One of Russia's most elite hacking units, Sandworm, has adopted the Clickfix attack technique to compromise devices belonging to sensitive organizations in Ukraine, according to the country's CERT. The campaign, active from spring through summer 2026, uses fake CAPTCHA prompts to trick victims into running malicious PowerShell commands, leading to infection with custom malware such as FreakyPoll.
Clickfix explained: the fake CAPTCHA deception
Clickfix is a social-engineering technique that emerged over the past year, primarily used by financially motivated criminals. Attackers compromise websites and display a fake CAPTCHA that requires visitors to copy a jumble of text and paste it into a terminal. The text contains scripts that perform malicious actions, such as installing malware or exfiltrating data. In Sandworm's campaign, the PowerShell command is disguised as a human verification step. Ukrainian authorities discovered at least ten compromised websites hosting this trick.
Sponsored Protocol
Sandworm: elite GRU hackers borrow from common criminals
Sandworm, an advanced hacking unit within Russia's GRU military intelligence, has a history of devastating attacks like BlackEnergy and NotPetya. Now it is using Clickfix to target Ukrainian organizations. The campaign, tracked as "GhettoVibe" and "ScoutCurl," has already compromised at least one organization, infecting a connected device with the FreakyPoll malware. This shows how attack techniques cross over from criminal to state-sponsored actors.
Sponsored Protocol
For more on evolving cyber threats, see the analysis on OpenAI's GPT-Red, an AI designed for security testing, or the article on advanced SQL injection for other attack methods. An external reference on Wikipedia provides historical context on the group.