ClickFix Lures Evolve to Deploy New In‑Memory Infostealers
🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.
