ClickFix Malware Turns Gizmodo Against Windows PCs

A compromised Gizmodo account briefly turned a trusted tech news site into a delivery surface for ClickFix malware prompts, putting Windows readers at risk of a remote access trojan if they followed the fake instructions.

Gizmodo confirmed the incident after readers reported fake CAPTCHA-style windows appearing on article pages, according to The Register Security. The prompts were designed to push users into running malicious code from their own machines, rather than exploiting the browser directly.

Why a ClickFix malware prompt on Gizmodo should worry ordinary readers

The danger here wasn’t that readers visited some obviously shady download site. They were on Gizmodo, a long-running tech publication. That matters because social engineering works best when the setting feels normal.

A fake CAPTCHA on a random piracy page raises suspicion. A fake CAPTCHA on a familiar article page can make people pause less and click faster.

ClickFix malware attacks usually start with a simple lie: the page claims there is a browser issue, CAPTCHA problem, Cloudflare-style check, or security verification step. The user is then told to copy or paste a command into Windows Run, PowerShell, Terminal, or another system tool.

That is the trick. The attacker doesn’t need to break the operating system first. The user is pressured into doing the dangerous part.

In Gizmodo’s case, the risk was uneven by operating system. Proofpoint threat researcher Tommy M said the prompt appeared to be tailored to each user’s OS. The Windows path attempted to install NetSupport RAT, while the macOS version had a configured payload but appeared broken because it required a password to open a ZIP archive.

XOOMAR analysis: That split matters. Windows users faced the clearer path to compromise. Mac users appear to have had a less effective version in this incident, but the broader technique still applies across platforms.

How one compromised account put fake CAPTCHA boxes in front of readers

Gizmodo said the attack came through a compromised account, not a confirmed takeover of every part of the site.

“We identified and resolved a security incident on our site earlier today,” the outlet said. “A compromised account was exploited to inject a malicious script, briefly exposing users to scam content. The site was taken offline immediately, the script removed, and the account secured.

“We're back up. If you notice anything unusual, reach out.”

That statement points to a common and dangerous middle ground. A site does not need to be fully owned by attackers for readers to be exposed. If an attacker gets access to an account with enough publishing or administrative reach, they may be able to inject script, alter page behavior, or trigger malicious overlays.

The visible symptom is usually simple: a pop-up, fake verification panel, browser-style warning, or urgent security check. The underlying condition is access abuse.

The Register said user reports spanned only a few hours, matching Gizmodo’s claim that the prompts appeared only “briefly.” The Register also confirmed that Gizmodo was no longer serving the ClickFix prompts as of Monday.

The attack was reportedly linked by Tommy M to an affiliate of ErrTraffic, described as a ClickFix-as-a-service program. In plain terms, that means attackers can use the ClickFix delivery method while choosing the malware they want to push.

That model changes the publisher’s security problem. A malicious script on one trusted page can become a storefront for different payloads.

What ClickFix malware asks Windows users to do after the fake prompt appears

A ClickFix flow usually moves fast.

First, the user sees a verification demand. Then the page asks for an action that feels technical but harmless. The user may be told to press Windows + R, paste something from the clipboard, and hit Enter.

That final step crosses the line from browser annoyance to device compromise.

A realistic sequence looks like this:

1. Fake prompt: A reader sees a CAPTCHA or verification box on an article page.
2. Clipboard trick: The page pushes or prepares a command for the user to paste.
3. System action: The reader opens Windows Run or PowerShell as instructed.
4. Payload chain: The pasted command can download code, run scripts, alter settings, or install malware.
5. Persistence risk: The attacker may gain continuing access if the payload succeeds.

In the Gizmodo incident, the Windows version attempted to install NetSupport RAT. The Register cited Darktrace as saying NetSupport RAT can be used to exfiltrate files from affected systems and load more payloads, including other malware strains and ransomware.

That is why ClickFix is more than a fake CAPTCHA nuisance. If a reader runs the command, the browser has become the starting point for host-level compromise.

The same pattern shows up in other malware delivery stories. Related XOOMAR coverage on Paid ShapedPlugin Updates Smuggle Malware Into WordPress and Ransomware Gang Hides Malware Behind Microsoft Teams Relays shows the same broad lesson for defenders: trusted software and trusted platforms can become delivery paths when account, update, or routing controls fail.

Why Mac users appeared to get a lighter version this time

The macOS version of the Gizmodo prompt was not harmless by design. It had a payload configured, according to The Register. But it appeared broken because opening the ZIP archive required a password.

That difference likely reduced the immediate risk for Mac users in this specific incident.

ClickFix campaigns can tailor instructions by OS. Windows users may see Run or PowerShell steps. Mac users may see Terminal instructions, ZIP files, or other Mac-specific lures.

XOOMAR analysis: The broken macOS flow should not be read as protection. It was more likely an execution failure than a sign that Mac users are outside the target set. The supplied source also references macOS ClickFix attacks delivering AppleScript stealers in other cases, so the platform is clearly in scope for this style of social engineering.

How to spot a real security check versus a ClickFix trap

The cleanest rule is also the most useful: a real browser check does not ask you to paste commands into your operating system.

Legitimate CAPTCHAs and verification pages happen inside the browser. They may ask you to click a box, identify images, wait, or retry. They should not ask you to open Run, PowerShell, Terminal, Command Prompt, or File Explorer to execute code.

Red flags include:

• Command prompts: Any webpage telling you to run a command is a major warning sign.
• Clipboard instructions: If the page asks you to copy and paste code you did not write, stop.
• Urgent verification language: Fake prompts often pressure users to act before thinking.
• Mismatch: A news article should not need operating system-level commands to display.

If you followed a prompt and ran a command, treat it as a possible compromise:

• Disconnect: Take the device offline.
• Stop logging in: Don’t access sensitive accounts from that machine.
• Scan: Use trusted security tools from a known source.
• Reset credentials: Change important passwords from a clean device.
• Review accounts: Check financial, work, and crypto-related accounts for unusual activity.
• Escalate: If it is a work device, notify IT or security staff immediately.

If you only saw the prompt and did not run anything, close the tab, clear suspicious downloads, update the browser, and report the incident if the site provides a contact.

What publishers need to harden before the next fake prompt lands

The Gizmodo incident is a reminder that newsroom security is now reader security.

Publishers should focus on the controls that stop one account from becoming a reader-facing malware channel:

• Phishing-resistant MFA for publishing and admin accounts.
• Least privilege so compromised accounts cannot inject scripts broadly.
• Credential rotation after suspicious access.
• Login alerts for unusual geography, timing, or device patterns.
• Admin audit logs that show who changed what and when.
• Script monitoring for unexpected JavaScript on article pages.
• Content security policies to limit what injected scripts can do.
• Fast takedown workflows when readers report malicious prompts.

The immediate watch item is whether more trusted publishers see similar ClickFix injections through account compromise rather than classic server intrusion. For readers, the practical rule is simpler: if a website asks you to leave the browser and run a command, assume the page is hostile until proven otherwise.

Impact Analysis

• Trusted websites can become malware delivery surfaces when accounts are compromised.
• ClickFix attacks rely on tricking users into running commands themselves rather than exploiting the browser directly.
• Windows readers faced the clearest compromise path through a potential NetSupport RAT infection.