Ukraine's CERT UA says Sandworm, Russia's elite GRU military cyber unit, is using Clickfix to seed custom malware on Ukrainian networks, with at least one organization compromised.
A fake CAPTCHA page asks the visitor to copy a line of "verification" text and paste it into a terminal. That text is actually a PowerShell command, and the visitor has just run the attacker's first stage. That trick, known as Clickfix, was the province of financially motivated criminal crews. Now Sandworm, the GRU's most capable military cyber unit, is using it against Ukrainian organizations, per a CERT-UA advisory translated by Ars Technica, with custom tools named on July 15, 2026 and at least one sensitive organization confirmed compromised.
The shift matters because of who is doing it. Sandworm is the same unit that has hit Ukrainian power grids, knocked out telecommunications, and burned bespoke zero-day exploits on targeted intrusions. Picking up a commodity social-engineering trick is a different kind of bet: it is cheaper than a zero-day, it scales across many targets at once, and it works against the one component defenders have not been able to patch, which is the person reading the screen.
The campaign disclosed on July 15, 2026 PDT has been running since spring. According to the advisory, Ukrainian authorities identified 10 compromised websites that served a fake CAPTCHA directing visitors to copy and paste a PowerShell command. The mechanics, in plain language: a page looks like a routine bot check, asks the user to open the Windows Run dialog or PowerShell, and instructs them to paste a line of "verification" code. The pasted line downloads a VBScript dropper, one variant of which is called GHETTOVIBE, and plants it in the Windows Startup directory so it runs on every reboot. A PowerShell reconnaissance tool called SCOUTCURL then exfiltrates basic system characteristics, installed programs, files, and browser data. Machines SCOUTCURL flags as high-value get a follow-on backdoor. Less-interesting hosts appear to stop at reconnaissance.
The named backdoor, FreakyPoll, is what CERT-UA tied to at least one confirmed network compromise inside a sensitive organization, through a connected device. The operational result: a single employee who pastes a "verification" line is enough to convert a compromised website into a foothold, and from there the attacker decides which machines are worth a second-stage implant.
Clickfix itself is not new. Security researchers began tracking it in 2024, and by early 2025 it was the dominant social-engineering technique used by criminal initial-access brokers, the crews that compromise corporate networks and sell access to ransomware affiliates. The tradecraft flips the usual phishing math. Instead of tricking a user to download and execute a file, which modern email and endpoint controls increasingly catch, it asks the user to do the executing inside a tool the user trusts. Detecting a pasted PowerShell command that reaches out to an attacker-controlled host is harder than scanning an attachment, and the user's own hands have already bypassed the usual checkpoints.
Criminal crews use Clickfix against corporate networks they can monetize through ransomware or access resale. Sandworm is using the same trick against specific Ukrainian organizations, including critical infrastructure and government-adjacent institutions, where the value is in what the network contains rather than what the network can be ransomed for. The same low-effort social-engineering technique that fools one office worker in a phishing simulation can land a nation-state foothold inside a sensitive institution. Treating the technique as a "criminal problem" misses that.
A CAPTCHA page is not a security control. It is a verification ritual, and rituals are what social engineers exploit. Enterprise defenses built around detecting malicious files and URLs do not see a pasted command, and security awareness training that warns against clicking links and opening attachments does not always cover the act of copying text out of a browser and running it. The cheap mitigations, browser hardening, restricted PowerShell execution, and EDR rules that alert on interactive shells launched from the browser, become load-bearing precisely because a top-tier state actor is now using the cheap technique.
If the same fake-CAPTCHA infrastructure resurfaces against targets outside Ukraine, that would be the clearest signal that the technique has graduated from theater-specific use to a general tool in Sandworm's playbook. CERT-UA is the only public source so far, and Western CERTs have not yet corroborated the campaign. The advisory lists named tools rather than a single indicator of compromise, a tell that the operators expect defenders to catch the first wave and rotate.