ClickFix uses social engineering to trick users into loading LOLBINS malware on their own devices, in this case using PowerShell. With evasion built into the ClickFix code and PowerShell execution undertaken in memory, the presence of ClickFix malware is easily missed. On June 13, 2025, researchers at Todyl, a networking and security platform for MSPs, detected a ClickFix variant that has not previously been seen. It was found on a compromised WordPress travel site being used in a traditional waterholing attack. Visitors to the site seeking a holiday in the Galapagos would receive a pop-up dialog box purporting to be part of Cloudflare’s CAPTCHA security process. The social engineering process is not new, being similar to that used in the variant discussed by SlashNext in early June.