Background

ClickFix has quickly become a rampant social-engineering tactic. First observed back in October 2023, it aims to trick users into pasting commands into the run dialog box under the guise of verifying the user’s connection and authenticity to the domain. Given its ease of use and ability to bypass technical security measures, adoption of ClickFix has been growing at an alarming rate. ^[1]

Executive Summary

This investigation began after a user was observed navigating to a legitimate website that prompted the user with a fake Captcha prompt. Once the Fake Captcha prompt instructions had been performed, a curl command to a malicious domain led to malicious scripts and file downloads on the user’s asset. A threat actor is then observed performing domain level reconnaissance from the user’s machine before being caught and locked out by the LevelBlue MDR SOC team. This threat actor has been associated with the Interlock ransomware group, with Indicators of Compromise identified by the LevelBlue Open Threat Exchange (OTX) and other Open-Source Intelligence (OSI) sources such as Sekoia.

The Interlock ransomware group was first observed in September 2024. Unlike most ransomware groups seen today that employ Ransomware as a Service (RaaS) models, this was an independent group. They gained notoriety back in October 2024 when they claimed responsibility for the Texas Tech University Health Sciences Center incident that compromised the data of roughly 1.5 million patients.

In January 2025, researchers at Sekoia observed Interlock expanding their tactics and leveraging the Social Engineering technique now known as ClickFix. ^[2]

Investigation

The Level Blue MDR team observed two alarms on the same endpoint from Sentinel One which prompted further investigation. During the investigation, our analysts uncovered the threat actors’ tactics, techniques, and procedures (TTPs) and identified indicators of compromise (IOCs) associated with the Interlock ransomware group. Due to the swift action of the LevelBlue MDR team, the attack was contained, and the hashes from the investigation were added to the blocklist within SentinelOne. Click here to read the full blog and learn key takeaways from LevelBlue’s investigation, including recommendations to prevent these attacks from affecting your organization.

[1] https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims

[2] https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar

The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.