Incident-as-a-Service
New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer - Hackread
The 48-Hour Rule in action. This incident happened; we converted it into operational training, and your team can apply the controls immediately.
- Security Analyst: Will benefit by learning to craft specific detection rules for infostealer activity and understanding the forensic artefacts left by the ClickFix attack.
- Incident Responder: Will gain a ready-made playbook and practical skills for containing and eradicating this specific threat, improving response times and effectiveness.
- IT Administrator: Will learn critical infrastructure hardening techniques, such as application control and patch management policies, to prevent similar breaches in their environment.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Lesson 1 of 16 · Lesson 1.1: New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer - Hackread
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5-17 | ICT risk management framework requirements |
| ISO 27001 | A.8.1 | Responsibility for assets |
| NIST CSF | PR.IP-12 | A vulnerability management plan is developed and implemented |
| NIS2 | Article 21 | Risk management measures for network and information systems |
| SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer - Hackread! Over the next 45 minutes, we will explore a sophisticated data breach campaign that uses fake tech support pop-ups to steal cryptocurrency and sensitive browser data from over 25 different applications.
But first, let me tell you about Marcus Webb.
It's 3:15 PM on a Tuesday in October. Marcus, a freelance graphic designer working from a co-working space in Bristol, is finalising a client presentation. His screen flickers. A bright red pop-up appears, blocking his work: 'CRITICAL ALERT: Your system is infected with Trojan.ClickFix.365. Call Microsoft Support immediately at 1-800-555-0199 to prevent data loss.' The warning includes his IP address and a timer counting down from five minutes.
Marcus feels a cold knot in his stomach. He has client files, business invoices, and his personal cryptocurrency wallet on this machine. The pop-up looks official, with Microsoft logos and technical jargon. The timer ticks to four minutes. He thinks about the Ethereum he's been accumulating for a year, stored in a browser extension wallet. He can't afford to lose his work or his savings.
He hesitates, then clicks the 'Connect to Support Agent' button in the pop-up. A remote desktop session window opens. A voice with a faint accent comes through his speakers. 'Hello, this is Microsoft Security. We see the infection. We need to run a diagnostic tool to remove it. Please do not close any windows.' Marcus watches as a command prompt flashes on his screen, downloading and executing a file named 'fix_tool.exe'.
This is the story of a Data Breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.
Content Section 1: What is the ClickFix Attack?
Think of the ClickFix attack like a con artist dressed as a police officer. It doesn't break down your digital door; it knocks, shows a convincing badge, and you willingly let it in to 'inspect' your home. Once inside, it takes everything of value.
The Social Engineering Hook
The attack starts with a pop-up warning that mimics legitimate system alerts from companies like Microsoft or Apple. These pop-ups are triggered by malicious advertisements or compromised websites. They use urgent language, fake security logos, and often display the victim's own IP address to appear authentic.
The pop-up claims a severe infection like 'Trojan.ClickFix.365' is detected and urges the user to call a fake support number or click to connect to an 'agent'. The inclusion of a countdown timer creates pressure, short-circuiting careful thinking.
This method bypasses technical defences by targeting human psychology. No exploit is needed if the user can be convinced to grant access willingly.
The Infostealer Payload
Once the user interacts, the attack deploys an infostealer. This is a type of malware designed for one job: to find, collect, and exfiltrate specific valuable data from the infected computer.
Research suggests this particular infostealer targets over 25 different web browsers, including Chrome, Firefox, Edge, and Brave. It scrapes saved login credentials, autofill data, cookies, and browsing history. Its primary target, however, is cryptocurrency. It searches for and steals data from browser-based wallets like MetaMask, Coinbase Wallet, and Phantom, as well as desktop wallet applications.
Think about that last point for a moment. The most advanced firewall in the world can't stop you from deciding to open the gate yourself.
DORA Article 5-17: DORA's ICT risk management framework requires financial entities to have processes for identifying and managing digital operational risks, including those stemming from social engineering and malware designed to steal client assets.
ISO A.8.1: ISO 27001 A.8.1 mandates that assets associated with information and information processing facilities be identified and an inventory maintained. The ClickFix attack directly targets identified assets like credentials and cryptographic keys.
Content Section 2: Technical Execution and Data Exfiltration
Understanding the attack flow reveals why it's so effective. Let me show you exactly how Marcus was compromised after he clicked that button.
The Attack Flow
Step 1: The user visits a legitimate website with a compromised advertising network or a maliciously created site. A script triggers a pop-up that mimics a system alert.
Step 2: The user, concerned by the urgent warning, clicks to connect. This may initiate a direct download of the infostealer payload or connect them to a fake support agent who talks them through downloading and running the 'fix tool'.
Step 3: The infostealer executes. It first disables security notifications and may attempt to uninstall or interfere with endpoint protection software. It then begins a systematic search of the file system and browser data paths.
The Data Harvest
The malware scans for specific directories and browser profiles. It targets files containing login data, web data, and local storage. For crypto wallets, it looks for extension data folders and configuration files that might hold encrypted private keys or, in some cases, poorly stored seed phrases.
The harvested data is packaged into a file, often compressed and encrypted. It is then sent to a command-and-control server controlled by the attackers, typically using a standard HTTPS connection to blend in with normal web traffic.
Why Traditional Defences Can Fail
Many common security controls are not optimised to catch this attack chain. Here's how they are bypassed:
| Security Method | How It's Bypassed | Time to Compromise |
|---|---|---|
| Network Firewalls | The initial contact is a user visiting a normal website. The malware exfiltrates data over HTTPS, appearing as regular web traffic. | Minutes after user action |
| Signature-based Antivirus | The infostealer may be novel or lightly modified. User-initiated execution can also lower security alerts. | During execution |
| Email Filtering | The initial vector is not email; it's web ads or compromised sites. This bypasses email security entirely. | Not applicable |
| Patch Management | No software vulnerability is exploited. The attack works on fully patched systems. | Immediate |
Notice what all of these methods have in common. They are designed to stop *unauthorised* access or *known* malicious code. The ClickFix attack operates in the grey area of *authorised but deceived* user action and may use *unknown* malware.
Now pay attention, because this is the moment that the theft happens silently in the background. This is the moment where passwords, session cookies, and seed phrases stop being secrets.
NIST PR.IP-12: NIST CSF PR.IP-12 requires a vulnerability management plan. This attack highlights that vulnerability management must extend beyond software patches to include user awareness and controls for malicious websites and social engineering.
NIS2 Article 21: NIS2 Article 21 mandates risk management measures. For this threat, measures must include security awareness training, web filtering, and advanced endpoint detection capable of identifying suspicious data harvesting behaviour.
Content Section 3: Detection and Defence Mechanisms
Marcus's computer knew something was wrong. The malware was creating files, reading sensitive data, and calling out to the internet. It just couldn't tell him. Here's what to look for.
Endpoint-Level Indicators
Look for unusual process behaviour. The infostealer will spawn processes that rapidly access files in browser profile directories (like `AppData\Local\Google\Chrome\User Data\Default\Login Data`) and crypto wallet data paths.
Monitor for processes making outbound web requests immediately after accessing these sensitive files. The creation of large temporary data files in `%Temp%` or `AppData\Local\Temp` that are quickly compressed and deleted can also be a sign of data staging.
Endpoint Detection and Response tools should be configured with behavioural rules to alert on processes that read from a high number of credential stores across different applications within a short time window.
Network-Level Indicators
While exfiltration uses HTTPS, the destination may be suspicious. Look for connections to newly registered domains, domains with random-looking names, or IP addresses with poor reputation scores shortly after the detection of suspicious endpoint activity.
The size and pattern of the upload may be anomalous. A single, compressed HTTPS upload of several megabytes from a workstation, when that user's normal pattern is small, frequent requests, could be a signal.
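A behavioural rule of the kind the endpoint and network sections above call for, written here as an added example rather than lesson material: it flags a process that reads credential stores of several different applications in a short window and then connects out. The Chrome path is the lesson's; the Edge and Firefox store paths, the extension-storage pattern, the sample telemetry and the TEST-NET destination are constructed assumptions.

```python
"""Behavioural detection for a ClickFix-style infostealer (added example, not
code from the lesson). Replays EDR-style file-access and network events, flags a
process sweeping several apps' credential stores, then checks for a follow-up upload."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Credential-store paths per application. Chrome path is from the lesson; Edge and
# Firefox are assumed equivalents. The last pattern matches any Chromium extension
# storage directory (IDs are 32 letters a-p), where wallet extensions keep vault data.
CRED_STORES = {
    "chrome":    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$",
    "edge":      r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$",
    "firefox":   r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    "extension": r"\\Local Extension Settings\\[a-p]{32}\\",
}
WINDOW = timedelta(seconds=60)         # distinct-app reads must fit inside this
THRESHOLD = 3                          # distinct applications needed to alert
EXFIL_FOLLOW = timedelta(seconds=120)  # outbound connect this soon => exfil flag

# Constructed sample telemetry (JSON lines). pid 4120 is a browser reading its own
# store (benign); pid 5808 is the 'fix tool' sweeping stores, then calling a TEST-NET IP.
SAMPLE_EVENTS = r"""
{"ts":"2025-10-14T15:21:02","pid":4120,"image":"chrome.exe","type":"file_read","target":"C:\\Users\\marcus\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-10-14T15:23:10","pid":5808,"image":"fix_tool.exe","type":"file_read","target":"C:\\Users\\marcus\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-10-14T15:23:14","pid":5808,"image":"fix_tool.exe","type":"file_read","target":"C:\\Users\\marcus\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"ts":"2025-10-14T15:23:20","pid":5808,"image":"fix_tool.exe","type":"file_read","target":"C:\\Users\\marcus\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\logins.json"}
{"ts":"2025-10-14T15:23:25","pid":5808,"image":"fix_tool.exe","type":"file_read","target":"C:\\Users\\marcus\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop\\000003.log"}
{"ts":"2025-10-14T15:23:58","pid":5808,"image":"fix_tool.exe","type":"net_connect","target":"203.0.113.7:443"}
"""

def classify(path):
    """Return the application whose credential store `path` belongs to, else None."""
    for app, pattern in CRED_STORES.items():
        if re.search(pattern, path, re.IGNORECASE):
            return app
    return None

def detect(event_lines):
    """Return one alert per process that reads >= THRESHOLD apps' stores within WINDOW."""
    events = sorted((json.loads(l) for l in event_lines if l.strip()),
                    key=lambda e: e["ts"])
    reads, conns, images = defaultdict(list), defaultdict(list), {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        images[e["pid"]] = e["image"]
        if e["type"] == "file_read" and (app := classify(e["target"])):
            reads[e["pid"]].append((ts, app))
        elif e["type"] == "net_connect":
            conns[e["pid"]].append((ts, e["target"]))
    alerts = []
    for pid, seq in reads.items():
        for i, (start, _) in enumerate(seq):
            in_win = [(t, a) for t, a in seq[i:] if t - start <= WINDOW]
            apps = {a for _, a in in_win}
            if len(apps) < THRESHOLD:
                continue
            last = in_win[-1][0]   # correlate uploads that follow the sweep
            exfil = [d for t, d in conns[pid] if start <= t <= last + EXFIL_FOLLOW]
            alerts.append({"pid": pid, "image": images[pid],
                           "apps": sorted(apps), "exfil_to": exfil})
            break   # one alert per process is enough
    return alerts
```

Run `detect(SAMPLE_EVENTS.splitlines())`: the browser's own single-store read stays silent, while `fix_tool.exe` is reported with the four store types it touched and the destination it contacted afterwards.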
Proactive Defence Controls
Implement web filtering or a secure web gateway to block access to known malicious advertising networks and newly created suspicious domains. This can stop the initial pop-up.
Use application allowlisting or restricted execution policies on endpoints. This can prevent the execution of unknown binaries like `fix_tool.exe` from user download directories.
For high-value targets like finance teams, consider using isolated browsing environments or hardware security keys for cryptocurrency wallets to separate the sensitive data from the general-purpose browser.
SOC 2 CC6.1: SOC 2 CC6.1 requires logical access security over protected information. Defences against ClickFix, such as application control and monitoring for unauthorised access to credential stores, are direct evidence of protecting information assets from security events.
GDPR Article 32: GDPR Article 32 requires appropriate technical measures to ensure security of processing. Detecting and preventing the large-scale harvesting of personal data (passwords, browsing history) from browsers is a key technical measure for compliance.
Activity: Browser and Wallet Security Posture Review
This activity will help you assess the exposure of your primary work device to infostealer attacks like ClickFix.
Important Security Note: Do NOT document or share specific findings like saved passwords, wallet addresses, or seed phrases. This is a high-level review of configurations and habits. If you discover active malware, disconnect from the network and contact your security team immediately.
Instructions
Step 1: Review your primary browser's security settings. Check if you have enabled features like 'Enhanced Safe Browsing' (Chrome) or 'Enhanced Tracking Protection' (Firefox). Note whether you use a password manager or allow the browser to save passwords.
Step 2: Inventory browser extensions. List them and ask: Do I need every one? Are they all from official stores? Have any requested excessive permissions recently?
Step 3: If you use any cryptocurrency wallets, identify their type. Is it a browser extension, a desktop application, or a hardware wallet? For software wallets, is the seed phrase stored digitally anywhere (like a note file or email)?
Step 4: Reflect on your last week's browsing. Did you encounter any unexpected pop-ups or redirects? Do you use an ad-blocker?
Submission
For the course discussion forum, share general learnings only:
- Which security setting in your browser was already enabled, and which one did you turn on after this review?
- What was the most surprising extension you found installed?
- What is one change you will make to reduce your attack surface for infostealers?
Do NOT share: Specific password manager names, lists of your saved websites, cryptocurrency wallet addresses, seed phrases, or details of any malware you find.
Review and comment on at least two other students' submissions, focusing on the practical changes they propose.
Content Section 4: Documenting Your Defence for Compliance
Compliance documentation is often seen as a box-ticking exercise. Think of it instead as the blueprint you hand to an auditor to prove your digital house has alarms, strong locks, and an informed occupant, not just a sign that says 'Beware of Dog'.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
For DORA Article 5-17 auditors: you can now demonstrate that your ICT risk management framework considers social engineering and infostealer threats targeting financial assets, and that you provide training on specific threats like fake tech support pop-ups.
For ISO 27001 A.8.1 assessors: you can evidence that you have identified browser-stored credentials and cryptocurrency wallet data as assets, and have implemented controls (awareness, endpoint detection) to protect them from theft.
For NIST CSF PR.IP-12 reviewers: you can show your vulnerability management plan addresses non-technical vulnerabilities by including user security awareness training focused on identified threat patterns like the ClickFix attack.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified
Conclusion
Let me tell you how Marcus's story ended.
Two days later, Marcus tried to access his cryptocurrency wallet. The balance was zero. The transaction history showed a transfer to an unknown address hours after the 'support' session. His saved passwords in Chrome were also changed on several sites over the following week. The loss was over £8,000 in cryptocurrency and countless hours recovering his online accounts.
His organisation, though he was a freelancer, mandated new security training. They implemented a managed browser with stricter extension controls and network filtering for all connected devices. Marcus now uses a hardware wallet and a separate, dedicated password manager.
But it doesn't have to be your story. That's why we're here.
You should now understand how the ClickFix attack uses social engineering as its primary weapon. You understand its technical goal: to harvest data from browsers and crypto wallets. You know why traditional perimeter defences can miss this threat. And you understand the specific detection signs and defensive controls that can stop it.
Next, we'll explore Lesson 1.2: Supply Chain Compromise via Open-Source Packages. We'll look at how attackers are poisoning the very tools developers rely on to build software.
See you there.
Key Takeaways
1. Social Engineering is the Primary Vector: The ClickFix attack does not rely on software exploits; it uses convincing fake alerts to create urgency and trick users into initiating the compromise themselves.
2. Targets Data, Not Systems: The malware is a specialised infostealer designed to harvest credentials from over 25 browsers and, most importantly, to locate and steal cryptocurrency wallet data.
3. Bypasses Common Defences: Because it uses user action and encrypted web traffic, it can evade signature-based antivirus, traditional firewalls, and patch management strategies.
4. Detection Requires Behavioural Monitoring: Effective defence requires monitoring for suspicious endpoint behaviour, like processes rapidly accessing multiple browser credential stores, and correlating this with anomalous network uploads.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (suspicious process behaviour, data staging in Temp folders) and immediate response steps (network isolation, credential rotation) for a ClickFix-style infostealer infection on a single page.
- Compliance Mapping Worksheet - Map your organisation's controls for social engineering and data theft to the DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR frameworks, using the ClickFix attack as a reference threat.
- Risk Assessment Template - Assess your organisation's specific exposure to infostealer threats based on the use of browser-based credentials, cryptocurrency wallets, and user susceptibility to tech support scams.
- Further reading - Links to official framework documentation (NIST, ISO) and threat intelligence sources reporting on infostealer malware and social engineering campaigns.
New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer - Hackread Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access, ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.