Secure ISS

Active ClickFix Malware Campaign via a Compromised Website

Overview

Threat type: ClickFix social engineering / malware delivery

SISS Severity Rating: High

Date: 15 June 2026

Status: Active and developing


Secure ISS is responding to an active threat in which a live Australian website, reported as thinkertank[.]co, is currently serving ClickFix malware. The malicious site is being linked to from a large number of external sources, reportedly including a trusted government-facing web property and at least one client communication, which significantly widens the potential blast radius.

The risk is twofold. Visitors who reach the site may be tricked into running malicious commands on their own machines, and the trusted sources linking to the site lend it false credibility, increasing the likelihood that users will follow through.


What is happening

  • A live Australian website is hosting a ClickFix lure that attempts to trick visitors into running a malicious command on their device.

  • The malicious URL is being linked to from many external sources, amplifying its reach.

  • A trusted, government-facing web property has been reported as linking to the site. This is under verification: it is not yet confirmed whether the source is compromised or simply referencing the URL.

  • At least one organisation has distributed the link through a newsletter to its audience, extending exposure beyond direct visitors.


What is ClickFix

ClickFix is a social engineering technique that disguises malicious instructions as a legitimate technical verification or troubleshooting step. Victims are typically shown a fake Cloudflare or CAPTCHA-style “verify you are human” prompt and asked to copy and paste a command into the Windows Run dialog or PowerShell.

If the user follows the instructions, the command downloads and executes malware, commonly an information stealer that harvests credentials, session tokens, and other sensitive data. ClickFix campaigns targeting Australian users have frequently been associated with infostealer families such as Vidar, as well as tools like Lumma Stealer and NetSupport RAT.


Indicators and current containment

  • Reported malicious domain (defanged, under verification): thinkertank[.]co

  • Secure ISS has blacklisted the associated IP addresses.

  • The malicious URL has been flagged within the SIEM.

  • Full indicator list is being confirmed and will be updated as the investigation continues.


Recommended actions

Secure ISS recommends the following actions immediately:

  • Block the malicious domain and associated IP addresses at the firewall, web proxy, and DNS layers.

  • Warn users not to visit the site and, critically, never to copy or paste commands from a website, email, or pop-up into the Run dialog or PowerShell.

  • Review any internal or client communications that may have distributed the link, and issue a correction or takedown where appropriate.

  • If you operate a website that may be linking to or hosting the malicious URL, audit your pages, themes, and injected scripts for unauthorised content.

  • Hunt for ClickFix activity on endpoints: look for suspicious use of the Run dialog, PowerShell, mshta.exe, rundll32.exe, certutil.exe, and unexpected child-process activity.

  • Review web proxy, DNS, and SIEM logs for any connections to the indicators above, and investigate affected hosts for signs of infostealer activity (credential and token theft).

  • Reset credentials and invalidate sessions for any user confirmed to have run a ClickFix command.
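
The endpoint and DNS hunting steps above, applied to constructed records, as an added example that is not Secure ISS tooling. The event field names, the assumption that a Run-dialog launch has explorer.exe as its parent, and the command-line heuristics are assumptions to adapt to your own telemetry.

```python
import re

# Binaries the advisory names for endpoint hunting.
WATCHED = {"powershell.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Assumption: a command pasted into the Run dialog is launched by explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
# Assumed command-line heuristics; tune per environment.
TRAITS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"\s-w[a-z]*\s+hidden\b", re.I),
    "encoded_command": re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}", re.I),
}
IOC = "thinkertank[.]co"  # defanged, as reported on the page (under verification)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def refang(ioc):
    return ioc.replace("[.]", ".").lower()

def score_process(event):
    """Reasons a process-creation event resembles a pasted ClickFix command."""
    if basename(event["image"]) not in WATCHED:
        return []
    if basename(event["parent"]) != RUN_DIALOG_PARENT:
        return []
    return [name for name, rx in TRAITS.items() if rx.search(event["cmdline"])]

def matches_domain(qname, indicator):
    """Exact or subdomain match on a label boundary, so look-alike TLDs do not hit."""
    q, d = qname.lower().rstrip("."), refang(indicator)
    return q == d or q.endswith("." + d)

def hunt(procs, dns, indicator=IOC):
    hits = {}  # host -> list of reasons
    for e in procs:
        for reason in score_process(e):
            hits.setdefault(e["host"], []).append(reason)
    for e in dns:
        if matches_domain(e["query"], indicator):
            hits.setdefault(e["host"], []).append("dns_indicator")
    return hits

# Constructed sample telemetry (not from the investigation); the -enc value is a placeholder.
EXPLORER = r"C:\Windows\explorer.exe"
PROCS = [
    {"host": "WS-01", "parent": EXPLORER, "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://example.invalid/verify"},
    {"host": "WS-02", "parent": EXPLORER, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -w hidden -enc PLACEHOLDERplaceholderPLACEHOLDER"},
    {"host": "WS-03", "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -verifystore My"},
]
DNS = [{"host": "WS-04", "query": "www." + refang(IOC) + "."}, {"host": "WS-05", "query": refang(IOC) + "m"}]
```

A host that appears with both a process reason and `dns_indicator` is the strongest candidate for the credential reset and session invalidation step.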


Summary for IT Teams

Threat: Active ClickFix malware campaign using a live Australian website

Threat Level: High, active and developing

Action Required: Block the malicious domain and IPs, warn users against pasting commands from web prompts, review communications that distributed the link, and hunt for ClickFix-related endpoint activity. Treat the indicators as provisional until the SOC confirms them.


Need help?

If your organisation needs assistance blocking these indicators, reviewing whether your website or communications referenced the malicious URL, or hunting for ClickFix activity on your endpoints, Secure ISS can help.

Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the always-changing Australian threat landscape.
