Social Engineering Techniques
What Is a ClickFix Attack?
ClickFix is a social engineering technique that uses fake error messages, fraudulent browser alerts, and counterfeit verification prompts such as fake CAPTCHA checks or system alerts to manipulate victims into copying and pasting malicious scripts or commands and then executing them.
ClickFix is a social engineering technique that uses fake error messages, fraudulent browser alerts, and counterfeit verification prompts such as fake CAPTCHA checks or system alerts to manipulate victims into copying and pasting malicious scripts or commands and then executing them. This self-infection tactic preys on users' desire to solve minor technical issues themselves rather than alerting IT support, exploiting their tendency to take immediate action when encountering seemingly official system warnings.
The technique represents a significant evolution in social engineering methodology. Rather than relying on victims to click malicious links or open infected attachments, ClickFix convinces victims to manually execute commands that compromise their own systems. According to Microsoft Security research, between May 2024 and May 2025, the volume of phishing URLs tied to ClickFix almost quadrupled (Microsoft, Proofpoint, 2025). NCC Group reported that ClickFix attacks surged by over 500% in the first six months of 2025, while LevelBlue indicated ClickFix campaigns jumped 1,450% from H2 2024 to H1 2025 (NCC Group, LevelBlue, 2025). By H1 2025, ClickFix accounted for nearly 8% of all blocked attacks (LevelBlue, 2025).
How Does a ClickFix Attack Work?
ClickFix attacks follow a multi-stage process that transforms victims from cautious users into unwitting accomplices in their own compromise. The attack begins with fake alert display, where victims encounter fake browser alerts, pop-ups claiming "human verification needed," or fake CAPTCHA checks. These alerts may appear to be from browsers like Chrome or Firefox, operating systems like Windows or macOS, or security services. Messages create urgency through warnings like "Your system is at risk," "Verify your identity," or "Update required."
The second stage involves instruction delivery. The fake alert provides step-by-step instructions to "fix the problem" or "verify identity," typically involving copying a block of text or code. Users are directed to open Windows Run dialog using Win+R, Windows Terminal, PowerShell, or command prompt. The instructions are presented in a way that appears to be standard troubleshooting methodology.
The third stage executes malware delivery. When users paste and execute the provided script or command, it initiates a download of malware. Common malware delivered via ClickFix includes Lumma Stealer (information stealer), DarkGate (remote access trojan), AsyncRAT (remote access trojan), Danabot (banking malware), NetSupport RAT (remote access trojan), and Matanbuchus (loader/downloader).
The final stage exploits user trust by convincing users they are following official system procedures. The technique bypasses traditional security defenses because there is no exploit code, phishing attachment, or malicious link—the user runs the command themselves using legitimate system tools. The self-infection nature makes detection difficult because the malicious activity originates from the user's own actions.
Technical implementation details enhance ClickFix's effectiveness. Some variants use clipboard hijacking where webpages inject malicious scripts into the user's clipboard. Command execution vectors use legitimate system binaries like cmd.exe and powershell.exe, making them harder to detect. ClickFix can target Windows, macOS, and Linux systems with appropriately adapted commands.
How Does ClickFix Differ From Related Attack Types?
Feature | ClickFix | Traditional Phishing | Exploit Attacks | Drive-by Downloads |
|---|---|---|---|---|
User action required | Copy and paste commands | Click link or open attachment | None - automatic | None - automatic |
Exploitation method | User self-infection | Credential theft or malware delivery | Software vulnerability | Automated code execution |
Detection difficulty | Very high - legitimate tools used | Moderate - email filtering | Variable | Moderate - file signatures |
Security control bypass | Bypasses most controls | Partial - email filtering | Partial - patching prevents | Partial - antivirus detection |
Scalability | High - automated fake alerts | Very high - mass email | Moderate | High - compromised websites |
Primary defense | User awareness | Email filtering + awareness | Patching and hardening | Updated security software |
Ideal for attackers | Initial access with minimal detection | Mass credential harvesting | Targeting specific vulnerabilities | Opportunistic infections |
Ideal for defenders | Organizations with strong user training | Email security infrastructure | Patch management programs | Endpoint protection deployment |
Why Does ClickFix Matter?
ClickFix represents a fundamental shift in social engineering methodology that defeats many traditional security controls and awareness training. Organizations have invested heavily in training employees not to click suspicious links or open unknown attachments, and email security systems have become effective at filtering malicious messages. ClickFix circumvents these defenses by convincing users that they are following legitimate troubleshooting procedures.
The explosive growth demonstrates exceptional effectiveness against modern security architectures. The 1,450% surge in ClickFix campaigns from H2 2024 to H1 2025 indicates attackers have identified a technique that consistently defeats organizational defenses (LevelBlue, 2025). The fact that ClickFix accounted for nearly 8% of all blocked attacks in H1 2025—becoming the second most common attack vector—demonstrates how quickly it became a preferred method for initial access (LevelBlue, 2025).
Nation-state adoption validates ClickFix's strategic value. Over three months from late 2024 through early 2025, threat actor groups from North Korea, Iran, and Russia were observed using ClickFix, including MuddyWater (Iran-linked APT) and APT28 (Russia-linked). Nation-state adoption indicates the technique is effective against even sophisticated, security-conscious targets.
According to Palo Alto Networks Unit 42's 2025 Global Incident Response Report, in early 2025, social engineering caused 39% of initial access incidents, driven by a 1,450% spike in fake CAPTCHA attacks like ClickFix campaigns (Unit 42, 2025). The malware delivered through ClickFix creates serious consequences. Information stealers extract credentials and sensitive documents. Remote access trojans provide persistent access for espionage and ransomware deployment. Banking malware targets financial credentials.
What Are the Limitations of ClickFix Attacks?
User Skepticism Defeats the Technique - Users who understand that legitimate system operations do not require copying and pasting commands into PowerShell are inherently resistant to ClickFix. The technique relies on users not recognizing that manual command execution is abnormal.
IT Department Awareness Reduces Effectiveness - Organizations with educated IT departments that have specifically warned users about ClickFix are substantially more resistant. When employees have been briefed on specific ClickFix characteristics, they recognize the patterns and report them.
System Monitoring Detects Execution - Organizations monitoring PowerShell execution, command-line activity, and script execution can detect ClickFix attacks in progress. Windows Event Viewer logging, command-line auditing, and endpoint detection and response solutions can identify suspicious command patterns.
Command Whitelisting Prevents Execution - Strict AppLocker policies, Software Restriction Policies, or application whitelisting can prevent malicious scripts from executing even when users attempt to run ClickFix commands.
User Access Control Creates Pause Points - User Access Control prompts can interrupt ClickFix execution, giving users a pause point to question whether the action is legitimate. When elevated privileges are required, UAC prompts force users to make an explicit decision.
How Can Organizations Defend Against ClickFix?
Implement Comprehensive User Awareness and Education - Educate users that legitimate system operations never ask users to copy and paste commands into PowerShell, Terminal, or command prompt. Teach users that browser alerts or CAPTCHA checks requesting command execution are always fraudulent. Create core awareness messages emphasizing "If you don't understand what you're copying, don't paste it." Establish a culture where users report suspicious alerts and strange instructions to IT security.
Deploy PowerShell and Script Execution Controls - Set PowerShell Execution Policy to 'AllSigned' or 'Restricted' to prevent unsigned or user-downloaded scripts from running. Use Software Restriction Policies or AppLocker to prevent PowerShell from launching for non-administrative users. Enforce User Access Control prompting for sensitive operations. Limit PowerShell, Terminal, and CMD execution to only users who require these tools.
Implement Run Dialog and Clipboard Controls - Block the Win+R key combination that opens the Run dialog through Group Policy or registry modifications. Implement security policies to monitor and restrict clipboard usage. Disable or restrict access to command-line tools for regular users who do not require them.
Enable Comprehensive Monitoring and Logging - Enable Windows Event Viewer logging for PowerShell script block execution and command-line activity. Monitor for execution of common malware delivery commands including curl, wget, certutil, and bitsadmin. Set up alerts for suspicious commands executed from user accounts. Log and monitor clipboard access and modifications. Implement endpoint detection and response solutions with behavioral analysis.
Control Binary Execution and Code Signing - Block execution of commonly exploited binaries including mshta.exe, wscript.exe, and cscript.exe from user directories. Use application whitelisting to prevent execution of scripts from user-controlled locations. Implement code signing requirements for scripts.
Deploy Browser and Web Security Controls - Deploy web content filtering to block malicious websites known to serve ClickFix content. Use browser extensions that warn about potentially malicious sites. Implement pop-up blocking and content security policies. Use DNS filtering to block known malicious domains associated with ClickFix campaigns.
FAQs
Why is ClickFix so dangerous compared to other social engineering attacks?
ClickFix is exceptionally dangerous because it bypasses virtually all traditional security defenses by converting users into unwitting accomplices in their own compromise. Unlike phishing emails with malicious links that email filters can intercept, ClickFix uses fake system alerts that appear completely legitimate. Unlike exploit attacks targeting software vulnerabilities, ClickFix tricks users into infecting themselves using legitimate system tools like PowerShell. The attacker does not need to interact with the victim or deliver malicious files through monitored channels—the victim performs the entire attack by following instructions that appear to be standard troubleshooting. The 1,450% surge demonstrates how effectively this technique defeats modern security architectures (LevelBlue, 2025).
What happened to cause ClickFix attacks to surge 1,450% from H2 2024 to H1 2025?
Multiple factors drove the explosive growth. First, the technique's exceptional effectiveness against security-aware users became apparent to threat actors. Second, nation-states including North Korea, Iran, and Russia adopted the technique for intelligence operations, validating its effectiveness (Proofpoint, 2025). Third, malware delivery services began offering ClickFix as a distribution method, making it accessible to lower-skill attackers. Fourth, most users were not yet aware of the threat and did not recognize fake alerts requesting command execution as malicious. As awareness and technical controls spread throughout 2025, the growth rate began to moderate, though ClickFix remains a significant threat.
What is the difference between ClickFix and a legitimate system update or administrative request?
Legitimate system operations rarely if ever ask users to manually copy and paste commands into PowerShell or command prompt. Legitimate Windows updates use the Windows Update service accessed through Settings or automatically applied by IT departments—they never require users to manually execute PowerShell commands. Legitimate IT support in professional environments uses remote management tools, official ticketing systems, and documented procedures—they do not ask users to copy and paste code through pop-up alerts. Legitimate verification systems like CAPTCHA use graphical challenges or behavioral analysis—they never request command execution.
Has ClickFix evolved into new variants since its initial discovery?
Yes, ClickFix has evolved substantially since its initial discovery by Proofpoint in March 2024. In February 2026, Microsoft Security discovered a new variant called "CrashFix" that deploys a Python Remote Access Trojan instead of traditional malware like Lumma Stealer or DarkGate (Microsoft Security Blog, 2026). This demonstrates that the fundamental technique remains effective even as defenders implement mitigations. ClickFix has expanded from primarily Windows-focused attacks to include macOS and Linux variants. Attackers have developed more sophisticated fake alerts that better mimic legitimate system messages and improved clipboard hijacking techniques.
Can AppLocker and PowerShell Execution Policy completely prevent ClickFix attacks?
While AppLocker and PowerShell Execution Policy significantly reduce the risk of successful ClickFix attacks, they are not completely foolproof. Advanced users or malware with certain privileges can sometimes bypass Execution Policies through various techniques. Misconfigured AppLocker rules can create gaps. Sophisticated attackers may modify commands to use alternative execution methods such as VBScript, JavaScript, or batch files. The strongest defense strategy combines technical controls with comprehensive user awareness training, creating a layered defense where the attack fails at multiple points. User awareness makes victims less likely to attempt command execution in the first place, while technical controls provide a safety net.
