iClicker site hack targeted students with malware via fake CAPTCHA

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California.

According to a security alert from the University of Michigan’s Safe Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press “I’m not a robot” to verify themselves.

However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a “ClickFix” social engineering attack.

The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V) into it, and execute it by pressing Enter to verify themselves.

While the ClickFix attack is no longer running on iClicker’s site, a person on Reddit launched the command on Any.Run, revealing the PowerShell payload that gets executed.

The PowerShell command used in the iClicker attack was heavily obfuscated, but when executed, it would connect to a remote server at http://67.217.228[.]14:8080 to retrieve another PowerShell script that would be executed.

Unfortunately, it is not known what malware was ultimately installed, as the retrieved PowerShell script was different depending on the type of visitor.

For targeted visitors, it would send a script that downloads malware onto the computer. The University of Michigan says that the malware allowed the threat actor to have full access to the infected device.

For those who were not targeted, such as malware analysis sandboxes, the script would instead download and run the legitimate Microsoft Visual C++ Redistributable, as shown below.

iwr https://download.microsoft.com/download/9/3/f/93fcf1e7-e6a4-478b-96e7-d4b285925b00/vc_redist.x64.exe -out "$env:TMP/vc_redist.x64.exe"; & "$env:TMP/vc_redist.x64.exe"

ClickFix attacks have become widespread social engineering attacks that have been used in numerous malware campaigns, including those pretending to be a Cloudflare CAPTCHA, Google Meet, and web browser errors.

From past campaigns, the attack likely distributed an infostealer, which can steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.

This type of malware can also steal cryptocurrency wallets, private keys, and text files likely to contain sensitive information, such as those named seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf.

This data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces.

The stolen data can also be used to conduct widescale breaches that lead to ransomware attacks. As the attack targeted college students and instructors, the goal could have been to steal credentials to conduct attacks on college networks.

BleepingComputer contacted MacMillan multiple times with questions regarding this attack this week, but did not respond to our questions.

However, BleepingComputer later found that iClicker published a security bulletin on its website on May 6 but included a  tag in the page’s HTML, preventing the document from being indexed by search engines and thus making it more difficult to find information on the incident.

“We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved,” reads iClicker’s security bulletin.

“What happened: an unrelated third party placed a false Captcha on our iClicker landing page before users logged into iClicker on our website. This third party was hoping to get users to click on the false captcha similar to what we unfortunately experience quite often in phishing emails these days.”

“Out of an abundance of caution, we recommend that any faculty or student who encountered and clicked on the false Captcha from April 12- April 16 on our website run security software to ensure their devices remain protected.”

Users who accessed iClicker.com while the site was hacked and followed the fake CAPTCHA instructions should immediately change their iClicker password, and if the command was executed, change all passwords stored on their computer to a unique one for every site.

To help with this, it is suggested that you use a password manager like BitWarden or 1Password.

It’s important to note that users who accessed iClicker through the mobile app or did not encounter the fake CAPTCHA are not at risk from the attack.

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.

Read the Red Report 2025