One of Russia's most advanced state-sponsored hacking units has adopted a technique once favored by financially motivated cybercriminals to infiltrate networks in Ukraine, according to a warning from Ukraine's CERT. The group known as Sandworm, part of the GRU military intelligence agency, is now using Clickfix attacks to compromise devices at sensitive organizations.

What You Need to Know

Clickfix attacks trick users into copying malicious scripts from fake CAPTCHA prompts. The technique has been used by cybercriminals for about a year. Now Sandworm, one of the Kremlin's most dangerous hacking units, has adopted it. Ukrainian authorities have identified 10 compromised websites hosting these attacks.

Sandworm's New Tactic

Ukraine's CERT disclosed Wednesday that Sandworm has been running Clickfix campaigns since spring 2025, continuing through the summer. At least one organization suffered network compromise after a device was infected with FreakyPoll, a custom malware package used by the group. The campaign marks a significant escalation as state actors adopt commodity attack methods.

How Clickfix Works

The attack relies on compromised websites that display a fake CAPTCHA. Visitors are told to copy a jumble of text and paste it into a terminal to verify they are human. The text contains PowerShell commands that execute malicious actions. The Clickfix technique has been used by financially motivated criminals but is now being weaponized by Sandworm.

  • Fake CAPTCHA: Users see a prompt that requires copying text into a terminal.
  • PowerShell Commands: The copied text contains scripts that install malware or exfiltrate data.
  • FreakyPoll Malware: Sandworm's custom payload used in this campaign.

Why This Matters

Sandworm's adoption of Clickfix signals a blurring line between state-sponsored and criminal cyber operations. For organizations in Ukraine and beyond, this means an increased risk of sophisticated attacks that are harder to detect. Defenders must now account for advanced threat actors using widely available techniques. The use of fake CAPTCHAs as a delivery vector requires updated training for users to recognize social engineering tactics. The campaign also demonstrates how quickly state actors can incorporate effective attack methods from the criminal underground.

Ukraine's CERT continues to monitor the threat and has urged organizations to verify any CAPTCHA prompts that require terminal commands. The Clickfix attacks are expected to persist as Sandworm targets additional networks.