ClickFix Malware Attacks Employ Advanced Social Engineering and Multi-OS Support
Attackers have significantly upgraded the ClickFix malware delivery technique, incorporating sophisticated social engineering tactics inspired by online retail sites. Recent campaigns feature embedded tutorial videos, countdown timers, and dynamic counters such as "users verified in the last hour" to create a sense of urgency and legitimacy, closely mimicking trusted services like Cloudflare's bot checks. The malicious pages automatically detect the visitor's operating system and provide tailored instructions, even copying the necessary malicious code to the user's clipboard via JavaScript, making the infection process seamless and convincing for victims.
ClickFix lures are distributed through multiple channels, including email, instant messaging, social networks, in-app phishing, and especially malvertising on platforms like Google Search, YouTube, and Steam. The primary objective is to trick users into pasting and executing malicious code, which typically results in the deployment of information-stealing malware. According to Push Security and the 2025 Microsoft Digital Defense report, ClickFix has become the most prevalent initial access method, accounting for nearly half of observed attacks in the past year. The evolution of these attacks, with multi-OS support and enhanced deception techniques, underscores the growing sophistication and reach of social engineering threats in the current threat landscape.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers warn ClickFix may move fully into the browser
Security researchers warned that future ClickFix variants could become even more sophisticated, potentially executing entirely in the browser to better evade endpoint detection and response tools. The warning accompanied guidance for users not to run terminal commands copied from websites unless they fully understand them.
ClickFix infections deliver infostealers via LOLBins and shell commands
The attacks tricked users into pasting and executing malicious terminal commands, leading to payloads such as information-stealing malware. On Windows, the chains commonly abused living-off-the-land tools like MSHTA and PowerShell to execute the next stage.
Malvertising and compromised WordPress sites spread ClickFix lures
The updated ClickFix campaigns were observed being distributed through Google Search malvertising and through legitimate websites compromised via outdated WordPress plugins or SEO poisoning. These delivery methods funneled users to fake Cloudflare-style verification pages.
ClickFix campaigns evolve with videos, timers, and OS-aware lures
Researchers documented a new wave of ClickFix attacks using embedded tutorial videos, countdown timers, and automatic operating system detection to make fake bot checks and CAPTCHA pages more convincing. The lures tailored instructions to Windows and Mac users and often used JavaScript to copy malicious commands to victims' clipboards.
Attackers commoditize ClickFix with weaponized landing page builders
By 2025, advanced ClickFix phishing infrastructure, including weaponized landing page builders, was being sold or shared to help less technical criminals run campaigns. This lowered the barrier to launching fake verification and self-infection lures at scale.
ClickFix attacks surge 517% in the first half of 2025
Researchers reported a 517% increase in ClickFix attacks during the first half of 2025. By that period, the technique accounted for nearly 8% of all blocked attacks, reflecting its rapid adoption by cybercriminals.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Fake CAPTCHA sites now have tutorial videos to help victims install malware | Malwarebytes
malwarebytes.com
Open sourceAttackers upgrade ClickFix with tricks used by online stores
helpnetsecurity.com
Open sourceNew ClickFix attacks feature ‘self-infection’ videos
scworld.com
Open sourceClickFix malware attacks evolve with multi-OS support, video tutorials
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix and FileFix Social Engineering Techniques for Malware Delivery
Cybercriminals are leveraging social engineering techniques known as ClickFix and its new variant, FileFix, to trick users into executing malicious commands on their Windows systems. The ClickFix method involves compromised websites displaying fake CAPTCHA-style pages that prompt users to "verify you are human." When users interact with these pages, malicious content is injected into their clipboard, and they are instructed to paste and run this content via the Windows Run dialog, leading to the installation of remote access tools such as NetSupport RAT. The SmartApeSG campaign is one example actively using this approach, with infection chains triggered under specific conditions on compromised sites. The FileFix variation, recently observed in the wild, shifts the attack vector by instructing users to paste malicious commands into the Windows File Explorer address bar instead of the Run dialog. This subtle change exploits user familiarity with File Explorer, making the attack less suspicious and increasing the likelihood of success. Both techniques rely on phishing emails or fake service pages to lure victims, and the end goal is typically the deployment of remote access malware. Security teams should be aware of these evolving tactics and educate users about the risks of following unsolicited instructions involving system dialogs or file paths.
Apr 6, 2026
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
ClickFix Social Engineering Attacks Spread Infostealers via TikTok and Other Channels
Cybercriminals are increasingly leveraging ClickFix-style social engineering attacks to distribute information-stealing malware, with a notable surge in campaigns utilizing popular platforms such as TikTok. In these attacks, threat actors create videos or web pages that purport to offer legitimate activation guides or fixes for widely used software, including Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The core technique involves tricking users into copying and pasting malicious PowerShell commands or scripts into their systems, often under the guise of resolving software issues or unlocking premium features. Once executed, these commands connect to attacker-controlled infrastructure to download and run additional payloads, such as the Aura Stealer malware, which is designed to harvest browser credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data. The attacks are highly effective due to their use of legitimate-looking lures, such as fake CAPTCHAs, embedded instructional videos, and professional web design, which lower user suspicion and bypass traditional security awareness training that focuses on phishing links and suspicious downloads. Security researchers have linked these tactics to both financially motivated cybercriminal groups, such as Interlock ransomware, and state-sponsored advanced persistent threats (APTs). Recent public breaches at organizations like Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been attributed to ClickFix-style techniques, though the full extent of their impact is likely underreported. The attacks are further amplified by the viral nature of social media platforms, where malicious videos can quickly reach large audiences. Technical analysis reveals that the malicious scripts often use JavaScript to automate clipboard actions, making the attack seamless for the victim. Once the initial payload is executed, additional malware may be downloaded to establish persistence or exfiltrate data. Security experts warn that user education must evolve to address these new attack vectors, emphasizing the dangers of running copied commands and the importance of verifying the source of any technical instructions. Organizations are advised to implement technical controls to block suspicious script execution and to monitor for signs of credential theft and unauthorized access. The growing prevalence of ClickFix attacks highlights the need for a multi-layered defense strategy that combines user awareness, endpoint protection, and proactive threat intelligence.
Mar 21, 2026