eye.security About the Product Partner Portal Customer Portal
Incident Response
← Return to overview

ClickFix Block: protect against fake CAPTCHA attacks | Eye Security

Oct 6, 2025
Bas van den Berg
By: Bas van den Berg

Rise of the “ClickFix” Social Engineering Attack

In recent months, we here at Eye Security and other cybersecurity researchers have observed a rise in a browser-based social engineering technique called the fake CAPTCHA attack or ClickFix. This clipboard manipulation attack tricks users into pasting and executing arbitrary commands on their systems, often resulting in credential theft via the installation of infostealers or remote access trojans (RAT).

What is the ClickFix / Fake CAPTCHA attack?

ClickFix typically disguises itself as a fake CAPTCHA challenge. CAPTCHAs are commonly used by websites to distinguish between human users and automated bots. Well-known examples include Google reCAPTCHA and Cloudflare’s “I am human” verification. Fake CAPTCHA reuse these themes in social engineering attacks, delivered to the end user in a browser via SEO poisioning, malvertising or plain old spearphishing.

In a fake CAPTCHA, the attacker presents a fake CAPTCHA that instructs the user to:

  • Press Windows + R to open the Run dialog
  • Press Ctrl + V to paste clipboard contents
  • Press Enter to execute the command

What makes this attack particularly insidious is the clipboard manipulation. Before the user pastes anything, the fake CAPTCHA silently injects a malicious command into the clipboard. This command is often obfuscated with a diversion. This diversion is a harmless-looking string that masks the true content of the payload, such as ✓ "I am a human - Cloudflare RayID: 9802b213d92d0eaa".

How fake CAPTCHA attacks exploit browser clipboard functions

When the user pastes and executes the command, they unknowingly launch malware that can compromise their system, steal credentials, or provide remote access to the attacker. This attack exploits a combination of:

  • User trust in CAPTCHA interfaces, which change tasks all the time
  • Lack of visibility into clipboard contents
  • Users wanting to complete the CAPTCHA task as quickly as possible
Example of a Fake CAPTCHA trying to entice users to run arbitrary commands. In this example, the Fake CAPTCHA tries to mimic CloudFlare’s captchas.

The fake CAPTCHA website can modify the clipboard contents using JavaScript. JavaScript runs in the browser and has native functions that can copy to (and from) the clipboard. Although there are many subtle variations of the ClickFix or Fake CAPTCHA technique, we almost always see the browser and native JavaScript functions being used to manipulate clipboard contents.

How Eye Security developed ClickFix Block to stop these attacks early

This makes clipboard manipulation an attractive point in the ClickFix execution chain to disrupt. If nothing malicious is copied to the clipboard in the first place, the attack is effectively neutralised. While we strongly believe in defense-in-depth and the need for state-of-the-art Endpoint Detection & Response software, it wouldn’t hurt to be able to frustrate the attack at this early stage already.

So we set out to do just that! We quickly whipped up a small TamperMonkey script that hooks the native JavaScript function responsible for copying to the clipboard. In the modified function, we look for indicators of ClickFix activity, such as the presence of terms such as mshta or powershell. If there is a match, the function returns without ever copying anything to the clipboard. We spun up a copy of John Hammond’s open source recaptcha-phish project, visited the page, followed the lure’s instructions… and the TamperMonkey script worked! Nothing was copied to the clipboard and we were presented with a warning instead.

It’s important to note that our technique only hooks JavaScript’s native clipboard functions. This does not affect normal copy, cut or paste commands issued by the user using the keyboard (e.g. Ctrl+C and Ctrl+V) or context menus (e.g. right click and then selecting copy).

// @name         ClickFixDestroyer
// @namespace    http://tampermonkey.net/
// @version      2025-09-16
// @description  try to take over the world!
// @author       You
// @match        *://*/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    let oldExecCommand = document.execCommand.bind(document);
    document.execCommand = function(commandId) {
    if (!(commandId === "copy") && !(commandId === "cut")) {
        return oldExecCommand(commandId);
      }

      const focusedElement = document.activeElement;
      const textToCopy = focusedElement.value;
      if (textToCopy.match(/mshta|captcha|human/i)) {
        alert("ClickFix detected");
        return;
      }

      return oldExecCommand(commandId);
    }
})();

From Proof of Concept to Browser Extension

Encouraged by this result, we packaged the code into a Chrome extension and added several extra features. Almost immediately, we attacked our own creation and discovered ways the protection could be bypassed. As a result, we hardened the extension further to make it more resilient. After our internal release, this happened once more; people were really enthusiastic and made or suggested improvements to the extension, such as the localization and the warning modal. Furthermore, another bypass was found by one of our seasoned developers; this was quickly squashed.

We started our extension journey with a script that needs to be injected first thing, which is at document_start. It also needs to be able to access global functions and variables, so we inject into the “MAIN” world. This has the side-effect that the content script is no longer able to access the Chrome runtime functions. This meant that we had to workaround the inability to grab variables from the storage, such as the alllowlist. Here’s part of the manifest.json that does this, with our comments added:

...snip...
  "content_scripts": [
    {
      "world": "MAIN",            <--- access to global functions requires MAIN
      "matches": [
        "https://*/*",            <--- inject in all webpages
        "http://*/*"
      ],
      "js": [
        "inject.js"
      ],
      "run_at": "document_start", <--- inject as fast as possible
      "all_frames": true          <--- also into iframes
...snip...

The file “inject.js” contains code to grab the function execCommand and hook it. Everything is wrapped in an anonymous function (similar to what TamperMonkey scripts do) so the page itself does not have access to oldExecCommand, which could be used to bypass this extension. Shown below is just the early prototype; we have since expanded on it greatly and added more functions to hook.


// wrap everything in an anonymous function
(function () {
  let oldExecCommand;
  try {
    // grab the old function reference so we can call it later
    oldExecCommand = document.execCommand.bind(document);
  } catch (e) {
    console.log("error: ", e);
  }
  try {
    // override global function with hook
    document.execCommand = function (commandId) {
      // only consider commands that influence the clipboard contents
      if (!(commandId === "copy") && !(commandId === "cut")) {
        return oldExecCommand(commandId);
      }
      const focusedElement = document.activeElement;
      const textToCopy = focusedElement.value;
      // if we detect any kind of ClickFix-like keyword, do not copy 
      // to the clipboard, simply return
      if (testForClickFix(textToCopy)) {
        return;
      }
      // no bad stuff, so execute the saved function reference
      // this makes the hook transparent in cases where nothing is detected
      return oldExecCommand(commandId);
    }
  } catch (e) {
    console.log("error: ", e);
  }

  function testForClickFix(text) {
    // example keywords that have been observed in the wild
    const badStuff = new RegExp("powershell|mshta|not a robot|captcha|i am a human", "i");
    // simple regex check
    const result = text.replaceAll("'", "").replaceAll('"', '').match(badStuff)
    // JavaScript tried to copy a potentially harmful command to the clipboard. Alert the user.
    if (result) {
      window.alert("Warning: Potential ClickFix / Fake CAPTCHA attack detected!");
      console.log("ClickFix Block prevented the following to be copied to the clipboard because it contained suspicious keywords: ", text);
    }
    return result;
  }
})();

In order to access the settings variables, we had to inject those via a background worker, as inject.js no longer has access to chrome.storage. This is done by injecting a second script into each page, that sends a message to the background worker. This message then triggers the worker to inject the variables into MAIN using chrome.scripting.executeScript. Needless to say, we learned a great deal from this piece of research.

We emphasise that this is a proof of concept, and we fully expect threat actors to eventually become aware of this countermeasure and attempt to circumvent it. To that, we say: if attackers are forced to do more work, then we’ve already succeeded in raising the bar.

The extension also includes an optional “block always” mode, which is disabled by default. When enabled, this mode completely disables JavaScript’s native copy-to-clipboard functions. With block all mode enabled, even if an attacker manages to bypass the filters, nothing will be copied to the clipboard, effectively stopping the attack before it starts. Again, normal copy and paste commands are completely unaffected.

Example of a fake CAPTCHA
ClickFix Block extension for Chrome in action against an instance of recaptcha-phish

Introducing our browser extension: ClickFix Block

We have released the Chrome plugin, which also works for Edge, as a way to give back to the cybersecurity community. The plugin is free of charge and available to everyone. We hope this small addition may serve next to EDRs as as an effective means to thwart fake CAPTCHA campaigns, thereby supporting our mission here at Eye Security: Keep Europe Safe. Happy ClickFix blocking!

Installation guide for ClickFix Block (Chrome/Edge)

  • Make sure you’re using the Chrome browser (or Edge) on your desktop or laptop.
  • Visit https://chromewebstore.google.com/detail/clickfix-block/kicmpbbbloliabpbfkfcmflbmlcakeck
  • On the extension page, click the blue Add to Chrome (on Edge: click Get) button.
  • A pop-up will appear asking for confirmation. Click Add Extension to complete the installation.
  • Once installed, you’ll see the extension icon appear in the top-right corner of your browser, next to the address bar. If it is still hidden, click the puzzle piece icon next to the address bar and pin the extension so it is always visible.

By clicking on the extension icon, you can:

  • Enable or disable ClickFix Block globally
  • Enable or disable Block All mode (which simply blocks all Javascript copy-to-clipboard functionality without even trying to match against the keyword blocklist).
  • Add current domain to allowlist, effectively disabling ClickFix Block for that domain. Note that this doesn’t allowlist the whole domain, so any subdomains need to be added manually

After selecting an option, the page is automatically refreshed to update the settings.

Disclaimer

This extension injects code into every webpage you visit in order to monitor and intercept potentially malicious clipboard operations. This is similar to how other trusted tools like password managers operate, which also inject into each page. Please note:

  • The extension uses pattern matching (e.g. cmd, msiexec, powershell, pwsh, iex, mshta, not a robot, captcha, human) to detect suspicious clipboard activity stemming from native JavaScript functions.
  • In rare cases, this may interfere with legitimate websites or tools that use similar terms in their copy-to-clipboard functionality. Consider allowlisting trusted domains if you experience this.
  • A “block always” mode is available, which disables all JavaScript-based clipboard copying. This may break expected behavior on some websites.
  • Normal clipboard use via keyboard shortcuts (Ctrl+C, Ctrl+V) is not affected.
  • This extension is provided “as is”, without warranty of any kind, express or implied. Use it at your own risk. Eye Security is not responsible nor liable for any damage, data loss, or disruption caused by the use or misuse of this extension.

FAQ

Q: Does this mean I cannot use copy and paste anymore?
A: No, the extension only hooks JavaScript copy-to-clipboard functions, normal copy to clipboard behaviour is unaffected.

Q: Is this extension continuously monitoring my clipboard?
A: No, it does not. It only hooks the native JS functions. It does not and will not check the clipboard continuously; if the user decides to copy something malicious with Ctrl+C, this extension will not act on it.

Q: Why only Chrome? Why not FireFox?
A: Chrome extensions are compatible with Edge, so targeting these browsers first ensures that the extension reaches a large part of the browser population. A FireFox extension may follow at a later stage.

About Eye Security

We are a European cybersecurity company focused on 24/7 threat monitoring, incident response, and cyber insurance. Our research team performs proactive scans and threat operations across the region to defend our customers and their supply chains.

This research was conducted by the Eye Security Threat Research Team, dedicated to detecting and disrupting emerging attack techniques across Europe. Read more about our recent work.

Learn more about Eye Security at https://eye.security/ and follow us on LinkedIn to help us spread the word.

Related articles.