👤 NETAEGIS
🗓️ 17 Dec 2025  

“ClickFix” Deception: How Fake Word Online Alerts Are Driving a New Wave of DarkGate Infections

Subtitle: A cunning social engineering scam tricks users into running malware - one clipboard at a time.

It starts with a familiar frustration: a browser pop-up claiming your “Word Online” extension isn’t installed. A helpful “How to fix” button beckons, promising a quick resolution. But for unsuspecting users, clicking that button is the first step on a path straight into the jaws of DarkGate, a notorious malware strain now spreading through a deviously simple, human-powered hack known as “ClickFix.”

The latest ClickFix campaign represents an alarming twist in cybercrime’s playbook. Instead of exploiting technical vulnerabilities, attackers weaponize troubleshooting habits, leveraging users’ trust in familiar repair routines. Here’s how it unfolds: victims land on a compromised site or malicious ad, where a convincing browser message claims the “Word Online” extension is missing. The pop-up offers a fix, but the real payload is invisible - nested deep within the webpage’s code.

Security analysts dissected the attack and found layers of obfuscated JavaScript and Base64-encoded strings, some even reversed to further frustrate detection. When the “How to fix” button is clicked, the site silently copies a pre-crafted PowerShell command to the user’s clipboard. The page then instructs users - under the guise of troubleshooting - to press Windows+R, open the Run dialog, and paste (CTRL+V) the command. It’s a sequence so routine, most people wouldn’t think twice.
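To show the decoding step an analyst performs on a page like this, here is an added Python example (not code from the article or from the researchers it describes). It peels the Base64 and reversed-Base64 layers off long string literals in a page script and reports whether the decoded text is handed to a clipboard API. The script it analyses is constructed for the example, and the command embedded in it is a harmless placeholder, not the campaign's actual payload.

```python
import base64
import binascii
import re

# Long Base64-alphabet string literals are the candidates for decoding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=]{16,})["\']')

# Browser APIs that put text on the clipboard without a user-visible copy action.
CLIPBOARD_APIS = (
    "navigator.clipboard.writeText",
    "execCommand('copy')",
    'execCommand("copy")',
)

# Tokens that suggest the decoded text is a shell command rather than page data.
SHELL_HINTS = re.compile(r"powershell|mshta|cmd\.exe|\.hta\b", re.IGNORECASE)


def decode_layers(literal):
    """Try plain Base64, then reversed Base64. Return (text, layer) or None."""
    for layer, candidate in (("base64", literal), ("reversed-base64", literal[::-1])):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text, layer
    return None


def analyse(js):
    """Decode embedded literals and flag clipboard writes of shell-like text."""
    findings = {
        "clipboard_apis": [api for api in CLIPBOARD_APIS if api in js],
        "decoded": [],
    }
    for match in B64_LITERAL.finditer(js):
        result = decode_layers(match.group(1))
        if result is None:
            continue
        text, layer = result
        findings["decoded"].append(
            {"layer": layer, "text": text, "shell_hint": bool(SHELL_HINTS.search(text))}
        )
    # Suspicious when a clipboard API is present AND some decoded literal looks like a command.
    findings["suspicious"] = bool(findings["clipboard_apis"]) and any(
        d["shell_hint"] for d in findings["decoded"]
    )
    return findings


def build_sample_js():
    """Constructed page script mimicking the obfuscation the article describes.

    The embedded command is a placeholder that only prints a string; the real
    campaign's command is deliberately not reproduced here.
    """
    placeholder_cmd = 'powershell.exe -c "Write-Host PLACEHOLDER-ONLY"'
    blob = base64.b64encode(placeholder_cmd.encode()).decode()[::-1]  # encode, then reverse
    return (
        'document.getElementById("fix").onclick = function () {\n'
        f'  var p = "{blob}";\n'
        '  navigator.clipboard.writeText(atob(p.split("").reverse().join("")));\n'
        "};"
    )


if __name__ == "__main__":
    report = analyse(build_sample_js())
    for entry in report["decoded"]:
        print(f"[{entry['layer']}] shell_hint={entry['shell_hint']}: {entry['text']}")
    print("suspicious:", report["suspicious"])
```

The decoder tries the plain orientation first; a reversed Base64 string with padding starts with `=` and is rejected by strict decoding, which is why the reversed attempt is only taken as a fallback. Real pages nest more layers (string concatenation, `eval`, character-code arrays), so this is the first pass of a triage script, not a complete deobfuscator.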

But this seemingly innocent action sets off a dangerous chain reaction. The PowerShell command reaches out to a hacked WordPress site (“linktoxic34[.]com”), downloads a file named “dark.hta,” and executes it. This HTA (HTML Application) file acts as a gateway, pulling down further scripts and AutoIt executables. These scripts establish new directories, drop encrypted files, and ultimately unleash the DarkGate payload - a sophisticated malware toolkit capable of remote control, data theft, and additional malware deployment.

The sophistication here is not just technical but psychological. By making the victim the unwitting accomplice - having them manually paste and run the command - the attackers bypass most antivirus and endpoint protections, which typically flag automated or suspicious script activity. Only after infection do telltale signs emerge: sluggish performance, strange toolbars, browser redirects, and mysterious network connections.

Defending against ClickFix-style attacks requires more than just software. Organizations must double down on security awareness, teaching users to distrust unsolicited pop-ups and never to copy commands from unknown sources. IT teams should consider disabling the Windows Run dialog where possible, enforce strict application allowlists, and monitor for unusual PowerShell activity. Above all, vigilance is key - because in this attack, the weakest link isn’t the code, but the click.
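As an added illustration of the "monitor for unusual PowerShell activity" advice (this is example code written for this page, not tooling from the article's author or from any vendor), the Python below scores process-creation events against the chain described above: a shell launched from explorer.exe (what a Run-dialog paste looks like), a hidden window flag, a remote URL, an HTA reference, and mshta.exe spawned by PowerShell. The events are constructed in the style of Sysmon Event ID 1 fields; the domain and file name are the indicators quoted in the article, defanged, and the command line is a placeholder rather than the real one.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; Sysmon-like field names)."""
    parent: str
    image: str
    cmdline: str


SHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\mshta.exe")


def _image_is(path, names):
    return path.lower().endswith(tuple(n.lower() for n in names))


# Each rule is one weak signal; an alert needs several of them on one event.
RULES = {
    # Shell started by the desktop shell: consistent with Win+R -> paste -> Enter.
    "run_dialog_parent": lambda e: _image_is(e.parent, ("\\explorer.exe",))
    and _image_is(e.image, SHELL_IMAGES),
    # Command line mentions an HTA file or the HTA host.
    "hta_reference": lambda e: re.search(r"mshta|\.hta\b", e.cmdline, re.I) is not None,
    # Window deliberately hidden from the user.
    "hidden_window": lambda e: re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I) is not None,
    # Command line fetches something remote.
    "remote_url": lambda e: re.search(r"https?://", e.cmdline, re.I) is not None,
    # HTA host launched by a scripting shell: the second stage of the chain.
    "mshta_child_of_shell": lambda e: _image_is(e.image, ("\\mshta.exe",))
    and _image_is(e.parent, ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")),
}


def evaluate(event):
    """Return the names of all rules that match a single event."""
    return [name for name, check in RULES.items() if check(event)]


def triage(events, threshold=2):
    """Return (index, matched_rules) for events with at least `threshold` hits."""
    alerts = []
    for idx, event in enumerate(events):
        hits = evaluate(event)
        if len(hits) >= threshold:
            alerts.append((idx, hits))
    return alerts


# Constructed sample telemetry: one ClickFix-style pair (events 0 and 3) among benign noise.
SAMPLE_EVENTS = [
    ProcEvent(
        "C:\\Windows\\explorer.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        'powershell -w hidden -c "[placeholder: fetch http://linktoxic34[.]com/dark.hta, then run mshta dark.hta]"',
    ),
    ProcEvent(  # user opened an interactive PowerShell window: one weak signal only
        "C:\\Windows\\explorer.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell.exe",
    ),
    ProcEvent(  # scheduled maintenance script: no signals
        "C:\\Windows\\System32\\svchost.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    ),
    ProcEvent(  # second stage: HTA host spawned by the pasted PowerShell
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\System32\\mshta.exe",
        'mshta.exe "C:\\Users\\victim\\AppData\\Local\\Temp\\dark.hta"',
    ),
]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].image} -> {', '.join(hits)}")
```

The threshold keeps an interactive PowerShell window opened from the desktop from alerting on its own, while the pasted command and its mshta.exe child each trip two or more rules. In production the same checks map naturally onto a SIEM query over Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled.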

As cybercriminals refine their social engineering tactics, the line between user error and technical compromise grows ever thinner. ClickFix’s chilling success is a stark reminder: sometimes, the most dangerous exploits are the ones we help run ourselves.

WIKICROOK

  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Base64 Encoding: Base64 encoding converts data into a readable text string, making it easier to embed or transfer files and code within text-based systems.
  • HTA (HTML Application): HTA files let HTML and scripts run as standalone Windows apps, offering powerful features but also significant cybersecurity risks.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.
Tags: ClickFix, DarkGate, Social Engineering

NETAEGIS
Distributed Network Security Architect