Almost a year after my last ClickFix post, ClickFix continues to be all the rage and remains a technique of choice for initial access among many threat actors. The lures have since evolved beyond fake CAPTCHA and error prompts to include fake documentation for products such as Claude Code, Mac storage-cleaning guides, and malicious instructions posted as Medium blogs, among many others. This post looks at how a single ClickFix domain can be used to discover many others.

Starting with a known ClickFix domain, claude-code-macos[.]com, we can see it is typically advertised via Google Ads, as shown in the screenshot below:

The Google Ads Transparency Center lets us search the ads shown across Google by the domain they advertise. If we enter the ClickFix domain mentioned earlier and select “Ads in anywhere” so that results are not limited to one region, we are presented with the results below:

Clicking the domain name shows that three companies are paying to advertise this domain via Google Ads. All three are also marked as “Verified,” as shown in the screenshot below. Note that “Verified” only means the advertiser passed Google’s identity verification; it says nothing about whether the ads themselves were vetted.

If we now click one of the companies, such as “LLT Group Incorporated,” we can view all of the ads they are paying for:

As highlighted in the previous image, we can now see several adverts that this company is paying for, including the Claude Code lure alongside lures impersonating Grammarly and Kimi.

These may be legitimate Google Ads accounts that have been compromised and are being used by threat actors to publish malicious Claude Code lures, or they may be shell companies created by the threat actors themselves. Regardless of how the account is being abused, this vector lets us pivot from one ClickFix domain to the advertiser behind it, and from that advertiser to every other domain it is promoting. This is useful for proactive threat hunting in defensive operations (e.g., blocking the discovered domains across a corporate fleet) and for brand abuse investigations (e.g., requesting takedowns of domains impersonating a trademark to better protect customers).

As with any investigative technique, the one outlined in this post comes with important caveats. It should never be assumed that this approach provides complete coverage of all domains operated by a threat actor. One known visibility gap is that if Google removes an advert or domain in response to an abuse report, it may no longer appear in the Google Ads Transparency Center, so the set of domains you recover is a lower bound. This matters for defensive investigations, particularly when correlating activity such as DNS requests to determine whether a user has interacted with other ClickFix domains under a threat actor’s control: a domain absent from your list is not evidence that it was never used.
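The pivot described above, and the DNS correlation it feeds, can be automated once the advertiser-to-domain relationships have been collected. The Ads Transparency Center offers no public API for this, so the records below are constructed by hand to imitate what a manual walk yields; this is an added example and not tooling from the original post. Only claude-code-macos[.]com comes from the post; every other advertiser name, domain and log line is a made-up placeholder, not a real indicator. The pivot is a breadth-first walk over the bipartite advertiser/domain graph that records how many advertiser hops separate each domain from the seed, and the correlation step does label-aligned matching against query-log lines so that look-alike names such as a domain merely ending in the seed string do not produce false hits.

```python
from collections import defaultdict, deque

# Constructed (advertiser, advertised domain) records. Only the seed domain is
# from the post; the rest are hypothetical placeholders for illustration.
ADS = [
    ("LLT Group Incorporated", "claude-code-macos.com"),
    ("LLT Group Incorporated", "grammarly-setup.example"),
    ("LLT Group Incorporated", "kimi-install.example"),
    ("Advertiser Two", "claude-code-macos.com"),
    ("Advertiser Two", "mac-cleaner-guide.example"),
    ("Advertiser Three", "kimi-install.example"),
    ("Advertiser Three", "unrelated-shop.example"),
]

# Constructed DNS query-log lines: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """\
2025-03-01T09:12:03Z ws-0142 A www.claude-code-macos.com.
2025-03-01T09:12:04Z ws-0142 A cdn.example.net.
2025-03-01T09:15:40Z ws-0377 AAAA grammarly-setup.example.
2025-03-01T09:16:02Z ws-0377 A notclaude-code-macos.com.
2025-03-01T10:01:11Z ws-0501 A unrelated-shop.example.
"""


def norm(domain):
    """Lower-case, refang the '[.]' notation used in reports, drop a trailing dot."""
    return domain.lower().replace("[.]", ".").rstrip(".")


def build_index(ads):
    """Bipartite index: advertiser -> domains and domain -> advertisers."""
    by_adv, by_dom = defaultdict(set), defaultdict(set)
    for adv, dom in ads:
        dom = norm(dom)
        by_adv[adv].add(dom)
        by_dom[dom].add(adv)
    return by_adv, by_dom


def pivot(seed, ads, max_hops=1):
    """Breadth-first pivot: seed domain -> its advertisers -> their other domains.

    Returns {domain: hops}; the seed is hop 0. Hop 1 means "shares an advertiser
    with the seed"; each further hop passes through another advertiser and is
    weaker evidence, so keep max_hops small. Ads Google has already removed are
    simply absent from the input, so the result is a lower bound, never a census.
    """
    by_adv, by_dom = build_index(ads)
    seed = norm(seed)
    found = {seed: 0}
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        if found[dom] >= max_hops:
            continue
        for adv in by_dom.get(dom, ()):
            for other in by_adv[adv]:
                if other not in found:
                    found[other] = found[dom] + 1
                    queue.append(other)
    return found


def matches_domain(qname, domain):
    """True when qname is the domain itself or a subdomain of it. The comparison
    is label-aligned, so notclaude-code-macos.com does not match claude-code-macos.com."""
    qname, domain = norm(qname), norm(domain)
    return qname == domain or qname.endswith("." + domain)


def correlate_dns(domains, log_text):
    """Return (client, qname, matched_domain, hops) for each query that hits a
    pivoted domain, closest-to-seed first. domains is the dict from pivot()."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        _ts, client, _qtype, qname = parts
        for dom, hops in domains.items():
            if matches_domain(qname, dom):
                hits.append((client, norm(qname), dom, hops))
                break
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    related = pivot("claude-code-macos[.]com", ADS, max_hops=1)
    for dom, hops in sorted(related.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {dom}")
    for client, qname, dom, hops in correlate_dns(related, DNS_LOG):
        print(f"{client} queried {qname} (matches {dom}, hop {hops})")
```

With max_hops=1 the walk stops at the domains that share an advertiser with the seed, which is the exact pivot performed by hand in this post; raising it to 2 would also pull in unrelated-shop.example through the third advertiser, which illustrates why the hop count is carried through to the DNS hits so an analyst can weight them.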