ClickFix Malware Campaign Hijacks 700+ Websites — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
ClickFix Malware Campaign 2026: How 700+ Indian Websites Were Hijacked in a Massive Phishing Scam
The ClickFix malware campaign has infected over 700 websites across India, putting millions of internet users at risk of fraud, data theft, and financial loss.
What Is the ClickFix Malware Campaign?
In 2026, cybersecurity experts uncovered a highly dangerous phishing scam known as the ClickFix malware campaign. In this campaign, hackers infect legitimate Indian websites with malware designed to steal sensitive user information such as login credentials, UPI PINs, Aadhaar details, and banking passwords. Over 700 websites, including e-commerce platforms, local news portals, and educational sites, have been compromised, affecting users from metros to smaller towns.
This scam primarily targets everyday Indian internet users who trust these websites and enter personal or financial information normally. Many victims do not realize they have interacted with a manipulated site until they suffer financial losses. CERT-In, India’s national cybersecurity agency, issued multiple advisories warning citizens to remain cautious while browsing suspicious websites. The Indian government’s I4C (Indian Cyber Crime Coordination Centre) is actively tracking this malware’s spread and coordinating with affected website administrators.
RBI has also highlighted the increased risk of fraud linked to such infected websites, cautioning users against sharing UPI PINs or OTPs prompted via compromised platforms. The scale and sophistication of this malware campaign make it a critical threat to India’s digital ecosystem.
How This Scam Works — Step by Step
- Compromised Website Visit: You visit a familiar Indian website — for example, a local news portal or a shopping site that has unknowingly been infected by the ClickFix malware.
- Fake Popup or Redirect: Upon visiting, you see a message prompting you to "ClickFix" or update your account details for better security or delivery service.
- Phishing Form Appears: When you click the popup, a form appears asking for sensitive information like Aadhaar number, bank account details, or UPI PIN under the guise of account verification.
- Malware Installation: Behind the scenes, the malware silently downloads onto your device, often masquerading as a browser extension or an app update.
- Data Harvested & Transferred: All the details you enter, including OTPs sent over WhatsApp or SMS, are transmitted directly to the fraudsters.
- SIM Swap & Account Takeover: Using your stolen data, fraudsters may initiate SIM swap frauds, reverse UPI transactions, or even misuse your Aadhaar details to open loan accounts or steal from your bank.
- Victim Notified Too Late: You may receive a WhatsApp message or phone call only after your money is transferred out or your account is drained.
This combination of malware infection on trusted sites and real-time phishing attacks makes the ClickFix campaign especially dangerous and difficult to detect.
Real Warning Signs to Watch For
- Unexpected popups asking for Aadhaar, UPI PIN, or OTP on legitimate websites
- Requests to "ClickFix" or update app/browser immediately without official communication
- Suspicious URLs showing slight misspellings of trusted Indian websites
- Receiving unsolicited WhatsApp messages prompting urgent action linked to website visits
- Browser requesting permission to install unknown extensions or apps during browsing
- SMS or WhatsApp OTP verification requests unrelated to your actual banking activity
- Unusual delays or redirects while browsing common sites before a form appears
What Happens to Victims
Victims of the ClickFix malware scam often face significant financial losses. With India’s growing reliance on UPI for instant payments, attackers quickly use stolen UPI PINs and OTPs to make unauthorized fund transfers before victims realize. Even attempts to reverse transactions via UPI refunds often fail because the fraudsters maintain full control over the victim’s mobile number through SIM swapping.
Furthermore, misuse of Aadhaar or bank details can result in longer-term damage such as identity theft, unauthorized loans, or fraudulent credit card applications. Beyond money, victims suffer emotional distress and loss of trust in India’s digital platforms. Many struggle with the complicated process of regaining control over their accounts and data privacy.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) has reiterated its guidance on never sharing UPI PINs or OTPs with anyone, including websites or customer support calls. RBI’s grievance redressal helpline is available to assist those affected by such scams. CERT-In urges users to keep their devices updated and avoid clicking on suspicious links or popups on any website. The agency encourages reporting any suspected cybercrime to the national 24x7 cybercrime helpline at 1930 or through the official portal, cybercrime.gov.in.
Both RBI and CERT-In emphasize vigilance when browsing any website, even familiar ones, and recommend using trusted antivirus software to detect malware like ClickFix.
How to Protect Yourself
- Avoid clicking on sudden popups or links asking to update or verify account details on any website.
- Do not enter OTPs, UPI PINs, or Aadhaar numbers on unverified forms or popups.
- Check website URLs carefully for slight misspellings or unusual domains before entering any data.
- Keep your phone’s operating system, browser, and apps updated with the latest security patches.
- Install reputable antivirus and anti-malware software on your devices.
- Do not permit unknown browser extensions or apps to install without confirmation.
- Regularly monitor your bank and UPI transaction alerts for any unauthorized activity.
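The URL check from the list above can be automated, for example in a mail gateway or a browser helper. This is an added example, not code from BharatSecure or any agency named on this page; the allowlist (including the placeholder `example-bank.in`), the verdict names and the distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the two domains this page names plus a placeholder bank.
TRUSTED = ("cybercrime.gov.in", "bharatsecure.app", "example-bank.in")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, detail) for the hostname in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)
    if any(host == t or host.endswith("." + t) for t in trusted):
        return ("trusted", host)
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return ("suspicious-punycode", host)  # possible homoglyph domain
    for t in trusted:
        # Trusted name used as a subdomain of some other registered domain.
        if host.startswith(t + ".") or "." + t + "." in host:
            return ("suspicious-embedded", t)
    for t in trusted:
        # Compare only as many trailing labels as the trusted name has,
        # so a leading "www." does not hide a one-letter change.
        tail = ".".join(labels[-t.count(".") - 1:])
        if edit_distance(tail, t) <= max_distance:
            return ("suspicious-lookalike", t)
    return ("unknown", host)

if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("https://cybercrime.gov.in/", "https://www.cybercrmie.gov.in/",
                   "https://cybercrime.gov.in.account-verify.example/otp"):
        print(sample, "->", classify(sample))
```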
What to Do If You've Been Targeted
- Immediately contact your bank or UPI provider to freeze or block your account to prevent unauthorized transactions.
- Report the fraud to the 24x7 national cybercrime helpline at 1930 for further assistance.
- File a complaint online at cybercrime.gov.in detailing the ClickFix malware attack and the losses incurred.
- Inform your mobile service provider if you suspect SIM swap fraud to block further misuse.
- Change all passwords, especially for financial services, ASAP using a secure device.
- Notify Aadhaar authorities if you believe your Aadhaar number has been compromised to prevent identity misuse.
- Seek help from consumer protection bodies or banking ombudsman for grievance redressal.
Frequently Asked Questions
Q: Can ClickFix malware steal my UPI PIN even if I use biometric authentication?
A: Yes. Even with biometric login, the malware steals OTPs and inputs you provide for digital payments, bypassing biometric security.
Q: How can I know if a website I visited was infected by ClickFix malware?
A: Warning signs include unexpected popups asking for sensitive info or prompts to install browser extensions. Also, check if your antivirus flags the site.
Q: Is it safe to reverse UPI transactions after becoming a victim?
A: Reversals can be difficult, especially if SIM swap fraud is involved. Contact your bank’s customer care immediately and report the fraud for possible recovery.
Stay alert and protect yourself. When you receive suspicious messages or popups related to Aadhaar, UPI, or banking on any website, verify them first at BharatSecure.app — India’s trusted platform to detect and stop digital fraud.