HQ/EMEAFind out how we can help your business
ClickFix malware has been used in a recent cyberattack targeting the iClicker website, compromising the safety of students and instructors across the United States. iClicker, a digital classroom engagement platform owned by Macmillan, was exploited in a social engineering campaign that tricked users into executing malicious scripts through a fake CAPTCHA prompt.
According to cybersecurity researchers, the attack occurred between April 12 and 16, 2025. During this period, visitors to iClicker’s homepage were shown a deceptive CAPTCHA asking them to confirm, “I’m not a robot.” Once clicked, the page secretly copied a hidden PowerShell script to the user’s clipboard. Instructions then prompted users to open the Windows Run dialogue, paste the script, and execute it, unwittingly installing malware on their systems.
The payload, delivered via ClickFix malware, was tailored to the type of visitor.
Infected users received a secondary script from a remote server that granted attackers full access to their devices. For non-targets, such as security sandboxes, the script downloaded a harmless Microsoft Visual C++ installer instead.
Although the exact nature of the malware varied, cybersecurity experts believe it likely included infostealers, which are malicious tools that harvest passwords, cookies, credit card information, and even cryptocurrency wallets from popular browsers and applications. This stolen data can then be sold on cybercrime marketplaces or used for further attacks, including ransomware and network breaches.
The University of Michigan’s Safe Computing team flagged the breach, and iClicker has since removed the malicious content. The company posted a discreet security bulletin on May 6, confirming the incident but stressing that no core apps or user data were affected. However, the bulletin was hidden from search engines, making it harder for affected users to find critical information.
This incident adds to growing concerns around ClickFix malware, which has recently been used in other high-profile campaigns. Researchers at iZOOlogic recently reported its deployment in an attack spoofing Indian government websites. That campaign, attributed to the hacking group APT36, involved fake Ministry of Defence and India Post sites used to distribute malware across Windows, Linux, and Android platforms.
Users who visited iClicker[.]com between April 12 and 16 and interacted with the fake CAPTCHA are urged to run security scans and change all stored passwords. Using a trusted password manager like BitWarden or 1Password is also recommended.
Those who used the mobile app or never encountered the CAPTCHA are not at risk. Nonetheless, the incident highlights the mounting sophistication of social engineering attacks powered by ClickFix malware.
