"Prove you're human" just became the attack

Share this content

July 6, 2026

A fast-moving malware campaign is exploiting the one security ritual almost nobody questions: clicking through a verification check, and it has already hit hundreds of education-sector websites.

Human

What happened

Anyone who has browsed the web recently has hit one of these pages: a box that says "verify you are human," a Cloudflare or Google-branded checkmark, a quick click to prove you're not a bot. It's such a routine, forgettable moment that almost no one stops to question it, and that is exactly what a malware technique called ClickFix is counting on.

Instead of the usual checkbox, some of these fake verification pages instruct the visitor to open the Windows Run dialog or a terminal and paste in a short command, framed as a routine fix for a verification glitch. The moment the victim pastes and hits enter, they've run the attacker's code themselves, no exploit or download required, just a user following instructions on a page designed to look official. Malwarebytes researchers reported this month that campaigns using fake Google and Cloudflare verification pages are actively distributing a wide range of malware, including the info-stealing programs StealC and Amatera, the HijackLoader and CastleLoader delivery tools, the NetSupport remote access trojan, and a newly identified loader called ResiLoader that disables security software before installing its payload. In one infection chain, attackers even trojanized a legitimate messaging app to slip ResiLoader onto victims' machines.

This isn't a one-off. A related Malwarebytes investigation earlier this year found more than 700 education and technology websites had been hijacked to serve these same fake verification pages to visitors, meaning the infrastructure behind this campaign has already been sitting on sites that people at schools, colleges, and universities visit regularly. Researchers say the broader campaign has been running since at least late 2025 and continues to evolve its lures and payloads.

Why it matters for Texas institutions

This threat doesn't need a vulnerable server or an unpatched appliance; it needs one distracted person willing to follow instructions on a webpage. That makes it a threat to every Texas higher education institution, state agency, and community college regardless of how well-patched their infrastructure is, because the attack targets human behavior, not software. Faculty, students, and staff spend their days clicking through consent screens and verification prompts without a second thought, and campuses' large, decentralized user populations make consistent security awareness especially hard to maintain. With education-sector websites already confirmed among the hijacked infrastructure delivering these lures, the risk isn't hypothetical for RSOC constituents; it's already touched the sector.

What your institution should do

Start with a simple, memorable rule your community can actually retain: legitimate services like Google, Cloudflare, and Microsoft will never ask a user to open a terminal or Run dialog and paste in a command to prove they're human or fix an error. Build that message into security awareness training, IT helpdesk scripts, and any campus phishing simulation program you run this fall. Configure browser and endpoint protections to flag or block clipboard-to-terminal execution patterns where possible, since several endpoint security vendors have added detections specifically for this ClickFix technique. Audit your own institutional websites and any third-party plugins or ad networks they rely on, since compromised sites are how many victims encounter these fake verification pages in the first place. Finally, make sure your helpdesk knows the warning signs of ResiLoader, StealC, and NetSupport infections so a report of "weird verification page" from a confused user gets escalated quickly rather than dismissed.

RSOC tracks social engineering campaigns like this one because they consistently outpace technical defenses on college campuses. If your institution wants help building awareness materials or reviewing indicators tied to this campaign, reach out through rsoc.utexas.edu.