- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
This blog was written by: Almas Raza, Tuan Vu
As enterprise work increasingly moves into the browser, adversaries are turning trusted browser interactions into new paths for malware delivery.
Palo Alto Networks researchers identified a ClickFix campaign that shows how a routine browser action can start a malware infection. Instead of exploiting a software vulnerability, the attack tricks users into pasting what appears to be an SSL certificate path, while the clipboard contains a hidden command that downloads a multi-stage payload and installs a remote access trojan disguised as image files. This campaign reflects a broader rise in ClickFix activity, with researchers observing more than 84,000 sites serving these attacks with a variety of tactics over the past three months. This example shows how attackers are adapting ClickFix to the browser, using trusted web interactions to deliver malware without a traditional exploit.
This blog explains how the attack worked, why browser-based ClickFix threats are difficult to detect with traditional controls, and why visibility into live browser activity and user interaction is important for stopping these threats.
Note: This finding was originally shared through Palo Alto Networks Unit 42 Timely Threat Intelligence, which provides additional research context.
|
Area |
Details |
|
Threat Type |
ClickFix clipboard injection delivering a multi-stage RAT |
|
Delivery Method |
Fake Lirunex-themed trading/API site using domain impersonation and server-side cloaking |
|
User Action |
User is tricked into pasting what appears to be an SSL certificate path |
|
Attack Goal |
Install a persistent RAT for credential theft, remote shell, screen streaming, keylogging, file management, and SSH tunneling |
|
Key Risk |
A trusted browser paste action can lead to malware execution without a traditional software exploit |
|
Notable Indicator |
RAT payloads disguised as image files: mev.png, USO.ico, USO.png |
|
Detection Opportunity |
Runtime browser behavior during user interaction, clipboard/paste behavior, malicious payload detection, URL detection, DNS detection |
Step 1: User Encounters the Threat
The attack begins when a user visits a fake Lirunex-themed trading/API site. The lookalike domain is designed to resemble the legitimate Lirunex platform and appear connected to a real fintech or API workflow.
The site also uses server-side cloaking. Non-targeted visitors see a harmless-looking page, while targeted users are shown the ClickFix lure page that initiates the attack.
Step 2: The Threat Gains Trust
The lure page asks the user to select an SSL certificate path through a file dialog box, making the request appear like part of a normal setup or authentication process.
Behind the scenes, the site has already placed a malicious command in the clipboard. To hide it, the attacker adds blank space followed by the decoy certificate name lirunex_Api_EU3.pem. As a result, the visible portion looks like a certificate path, while the malicious command stays hidden out of view.
Step 3: The Browser Becomes the Attack Surface
When the user pastes what they believe is the certificate path, the hidden clipboard command is pasted instead. The command runs silently using conhost.exe --headless, turning a routine browser interaction into the first stage of a remote access compromise.
Step 4: Malicious Behavior Is Triggered
The silently executed command reaches out to attacker-controlled infrastructure and begins downloading malware in stages. To avoid detection, the malware files are disguised with image file names and extensions, making them appear to be ordinary photos or icons rather than malicious programs.
Step 5: Impact on the User or Organization
Once installed, the attacker gains broad access to the victim’s machine. This includes the ability to steal saved browser credentials, watch the screen in real time, log keystrokes, browse and manage files remotely, and maintain persistent access even after reboot. The malware is also designed to evade common security tools, making it harder to detect and remove after installation.
For organizations, the risk is broader than one deceptive web page. Enterprise work now happens across browsers, SaaS applications, web portals, and cloud services. A ClickFix lure can abuse that trusted browser workflow to move from a web interaction to credential theft, remote access, screen monitoring, and persistent attacker control.
This attack revealed several layers of deception behind the ClickFix lure.
First, the lure domain was designed to look like a legitimate business or API workflow. The attacker used a lookalike Lirunex-themed domain, lirunex[.]tech, along with an API-style subdomain to make the page appear connected to a fintech or trading platform.
Second, the clipboard content was crafted to look harmless. The malicious command was hidden with blank space, followed by the decoy certificate name lirunex_Api_EU3.pem, so the visible portion looked like a normal SSL certificate path.
Third, the payload chain continued the disguise. Python executables were named after common image formats, including mev.png, USO.ico, and USO.png, making the files appear less suspicious even though they were part of a remote access trojan delivery chain.
Palo Alto Networks researchers also observed the same clipboard injection technique on additional financially themed sites, including aromi-fr[.]shop, aromi-fr[.]com, and api-eu3.convmasters[.]com.
ClickFix attacks can be difficult to detect because the malicious behavior depends on the user taking an action inside the browser. At first glance, the activity may look routine: a user visits a business-looking API page, follows setup instructions, and pastes what appears to be an SSL certificate path.
The challenge is that the visible browser interaction does not show the full risk. In this campaign, the paste content looked like a certificate file name, while the clipboard actually contained a hidden command designed to run silently in the background. The site also used server-side cloaking, showing harmless-looking content to some visitors while showing the ClickFix lure to targeted users.
This makes the attack harder for static scanners and network-layer controls alone to detect. The page may not reveal the malicious behavior until after it loads, the user interacts with it, and the clipboard/paste flow is triggered. By then, what looks like a normal user action can become command execution and malware delivery.
This is why live browser visibility matters. Correlating page behavior, clipboard activity, user interaction, URL intelligence, and payload delivery can help identify ClickFix attacks earlier, before a trusted browser workflow becomes a compromise.
Palo Alto Networks helps protect customers from this ClickFix campaign through Prisma Browser Advanced Web Protection. Because the attack starts in the browser and depends on live user interaction, protection needs visibility into the page behavior, clipboard activity, and browser flow that trigger the threat.
Prisma Browser uses real-time live page scanning and browser-layer visibility to help detect deceptive page flows, clipboard/paste abuse, and runtime behavior associated with ClickFix-style attacks. This helps stop threats that may be difficult to identify with network-layer controls alone, especially when the malicious behavior only appears after the page loads and the user interacts with it.
This protection is also strengthened by Palo Alto Networks cloud-delivered security services and threat intelligence, which identified the lure domain, related clipboard-injection sites, payload delivery infrastructure, command-and-control infrastructure, and disguised RAT files used in this campaign.
This campaign shows how ClickFix attacks have evolved beyond simple fake CAPTCHA pages. By combining domain impersonation, server-side cloaking, clipboard padding, and payload disguise, attackers can make a malicious workflow look like a routine browser interaction.
The key risk is that the attack does not rely on a traditional software exploit. It relies on user trust, live page behavior, and a paste action that appears legitimate. Prisma Browser Advanced Web Protection uses real-time live page scanning to help detect malicious lures, suspicious browser-driven behavior, and payload infrastructure before a routine web interaction becomes a full compromise.
Domains and URLs
|
Indicator |
Type |
|
lirunex[.]tech |
Lure domain (typosquat of lirunex.com) |
|
aromi-fr[.]shop |
Related site with same clipboard injection |
|
aromi-fr[.]com |
Related site with same clipboard injection |
|
convmasters[.]com |
Related site with same clipboard injection (api-eu3 subdomain) |
|
hxxps[:]//colafunfacts[.]net/log |
First-stage payload URL |
|
hxxps[:]//colafunfacts[.]net/firefox.zip |
Second-stage payload URL |
|
hxxp[:]//104.207.131[.]216[:]16443 |
Command-and-control server |
|
hxxp[:]//188.166.20[.]222[:]8000 |
Additional infrastructure |
|
hxxp[:]//95.179.240[.]32[:]9999/build |
Additional infrastructure |
Additional Information
To see Advanced Web Protection in action, schedule a Prisma Browser demo with your Palo Alto Networks team.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 3 Likes | |
| 2 Likes | |
| 2 Likes | |
| 1 Like | |
| 1 Like |

