www.malwarebytes.com 3/13/2026, 10:02:41 AM · via preferred

Fake Temu Coin airdrop uses ClickFix trick to install stealthy malware


According to Stefan Dasic, Malwarebytes has detailed a new ClickFix campaign that adapts its opening steps for a different outcome, this time luring victims with a convincing fake website promoting a $TEMU airdrop. The site prompts users to click an "I’m not a robot" checkbox, which opens a verification modal that guides the user through pressing Win+R, pasting a command, and hitting Enter, while a video shows each step in the style of a help-desk tutorial.

Once executed, the loader collects basic host information and returns a payload containing a unique machine identifier, enabling per‑victim variations to evade traditional file-signature detection. The backdoor runs Python code in memory via a windowless pythonw[.]exe, allowing attackers to change behaviour without leaving persistent on-disk files.

Campaigns employing this approach can steal browser credentials, session cookies, and keystrokes, and can notify attackers via Telegram when a new victim checks in. Indicators of compromise include the domain temucoin[.]lat.
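For defenders, the chain described above (a command started from the Win+R dialog that ends in a windowless pythonw.exe) can be hunted in process-creation telemetry. The following is an added example, not code from Malwarebytes or the original article: the event fields, the interpreter list and the sample events are constructed assumptions, and it relies on Run-dialog launches appearing as children of explorer.exe.

```python
from pathlib import PureWindowsPath

# Assumption: interpreters a pasted Run-dialog command would typically start.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def find_run_dialog_pythonw(events):
    """Return pythonw.exe processes descended from an interpreter
    that explorer.exe started (consistent with a Win+R launch)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) != "pythonw.exe":
            continue
        cur, seen = e, set()  # 'seen' guards against PID-reuse loops
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            parent = by_pid.get(cur["ppid"])
            if (parent and _name(cur["image"]) in INTERPRETERS
                    and _name(parent["image"]) == "explorer.exe"):
                hits.append({"pid": e["pid"], "root_pid": cur["pid"],
                             "root_cmd": cur["cmdline"]})
                break
            cur = parent
    return hits

# Constructed sample events; field names are hypothetical, modeled on
# process-creation logs such as Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed placeholder>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
     "cmdline": "pythonw.exe <constructed placeholder>"},
    # Benign: pythonw.exe started directly from the shell, no interpreter in between.
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Python312\pythonw.exe",
     "cmdline": "pythonw.exe idle.pyw"},
    # Benign: cmd.exe from explorer.exe that never leads to pythonw.exe.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_run_dialog_pythonw(SAMPLE_EVENTS):
        print(hit)
```

A hit is a triage signal rather than a verdict, because explorer.exe is also the parent of interpreters opened from the Start menu or a shortcut.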


Article by CyberSIXT