BleepingComputer reports that between April 12 and April 16, 2025, the website of iClicker, a widely used student engagement platform, was compromised in a social engineering scheme known as a ClickFix attack.
Visitors to the site were shown a fake CAPTCHA prompt that tricked them into copying and executing a malicious PowerShell script, leading to potential malware installation. The attack impacted users who followed these instructions on Windows devices, granting threat actors full access to compromised systems. The malicious script was designed to behave differently depending on the visitor. Non-targeted users, such as automated malware analysis systems, received a legitimate Microsoft component. In contrast, targeted users received a script that likely deployed an infostealer capable of extracting browser data, saved credentials, financial information, and cryptocurrency wallet contents. The stolen data could be exploited for further intrusions, including ransomware attacks, especially targeting academic institutions. Although iClicker later published a security bulletin confirming that the core platform and user data were unaffected, the company initially did not respond to inquiries. The bulletin, hidden from search engines, advised users who interacted with the fake CAPTCHA to scan their systems and change passwords. Those using iClicker through the mobile app or who bypassed the CAPTCHA were reportedly not affected.