reddit.com via Reddit

Harvard among 140 sites hijacked for ClickFix malware

cybersecurity malware clickfix supply-chain active-exploit

Key insights

  • ClickFix operators compromised ~140 legitimate high-authority domains, including Harvard, to bypass reputation-based security filters.
  • Specific article-level URLs on Harvard International Review were confirmed live infection vectors, not merely the root domain.
  • A researcher released defanged URLs enabling immediate defender action, suggesting the campaign was caught mid-operation.

Why this matters

Security tooling built around domain reputation scoring is structurally vulnerable to this class of attack, meaning organizations that rely on blocklists or trust-scoring for web filtering need to audit that assumption now. The use of .edu and similarly trusted TLDs as delivery infrastructure raises the cost of defense significantly, since blocking Harvard-affiliated URLs creates real operational friction for academic and research-heavy organizations. For founders building security products, this campaign illustrates why static reputation signals are insufficient and behavioral or content-level analysis at the URL and payload layer is increasingly the baseline requirement.

Summary

Harvard University's website and roughly 140 other high-authority domains have been confirmed as active distribution points for ClickFix malware, with specific Harvard International Review article URLs verified as live infection vectors as of this reporting. The attack strategy is deliberate: by planting malware on trusted, high-reputation domains, threat actors route around the reputation-based security filters that most enterprise and consumer tools rely on. A compromised .edu or established media domain doesn't trigger the same automated blocks as a freshly registered throwaway site. ClickFix campaigns typically lure victims into running malicious PowerShell or terminal commands by displaying fake error prompts that ask users to "fix" a problem. Essentially, ClickFix operators are laundering malware delivery through institutional credibility.

  • Approximately 140 legitimate high-profile domains confirmed compromised, with Harvard among the named examples.
  • Specific article-level URLs from Harvard International Review were identified as live infection vectors, not just the root domain.
  • A security researcher published defanged URLs to enable immediate blocking by defenders.

The pattern signals a maturation in ClickFix distribution tactics, where attackers are investing in compromising trusted infrastructure rather than burning through disposable domains.
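As an added example (not code from the post, the researcher's release, or any vendor named here), the kind of content-level check the summary argues for: a heuristic scorer for ClickFix-style lure pages whose verdict overrides a domain-reputation "allow". The indicator set, weights, threshold, trusted suffixes and both sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed indicator set for ClickFix-style lure pages, based on publicly
# described hallmarks: a script that writes a command to the clipboard,
# Run-dialog / paste instructions, a shell interpreter name, and "fix this
# error" wording. Weights are illustrative, not calibrated on real traffic.
INDICATORS = {
    "clipboard_write": (r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", 3),
    "run_dialog": (r"\bwin(dows)?\s*(key)?\s*\+\s*r\b|\bctrl\s*\+\s*v\b", 2),
    "shell_interpreter": (r"\b(powershell|mshta|cmd\.exe)\b", 2),
    "fix_lure_text": (r"fix (this|the) (error|problem)|verify you are human", 1),
}
COMPILED = {k: (re.compile(p, re.I | re.S), w) for k, (p, w) in INDICATORS.items()}
THRESHOLD = 5  # illustrative cut-off: one indicator alone never blocks

def score_content(html: str):
    """Return (score, matched indicator names) for a fetched page body."""
    hits = [name for name, (rx, _) in COMPILED.items() if rx.search(html)]
    return sum(COMPILED[h][1] for h in hits), hits

def reputation_allows(url: str, trusted_suffixes=(".edu", ".gov")) -> bool:
    """Stand-in for a domain-reputation filter: trusts by host suffix only."""
    host = urlparse(url).hostname or ""
    return any(host.endswith(s) for s in trusted_suffixes)

def verdict(url: str, html: str) -> str:
    """Content inspection first; reputation only decides what content did not flag."""
    score, hits = score_content(html)
    if score >= THRESHOLD:
        return f"block (content score {score}: {', '.join(hits)})"
    return "allow" if reputation_allows(url) else "review"

# Constructed samples. The lure's command is a placeholder string, not a payload.
LURE_PAGE = """<div class="alert">Something went wrong. Fix this error:
press Win + R, then Ctrl + V, then Enter.</div>
<script>navigator.clipboard.writeText("powershell PLACEHOLDER_COMMAND");</script>"""
# A legitimate article with a copy-to-clipboard button: one indicator, no block.
ARTICLE_PAGE = """<article><h1>Policy brief</h1><p>Body text.</p>
<button onclick="navigator.clipboard.writeText(document.title)">Copy title</button></article>"""

if __name__ == "__main__":
    for url, body in [("https://example.edu/article/1", LURE_PAGE),
                      ("https://example.edu/article/2", ARTICLE_PAGE)]:
        print(url, "->", verdict(url, body))
```

Both sample URLs sit on a trusted .edu host, so a reputation-only filter would allow both; only the content scorer separates the lure from the article.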

Potential risks and opportunities

Risks

  • Organizations using reputation-based web filters without URL-level or behavioral inspection remain exposed to any of the 140+ still-active compromised domains until blocklists are updated.
  • Harvard and other affected institutions face reputational and potential legal liability if their compromised infrastructure is traced to downstream infections at third-party organizations.
  • Security vendors selling domain-reputation products (Cisco Umbrella, Zscaler, Proofpoint) face customer pressure to explain gaps if enterprise infections are traced back to these trusted domains.

Opportunities

  • Behavioral and content-inspection security vendors (Menlo Security, Perception Point, Abnormal Security) can use this campaign as a concrete case for why URL-level analysis outperforms domain reputation scoring.
  • Threat intelligence platforms (Recorded Future, Mandiant, GreyNoise) gain an immediate sales angle by offering real-time compromise detection for trusted-domain abuse, a gap this campaign made visible.
  • Web application firewall and CMS security vendors (Sucuri, Wordfence, Imperva) can target universities and media organizations with hardened monitoring offerings, since those sectors are now confirmed high-value targets.

What we don't know yet

  • How Harvard and the other 140 domains were initially compromised, whether via a CMS vulnerability, stolen credentials, or the supply chain, remains unaddressed in current reporting.
  • Whether Harvard and other affected institutions have been notified and have begun remediation as of May 22, 2026 is not confirmed.
  • Attribution for the ClickFix campaign behind this distribution escalation has not been publicly established.