A new ClickFix campaign uses a fake $TEMU cryptocurrency airdrop website to trick victims into pasting and running malicious commands in the Windows Run dialog (Win+R). Unlike earlier ClickFix attacks, this one deploys a Python-based backdoor that runs under pythonw.exe (the console-less Python interpreter, so no window ever appears) and fetches and executes code dynamically from a command server rather than storing payloads on disk. Each victim receives a uniquely identified payload, which defeats file-hash-based detection. The backdoor can steal credentials, log keystrokes, take screenshots, and pivot to other machines, and a Telegram notification system alerts the attackers to each new infection. Indicators of compromise include a Python3133 folder in %LOCALAPPDATA% and a temp_settings file in %TEMP%.
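Because the payload itself never lands on disk and each victim's copy is unique, a hunt for this campaign has to lean on the host artefacts and the process behaviour rather than file hashes. The script below is an added example, not code from the Security Boulevard article: it checks the two on-disk IOCs the summary lists, enumerates running pythonw.exe processes with their parent and command line, and reads the current user's Win+R history (the RunMRU registry key, a standard Windows artefact rather than an IOC named by the article). The keyword pattern used to flag RunMRU entries is an assumption chosen to catch typical ClickFix one-liners and should be tuned to local telemetry.

```powershell
# Added example: host hunt for the ClickFix / pythonw.exe backdoor described above.
# Folder and file names are the article's IOCs; the RunMRU lookup and the
# keyword pattern are assumptions added for triage, not article indicators.

$findings = @()

# 1. On-disk IOCs from the article. The backdoor stages under %LOCALAPPDATA%
#    and leaves a settings file in %TEMP%; the fetched code itself is not on disk.
$iocPaths = @(
    (Join-Path $env:LOCALAPPDATA 'Python3133'),
    (Join-Path $env:TEMP 'temp_settings')
)
foreach ($p in $iocPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += [pscustomobject]@{
            Type    = 'Path'
            Detail  = $p
            Context = "created $($item.CreationTimeUtc.ToString('u'))"
        }
    }
}

# 2. Windowless Python interpreters. pythonw.exe is rare on hosts without a
#    Python workload, so record each instance with its parent and command line.
Get-CimInstance Win32_Process -Filter "Name = 'pythonw.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $findings += [pscustomobject]@{
        Type    = 'Process'
        Detail  = "PID $($_.ProcessId) $($_.ExecutablePath)"
        Context = "parent=$($parent.Name) cmd=$($_.CommandLine)"
    }
}

# 3. Win+R history for the current user. ClickFix lures paste a one-liner into
#    the Run dialog, and RunMRU keeps it even after the attacker cleans up.
#    Value names are single letters; MRUList holds their ordering.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    $props = Get-ItemProperty -Path $runMru
    $entryNames = $props.PSObject.Properties.Name | Where-Object { $_ -match '^[a-z]$' }
    foreach ($name in $entryNames) {
        $cmd = [string]$props.$name
        # Assumed pattern: interpreters, downloaders and encoded/obfuscated flags.
        if ($cmd -match 'pythonw|powershell|mshta|curl|wget|-enc|iex|http') {
            $findings += [pscustomobject]@{ Type = 'RunMRU'; Detail = $name; Context = $cmd }
        }
    }
}

if ($findings.Count -eq 0) {
    'No ClickFix/pythonw.exe indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in a non-elevated session for the affected user first, since RunMRU lives under HKCU and reflects only that user's Run dialog; repeat elevated to see pythonw.exe processes owned by other accounts. A hit on a path or on RunMRU alone is strong evidence; a lone pythonw.exe process needs its command line and parent checked before calling it malicious.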

From securityboulevard.com (7 min read)
Table of contents
Same opener, different game
First, the malware identifies the host
A windowless house guest
What they can do with an open door
ClickFix keeps evolving
How to stay safe
If you think you've been affected
Indicators of Compromise (IOCs)
