Now, even Russia’s most elite hackers are using Clickfix to infect devices

by | Jul 17, 2026 | Technology

News summary produced by Claude AI

Ukraine’s CERT center has reported that Sandworm, an advanced cyber unit within Russia’s GRU military intelligence agency, has begun utilizing Clickfix attacks against sensitive organizations. The technique, which gained prominence among financially motivated cybercriminals in recent years, presents a deceptive interface that appears to be a legitimate security verification method.

The attack works by displaying a fake CAPTCHA prompt on compromised websites that instructs users to copy and paste text into their terminal. Unbeknownst to users, this text contains malicious scripts that execute upon entry. Ukrainian authorities identified at least ten compromised websites being used in this manner and confirmed that one organization suffered a network compromise resulting in infection by FreakyPoll, a custom malware tool associated with Sandworm.

When executed, the scripts typically begin by installing reconnaissance software to evaluate the target device’s importance. High-value targets receive additional backdoor malware for persistent access. The campaign has been ongoing since spring, with malware components including GHETTOVIBE, SCOUTCURL, FluidLeech, and LoadLoop employed in various stages of the attack chain. The attackers have also utilized sophisticated web-based infrastructure, including a service called SMARTAXE, which dynamically generates fake CAPTCHA pages using blockchain technology to mask attacker-controlled domains.

Sandworm has historically relied on alternative infection methods, including distributing booby-trapped software through torrent trackers and conducting extended social engineering conversations over encrypted messaging platforms. The group also deploys Android-focused malware called CowardDuck, designed to exfiltrate potentially sensitive files from mobile devices.

Ukrainian authorities have urged website administrators and hosting providers to remain vigilant for signs of compromise, including unauthorized web shells and browser extensions on their systems.

Article Attribution | Read More at Article Source