Russia's Elite Hacker Group Sandworm Adopts ClickFix Attack Technique
Original: Now, even Russia's most elite hackers are using Clickfix to infect devices
Why This Matters
State-sponsored adoption of ClickFix signals the technique's growing effectiveness beyond criminal threat actors.
Ukraine's CERT warned on July 16 that Sandworm, an elite GRU-linked hacking unit, has been using ClickFix social-engineering attacks since spring 2026, compromising at least one organization via fake CAPTCHA prompts that trick users into running malicious PowerShell commands.
Ukraine's Computer Emergency Response Team (CERT-UA) has issued an advisory warning that Sandworm, an advanced persistent threat group operating within Russia's GRU military intelligence agency, has adopted the ClickFix attack technique to target sensitive organizations in Ukraine. ClickFix works by displaying a fake CAPTCHA on attacker-controlled websites, instructing visitors to copy and paste a script into their terminal — typically deploying malware or exfiltrating data. Analysts found 10 compromised websites used in the campaign, which began in spring 2026 and has continued into summer. At least one organization suffered a confirmed network compromise. The attack chain begins with a PowerShell command disguised as a CAPTCHA verification step. Once executed, the script installs malicious Visual Basic scripts and other malware. The first-stage payload, called GHETTOVIBE, establishes persistence by placing a VBS file in the Startup directory. A reconnaissance tool named SCOUTCURL then collects system information, installed programs, files, and browser data to assess target value. High-value machines receive follow-on malware including FreakyPoll, a Python-based backdoor; FluidLeech, disguised as antivirus software; and LoadLoop. CERT-UA also identified SMARTAXE, a custom code module used alongside the Cloaking.House traffic-filtering service to dynamically alter webpage content for targeted visitors. Until now, ClickFix has been primarily associated with financially motivated cybercriminals.