Russia’s Elite Sandworm Hackers Turn to ClickFix Trickery in Assault on Ukraine

Sandworm, Russia's most sophisticated GRU hacking unit, has adopted ClickFix - a fake CAPTCHA that tricks users into pasting malicious PowerShell commands. Once reserved for cybercriminals, the technique now targets Ukrainian networks with reconnaissance tools and custom backdoors like FreakyPoll and FluidLeech. The shift reveals state actors embracing proven crimeware tactics for greater efficiency.
Russia’s Elite Sandworm Hackers Turn to ClickFix Trickery in Assault on Ukraine
Written by Eric Hastings

Russian military hackers have a new favorite ploy. Sandworm, the GRU unit long feared for its destructive cyber campaigns, now relies on a social engineering tactic once reserved for common crooks. The method, known as ClickFix, tricks users into pasting malicious commands into their terminals under the guise of a simple CAPTCHA check.

But this isn’t some amateur operation. Ukraine’s computer emergency response team spotted the shift in spring 2026. By summer the attacks had hit sensitive targets across the country. At least one network fell after a single infected device let the intruders in deeper. The Ars Technica report laid out the details first.

Short. Effective. And now state-sponsored.

The lure looks ordinary enough. A compromised website flashes a fake verification prompt. It claims the visitor must prove they aren’t a bot. Copy this string of text, it says. Paste it into PowerShell or the Run dialog. Do it now. What follows isn’t verification. It’s infection.

Once executed, the pasted code drops a Visual Basic script. One variant, called GhettoVibe, lands in the Startup folder so it runs every time the machine boots. From there the attackers load ScoutCurl, a reconnaissance tool. It pulls system details, installed programs, file lists, browser history. Everything useful. Only high-value systems receive the next stage. Backdoors. Persistent access. Real damage.

Sandworm deploys several custom tools in this chain. FreakyPoll, a Python-based backdoor. FluidLeech, disguised as legitimate antivirus software. LoadLoop, which keeps the connection alive. The CERT-UA advisory names them all. It warns that more than ten websites carried the malicious prompts during June and July alone.

The group didn’t stop at basic web compromises. They layered in SMARTAXE, their own code that pulls instructions from an Ethereum smart contract. Using an eth_call function, it dynamically swaps page content for selected visitors. Cloaking.House, a commercial traffic-filtering service, provides additional targeting. The combination lets the hackers serve the ClickFix prompt only to Ukrainians. Everyone else sees normal pages. Precision matters when the goal is espionage, not mass infection.

And the technique works. Users trust CAPTCHAs. They follow instructions without thinking. Real security checks never ask for terminal commands. Yet the prompt feels familiar enough. Cloudflare-style boxes. Verification text. A single paste. Game over.

Sandworm once preferred other routes. They seeded torrent sites with booby-trapped pirated software. They spent weeks chatting targets over Signal, then pushed fake security apps. Android users faced CowardDuck, malware hidden in seemingly helpful utilities that quietly exfiltrated files. Now they mix these methods. ClickFix just added another arrow to an already full quiver.

The adoption signals something larger. Even the most sophisticated Russian operators have started borrowing from the cybercrime playbook. Financially motivated gangs popularized ClickFix last year. They hit hotels, regular users, anyone who visited the wrong site. Success rates climbed. State actors noticed.

Recent reporting shows the trend accelerating. Google’s Threat Analysis Group linked the Russia-aligned group Star Blizzard, also known as COLDRIVER, to ClickFix campaigns delivering LostKeys data-theft malware as early as May 2025. SecurityWeek covered the findings. The group targeted select accounts with the same fake CAPTCHA prompts.

Other Russian actors followed. Dark Reading noted in April 2026 that Fancy Bear, the GRU-linked unit also called APT28, mixed ClickFix with standard phishing in ongoing global operations. The article highlighted how the group continues to evolve while relying on proven tricks.

Ukraine remains the primary testing ground. CERT-UA has tracked Sandworm, also designated APT44, as it refines these attacks against government offices, critical infrastructure and private firms tied to the war effort. The latest advisory urges website owners and hosting providers to hunt for web shells and unauthorized plugins. Compromised sites serve as the delivery vehicles. Take one down and others pop up.

Defenders face a tough reality. Traditional antivirus misses the initial stage. The malware arrives only after the user pastes the command. No malicious attachment. No drive-by download. Just human error, carefully engineered.

Training helps. Tell employees never to paste unknown commands into terminals. Verify every CAPTCHA that asks for system-level action. But habits die hard. And Sandworm keeps changing the bait.

So the bar for entry drops. What once required zero-day exploits or months of custom development now uses off-the-shelf social engineering. Elite hackers don’t need to reinvent the wheel when the wheel already runs over targets so effectively.

Western governments have watched this evolution with growing concern. The U.S. Cybersecurity and Infrastructure Security Agency warned last year about Fancy Bear’s focus on logistics and technology companies supporting Ukraine. ClickFix fits neatly into that pattern. It scales. It evades many network controls. It exploits trust.

Researchers expect the tactic to spread further. Other state groups may test it against NATO targets or critical infrastructure in Europe. The code is simple. The psychology is universal. One prompt. One paste. Access granted.

Yet the campaign also reveals limits. Sandworm still needs initial access to web properties. They plant web shells, modify plugins, control the infrastructure upstream. That leaves footprints. CERT-UA found the compromised sites. They traced the smart contract calls. Attribution holds because the follow-on malware bears Sandworm’s fingerprints.

The full picture shows a hybrid approach. Old tactics. New delivery. Persistent pressure on Ukraine. As one advisory put it, the reconnaissance stage decides whether a victim merits deeper compromise. Not every infected machine receives the crown jewels of the toolkit. Only the important ones.

That selectivity makes the operation efficient. Resources focus where they matter most. And the ClickFix method keeps the initial infection numbers high without burning advanced implants on every mark.

Industry watchers say this convergence of crimeware and state tactics will define the next phase of cyber conflict. Hackers on both sides of the profit-espionage divide share tools and techniques faster than ever. Defenders must adapt just as quickly.

Monitoring for anomalous PowerShell executions helps. So does blocking clipboard content from reaching terminals in sensitive environments. But the human factor remains the weakest link. And Sandworm knows exactly how to pull it.

The attacks continue. New compromised sites appear. Ukrainian organizations stay on high alert. For now the elite hackers have found a simple trick that delivers results. They show no sign of abandoning it.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us