Cybersecurity Alert – Fake BBC News and Fraudulent Cloudflare Verification Exploit in Latest ClickFix Attack

Cybersecurity researchers have identified a sophisticated new threat campaign that weaponizes trusted news sources and security verification systems to deliver malware.

The latest ClickFix attack variant combines convincing BBC news impersonation with fake Cloudflare verification screens, contributing to a staggering 517% surge in ClickFix attacks during the first half of 2025, according to ESET’s Threat Report.

Attack Methodology and Technical Execution

The campaign begins when victims click on deceptive online advertisements or search results, redirecting them to pixel-perfect replicas of BBC news websites populated with stolen legitimate articles.

These fake sites serve as delivery mechanisms for the primary attack vector: fraudulent Cloudflare verification pages.

The fake verification screens replicate authentic Cloudflare Turnstile challenges with genuine logos and Ray ID footers. When users attempt to complete the “Verify you are human” checkbox, they receive instructions to execute what appears to be a routine verification process.

The attack instructs users to press Windows + R to open the Run dialog, followed by Ctrl + V to paste a “verification command,” and Enter to execute it.

Unknown to victims, clicking the verification button pre-loads malicious PowerShell commands into their system clipboard. The executed commands download and install various malware families, including Lumma Stealer, DarkGate, AsyncRAT, and NetSupport.

These malicious payloads often retrieve Base64-encoded code from legitimate-seeming services and include anti-analysis features that terminate execution in virtual machine environments, achieving zero detection across many antivirus platforms.

Evolving Tactics and Advanced Evasion

Security researcher mr d0x recently identified a variant called FileFix that adapts the technique by leveraging Windows File Explorer instead of the Run dialog, instructing users to paste malicious commands into the address bar.

This evolution demonstrates threat actors’ continuous adaptation to maintain effectiveness as security awareness increases.

The fake Cloudflare pages incorporate authentic marketing text copied directly from Cloudflare’s official website, making detection extremely challenging.

Some variants display fake progress indicators and success messages to convince users further they’re completing legitimate security processes.

Defense Strategies

Security experts recommend several mitigation strategies: disabling the Windows Run dialog through Group Policy modifications, implementing behavioral monitoring for unusual PowerShell activity, and training users to recognize that legitimate services like Cloudflare never require direct operating system interaction for verification.

Microsoft tracks these campaigns under threat actor designations like Storm-1865, while security firms have developed specialized detection rules targeting ClickFix attacks.

This campaign represents a concerning escalation in social engineering sophistication, exploiting user psychology rather than technical vulnerabilities to bypass traditional security measures.

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post Cybersecurity Alert – Fake BBC News and Fraudulent Cloudflare Verification Exploit in Latest ClickFix Attack appeared first on Cyber Security News.