> cd .. / HUB_EDITORIALE
News

Sandworm Uses Clickfix to Attack Ukraine with Fake CAPTCHA Technique

[2026-07-17] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

One of Russia's most elite hacking units, Sandworm, has adopted the Clickfix attack technique to compromise devices belonging to sensitive organizations in Ukraine, according to the country's CERT. The campaign, active from spring through summer 2026, uses fake CAPTCHA prompts to trick victims into running malicious PowerShell commands, leading to infection with custom malware such as FreakyPoll.

Clickfix explained: the fake CAPTCHA deception

Clickfix is a social-engineering technique that emerged over the past year, primarily used by financially motivated criminals. Attackers compromise websites and display a fake CAPTCHA that requires visitors to copy a jumble of text and paste it into a terminal. The text contains scripts that perform malicious actions, such as installing malware or exfiltrating data. In Sandworm's campaign, the PowerShell command is disguised as a human verification step. Ukrainian authorities discovered at least ten compromised websites hosting this trick.

Sponsored Protocol

Sandworm: elite GRU hackers borrow from common criminals

Sandworm, an advanced hacking unit within Russia's GRU military intelligence, has a history of devastating attacks like BlackEnergy and NotPetya. Now it is using Clickfix to target Ukrainian organizations. The campaign, tracked as "GhettoVibe" and "ScoutCurl," has already compromised at least one organization, infecting a connected device with the FreakyPoll malware. This shows how attack techniques cross over from criminal to state-sponsored actors.

Sponsored Protocol

For more on evolving cyber threats, see the analysis on OpenAI's GPT-Red, an AI designed for security testing, or the article on advanced SQL injection for other attack methods. An external reference on Wikipedia provides historical context on the group.

Source: https://arstechnica.com/security/2026/07/now-even-russias-most-elite-hackers-are-using-clickfix-to-infect-devices

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()