Overview
- New fake Cloudflare verification pages detect the visitor’s operating system, auto-copy hidden commands, embed a step-by-step video, display a one-minute countdown and show bogus “users verified” counters.
- Push Security reports promotion through paid search ads and SEO-poisoned pages, plus injected JavaScript on compromised WordPress sites using outdated plugins.
- Instructions now adapt for Windows, macOS and Linux, delivering OS-specific payloads that have included Windows MSHTA, PowerShell scripts and other living-off-the-land binaries.
- Researchers caution that future variants could run entirely in the browser to sidestep endpoint detection and response tools, a possibility they describe as speculative.
- Push Security notes Microsoft’s 2025 Digital Defense report found ClickFix was the most common initial access method last year at 47%, and experts advise closing such pages and never executing copied terminal commands.