THE “IClickFix” Trap has turned more than 3,800 WordPress sites into infection points through opportunistic watering hole attacks, according to Sekoia TDR. Since late 2024, the campaign has relied on a deceptive “ClickFix” social engineering tactic, presenting a fake Cloudflare Turnstile CAPTCHA and prompting victims to paste a fix code or PowerShell script into their terminal, after which malicious payloads are downloaded.
The delivered malware, including NetSupport RAT, Emmenhtal Loader, and XFiles Stealer, is routed via a multi-stage JavaScript loader that mirrors the lure used in the campaign. The operators inject a bespoke ic-tracker-js HTML tag to track and filter victims, and they have evolved throughout 2025 with additional JavaScript delivery stages, an expanded lure, and the use of the YOURLS URL shortener as a Traffic Distribution System to evade detection.
Researchers noted that the cluster has compromised thousands of sites and that the framework may be responsible for thousands of infections per day, underscoring the need for patching WordPress installations.