Hackers Perfect The ClickFix Attack With A Dangerous New Consent Bypass
By 813 Staff
Reported by BleepingComputer (@BleepinComputer) on July 2, 2026.
Source: https://x.com/BleepinComputer/status/2072728633848861064
First came ClickFix, the social engineering trick that convinced users to copy-paste malicious PowerShell commands into their terminals to “fix” fake browser errors. Then came the wave of copycat campaigns that automated the payload delivery through fake CAPTCHA pages and phony software update prompts. Now, researchers are tracking a new variant called ConsentFix, and according to details shared by BleepingComputer (@BleepinComputer), this iteration takes the attack chain to a far more insidious level.
Internal documents circulating among threat intelligence teams describe ConsentFix as a multi-stage operation that no longer relies on convincing a user to manually run a command. Instead, the attacker abuses legitimate browser APIs to request system-level permissions, effectively weaponizing the consent dialogs users are trained to accept. Engineers close to the project explain that the malware uses WebAuthn and OAuth pop-ups that appear identical to standard authentication flows. When a user clicks “Allow” to unlock a document or verify their identity, they are actually granting the script persistent access to clipboard contents, file system directories, and browser-stored credentials.
The rollout has been anything but smooth from a defender’s perspective. The attack first surfaced in late June across tech forums and collaborative documents shared via platforms like Google Drive and Notion. Victims report seeing a screen claiming their document contains an “encrypted security layer” requiring browser-level authorization. BleepingComputer’s reporting confirms that once consent is granted, the script immediately exfiltrates saved passwords and session cookies before deploying a secondary payload that establishes remote access. Researchers still cannot confirm whether a single threat group is behind ConsentFix or if the technique has been adopted by multiple actors.
Why this matters is straightforward: traditional security advice to “never run unknown commands” no longer covers the full threat surface. ConsentFix exploits the user’s trust in browser-native UI elements that are impossible for antivirus software to flag as malicious. What happens next is uncertain, but several browser vendors have already issued internal advisories. Expect emergency patches that restrict permission requests from third-party iframes and cross-origin pop-ups within the next two weeks. Until then, the safest posture is to deny any authentication prompt you did not explicitly initiate yourself—even if it looks exactly like the one you see every day.

