for Polymorphic Payload Delivery

Security researchers have uncovered an API-driven backend powering ClickFix campaigns, enabling attackers to distribute polymorphic malware variants at scale. The discovery also reveals new evasion techniques designed to bypass Windows script scanning defenses.

TL;DR

  • ClickFix social engineering attacks now leverage centralized API servers to distribute customized malware payloads to each victim
  • Analysis of 3,000 live payloads reveals the malware delivery infrastructure operates as a service, increasing campaign efficiency
  • New delivery methods discovered that evade Windows script execution policies, expanding the attack surface
  • Polymorphic payload generation allows attackers to bypass signature-based detection while maintaining command consistency

ClickFix has evolved from a simple social engineering trick into a sophisticated, infrastructure-backed malware delivery operation. Researchers analyzing 3,000 active payloads have documented how attackers now use centralized API servers to orchestrate campaigns, generating unique malware variants for each target while maintaining consistent command-and-control functionality.

The research reveals that ClickFix's fake "prove you're human" verification pages are no longer isolated attacks. Instead, they connect to backend systems that intelligently distribute polymorphic malware, allowing attackers to evade detection while scaling their operations. Additionally, new delivery mechanisms have been identified that specifically target and circumvent Windows script scanning protections, expanding the threat's reach across enterprise environments.

API-Driven Malware Distribution at Scale

  • ClickFix campaigns now utilize centralized API infrastructure to manage payload delivery and customization
  • Each victim receives a polymorphic variant of the same malware, complicating signature-based detection
  • The backend-as-a-service model enables attackers to efficiently scale operations across multiple campaigns
  • Analysis of 3,000 live payloads demonstrates the maturity and operational sophistication of the infrastructure

Windows Evasion Techniques and Detection Bypass

  • New delivery methods discovered that bypass Windows script execution policies and scanning mechanisms
  • Polymorphic payload generation allows malware to avoid signature-based detection while maintaining functionality
  • Attackers are actively adapting to defensive measures, indicating ongoing development of the ClickFix ecosystem
  • Organizations relying solely on script-level protections face increased risk from these evasion techniques

Implications for Application Security Teams

  • ClickFix represents a convergence of social engineering and infrastructure-backed malware delivery, requiring multi-layered defenses
  • Security teams should monitor for polymorphic payload indicators and API-driven attack patterns in network traffic
  • User awareness training must address the evolving sophistication of fake verification prompts and social engineering tactics
  • Endpoint detection and response (EDR) solutions should be tuned to identify script execution evasion attempts

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

ClickFix Malware Now Uses API Infrastructure for Polymorphic Payload Delivery — Agent Breach Blog | Agent Breach