Detection in the Middle

Browser attacks end before they start.

Modern attacks happen inside the browser — ClickFix lures, AitM phishing proxies, credential hijacking. Traditional security tools are blind to them. DiTM detects the attack at its source.

Get ClickArmor (Free) Join Enterprise Waitlist
6,000+
Domains Covered
1,373
Active Lures Detected
100%
Detection Rate
0
Data Collected
Free Product
Live on Chrome + Firefox
ClickArmor

Browser extension that detects and blocks ClickFix-style social engineering attacks before malicious commands are executed. Runs entirely on-device.

🛡️
ClickFix Detection
Catches fake CAPTCHAs, fake browser updates, clipboard hijacks, and command execution lures across all known variants.
📋
Clipboard Interception
Monitors clipboard writes and blocks malicious PowerShell, mshta, and encoded command payloads before the user can paste them.
🔒
100% On-Device
No telemetry. No API calls. No cloud lookups. No data collection. All detection runs locally in your browser.
🔬
Research-Validated
Tested against 6,000+ domains from ThreatFox, Hudson Rock, and independently sourced ClickFix campaigns.
Install on Chrome Install on Firefox
How It Works
8 Detection Layers

ClickArmor analyzes pages in real time using multiple behavioral detection layers. No blocklists. Pattern and behavior-aware detection that catches new variants.

01
Lure Phrase Analysis
Detects social engineering instructions — Win+R, Ctrl+V, "paste into PowerShell", multi-step command guides.
02
Fake CAPTCHA Detection
Identifies spoofed Cloudflare Turnstile, reCAPTCHA, and custom verification flows without real CAPTCHA providers.
03
Fake Browser Update Detection
Catches fake Chrome/Edge/Firefox update pages with version spoofing, download simulation, and command finalization flows.
04
Embedded Payload Detection
Finds malicious commands embedded in DOM elements — code blocks, hidden textareas, data attributes — with adjacent copy buttons.
05
Obfuscated Loader Detection
Detects atob() decoding, _0x obfuscation, dynamic script injection, and clipboard-write + update-simulation combos.
06
Multi-Stage C2 Loader Detection
Catches data: URI script bootstraps, XHR page replacement, document.write() DOM nukes, and onerror fallback chains.
07
Clipboard Monitoring
Hooks navigator.clipboard.writeText, execCommand('copy'), DataTransfer.setData, and hidden textarea staging patterns.
08
Command Payload Scoring
Regex engine scoring PowerShell, mshta, curl, certutil, bitsadmin, nslookup DNS staging, and encoded command patterns.
Enterprise Platform
Coming Soon
DiTM Enterprise

Browser-native threat detection platform. ClickFix is just the beginning — DiTM expands detection to cover the full spectrum of browser-based attacks targeting enterprise identity and access.

AitM phishing proxy detection
PhaaS kit fingerprinting (Tycoon 2FA, Sneaky2FA, Evilginx)
Browser-in-the-Browser (BitB) detection
TLS certificate trust boundary validation
Cookie domain mismatch detection
OAuth / consent phishing detection
Malicious extension monitoring
Session hijack / token replay detection
Credential submission interception
Org-wide management console + SIEM integration

Early access for security teams. No spam. We'll reach out when the beta is ready.

You're on the list. We'll be in touch.
Validation
Research-Driven Detection

Every detection rule is validated against real attack infrastructure, not synthetic samples.

5,983
ClickFix domains extracted from abuse.ch ThreatFox IOC feed (last 3 months)
1,373
Active lure pages tested in a real browser with ClickArmor loaded via automated Puppeteer pipeline
2,111
Live ClickFix domains detected across validated datasets including Hudson Rock infostealer feed
0
Missed detections across all active ClickFix lure variants encountered during testing