I built ClickArmor to detect ClickFix social engineering attacks directly in the page using page-behavior signals and command-pattern analysis. Everything runs locally in the browser — no telemetry, no API calls, no data collection.
Detection layers include:
- Clipboard write interception
- Lure phrase analysis (Win+R, Ctrl+V instructions)
- Fake CAPTCHA / fake browser update detection
- Embedded command payload detection
- Obfuscated loader detection
- Multi-stage C2 loader detection

I validated it against 5000+ ClickFix domains with encouraging results so far.
The long-term project is DiTM (Detection in the Middle) — expanding browser-native detection to cover AitM phishing, credential interception, and other browser-based identity attacks.
Chrome: https://chromewebstore.google.com/detail/gbbiaedhdapkbfmjgpe...
Firefox: https://addons.mozilla.org/en-US/firefox/addon/clickarmor/
Website: www.ditmsecurity.com

Would love feedback — especially bypass attempts. If you can get a ClickFix page/payload past it, I want to see it.
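
An added example, not part of the original post and not ClickArmor's code: one way the first two layers in the list (clipboard write interception and lure phrase analysis) can be combined with a command-pattern check. The pattern lists, the verdict rules and the names `analyze` and `guardClipboard` are assumptions made for illustration, and the sample strings are constructed.

```javascript
// Added illustration, not ClickArmor's code. Patterns and verdict rules are assumptions.
const LURE_PATTERNS = [
  /\bwin(dows)?(\s*key)?\s*\+\s*r\b/i,                 // "press Win+R"
  /\bctrl\s*\+\s*v\b/i,                                // "then Ctrl+V"
  /\bverify\s+(that\s+)?you\s+are\s+(a\s+)?human\b/i,  // fake CAPTCHA wording
];
const COMMAND_PATTERNS = [
  /\b(powershell|pwsh|mshta|cmd\.exe)\b/i,                   // interpreter named in copied text
  /\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+\/=]{16,}/i,       // encoded-command argument
  /\b(iex|invoke-expression|iwr|invoke-webrequest|curl)\b/i, // download / eval verbs
];
const hits = (patterns, text) => patterns.filter((p) => p.test(text)).length;

// Combine what the page tells the user to do with what it puts on the clipboard.
function analyze(pageText, clipboardText) {
  const lures = hits(LURE_PATTERNS, pageText);
  const commands = hits(COMMAND_PATTERNS, clipboardText);
  let verdict = "allow";
  // A command alone may be legitimate docs; a command plus Run-dialog lure text is not.
  if (commands > 0) verdict = lures > 0 ? "block" : "warn";
  return { lures, commands, verdict };
}

// Wrap any object exposing writeText(text); the write is analysed before it happens.
function guardClipboard(clipboard, getPageText, onFinding) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const finding = analyze(getPageText(), String(text));
    if (finding.verdict !== "allow") onFinding(finding);
    if (finding.verdict === "block") throw new Error("clipboard write blocked");
    return original(text);
  };
}

// Constructed sample inputs (not taken from any real page).
const SAMPLE_LURE_PAGE = "To verify you are human, press Win+R, then Ctrl+V and Enter.";
const SAMPLE_COMMAND = "powershell -NoProfile -Command \"Write-Output 'constructed sample'\"";
const SAMPLE_DOCS_PAGE = "Install the CLI by running the command below in a terminal.";
const SAMPLE_DOCS_COMMAND = "curl -O https://example.com/install.sh";

console.log(analyze(SAMPLE_LURE_PAGE, SAMPLE_COMMAND));      // lure + command
console.log(analyze(SAMPLE_DOCS_PAGE, SAMPLE_DOCS_COMMAND)); // command only
```

In a page context the call would be `guardClipboard(navigator.clipboard, () => document.body.innerText, report)`, with `report` a hypothetical callback; copies made through `document.execCommand("copy")` take a different path and need their own hook.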