One of Russia's most advanced state-sponsored hacking units has adopted a technique once favored by financially motivated cybercriminals to infiltrate networks in Ukraine, according to a warning from Ukraine's CERT. The group known as Sandworm, part of the GRU military intelligence agency, is now using Clickfix attacks to compromise devices at sensitive organizations.
Sandworm's New Tactic
Ukraine's CERT disclosed Wednesday that Sandworm has been running Clickfix campaigns since spring 2025, continuing through the summer. At least one organization suffered network compromise after a device was infected with FreakyPoll, a custom malware package used by the group. The campaign marks a significant escalation as state actors adopt commodity attack methods.
How Clickfix Works
The attack relies on compromised websites that display a fake CAPTCHA. Visitors are told to copy a jumble of text and paste it into a terminal to verify they are human. The text contains PowerShell commands that execute malicious actions. The Clickfix technique has been used by financially motivated criminals but is now being weaponized by Sandworm.
Why This Matters
Sandworm's adoption of Clickfix signals a blurring line between state-sponsored and criminal cyber operations. For organizations in Ukraine and beyond, this means an increased risk of sophisticated attacks that are harder to detect. Defenders must now account for advanced threat actors using widely available techniques. The use of fake CAPTCHAs as a delivery vector requires updated training for users to recognize social engineering tactics. The campaign also demonstrates how quickly state actors can incorporate effective attack methods from the criminal underground.
Ukraine's CERT continues to monitor the threat and has urged organizations to verify any CAPTCHA prompts that require terminal commands. The Clickfix attacks are expected to persist as Sandworm targets additional networks.



